RSAC 2022: Introducing CrowdStrike Asset Graph — the path to proactive security posture management

Driven by all the new technologies being adopted and the move to the cloud, the number and types of assets an organisation has to manage increased nearly fourfold over the last 10 years. As a result, organisations are at risk to adversaries, who continually conduct reconnaissance to identify, target and exploit soft targets and vulnerabilities. The proliferation of assets also creates an untenable situation for IT to minimise service disruption as asset configurations are changed and patches are applied. Gaining visibility and being able to manage both known and unknown assets is critical to maintaining proper security hygiene and a proactive security posture, but remains an unsolved challenge for nearly every organisation.

The scale of the challenge is immense: hundreds of thousands of assets and devices, with hundreds of thousands of accounts logging into those workloads, with thousands of applications running. For true cloud-based solutions, this problem becomes exponentially harder with hundreds of millions of assets, hundreds of millions of users, running tens of thousands of applications.

One of the biggest obstacles today in operationalising security posture management is the lack of understanding of the cascading impact of any configuration change. For too long, security posture management tools have focused on the security impact of proposed mitigations, but are unable to understand the operational impact such a mitigation may have on the organisation. This creates a gap between security and IT teams, resulting in huge hurdles for implementing any change.

Let’s take a simple example of mitigating a vulnerability in a deployed product. First, it is almost impossible for any organisation to even keep track of published vulnerabilities and associated patches due to the pace at which vulnerabilities are being discovered. Second, even if an organisation knows about a mitigation, they cannot deploy it fast enough before exploits are available in the wild. That is because of the aforementioned lack of insight into the ITOps impact of any patch. The result is an ever-increasing attack surface and IT and security teams that are often at loggerheads.

Gaining a single, unified, 360-degree view of assets, identities and configurations across all systems – including cloud, on-premises, mobile, IOT and more – and understanding how each of these assets interacts with each other, provides a bridge to IT and security operations.

For security teams, this level of dynamic visibility empowers them to discover and catalogue every asset and its interconnected relationship to better understand the configurations, vulnerabilities and exposures that an adversary might try to exploit. And IT operations can better manage, maintain and track assets across the organisation to better minimise service disruption, ensure system uptime and support other critical IT projects.

CrowdStrike has always focused on solving the hard problem first by developing innovative, scalable solutions, and we are now applying the same approach to this area of security posture management. That’s why I’m so excited to announce that CrowdStrike today unveiled the CrowdStrike Asset Graph, a new graph database underpinning the CrowdStrike Falcon platform.

CrowdStrike Asset Graph dynamically monitors and tracks the complex interactions among assets, providing a single holistic view of the risks those assets pose. Asset Graph provides graph visualisations of the relationships among all assets such as devices, users, accounts, applications, cloud workloads and operations technology (OT), along with the rich context necessary for proper security hygiene and proactive security posture management to reduce risk in their organisations — without impacting IT.

Asset Graph: Powering the Falcon platform and the future of IT SecOps

CrowdStrike has once again done the hard, architectural work upfront to deliver superior protection, performance and value from the Falcon platform.

Asset resolution — the merging of small pieces of information from various sources and systems into a single view of the asset — continues to be an unmet challenge in the industry. For instance, one system in an IT environment may register a device by IP address, while another system registers it by user name. This problem grows more complex depending on how and where the asset is used (internal networks, on cloud networks, etc) and the number of data sources used to track inventory. According to ESG, nearly one-third (32%) of organisations utilise 10 or more data sources to track and inventory their assets for security purposes.

This makes it incredibly difficult for organisations to gain a unified view of their assets – and conversely, makes it difficult to ensure that disparate assets are not conflated with a different asset of a similar name from another system. The data exists to make these distinctions, but resolving assets across myriad systems has proved elusive, until now.

Figure 1 – CrowdStrike Asset Graph shows every entity (device, IOT, identities, etc) on a customer network and how they all interact. This insight helps organisations make better decisions – from security to IT performance, utilisation, capacity, licence management and more – to proactively protect and manage their IT environment.
Figure 1 – CrowdStrike Asset Graph shows every entity (device, IOT, identities, etc) on a customer network and how they all interact. This insight helps organisations make better decisions – from security to IT performance, utilisation, capacity, licence management and more – to proactively protect and manage their IT environment.

The CrowdStrike Falcon platform was purpose-built with a cloud-native architecture to harness vast amounts of high-fidelity security and enterprise data, and deliver solutions through a single, lightweight agent to keep customers ahead of today’s sophisticated adversaries.

CrowdStrike’s groundbreaking graph technologies, beginning with the company’s renowned Threat Graph, help form a powerful, seamless and distributed data fabric, interconnected into a single cloud – the CrowdStrike Security Cloud – that powers the Falcon platform and CrowdStrike’s industry-leading solutions.

Using a combination of artificial intelligence (AI) and behavioural pattern-matching techniques to correlate and contextualise information in the vast data fabric, CrowdStrike’s graphs create a “collect data once, re-use it multiple times” approach to solving the biggest problems customers face. With the introduction of Asset Graph, CrowdStrike is applying this same approach to solving customers’ hardest, unmet challenges with an eye to proactive security, as well as unprecedented IT visibility and risk management.

The three highly advanced graph technologies underpinning the Falcon platform now include:

Threat Graph: CrowdStrike’s industry-defining Threat Graph takes trillions of security data points from millions of sensors, enriched by threat intelligence data and third-party sources, to identify and link threat activity together to provide full visibility of attacks and automatically prevent threats in real-time across CrowdStrike’s global customer base.

Intel Graph: By analysing and correlating massive amounts of data on adversaries, their victims and their tools, Intel Graph provides unrivalled insights into the shifts in tactics and techniques, powering CrowdStrike’s adversary-focused approach with world-class threat intelligence.

Asset Graph: With this release, CrowdStrike is solving one of the most complex customer problems today: identifying assets, identities and configurations accurately across all systems including cloud, on-premises, mobile, IOT and more, and connecting them together in a graph form. Unifying and contextualising this information will lead to powerful new solutions that transform how organisations enforce security hygiene and dynamically manage their security posture.

Falcon Discover 2.0: The first module powered by Asset Graph

CrowdStrike Asset Graph will enable new Falcon modules and features built on top of it to define, monitor and explore the relationships among assets within an organisation. The first Falcon module to use Asset Graph is Falcon Discover, CrowdStrike’s security hygiene solution, which includes the following enhancements:

Newly enhanced dashboards, highly customisable filters and sharing options: IT teams can tailor their experience of Asset Graph’s map visualisation and powerful search capabilities, all presented conveniently within the Falcon Discover console.

New third-party data integration with ServiceNow: By combining a ServiceNow integration with Asset Graph and Falcon Discover, IT teams gain another layer of asset visibility around devices in a single console, providing enhanced monitoring over unmanaged and unsupported assets.

Manage risk by thinking like an adversary

CrowdStrike has long advocated for an adversary-focused approach to security. This means staying ahead of shifting adversary tradecraft and tactics so you know how they’ll come after you. It also means having deep visibility across your critical assets and technology environment to understand where they’ll come after you as well.

The introduction of Asset Graph will enable organisations to gain a much deeper understanding of their complete technology environment and how it interacts, more accurately assess the risk posture of their assets, and move to proactively adapt their security posture to defend against today’s adversaries without disrupting IT operations. 

Share