Exposure Management with CrowdStrike

Martina Lenić, published in CyberDnevnik
5 min read · Jun 28, 2024

Vulnerability management and asset management, merged together to serve and support an organization’s security posture more effectively.

Security posture as defined by NIST SP 800-128:

The security status of an enterprise’s networks, information, and systems based on information security resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes.

When defining an organization’s security posture, several key functions have to be evaluated to determine the organization’s security readiness and the effectiveness of its security measures. Depending on the nature of the organization, the core security functions include:

  • assets inventory,
  • vulnerability identification,
  • risk assessment,
  • threat analysis and
  • recommendation for improvements.

Proactive vulnerability and risk management alongside asset management have become mandatory security measures.

In 2023 CrowdStrike continued to show its ability to keep up with the security challenges its clients are facing, and Gartner once again recognized it.

As it continues to share the leader position in the EDR market with some of the most respected cybersecurity vendors, it also continues to grow and strengthen its capabilities in managing vulnerabilities, discovering digital assets, and improving overall visibility of the asset surface.

Exposure Management vs. Vulnerability Management

Exposure Management is the process of identifying, assessing, and addressing security risks associated with digital assets. It starts with asset discovery and risk exposure assessment and it is followed by prioritization and remediation steps to reduce the attack surface.

Vulnerability Management addresses CVEs (Common Vulnerabilities and Exposures) by identifying, assessing, and managing vulnerabilities across all of the organization’s endpoints. After the assessment, it organizes the findings, takes action (accept the risk, mitigate, or remediate the vulnerability), and then starts the reassessment all over again.

Although they serve different roles, both parts start with an assessment of all digital assets and findings, and they complement each other in later stages. The results from Vulnerability Management are accompanied by the necessary context provided by the Discover module, and vice versa. By merging several modules, CrowdStrike offers a broader picture of one’s own state of security and exposure to risks and threats.

Falcon Exposure Management

The new Exposure Management module emphasizes the importance of a healthy relationship between managing vulnerabilities and having visibility into all managed and unmanaged assets in one’s organization. The module fights the key challenges companies are facing nowadays:

  • legacy OSes and tools,
  • locating unprotected assets/areas,
  • controlled asset management and
  • understanding the overall attack surface.

Courtesy of CrowdStrike

Capabilities included within the Falcon Exposure Management:

  • Discover (assets, applications, accounts) — complete visibility into all digitally managed (CrowdStrike sensor installed) and unmanaged (CrowdStrike sensor not installed) assets, accounts, and applications with additional context on the asset’s role and criticality. Passive discovery offers the ability to catch “rogue” IT assets and blind spots unaccounted by the organization. This is helpful with the integration of the BYOD (Bring Your Own Device) model and in today’s hybrid mode of work when employees are often connecting business laptops to their home network. Track installed applications and get reports on all assets running a non-standard set of the organization’s allow-listed applications and their (un)supported versions.
  • Assess — vulnerability and risk assessment. It involves the health assessment of discovered assets, ingestion of third-party sources of vulnerability information, vulnerability coverage of the software and OS CVEs, and misconfigurations.
  • Prioritize — an AI-powered vulnerability management model that helps prioritize exposures effectively. Prioritization of discovered vulnerabilities across the company’s assets is based on CrowdStrike’s ExPRT.AI rating, asset criticality, Internet exposure identification, and adversary context pulled from the intelligence feed. With all the gathered information, security analysts can more easily weigh security risks and act on them based on the calculated severity of exploitation.
  • Remediate — deploy mitigation measures that focus on setting up workflows to notify, contain, or trigger a Real-Time Response action with several high-level commands, integrating third-party tools like ServiceNow and Jira to create tickets, and one-click patching. CrowdStrike provides automatic and on-demand reports with information on how to remediate the found vulnerability.

Exposure Inventory

The exposure inventory dashboard provides a summary of all findings from asset and vulnerability management dashboards. It includes the number of all assets (managed, unmanaged and unsupported), open vulnerabilities, cloud and external vulnerabilities, and much more. The dashboard can be customized based on the user’s preference.

The tabs above the exposure inventory dashboard, All open vulnerabilities and All assets, lead to data gathered by CrowdStrike’s sensors, analyzed with Threat Graph and compared against the Intelligence feed; together they represent the content of the Spotlight and Discover modules.

All open vulnerabilities

Filtering and grouping all the vulnerability-related findings supports prioritization and easier management of the thousands of rows of found vulnerabilities and the assets/products containing them.

Vulnerabilities can be grouped by:

  • vulnerability ID,
  • asset,
  • product,
  • product version and
  • remediation.

Filtering options include asset and vulnerability confidence, exploit status (actively used, easily accessible, available, unproven), suppression status, information on CVE and CVSS, remediation, vendor and product, asset information, asset criticality and more.

All assets

Similar to the vulnerability list, the All assets table provides the possibility to filter hosts based on OS version, IP address history, last and first seen, asset criticality, serial number, owner and much more. Here, the emphasis is on Internet exposure, which is determined by the network topology and whether the asset has one or more specific open ports.
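The grouping, filtering, Internet-exposure and prioritization behaviour described in the Prioritize, All open vulnerabilities and All assets sections above, and the exposure inventory counts, as an added illustrative example. This is not CrowdStrike code and does not reproduce the ExPRT.AI rating: the weights, the multiplier, the set of "Internet-facing" ports, the asset names, product names and CVE identifiers are all constructed placeholders, and Internet exposure is approximated from open ports alone, without the topology context the real module uses.

```python
"""Illustrative exposure-inventory model over constructed assets and findings."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed weights for an illustrative priority model (NOT CrowdStrike's ExPRT.AI).
# They only show how exploit status, asset criticality and Internet exposure
# can be combined into one ranking.
EXPLOIT_STATUS_WEIGHT = {
    "actively used": 1.0, "easily accessible": 0.8, "available": 0.6, "unproven": 0.3,
}
CRITICALITY_WEIGHT = {"critical": 1.0, "high": 0.8, "medium": 0.5, "low": 0.2}
INTERNET_EXPOSURE_MULTIPLIER = 1.5
# Assumed set of ports whose exposure marks an asset as Internet-facing.
INTERNET_FACING_PORTS = frozenset({22, 80, 443, 3389})


@dataclass(frozen=True)
class Asset:
    hostname: str
    managed: bool          # True when the sensor is installed
    criticality: str       # one of CRITICALITY_WEIGHT
    open_ports: frozenset

    def internet_exposed(self) -> bool:
        """Approximation: exposed if any assumed Internet-facing port is open."""
        return bool(self.open_ports & INTERNET_FACING_PORTS)


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: Asset
    product: str
    version: str
    cvss: float
    exploit_status: str    # one of EXPLOIT_STATUS_WEIGHT
    remediation: str
    suppressed: bool = False


def priority_score(f: Finding) -> float:
    """Relative ranking value: normalized CVSS scaled by exploit status,
    asset criticality and Internet exposure. Higher means act sooner."""
    score = (f.cvss / 10.0) * EXPLOIT_STATUS_WEIGHT[f.exploit_status] \
        * CRITICALITY_WEIGHT[f.asset.criticality]
    if f.asset.internet_exposed():
        score *= INTERNET_EXPOSURE_MULTIPLIER
    return score


def filter_findings(findings, *, include_suppressed=False, exploit_status=None,
                    min_cvss=0.0, internet_exposed=None):
    """Subset of the page's filter dimensions: suppression, exploit status, CVSS, exposure."""
    out = []
    for f in findings:
        if f.suppressed and not include_suppressed:
            continue
        if exploit_status is not None and f.exploit_status != exploit_status:
            continue
        if f.cvss < min_cvss:
            continue
        if internet_exposed is not None and f.asset.internet_exposed() != internet_exposed:
            continue
        out.append(f)
    return out


# The five grouping dimensions listed on the page.
GROUP_KEYS = {
    "vulnerability_id": lambda f: f.cve,
    "asset": lambda f: f.asset.hostname,
    "product": lambda f: f.product,
    "product_version": lambda f: f"{f.product} {f.version}",
    "remediation": lambda f: f.remediation,
}


def group_by(findings, key: str):
    groups = defaultdict(list)
    for f in findings:
        groups[GROUP_KEYS[key](f)].append(f)
    return dict(groups)


def prioritize(findings):
    """Open (non-suppressed) findings, highest priority first."""
    return sorted(filter_findings(findings), key=priority_score, reverse=True)


def inventory_summary(assets, findings):
    """Counts of the kind shown on the exposure inventory dashboard."""
    open_f = filter_findings(findings)
    return {
        "managed_assets": sum(a.managed for a in assets),
        "unmanaged_assets": sum(not a.managed for a in assets),
        "internet_exposed_assets": sum(a.internet_exposed() for a in assets),
        "open_vulnerabilities": len(open_f),
        "assets_with_open_vulnerabilities": len({f.asset.hostname for f in open_f}),
    }


# Constructed sample data; CVE ids and products are placeholders, not real ones.
WEB01 = Asset("web01", True, "critical", frozenset({22, 443}))
APP02 = Asset("app02", True, "medium", frozenset({8080}))
LAB03 = Asset("lab03", False, "low", frozenset({3389}))
ASSETS = [WEB01, APP02, LAB03]
FINDINGS = [
    Finding("CVE-0000-0001", WEB01, "ExampleHTTPd", "2.1", 9.8, "actively used", "Upgrade ExampleHTTPd to 2.2"),
    Finding("CVE-0000-0002", WEB01, "ExampleHTTPd", "2.1", 5.3, "unproven", "Upgrade ExampleHTTPd to 2.2"),
    Finding("CVE-0000-0001", APP02, "ExampleHTTPd", "2.1", 9.8, "actively used", "Upgrade ExampleHTTPd to 2.2"),
    Finding("CVE-0000-0003", LAB03, "LegacyOS", "7", 7.5, "available", "Decommission LegacyOS 7", suppressed=True),
]

if __name__ == "__main__":
    print(inventory_summary(ASSETS, FINDINGS))
    for f in prioritize(FINDINGS):
        print(f"{priority_score(f):.3f}  {f.cve} on {f.asset.hostname} ({f.product} {f.version})")
    for remediation, fs in group_by(FINDINGS, "remediation").items():
        print(f"{remediation}: {len(fs)} finding(s)")
```

Grouping by remediation is what turns thousands of rows into a short work list: the same placeholder CVE on two hosts and a lower-severity CVE on one of them all collapse into a single "upgrade" action, while the suppressed finding on the unmanaged host stays out of the open count but remains visible when `include_suppressed=True`.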

In conclusion…

While asset management within the Falcon Discover module and vulnerability management within the Falcon Spotlight module can each be looked at and analyzed separately, there is no good security posture without the two parts working together and building on each other. The goal of this article was to introduce CrowdStrike’s merging of the two modules and their contributing roles in analyzing and assessing the security posture.

Hey, thanks for sticking with me until the end. Let me know your thoughts, ideas, criticism and advice. Find me on LinkedIn.
