Unmatched Visibility and Automation through CrowdStrike Falcon and SIRP


Organizations cannot risk leaving endpoints such as servers, workstations, and laptops unprotected. Ensuring the visibility and protection of these systems is critical for business continuity and safety. Integrating a SOAR (Security Orchestration, Automation and Response) platform with an EDR (Endpoint Detection and Response) solution becomes a no-brainer once it brings automated threat detection and containment, enriched alerts, and mitigation capabilities.

The cyber threat landscape is ever-evolving; new attack vectors and techniques emerge every day. APT (Advanced Persistent Threat) groups, cybercriminals, and hacktivists are looking to exploit your systems, and their favorite targets are the vulnerable assets and endpoints that are left unprotected.

NGAV (Next-Generation Antivirus) and EDR (Endpoint Detection and Response) enable security teams to monitor and protect endpoints. A SOAR platform's integration with these security tools (NGAV, EDRs) enhances their joint capabilities. SIRP SOAR integrates with CrowdStrike Falcon for its comprehensive detection and response capabilities. CrowdStrike Falcon, combined with SIRP's risk-based SOAR platform, provides SOC teams with unparalleled incident response: access to active threats, accelerated visibility and detection, and complete information on artifacts to provide context and threat validation.

CrowdStrike’s Falcon platform is purpose-built to stop breaches via a unified set of cloud-delivered technologies. It prevents all types of sophisticated attacks including malware and ransomware. Falcon gives a comprehensive view of the attack cycle of a threat for faster investigations with deep context.

Challenge

CrowdStrike Falcon does a good job of identifying, blocking and containing threats and hosts. However, a major issue is the number of false positives detected. These false positives distract analysts, cause alert fatigue, and increase the overall burden on SOCs. Another challenge for organizations is the slow response time from support: by the time the support team reaches out, analysts have already resolved their queries.



Solution

SIRP SOAR improves the effectiveness of an EDR by regulating and managing various security operations (including endpoints) with its orchestration, automation, and response capabilities. SIRP ingests threats from CrowdStrike Falcon, and these threats are assessed on the basis of their severity and the S3 (SIRP Security Score). Automated playbooks eliminate the alert fatigue and manual labor that analysts would otherwise face. Cybersecurity meshes and interconnected devices, with their millions of alerts, are managed easily and seamlessly.

With SIRP, the Mean Time to Respond (MTTR) for cyber threats decreases, and the monitoring of and response to incidents improve. Not only are incidents processed faster, but false positives are also easily distinguished. SIRP support teams are always ready to assist you with any ambiguities, issues, and queries that may arise; our 24/7 support ensures that we are available to you at all times.

Analysts can easily assess detections with SIRP, and the indicators (IPs, hashes, and domains) can be blocked or unblocked using CrowdStrike Falcon. Along with these advantages, the integration between CrowdStrike Falcon Insight and SIRP SOAR automates workflows and playbooks, which can be customized to reduce the MTTR and streamline incident response. The playbooks and complex workflows are easily customized and can minimize alert fatigue and resource consumption. Incident response and mitigation become effortless for analysts, with the containment and blocking actions of Falcon Insight backed by the clear visibility into threats provided by SIRP.

Integration Features


Use Case 1: Malware Breakout Analysis and Containment

In this example, SIRP SOAR receives an alert on a malware breakout from a threat intelligence platform. Based on the predefined rules, SIRP automatically executes a playbook to investigate and contain the malware outbreak. 

The playbook is set to perform the following actions:

  • Once an alert is ingested in SIRP, it automatically parses all the artifacts in evidence, e.g. User ID, Source IP Address, Hostname, Process ID. The playbook then begins the automated investigation with the following actions:

    • Get User Info from Active Directory

    • Get Manager Info of the same user from Active Directory

    • Get Endpoint details from CrowdStrike using the hostname

    • Get Process details from CrowdStrike using the process ID

    • Get Behaviors of the malware from CrowdStrike using the CrowdStrike detection ID

  • After alert enrichment, the playbook decides whether the behaviour is malicious using a score threshold of 25.

  • IF the behaviour is detected as malicious, i.e. the score is > 25:

    • The host is contained using CrowdStrike Falcon Insight.

    • The L2 SOC analyst is added as a member to carry out further investigation.

    • The priority is changed to “High.”

    • The disposition is changed to “Incident.”

  • ELSE the behaviors of the alert are assessed:

    • Tasks are assigned to L1 analysts for further verification.


Use Case 2: Ransomware Attack Mitigation

In a ransomware attack, the attacker infects a system with malicious files or uses other attack techniques to encrypt files on the victim's system, leaving a ransom note that offers a decryption key in exchange for payment. With the right mitigation and preventative steps, the playbook limits the ransomware attack radius before any further damage is done to the organization's systems and critical data.

Let’s review how this SIRP playbook is set to function:

  • Once an alert is ingested in SIRP, it automatically parses all the artifacts in evidence, e.g. User ID, Source IP Address, Hostname, Process ID. The playbook then begins the automated investigation by collecting:

    • Endpoint details, including source IP addresses.

    • The user's and their manager's information from Active Directory.

    • Process details and behaviors, using process IDs and the source IP.

    • Asset details from the SIRP Asset module.

  • After enrichment, the playbook uses the collected information to decide whether the behavior and process pertain to ransomware.

  • IF the process and behaviors are related to ransomware:

    • The host is contained using CrowdStrike.

    • The L2 SOC analyst is added as a member to carry out further investigation.

    • A case is created in SIRP.

    • The priority is changed to “High.”

    • The disposition is changed to “Incident.”

  • ELSE:

    • Tasks are assigned to L1 analysts for further manual analysis.

    • The disposition is changed to “Investigation.”

    • The priority is changed to “Low.”

  • Furthermore, the destination IP reputations are investigated.

  • IF the destination IP score is higher than usual:

    • Block the destination IP using CrowdStrike Custom IOC rules.

    • Change the disposition to “Incident.”

    • Assign investigative tasks to L2 analysts.

  • ELSE mark the alert as a false positive:

    • Assign a task to an L1 analyst to investigate and close manually.

    • Change the disposition to “Investigation.”

    • The priority is changed to “Low.”
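As an added example (not SIRP's or CrowdStrike's own code), here is the branching of both playbooks above written as plain Python over constructed enrichment data. The score threshold of 25 comes from use case 1; the reputation threshold, the behaviour labels, and the placement of the destination-IP check in the non-ransomware branch are assumptions made for the example.

```python
# Added example, not SIRP's or CrowdStrike's code: the branching of the two playbooks.
MALICIOUS_THRESHOLD = 25     # from the page: behaviour score > 25 is treated as malicious
REPUTATION_THRESHOLD = 50    # assumed: the page only says "higher than usual"
RANSOMWARE_BEHAVIOURS = {"mass_file_encryption", "shadow_copy_deletion"}  # assumed labels

# Constructed stand-ins for the Active Directory, Falcon and asset-module lookups.
AD_USERS = {"jdoe": {"manager": "asmith"}}
FALCON_HOSTS = {"WS-042": {"ip": "10.0.0.42", "owner": "jdoe"}}
FALCON_DETECTIONS = {
    "det-1": {"score": 40, "behaviours": ["mass_file_encryption"], "dest_ip": "203.0.113.9"},
    "det-2": {"score": 10, "behaviours": ["office_macro"], "dest_ip": "203.0.113.9"},
    "det-3": {"score": 10, "behaviours": ["office_macro"], "dest_ip": "198.51.100.5"},
}
IP_REPUTATION = {"203.0.113.9": 90, "198.51.100.5": 5}   # constructed scores, 0-100

def parse_artifacts(alert):
    """Pull the evidence fields the page lists (user, source IP, host, process, detection)."""
    keys = ("user_id", "source_ip", "hostname", "process_id", "detection_id")
    return {k: alert.get(k) for k in keys}

def enrich(artifacts):
    """Enrichment step shared by both playbooks; unknown keys yield empty context."""
    return {
        "user": AD_USERS.get(artifacts["user_id"], {}),
        "host": FALCON_HOSTS.get(artifacts["hostname"], {}),
        "detection": FALCON_DETECTIONS.get(artifacts["detection_id"], {}),
    }

def malware_playbook(alert):
    """Use case 1: contain and escalate when the behaviour score exceeds 25."""
    det = enrich(parse_artifacts(alert))["detection"]
    if det.get("score", 0) > MALICIOUS_THRESHOLD:
        return ["contain_host", "add_member:L2", "priority:High", "disposition:Incident"]
    return ["assign_task:L1"]

def ransomware_playbook(alert):
    """Use case 2: ransomware branch, otherwise the destination-IP reputation branch."""
    det = enrich(parse_artifacts(alert))["detection"]
    if RANSOMWARE_BEHAVIOURS & set(det.get("behaviours", [])):
        return ["contain_host", "add_member:L2", "create_case",
                "priority:High", "disposition:Incident"]
    actions = ["assign_task:L1", "disposition:Investigation", "priority:Low"]
    dest_ip = det.get("dest_ip")
    if IP_REPUTATION.get(dest_ip, 0) > REPUTATION_THRESHOLD:
        actions += [f"block_ioc:{dest_ip}", "disposition:Incident", "assign_task:L2"]
    else:
        actions.append("mark_false_positive")   # L1 task, Investigation, Low already set
    return actions
```

Each function returns the ordered list of SIRP actions the playbook would take, so the decision path can be checked without the SIRP or Falcon APIs.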


Benefits

  • Advanced detection and remediation capabilities with CrowdStrike and SIRP to contain hosts, get incident and process insights, and block and unblock hashes, IPs, and domains.

  • Automated playbooks accelerate incident triaging and responses. 

  • Endpoint monitoring and detection capabilities with a single pane of glass view.

  • Reduction in costs and resource consumption with automated and consistent workflows

  • Easier mitigation and lower MTTR with customized actions and contextual data.
