Agentless Security
Overview
Typically, the Xshield platform deploys low-compute agent software on server and endpoint machines to collect hardware, operating system, and network telemetry data. The platform then uses this information to provide visibility into ongoing network communications within the enterprise. Using this data, enterprises can configure micro-segmentation policies on the host firewall through the agent to prevent lateral movement of communications towards critical assets or from breached assets.
Endpoint Detection and Response (EDR) platforms such as CrowdStrike Falcon and SentinelOne Singularity also install agents on host machines to collect similar telemetry data and build policies necessary to secure endpoints.
Since these agents collect similar telemetry data and also have the capability to configure host firewalls, it may be more beneficial for the Xshield platform to leverage these platforms' services rather than installing its own agent.
This approach enables the Xshield platform to extend existing EDR security to include micro-segmentation, preventing lateral movement of unauthorized communications. This extension allows Xshield to showcase network visibility immediately, without the extensive time required to install another agent on customer host machines. Additionally, it reduces agent redundancy and minimizes compute consumption on the host.
CrowdStrike Integration
Prerequisites
The Falcon platform requires the following licenses to be applied to the tenant to collect telemetry and program the endpoint host firewall:
- Falcon Data Replication - Provides network communication visibility.
- Falcon Firewall Management - Enables programming of host firewalls.
Additional module licenses may be required if further enrichment of collected data is necessary.
Architecture
The integration architecture primarily involves the following touchpoints:
| Operation | Falcon | Xshield |
|---|---|---|
| Host Discovery | Agent | Import Host Groups and Members using Falcon API |
| Network Visibility (Telemetry Collection) | Collected by agent and placed in S3 bucket by the platform | Import network communications data from the S3 bucket |
| Segment & Policy Template | Create Firewall Host Groups and Firewall Rules | Map Segment to Firewall Host Group and Template to Firewall Rules via the Falcon API |
| Segmentation Enforcement | Agent writes to Host Firewall | Export Firewall Host Group via the Falcon API |
| Firewall Action Events | Collected by agent and placed in S3 bucket by the platform | Import firewall events from the S3 bucket |
The intent of this integration is to perform micro-segmentation operations on the Xshield platform. As seen in the table above, the operator never has to use the Falcon Platform UI to configure the micro-segmentation solution.
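The following is an added illustration of the Network Visibility and Segment & Policy Template rows above; it is not Xshield or CrowdStrike code. It reads a constructed, gzip-compressed JSON-lines file of the kind Falcon Data Replication drops in the S3 bucket, maps each sensor to its imported host group (segment), and reports observed segment-to-segment flows that the policy template does not allow. The FDR field names (`event_simpleName`, `aid`, `RemoteAddressIP4`, `RemotePort`, `ConnectionDirection` with `"0"` meaning outbound), the host-group membership, and the template are all assumptions made for the example.

```python
import gzip
import json
from collections import Counter

# Constructed stand-in for host-group membership imported via the Falcon API:
# sensor id (aid) -> Xshield segment, plus the IP each sensor reports.
HOST_GROUPS = {"aid-web-01": "web", "aid-app-01": "app", "aid-db-01": "db"}
HOST_IPS = {"10.0.1.10": "aid-web-01", "10.0.2.20": "aid-app-01",
            "10.0.3.30": "aid-db-01"}

# Constructed FDR-style NetworkConnectIP4 records (one JSON object per line,
# gzip-compressed, as the platform places them in the S3 bucket).  Field names
# and ConnectionDirection "0" = outbound are assumptions about the FDR schema.
SAMPLE_EVENTS = [
    {"event_simpleName": "NetworkConnectIP4", "aid": "aid-web-01",
     "RemoteAddressIP4": "10.0.2.20", "RemotePort": "8443", "ConnectionDirection": "0"},
    {"event_simpleName": "NetworkConnectIP4", "aid": "aid-app-01",
     "RemoteAddressIP4": "10.0.3.30", "RemotePort": "5432", "ConnectionDirection": "0"},
    {"event_simpleName": "NetworkConnectIP4", "aid": "aid-db-01",
     "RemoteAddressIP4": "10.0.3.30", "RemotePort": "5432", "ConnectionDirection": "1"},
    {"event_simpleName": "NetworkConnectIP4", "aid": "aid-web-01",
     "RemoteAddressIP4": "10.0.3.30", "RemotePort": "5432", "ConnectionDirection": "0"},
    {"event_simpleName": "ProcessRollup2", "aid": "aid-web-01"},
]

def fdr_blob(events):
    """Serialise events as gzip-compressed JSON lines, like an FDR S3 object."""
    return gzip.compress("\n".join(json.dumps(e) for e in events).encode())

def segment_flows(blob, host_groups=HOST_GROUPS, host_ips=HOST_IPS):
    """Count observed (source segment, destination segment, port) flows."""
    flows = Counter()
    for line in gzip.decompress(blob).decode().splitlines():
        ev = json.loads(line)
        if ev.get("event_simpleName") != "NetworkConnectIP4":
            continue                     # other sensor events carry no flow
        if ev.get("ConnectionDirection") != "0":
            continue                     # inbound copies would double-count
        src = host_groups.get(ev["aid"], "unmanaged")
        dst = host_groups.get(host_ips.get(ev["RemoteAddressIP4"]), "external")
        flows[(src, dst, int(ev["RemotePort"]))] += 1
    return flows

def policy_violations(flows, template):
    """Flows not covered by the segment policy template (allowed triples)."""
    return {f: n for f, n in flows.items() if f not in template}

# Constructed policy template: only web -> app on 8443 and app -> db on 5432.
TEMPLATE = {("web", "app", 8443), ("app", "db", 5432)}

if __name__ == "__main__":
    observed = segment_flows(fdr_blob(SAMPLE_EVENTS))
    for flow, n in policy_violations(observed, TEMPLATE).items():
        print("unexpected flow", flow, "seen", n, "times")
```

In the constructed data the direct web-to-db connection on port 5432 is the one flow outside the template, which is exactly the kind of lateral movement a mapped Firewall Host Group rule would then block.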
The diagram below provides a high-level overview of these operations to build a micro-segmentation solution.
Workflow
For detailed documentation on how to use the CrowdStrike Integration on the Xshield platform to implement a micro-segmentation solution, refer to CrowdStrike Integration.