Businesses move faster with SaaS, but so do attackers. Breaches that once took days now unfold in minutes. To help security teams keep up with these new threats, Obsidian Security and CrowdStrike are combining the power of their AI to enhance detection and response capabilities.
Going forward, CrowdStrike will be able to leverage the extensive Obsidian SaaS breach data repository to enrich the AI-powered models within the CrowdStrike Falcon® Next-Gen SIEM. As a trusted CrowdStrike incident response (IR) partner for SaaS breaches, Obsidian Security has been involved in hundreds of SaaS IRs. These unique insights give security teams faster, actionable protection to stay ahead of sophisticated attacks and provide visibility into securing critical applications. Plus, unique insights from Obsidian through real-world SaaS breaches creates superior models, delivering prevention, not just alerts, to minimize the noise and false positives common in rules-based approaches.
Below we explore a couple use cases for how the CrowdStrike Falcon® Next-Gen SIEM can leverage Obsidian insights and data to accelerate SaaS threat detection and response.
Use Case 1: Identity Compromise Detection and Subsequent Login via Obsidian Security and CrowdStrike
Actors
- User: A threat actor compromised an IdP identity and managed to persist with additional MFA. They login into the corporate environment via VPN or Remote Desktop Protocol (RDP) .
- CrowdStrike: Endpoint security solution providing protection for hosts.
- Identity aware VPN/proxy: Monitor network traffic.
Preconditions:
- Obsidian Security is actively monitoring the user’s account for potential identity compromises and behavioral anomalies.
- CrowdStrike is installed and active on the servers hosting the RDP service.
- Identity aware VPN/proxy log are ingested for correlation.
- The user has access to an RDP account protected by CrowdStrike, and their identity is being monitored.
Scenario:
- Initial Compromise Detection:
- Obsidian Security detects a potential identity compromise, such as unusual login attempts, impossible travel activity, or the use of stolen credentials.
- The system raises an alert, flagging the compromised account due to suspicious behavior deviating from typical user patterns and sends that alert to the CrowdStrike Falcon® Next-Gen SIEM.
- Attempted Login via RDP:
- The attacker (or user) attempts to successfully authenticate and gain access to the RDP service.
- The login is facilitated by the use of valid credentials, multi-factor authentication (MFA), or bypass of security mechanisms.
- CrowdStrike Falcon® Next-Gen SIEM detects a login from a potential compromised account and triggers a high-fidelity alert and optionally invoking a fusion workflow.
- Investigation Process:
- Security operations team is notified of the detected compromise and begins investigating the flagged activity in the CrowdStrike Falcon® Next-Gen SIEM Console.
- They review the details from Obsidian Security, including login attempts, IP addresses, geographic locations, and behavioral discrepancies as well as the CrowdStrike agent detections and telemetry from the hosting service to detect any further malicious behavior post-login.
- CrowdStrike actively scans the system for malware, lateral movement, and unusual activity within the session.
- Response and Mitigation:
- Depending on the behavior post-login, CrowdStrike can take actions such as isolating the compromised device, preventing further access, or notifying the security team.
- If the identity compromise turns out to be part of an active threat, CrowdStrike Falcon® Next-Gen SIEM can automatically isolate systems, and reset compromised credentials.
Postconditions:
The compromised identity is contained, and the account access is restored securely. Obsidian Security updates its user behavior profile for future detection. CrowdStrike logs and alerts are reviewed for any malicious activity during the compromised session
Outcome:
The combined detection from Obsidian Security and endpoint protection from CrowdStrike provides a layered defense, identifying the compromise early and enabling rapid response to prevent further damage.
Use Case 2: Correlation of Obsidian and Crowdstrike Events for Non-Human Identities (Service Accounts & Third-Party Integrations)
Description:
In environments where non-human identity tokens are employed, there is a risk of these tokens being exfiltrated and abused by threat actors. Hosts running the CrowdStrike agent are particularly targeted for such attacks. By correlating logs from Obsidian and CrowdStrike, security teams can identify high-fidelity detections of token abuse and unauthorized access, enabling rapid response and mitigation.
Actors:
- Threat Actor: Attempts to exfiltrate and abuse non-human identity tokens.
- CrowdStrike: Provides endpoint detection and response capabilities on host machines.
- Obsidian Security: Monitors identity-related activity and security.
Scenario:
- Initial Attack: A non-human identity token, used for service automation or machine-to-machine communication, is exfiltrated from a host that has the CrowdStrike agent installed.
- Token Abuse: The exfiltrated token is then abused to gain unauthorized access to resources or services.
- Event Correlation: Correlating the identity-related events from Obsidian with the endpoint logs from CrowdStrike reveals anomalous behavior, such as:
- Unusual token usage patterns.
- Token used on unrecognized hosts.
- Abnormal access attempts tied to the exfiltrated token.
- Detection & Response: The correlation of these logs yields high-confidence detections, allowing security teams to quickly detect, investigate, and respond to the abuse of the non-human identity token.
Outcome:
By leveraging both Obsidian and CrowdStrike data, organizations can enhance detection fidelity, identifying the exfiltration and misuse of non-human identity tokens before it leads to significant damage.
Impact:
This approach improves the security posture by ensuring that identity-related threats are quickly identified, even when non-human identities are involved, reducing the window of opportunity for attackers.
Conclusion
Obsidian addresses the SaaS and PaaS security blind spot for organizations, allowing security professionals to defend against SaaS-originated attacks before they can move to on-premises infrastructure. Schedule a demo to learn more about Obsidian SaaS security solutions and how they integrate with the CrowdStrike Falcon® Next-Gen SIEM.
