CrowdStrike recently announced its Falcon Identity Protection, which can not just detect Identity attacks, it can also prevent them. Furthermore, unlike either Microsoft Defender for Identity (MDI) or Azure Active Directory (AAD) Identity Protection — even when combined, Microsoft still can’t apply MFA to on-premises authentication flows. Falcon Identity Protection can, and integrates in the top Identity Providers, without any changes to your environment.

This means if a user has a certain risk score, not only can you apply this score to MFA, allows and deny’s, customers can apply the same Zero Trust policies on-premises, using AD as the enforcement point.

MDI is only a detection tool. It only works with Azure AD, which in turn, only allows it to challenge cloud-based authentication. Why create a Zero Trust Architecture that can’t be applied to on-premises? Remember SolarWinds? — well the adversary compromised on-premises first to compromise it’s victims O365, Azure and other cloud-resources. Ignoring Zero Trust on-premises is quite risky…

Want more information on how this all relates to Sunburst? We did a dedicated session just for this, while performing the IR for SolarWinds and briefing Congress.

Want a 15 min video instead? Check this out.

Falcon Identity Protection, unlike Microsoft’s products, can build threat models and risk scores for users even when those users aren’t replicated to Azure AD — like the most important and targated attacks, such as Service Accounts and Domain/Enterprise Administrators. Ask Microsoft if your most protected credentials have risk-scores for on-premises, those which shouldn’t be replicated to the cloud (AAD). You might not like the answer…

You’re probably scratching your head… and honestly, so are we. Why would Microsoft ignore on-premises? Why would they refuse to allow any other vendor to integrate their MFA with Azure AD? How does that help customers who are Hybrid? How does it help customers with a multi-cloud strategy?

It doesn’t. Again, Sunburst.

But luckily, there is CrowdStrike Falcon, which is best-of-breed, integrates with dozens of Identity Providers (Okta, Ping, etc.), customized policies and auto-classification of service accounts so you can have more control across your clouds and your premises.

Image for post
Modifying Policies. For example, force Service Accounts to act as service accounts, _blocking_ them from performing interactive logons. MFA your IT operations team when they PowerShell-automate to update machines; something Microsoft’s stack simply doesn’t allow.

CrowdStrike also help you protect your multi-cloud — CrowdStrike Cloud Security — across your clouds, in an easy to use console. You have alternatives as a security team, so why not use best-of-breed, trusted by cybersecurity operations teams, from a company who redefined ML/AI in this space and has protected its customers from even previously unknown threats like Sunburst?

So… is Microsoft really providing you with security products? Or did they just provide you half-baked products by bundling them together and giving you a “discount”?

Cybersecurity has no shortcuts.

--
Andrew