Falcon Horizon, CrowdStrike’s cloud security posture management solution, uses configuration and behavior policies to monitor public cloud deployments, proactively identify misconfigurations and suspicious behavior, and resolve potential security issues. However, clients are not limited to predefined policies. This article reviews the different options for creating custom cloud security posture management policies in Falcon Horizon.
The Falcon Horizon Dashboard illustrates an overview of recent findings across all registered cloud providers and accounts.
Those findings are based on policy settings. The “Policies” tab displays comprehensive options, categorized by provider and service, for monitoring cloud misconfigurations as well as malicious behavior. In this example from Amazon’s S3 service, there are multiple policy options for both categories. Falcon Horizon also provides the functionality to create custom policies tailored to best meet an organization’s needs.
Create a custom policy
From the “Policies” tab under “Cloud Security Posture”, there is an option to create a “New Custom Policy”.
A wizard will guide the creation of the new policy. The first step is to choose the applicable cloud provider.
A new name, description, and severity are then assigned to the policy. In the following example, this custom Azure Identity policy is of medium severity.
To create a new policy from scratch, the next step is to choose an asset type that corresponds to the cloud service. The following example shows an AD user asset type. (The option to select a reference policy will be covered under “Modify Existing Policies”.)
Once the asset type is selected, filters and conditions can be added. Adding rules based on any number of additional criteria, including specific accounts, groups, or tenants, makes the new policy more specific. Here’s a policy that looks for enabled accounts where the credentials aren’t registered for MFA, but the credential itself is enabled.
Modify existing policies
In many situations, it can be useful to start with an existing rule and make changes or additions. There are two different ways to approach that in the UI. From the list of policies, some policies include a “Clone” link. Cloning a policy will transfer all policy and compliance details, while allowing changes to the rule criteria.
Alternatively, selecting the “New Custom Policy” option will present options for the applicable cloud provider.
As with a blank policy, a custom policy name and severity are entered before selecting the appropriate cloud service. The next screen includes two main options. As shown above, selecting an asset type is the first step in creating a blank policy. In contrast, choosing to start with an existing reference policy will replicate that policy and its associated query logic (shown below for AWS EC2).
Once the cloned or reference policy has been selected, there are a number of options to make changes. Existing fields and operations can be edited. While the trash can icon provides the option to remove criteria, new criteria can also be added using any number of fields. In the following example, ports considered high risk can be added or removed. A rule for tag name has also been added so that this policy fires whenever systems with a tag NOT equal to “test” allow public entry to high-risk ports.
The “Test Custom Rule” option highlighted above provides a preview of how that rule will perform in your environment.
After saving custom policy filters, there are options to assign that policy to compliance controls. While the cloned policies will already include any enforcement associations, they can also be modified as needed.
Using a policy baseline or starting from scratch, the next step will present menu options for compliance. CrowdStrike’s built-in compliance frameworks can be selected, but there is also the option to “Add New Compliance.”
By completing just a few fields, policies can be associated with a custom benchmark or compliance frameworks that are not currently built into the platform.
Once the requirement has been saved, it will appear in the dropdown so that the version, section, and requirement can be mapped to the custom policy before saving.
After mapping compliance, the next step is to save the policy.
New policies will be listed under the “Policies” tab as custom policies. The buttons at the top rotate the screen between default and custom policies for each service.
With default and custom policies in place, assessments occur at regular, configurable intervals. Assessment results can be filtered to quickly home in on a specific severity, account, region, service, or type. A “custom” mark next to the policy name also helps identify custom policies.
As organizations continue to deploy mission-critical data and applications in the cloud, it’s critical that those resources are properly configured and protected. In addition to monitoring multi-cloud deployments for incorrect configurations and behaviors, Falcon Horizon enables customers to create custom policies that best meet their organizational and compliance needs.