CrowdStrike Cloud Security
15 Questions

Questions and Answers

An organization wants to ensure continuous monitoring of their cloud infrastructure, identify misconfigurations, and receive guided remediation steps. Which CrowdStrike cloud security product should they prioritize implementing?

  • Application Security Posture Management (ASPM)
  • Cloud Workload Protection (CWP)
  • Cloud Security Posture Management (CSPM) (correct)
  • Data Security Posture Management (DSPM)

A security team needs to rapidly deploy Falcon sensors across a large number of AWS EC2 instances without manual intervention. What is the MOST efficient method to achieve this?

  • Leveraging a third-party deployment tool.
  • Utilizing one-click sensor deployment. (correct)
  • Using a custom script to automate the installation process.
  • Manually installing the Falcon sensor on each instance.

An administrator needs to enforce security policies at runtime for a Kubernetes cluster, ensuring that only compliant workloads are admitted. Which Falcon component should they configure for this purpose?

  • Falcon Kubernetes Admission Controller (KAC) (correct)
  • Falcon Cloud Security Posture Management (CSPM)
  • Falcon Data Security Posture Management (DSPM)
  • Falcon Cloud Workload Protection (CWP)

An organization aims to minimize noisy alerts and focus security efforts on relevant cloud resources. Which strategy aligns with this goal?

  • Organizing cloud resources into cloud groups and assigning responsibility. (D) (correct)

A security engineer wants to temporarily bypass a security policy for a specific container image while a fix is being deployed. Which Falcon console steps should they follow?

  • Falcon Console → Cloud Security > Policies > Image Assessment Exclusions > Create Exclusion (B) (correct)

After setting up CrowdStrike Falcon for a cloud environment, the snapshot feature is not working. What should the administrator do FIRST?

  • Refer to Troubleshooting Snapshot and Enable Snapshot Management documentation. (A) (correct)

What is the MOST LIKELY reason for an 'Inactive' or 'Partially Active' Identity Protection Status (orange circle) in CrowdStrike Falcon?

  • Falcon Identity Protection has not been enabled. (D) (correct)

An organization wants to ensure their cloud environment complies with CIS benchmarks. Which CrowdStrike Falcon capability directly supports this?

  • Ensuring compliance with security frameworks using CSPM policies. (D) (correct)

When configuring an image assessment policy, what is the MOST effective approach to minimize false positives while ensuring secure container images in a CI/CD pipeline?

  • Applying policy to images based on repository and tags. (A) (correct)

An organization wants to prevent misconfigurations and block high-risk workloads in their Kubernetes deployments. Which Kubernetes Admission Controller (KAC) policy configuration is MOST effective?

  • Applying the policy to specific namespaces, enabling IOM rules, and setting the failure policy to 'Fail'. (D) (correct)

An organization aims to detect and prevent suspicious activity in running containers with minimal performance impact. Which runtime sensor policy configuration meets this goal?

  • Deploying the Falcon Kubernetes Protection Agent and enabling IOA detection for privilege escalation attempts. (B) (correct)

For scanning container images before release in a CI/CD pipeline, which image assessment method is MOST appropriate?

  • Pre-Deployment Image Assessment (D) (correct)

What is the MOST reliable method to detect rogue containers and drift in a Kubernetes environment?

  • Identifying Indicators of Attack (IOAs) (D) (correct)

A security analyst discovers numerous misconfiguration alerts (IOMs) in CrowdStrike Falcon. What should be the analyst's NEXT step?

  • Check misconfiguration alerts (IOMs) in Cloud Security Posture settings. (C) (correct)

What is the PRIMARY benefit of automating IAM policy corrections using CrowdStrike Falcon Fusion SOAR workflows?

  • Ensuring consistent and rapid remediation based on security posture findings. (C) (correct)

Flashcards

Cloud Security Posture Management (CSPM)

Continuously monitors cloud infrastructure for misconfigurations, compliance violations, and security risks, providing guided remediation.

Cloud Workload Protection (CWP)

Secures cloud workloads, including containers and Kubernetes, at pre-runtime and runtime, ensuring image integrity and preventing attacks.

One-click sensor deployment

Simplifies and accelerates Falcon sensor installation on AWS EC2 instances, enabling easy deployment of security agents without manual intervention.

Falcon Kubernetes Admission Controller (KAC)

Acts as a gatekeeper for Kubernetes clusters, enforcing security policies at runtime.

Cloud Groups - Reduce Noise

Filters findings based on attributes (e.g., cloud provider, account ID, images).

Cloud Groups - Assign Responsibility

Limits access to relevant assets, ensuring teams focus on their designated areas.

Cloud Security Scan Exclusion Settings

Allows findings/images to bypass security policies temporarily/permanently.

Securing Container Images in a CI/CD Pipeline

Ensures only secure container images are deployed while minimizing false positives in a CI/CD pipeline.

Kubernetes Admission Controller (KAC) Policy Configuration

Prevents misconfigurations, enforces image assessment, and blocks high-risk workloads in Kubernetes deployments.

Runtime Sensor Policy Configuration

Detects and prevents suspicious activity in running containers while minimizing performance impact.

Pre-Deployment Image Assessment

Scans for vulnerabilities before release in a CI/CD pipeline.

Runtime Image Assessment

Scans for vulnerabilities in running containers.

View Image Reports

Identifies software and detected vulnerabilities.

Misconfigurations (IOMs) Remediation

Apply recommended fixes in Falcon CSPM.

CrowdStrike Falcon Fusion SOAR Workflows

Automates response actions (e.g., notify teams, trigger remediation).

Study Notes

  • CrowdStrike Cloud Security provides comprehensive protection for cloud-native environments

Falcon Cloud Security Key Components:

  • Cloud Security Posture Management (CSPM) continuously monitors cloud infrastructure for misconfigurations, compliance violations, and security risks and offers remediation guidance
  • Cloud Workload Protection (CWP) secures cloud workloads, including containers and Kubernetes, at both pre-runtime and runtime, while ensuring image integrity and detecting threats
  • Other components include Application Security Posture Management (ASPM), Data Security Posture Management (DSPM), and Infrastructure as Code (IaC) Security
  • ASPM, DSPM, and IaC Security enforce security policies and ensure infrastructure configurations follow security best practices

One-Click Sensor Deployment:

  • Simplifies and accelerates Falcon sensor installation on AWS EC2 instances
  • Provides an easy way to deploy security agents without manual intervention
  • Ensures continuous protection of cloud workloads
  • Requires CloudFormation and/or Ansible (manual)

Falcon Kubernetes Admission Controller (KAC):

  • Functions as a gatekeeper for Kubernetes clusters
  • Enforces security policies at runtime
  • Provides visibility by monitoring and discovering Kubernetes objects in the cluster
  • Detects misconfigurations by identifying and alerting on Kubernetes Indicators of Misconfiguration (IOMs)
  • Implements Policy Enforcement by blocking or alerting based on pre-defined security policies
  • Facilitates Image Assessment by evaluating container images before they run (KAC v7.14+ required)
  • Enables Event Streaming by sending cluster events to CrowdStrike Falcon for centralized monitoring

KAC Use Requirements:

  • Subscriptions to Falcon Cloud Security with Containers and/or Falcon Managed Containers are required
  • Default roles needed are Falcon Administrator, Cloud Security Manager, and Kubernetes and Containers Manager
  • Supports Kubernetes platforms like Amazon EKS, Google GKE, Microsoft AKS, and Red Hat OpenShift 4.6+
  • Deployment needs Helm 3.x installed, a Kubernetes cluster supporting Helm 3.x, an x86_64 Kubernetes cluster, and cluster admin privileges for Helm deployment

Cloud Account Registration:

  • Determine the most efficient and secure registration method for your cloud environment based on the use case
  • Falcon Administrator Role: required with full access to all cloud security settings and configurations
  • Cloud Security Manager Role: required to manage cloud security settings, monitor security posture, and take remediation actions
  • Sensor Deployment Role (for One-Click Sensor Deployment): requires AWS Systems Manager (SSM) integration to install Falcon sensors
  • Kubernetes and Containers Manager Role: manages Kubernetes Admission Controller and container security policies

Cloud Groups Organization:

  • Reduce noise: filter findings based on attributes like cloud provider, account ID, and images
  • Assign responsibility: limit each group's access to its relevant assets so teams focus on their designated areas

Configuring Cloud Security Scan Exclusion Settings:

  • Exclusions allow certain findings or images to bypass security policies temporarily or permanently

Steps to Configure Image Assessment Policy Exclusions include:

  • Navigate: Falcon Console → Cloud Security > Policies > Image Assessment Exclusions
  • Click "Create Exclusion"
  • Choose Exclusion Type: Image name, Vulnerability ID
  • Set Exclusion Duration: Permanent or Limited Time
  • (Optional) Add a Description for auditing/tracking
  • Click "Create Exclusion"

Troubleshooting Cloud Account Registration Issues:

  • For general registration issues in Azure, consult Troubleshooting and Maintenance for Azure Accounts
  • Verify IAM Permissions to ensure AWS or Azure IAM roles are correct
  • Confirm API Access with the CrowdStrike API client needing the necessary scopes

Snapshot Issues:

  • If Snapshot is not working after registration, consult Troubleshooting Snapshot and Enable Snapshot Management

Identity Protection Issues:

  • If Identity Protection Status is "Inactive" or "Partially Active" (orange circle), click the status in the cloud account list for troubleshooting
  • Verify that Falcon Identity Protection is enabled
  • To enable post-registration: Go to Cloud Security > Settings > Account Registration > AWS tab and click "Set up"

DSPM Issues:

  • Check Troubleshoot DSPM in the Falcon Console if facing Data Security Posture Management (DSPM) issues
  • For persistent issues, review cloud provider logs and CrowdStrike support documentation

Configuring CSPM Policies in CrowdStrike Falcon:

  • Use CSPM policies to ensure compliance, detect misconfigurations, and customize security posture

Steps to set up CSPM Policies:

  • To access CSPM Policies, navigate in Falcon Console to Cloud Security > Policies > Cloud Security Posture
  • To configure default policies, click Default Policies, select a cloud provider tab, choose a policy, and click Open Menu > Configure Policy
  • Adjust settings (severity levels)
  • To create custom policies, click Custom Policies → Create Policy. Define Cloud Provider, Asset Type, and Unique Rules
  • Policies are automatically enabled and enforced after saving

CSPM Findings Review:

  • Go to Indicators of Misconfiguration (IOMs) to view alerts
  • Investigate policy violations and apply remediation actions
  • Ensures continuous cloud security monitoring and compliance enforcement

Securing Container Images in a CI/CD Pipeline:

  • Goal: deploy only secure container images, minimizing false positives
  • Define Image Group: Apply to images based on attributes
  • Repository: Assess images in critical repositories (prod-registry vs. dev-registry)
  • Tags: Prioritize latest or stable tags over experimental versions

Set Rules:

  • Block Deployment if critical vulnerabilities (CVSS 9.0+) are detected or the image is from an untrusted registry

Alert if:

  • Medium/High vulnerabilities with no known exploits exist; strict policies take precedence over general rules

Exclusions:

  • Exclude specific Vulnerability IDs for a limited period if a vendor fix is pending (temporary vulnerability exclusion)
  • Exclude trusted internal images that do not change frequently (image-based exclusion)
  • Exclude non-production registries to focus on production security (registry-based exclusion)

Securing Kubernetes Deployments Against Misconfigurations and Vulnerable Images:

  • Goal: Prevent misconfigurations, enforce image assessment, and block high-risk workloads
  • Scope: Apply the policy to specific namespaces (production only), objects with critical labels, and all pods/services

Configure Default Rule Group:

  • Enable IOM Rules to block workloads running as root, containers without resource limits, and containers running in privileged mode

Enable Image Assessment Policy:

  • Trigger assessment before deployment using CrowdStrike's image scanning; block images with critical vulnerabilities or from untrusted/unsigned registries
  • Set Failure Policy to Fail (block the request) over passive logging

Admission Action:

  • Block risky deployments based on IOM findings and set alert-only mode for less critical misconfigurations

Protecting Kubernetes Workloads from Runtime Threats:

  • Goal: Prevent suspicious activity in running containers, minimizing performance impact
  • Enable Falcon Sensor for Linux (DaemonSet Mode)
  • Deploy the Falcon Kubernetes Protection Agent to monitor workloads and ensure version 7.10+ for containerd or 7.04+ for Docker

Configure Threat Detection Policies:

  • Enable IOA Detection for privilege escalation attempts, lateral movement activity, and unauthorized network connections
  • Enable IOM Detection to detect insecure Kubernetes settings
  • Set response actions: Block Execution, Prevent Process Injection, Terminate Container if risks are detected

Tuning Policies:

  • Apply stricter rules to production and disable unnecessary detections in development

Registry Settings:

  • In Falcon Console > Cloud Security > Image Assessment > Registry Settings

Actions include:

  • Adding a URL, credentials, and preferences when adding a registry
  • Modifying severity levels and exclusions when editing settings
  • Removing unwanted configs when deleting a registry

Recommend an Image Assessment Method:

  • Pre-Deployment for CI/CD Pipeline Security to scan before release
  • Runtime for Production Environment to assess running containers
  • Require Signed Images and Malware Scanning before execution in High-Security Workloads
  • Enable continuous external registry assessment on Third-Party Registries

Image Assessment Reports:

  • Use image assessment reports in the Falcon Console to find and address malware presence, high-severity CVEs, leaked secrets, and Dockerfile misconfigurations

Identifying Vulnerabilities and Installed Packages:

  • Use Image Reports and Vulnerability Database Mapping; export the data for external tracking
  • Falcon Container Sensor is best in restrictive environments
  • Falcon Sensor for Linux is meant for broader, container runtime monitoring
  • Falcon Kubernetes Admission Controller blocks pre-runtime risky deployments

Troubleshooting Kubernetes and Container Sensor Deployment Issues:

  • Verify sensor compatibility with runtime (Docker, containerd, CRI-O)
  • Check Falcon sensor logs, confirm IAM permissions, and ensure proper Kubernetes roles
  • Access detections via Falcon Console to troubleshoot

IOM Detection:

  • Ensure that IOM is enabled and that containers are not running as root in Kubernetes settings

To find images running in containers:

  • Access Console > Cloud Security > Detections
  • Use continuous scans to catch undeclared images

Identify Indicators of Attack (IOAs), Rogue Containers, and Drift:

  • Watch for privilege escalations and unusual traffic patterns
  • Unauthorized workloads may also be running, which could indicate unauthorized processes

Examine IOMs and Vulnerabilities:

  • Check alerts, look for risks and prioritize findings that could lead to a breach

Review persistence detections to identify persistent, unauthorized programs.

Description

CrowdStrike Cloud Security provides comprehensive protection with components like CSPM and CWP for monitoring cloud infrastructure, securing workloads, and ensuring compliance. It supports one-click sensor deployment, simplifying Falcon sensor installation on AWS EC2 instances. It helps enforce security policies and ensures infrastructure configurations follow security best practices.
