Improving EDR Management for Large, Complex Networks

By Don Imfeld, EDR Operations Lead Engineer and Rob Rosenlund, Security Engineering Manager

Renae Kang
Adobe Tech Blog

--

While adversaries use an array of tactics to infiltrate networks, one of their favorite marks is endpoint systems, such as laptops, smartphones, tablets, and other portable devices. These endpoints are juicy targets because users often store sensitive data on them, and they make excellent avenues for phishing, privilege escalation, malware, ransomware, and network attacks.

To help secure these endpoints and detect threats before they become a problem, Adobe deploys CrowdStrike Falcon EDR (Endpoint Detection and Response) agents on every company-managed endpoint. While the CrowdStrike solution has improved Adobe’s ability to detect and respond to endpoint threats in a timely manner, our EDR operations team identified several areas where additional tooling would provide even more value for a company of Adobe’s size and network complexity.

Using the CrowdStrike FalconPy SDK, the team created 33 unique add-ons to better match our internal processes and improve the scalability of the solution. In this blog, we’ll describe two of these add-ons that we are making available as open source to the CrowdStrike community to help scale the solution for other larger organizations.

Automating Change Management

When Adobe updates any system or software in our enterprise network, we engage in our well-defined change management process. Updating CrowdStrike sensors is no different. However, the CrowdStrike solution does not include the ability to automatically schedule sensor updates out of the box. Instead, it supports automatic updates — which could happen at any time, similar to turning on the “auto-update” feature for your laptop’s operating system — and manual updating is a non-starter for a network as large as Adobe’s.

To align CrowdStrike sensor updates with Adobe’s change management process, we created a custom scheduler that enables us to pre-define our change windows. The scheduler chooses the sensor version to deploy a week before the change window, notifies the teams of the version selected, and performs the change during the prescribed change window. Automating this process saves Adobe several hours each month by eliminating the manual process of choosing a sensor version and updating the policies.
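The scheduling logic described above (pre-defined window, version chosen one week ahead, notification, change applied only inside the window), as an added illustrative example rather than Adobe's released add-on. It is written against a small abstract `SensorClient` interface so it runs offline; that interface, the build records, the 14-day "soak" rule for choosing a version and all sample data are assumptions, not FalconPy's actual API.

```python
"""Change-window scheduler for EDR sensor updates (added example, not Adobe's code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Protocol

UTC = timezone.utc
SELECTION_LEAD = timedelta(days=7)  # pick the version one week before the window opens


@dataclass(frozen=True)
class Build:
    version: str        # constructed version strings below, not real release data
    released: datetime
    platform: str


@dataclass(frozen=True)
class ChangeWindow:
    start: datetime
    end: datetime
    platform: str


class SensorClient(Protocol):
    """Assumed interface; a real implementation would wrap the vendor SDK."""
    def list_builds(self, platform: str) -> list[Build]: ...
    def set_policy_version(self, platform: str, version: str) -> None: ...
    def notify(self, message: str) -> None: ...


def choose_version(builds: list[Build], min_age: timedelta, now: datetime) -> str:
    """Newest build that has been public for at least `min_age` (assumed soak rule)."""
    eligible = [b for b in builds if now - b.released >= min_age]
    if not eligible:
        raise ValueError("no build has soaked long enough")
    return max(eligible, key=lambda b: b.released).version


@dataclass
class Scheduler:
    client: SensorClient
    window: ChangeWindow
    soak: timedelta = timedelta(days=14)
    selected: Optional[str] = None
    applied: bool = False

    def tick(self, now: datetime) -> str:
        """One scheduler pass (e.g. from cron); returns the action taken for the audit log."""
        if self.applied:
            return "done"
        if now >= self.window.end:
            return "missed-window"  # never push a change outside the approved window
        if self.selected is None:
            if now < self.window.start - SELECTION_LEAD:
                return "waiting"
            builds = self.client.list_builds(self.window.platform)
            self.selected = choose_version(builds, self.soak, now)
            self.client.notify(
                f"{self.window.platform}: sensor {self.selected} scheduled for "
                f"{self.window.start:%Y-%m-%d %H:%M} UTC"
            )
            return f"selected {self.selected}"
        if now < self.window.start:
            return "waiting"
        self.client.set_policy_version(self.window.platform, self.selected)
        self.applied = True
        return f"applied {self.selected}"


class FakeClient:
    """In-memory stand-in for the vendor API, used so the example runs offline."""
    def __init__(self, builds: list[Build]) -> None:
        self.builds = builds
        self.policy: dict[str, str] = {}
        self.messages: list[str] = []

    def list_builds(self, platform: str) -> list[Build]:
        return [b for b in self.builds if b.platform == platform]

    def set_policy_version(self, platform: str, version: str) -> None:
        self.policy[platform] = version

    def notify(self, message: str) -> None:
        self.messages.append(message)


def demo() -> tuple[list[str], FakeClient]:
    """Walk one window with constructed builds; returns the action trace and client state."""
    window = ChangeWindow(datetime(2024, 3, 16, 2, tzinfo=UTC),
                          datetime(2024, 3, 16, 6, tzinfo=UTC), "linux")
    builds = [  # constructed sample data
        Build("7.10.17001", datetime(2024, 1, 20, tzinfo=UTC), "linux"),
        Build("7.11.17201", datetime(2024, 2, 18, tzinfo=UTC), "linux"),
        Build("7.12.17402", datetime(2024, 3, 5, tzinfo=UTC), "linux"),  # too fresh when chosen
        Build("7.12.17402", datetime(2024, 3, 5, tzinfo=UTC), "windows"),
    ]
    client = FakeClient(builds)
    sched = Scheduler(client, window)
    trace = [sched.tick(t) for t in (
        datetime(2024, 3, 1, 9, tzinfo=UTC),    # more than a week out
        datetime(2024, 3, 9, 9, tzinfo=UTC),    # one week before: choose and notify
        datetime(2024, 3, 12, 9, tzinfo=UTC),   # chosen, window not yet open
        datetime(2024, 3, 16, 3, tzinfo=UTC),   # inside window: apply
        datetime(2024, 3, 16, 4, tzinfo=UTC),   # already applied
    )]
    return trace, client


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Separating "choose" from "apply" is what makes the change reviewable: the notification goes out with a week of lead time, and a pass that runs after the window has closed refuses to apply rather than silently updating at an unapproved time.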

Checking Status of the Falcon Sensor

Adobe conducts periodic “health checks” to determine if the CrowdStrike Falcon agent is operating properly. These checks often require coordination with other teams in the company, slowing down the process, causing bottlenecks, and potentially leaving systems unprotected.

To streamline and automate this process, our EDR operations team built a SlackBot that lets teams query the status of the EDR agent on any given host themselves, without waiting on another team. The custom SlackBot has saved more than 1,000 person-hours of work by enabling teams to check their hosts’ status themselves and an additional 300 person-hours by giving users direct feedback on how to fix issues.
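The core of such a self-service check, as an added example that is not Adobe's SlackBot or FalconPy code: parse a `status <hostname>` chat command, validate the hostname before it reaches any API query, look up the sensor record, and turn the raw fields into a verdict with concrete remediation hints. The host records, thresholds, version format and remediation text are constructed assumptions; a real bot would fetch the record from the EDR vendor's hosts API and post the reply back to the channel.

```python
"""Self-service sensor health check behind a chat command (added example, not Adobe's code)."""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
NOW = datetime(2024, 3, 16, 9, tzinfo=UTC)   # fixed "current time" for the sample data
STALE_AFTER = timedelta(days=7)              # assumed: silent this long means not reporting
TARGET_VERSION = "7.11.17201"                # constructed: version the current policy expects
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

# Constructed stand-in for what a hosts lookup would return, keyed by hostname.
INVENTORY = {
    "lab-web-01":   {"agent_version": "7.11.17201", "last_seen": "2024-03-16T08:55:00Z", "rfm": False},
    "lab-db-02":    {"agent_version": "7.09.16800", "last_seen": "2024-03-01T11:20:00Z", "rfm": False},
    "lab-build-03": {"agent_version": "7.11.17201", "last_seen": "2024-03-16T08:10:00Z", "rfm": True},
}


def parse_version(v: str) -> tuple[int, ...]:
    """'7.11.17201' -> (7, 11, 17201) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def evaluate(record: dict | None, now: datetime, target: str = TARGET_VERSION) -> dict:
    """Turn one sensor record into a status plus remediation hints the host owner can act on."""
    if record is None:
        return {"status": "no-sensor",
                "findings": ["No sensor record: install the sensor, or check whether the "
                             "host reports under a different name."]}
    findings: list[str] = []
    last_seen = datetime.fromisoformat(record["last_seen"].replace("Z", "+00:00"))
    if now - last_seen > STALE_AFTER:
        findings.append(f"Last check-in {(now - last_seen).days} days ago: confirm the host is "
                        "online, the sensor service is running and it can reach the cloud.")
    if parse_version(record["agent_version"]) < parse_version(target):
        findings.append(f"Sensor {record['agent_version']} is behind policy target {target}: "
                        "check the host is assigned to the intended update policy.")
    if record.get("rfm"):
        findings.append("Sensor is in reduced functionality mode: the running kernel is not "
                        "supported by this sensor build; update the sensor or the kernel.")
    return {"status": "healthy" if not findings else "attention", "findings": findings}


def handle_command(text: str, now: datetime = NOW, inventory: dict = INVENTORY) -> dict:
    """Handle the slash-command text `status <hostname>` and return a structured reply."""
    parts = text.strip().split()
    if len(parts) != 2 or parts[0].lower() != "status":
        return {"error": "usage: status <hostname>"}
    host = parts[1].lower()
    if not HOSTNAME_RE.match(host):
        return {"error": "invalid hostname"}  # reject before anything touches an API
    result = evaluate(inventory.get(host), now)
    result["host"] = host
    return result


def format_reply(result: dict) -> str:
    """Render the structured result as the message a bot would post."""
    if "error" in result:
        return result["error"]
    lines = [f"{result['host']}: {result['status']}"]
    lines += [f"  - {f}" for f in result["findings"]]
    return "\n".join(lines)


if __name__ == "__main__":
    for cmd in ("status lab-web-01", "status lab-db-02", "status lab-build-03",
                "status nope-99", "status ../etc"):
        print(format_reply(handle_command(cmd)))
```

Returning a structured result and rendering it separately keeps the health rules testable without a chat client, and the remediation text is what turns a status lookup into the "how to fix it" feedback the post credits with the extra savings.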

While we built these custom add-ons to solve specific problems at Adobe, we know we are not alone. That’s why we are making these, along with a handful of other custom add-ons developed by Adobe, available as open-source code for anyone to deploy. We hope that others in the security community will find value in these tools and that they will increase their EDR capabilities and overall productivity.

If you’re interested in implementing these additions in your CrowdStrike deployment, please visit the CrowdStrike GitHub repo to get started.

What’s on Your Mind? We Want to Hear from You!

Your opinion matters to us. Help shape the future of our blog by sharing your ideas and preferences. Click the link below to take a quick survey and tell us what you’d like to read about next.

> Take the Security@Adobe Tech Blog Survey
