A Multinational Retailer Combats Advanced Attacks with ExtraHop and CrowdStrike

The year 2020 was incredibly difficult for the retail industry. Seismic shifts in consumer behavior—not just how much they spent, but how and where they spent it—accelerated the already rapid shift toward online shopping and direct-to-consumer brands. But consumer spending wasn't the only challenge these organizations faced.

Like many industries, retail saw spikes in malicious cyber activity as cybercriminals sought to take advantage of the chaos of the pandemic. Phishing scams, email and account takeovers, and malware schemes all increased as both retailers and customers tried to adjust to a new normal.

For one ExtraHop customer—a large multinational retail brand—cybersecurity has always been a top priority. The company not only needs to protect its global customers' data, but also the intellectual property that has made the brand an icon for decades.

In 2020, the security team realized that it needed to once again up its game. A rapidly expanding online footprint, greater demand for direct-to-consumer sales, and a workforce that had suddenly been displaced into home offices combined to create an attack surface that was not only expanding, but changing shape.

As a customer of both CrowdStrike and ExtraHop, the retailer had endpoint detection and response (EDR) and network detection and response (NDR) deployed across its environment. Its SOC team wondered if there was a way to combine the power of the two solutions to gain even greater visibility and more nuanced insight into potentially malicious activity happening within that environment.

ExtraHop + CrowdStrike: Better Together

Every attack campaign has network and endpoint behavior components. Attackers often follow the pattern of compromising a single endpoint in their target network, then moving laterally, expanding their footprint by gaining access and compromising other internal endpoints, and eventually using that footprint to access and exfiltrate data.

CrowdStrike provides visibility into what an attacker has done on each endpoint, including which user accounts, credentials, programs, and processes the attacker used. ExtraHop can see inside the network traffic sent between the endpoints, providing visibility into the path an attacker took as they moved laterally across the network. That helps analysts confidently identify the scope and blast radius of any compromise, as well as which data has been transmitted, even if it was encrypted.

Working with ExtraHop experts, our customer's SOC team began deploying a series of integrations between ExtraHop Reveal(x) 360 and the CrowdStrike Falcon Platform.

Managing Every Device

The retailer started with visibility. Using dynamic device discovery within ExtraHop Reveal(x) 360, the security team was able to get real-time information about every device connected to the network, including whether that device was instrumented with CrowdStrike's Falcon agent. Through this integration, the retailer can quickly identify any unmanaged or shadow IT devices and deploy the CrowdStrike Falcon agent for detection and response on the endpoint.

Stopping Threats in their Tracks with Real-Time Response

Some attack tactics leave detectable signals on the network before they begin significantly impacting endpoints. These early signals can be vital for stopping an attack before it spreads out of control.

ExtraHop Reveal(x) 360 is the only NDR solution that can detect these early signals of previously unknown threat activity in real time at scale across hybrid environments. With Reveal(x) 360 and CrowdStrike Falcon working in tandem, the retailer gained the capability to have Falcon automatically quarantine endpoints that were being targeted by network attack tactics detected by Reveal(x) 360.

The integration offers fine-grained controls over which types of network threats result in autocontainment, delivering precision results based on high-fidelity data that minimizes business disruption and risk simultaneously.

Falcon Threat Graph Enables Integrated Forensics For When Seconds Matter

To investigate a sequence of attack behaviors, analysts often need to pull together data about the user activity and processes on the endpoint, as well as network telemetry and forensics. Lack of integration between endpoint and network security tools introduces friction and takes more time, leaving the attacker valuable minutes to expand their footprint.

CrowdStrike Falcon Threat Graph stores endpoint user activity and process data gathered from Falcon agents deployed throughout the customer environment. When Reveal(x) 360 detects a network threat, it pulls details from Falcon Threat Graph and correlates them with the relevant network behavior details. Analysts can view these correlated details in Reveal(x) 360, or the organization can choose to centralize the records in a SIEM platform to suit the needs of their own SOC. Reveal(x) 360 provides one-click access to the decrypted packets relevant to the incident for immediate forensic analysis if needed.

When Security Tools Work Together, Enterprises Win Against Cyber Attackers

As cyberattacks escalate in speed and sophistication, defenders need tools that help them stay ahead. When security solutions like ExtraHop Reveal(x) 360 and CrowdStrike Falcon integrate seamlessly to make the right data available at the right time to the right people, and even automate security tasks that once took manual intervention, security teams win.

To see how Reveal(x) detects threats in their early stages, explore our demo.
