A Multinational Retailer Combats Advanced Attacks with ExtraHop and CrowdStrike

Over the past three years, retail has seen a seismic shift in consumer behavior. Driven by rising prices, ongoing supply chain disruption, and digital transformation, consumers have changed how they spend their money and where they spend it, with more and more transactions moving to digital channels.

At the same time, both retailers and consumers have seen a dramatic uptick in cyberattacks, including phishing, ransomware and account takeovers.

For one ExtraHop customer—a large multinational retail brand—cybersecurity has always been a top priority. The company not only needs to protect its global customers' data, but also the intellectual property that has made the brand an icon for decades.

Notably, the retailer had endpoint detection and response (EDR) from CrowdStrike and network detection and response (NDR) from ExtraHop deployed across its environment. The retailer’s SOC team wondered if there was a way to combine the power of these two industry-leading solutions to give them even greater visibility and more nuanced insight into malicious activity happening in their environment.

ExtraHop + CrowdStrike: Better Together

Every attack campaign has network and endpoint behavior components. Attackers often follow the pattern of compromising a single endpoint in their target network, then moving laterally, expanding their footprint by gaining access and compromising other internal endpoints, and eventually using that footprint to access and exfiltrate data.

CrowdStrike provides visibility into what an attacker has done on each endpoint, including which user accounts, credentials, programs, and processes the attacker used. ExtraHop can see inside the network traffic sent between the endpoints, providing visibility into the path an attacker took as they moved laterally across the network. This network visibility helps security teams confidently identify the scope and blast radius of any compromise, as well as which data has been transmitted, even if it was encrypted.

Working with ExtraHop, the retailer's SOC team began deploying a series of integrations between ExtraHop Reveal(x) 360 and the CrowdStrike Falcon Platform.

Managing Every Device

The retailer started with visibility. Using dynamic device discovery within ExtraHop Reveal(x) 360, the security team was able to get real-time information about every device connected to the network, including whether that device was instrumented with the CrowdStrike Falcon agent. This integration allows the retailer to quickly identify any unmanaged or shadow IT devices and deploy the Falcon agent for detection and response on the endpoint.

Stopping Threats in their Tracks with Real-Time Response

Some attack tactics leave detectable signals on the network before they begin significantly impacting endpoints. These early signals can be vital for stopping an attack before it spreads.

ExtraHop Reveal(x) 360 is the only NDR solution that can detect these early signals of previously unknown threat activity in real time and at scale across hybrid environments. With Reveal(x) 360 and CrowdStrike Falcon working in tandem, the retailer gained the capability to have Falcon automatically quarantine endpoints that were being targeted by network attack tactics detected by Reveal(x) 360.

The integration offers fine-grained controls over which types of network threats lead to auto-containment, delivering precision results based on high-fidelity data that minimizes both business disruption and risk.​​​​​​

Falcon Threat Graph Enables Integrated Forensics When Seconds Matter

To investigate a sequence of attack behaviors, analysts often need to pull together data about the user activity and processes on the endpoint, as well as network telemetry and forensics. A lack of integration between endpoint and network security tools introduces friction and adds manual effort, giving attackers more time to expand their footprint.

The CrowdStrike Falcon Threat Graph stores endpoint user activity and process data gathered from Falcon agents deployed throughout the customer environment. When Reveal(x) 360 detects a network threat, it pulls details from Falcon Threat Graph and correlates them with the relevant network behavior details. Analysts can view these correlated details in Reveal(x) 360, or the organization can choose to centralize the records in a SIEM platform to suit the needs of their own SOC. Reveal(x) 360 provides one-click access to the decrypted packets relevant to the incident for immediate forensic analysis if needed.

When Security Tools Work Together, Enterprises Win Against Cyber Attackers

As cyberattacks escalate in speed and sophistication, defenders need tools that help them stay ahead. When security solutions like ExtraHop Reveal(x) 360 and CrowdStrike Falcon integrate seamlessly to make the right data available at the right time to the right people, and even automate security tasks that once took manual intervention, security teams reverse the adversary advantage.

Watch our webinar to see how Reveal(x) detects threats in their early stages.