CrowdStrike Spends to Boost Identity Threat Detection

Source: Artemis Diana via Alamy Stock Photo

CrowdStrike’s spending spree for security posture management capabilities continued with a deal to buy Adaptive Shield, an Israeli startup that specializes in securing organizations’ SaaS ecosystems and protecting against identity-based attacks.

Last week’s deal calls for CrowdStrike to pay cash and stock for Adaptive Shield; CrowdStrike expects to complete the transaction by the end of January 2025. Press reports estimate the value of the deal at around $300 million.

Founded in 2019, Adaptive Shield is one of many companies in the SaaS security posture management (SSPM) sector; others include AppOmni, DoControl, Obsidian, and Reco.

Adaptive Shield’s platform supports more than 150 SaaS applications including Adobe, Google Workspace, Microsoft 365, Salesforce, Slack, and Zoom. It monitors for misconfigurations and identity threats, and offers a no-code tool for custom SaaS applications called Integration Builder.

Competitive Impact?

Omdia senior principal analyst Rik Turner wonders whether the deal will prompt CrowdStrike’s competitors like Cisco, Palo Alto Networks, and Sentinal One to follow suit with their own deals. Overall, it’s been an active time for acquisitions of cloud and data security posture management (DSPM) startups, he noted.

Adaptive Shield is CrowdStrike’s third security posture management provider in the last 18 months. In October 2023, CrowdStrike bought Bionic, an early provider of application security posture management (ASPM), extending security risk visibility from code development to cloud deployment.

Earlier this year, CrowdStrike bought Flow Security, another DSPM cloud platform that protects data at rest and in motion. “In contrast, there has been no such buying frenzy with SSPMs. CrowdStrike’s acquisition of Adaptive Shield is the first deal of this kind, raising the question of whether it might start a trend among the purchaser’s competitors,” Turner note in a recent report.

CrowdStrike emphasizes that the addition of Adaptive Shield will boost the capability of its Falcon platform to protect organizations against identity-based attacks by adding SaaS applications to the mix.

Once integrated into Falcon, Adaptive Shield’s SSPM platform will give organizations visibility into misconfigurations, unnecessary or rogue privileges, and activities undertaken among accounts of on-premises and cloud identity providers as well as SaaS security applications. The addition “provides organizations with granular visibility into their growing cloud environments, enables them to manage and secure their SaaS security posture and their human and non-human identities, and helps them detect and prevent identity-centric, cloud-focused cyberattacks,” CrowdStrike president Michael Sentonas explained in a blog post.

CrowdStrike senior product manager for identity Ryan Terry buttressed that message at a company meeting last week in Amsterdam. “Our vision is to unify identity protection across the entire Falcon security platform that includes cloud security,” he said. “That will bring ISPM, CIEM, and ITDR together in an integrated way, in one single platform to help you address today’s modern identity challenges.”

Keying in on Identity

SaaS connectors will improve visibility into threat activity and precursors to identity-based attacks, says Forrester Research principal analyst Andras Cser. And he believes adding SSPM to CrowdStrike Falcon will fill a gap in the platform’s identity protection module.

“Identity-wise, CrowdStrike claims they have ITDR, but in reality, it’s mainly cloud infrastructure entitlement management, addressing how admins have access to policies that drive privileges on things like [AWS] S3 buckets and Azure Blobs and things like that,” Cser says. “It’s not true [identity and access management] in the sense of user account provisioning-deprovisioning, federation, token service, and all these other types of things.”

The Adaptive Shield SSPM and ITDR platform promises to provide a broad range of protection against such attacks by providing unified, hybrid identity management for SaaS-based apps and on-premises authentication, notably Microsoft’s Active Directory.

Adaptive Shield’s platform also continuously monitors generative AI-based SaaS applications for configuration shifts and enforces security standards and privileges. And it’s designed to prevent data exfiltration and discover unauthorized AI applications. “Beyond identities, it also provides visibility into misconfigurations and other risks affecting SaaS applications so organizations can better manage these issues and detect and respond to threats,” Sentonas added.

Identity-Based Attacks Continue to Mount

Vendor focus on identity isn’t happening in a vacuum. Threat actors such as Scattered Spider and Cozy Bear (also known as APT29 and Midnight Blizzard) have actively exploited identity through various techniques, including password spraying, phishing, stealing legitimate credentials, and exploiting misconfigurations.

After managing to get global administrator rights to MGM Resorts’ Azure instances last year, Scattered Spider was able to exfiltrate data and disrupt its operations. Earlier this year, Microsoft was among the victims of a password spray attack by Russia-based Midnight Blizzard, compromising its corporate email systems. Overall, CrowdStrike has claimed that 80% of breaches now have an identity component.

At the RSA Conference earlier in the year, Sentonas and CrowdStrike co-founder and CEO George Kurtz demonstrated how hackers exploit identity provider misconfigurations with phish-able authentication factors to gain access to highly privileged accounts. “They move laterally once they’re inside an organization to achieve their outcome,” Sentonas said.

More Identity Features in the Wings

Ross Penny, a principal technical strategist for CrowdStrike, said the company plans to roll out several tools to bolster CrowdStrike Falcon Identity by February 2025. Among recent and current deliverables include integration with AWS Identity Center, which reports on the “full picture” of risks associated with federated AWS accounts.

“If you’re only looking within AWS because it’s federated, you lack a lot of information about it,” Penny explained. “The fact that we know where that account lives and originates means you have a much wider variety of risk that you’re able to use to calculate those access decisions and detections.”

Penny said that CrowdStrike is also readying a policy management API that can be integrated into external workflows. CrowdStrike developed this API because many of its customers also use ServiceNow.

Early next year, CrowdStrike will extend integration with other identity providers, including Okta Universal Directory, Google Workspace, and AWS permission usage analysis. CrowdStrike also plans to add attack path detection across those multiple identity providers in 2025.

Don’t miss the upcoming free Dark Reading Virtual Event, “Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors,” Nov. 14 at 11 am ET. Don’t miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, Dr. Max Smeets from ETH Zurich, and Elvia Finalle from Omdia. Register now!

About the Author

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.