CrowdStrike Spends to Boost Identity Threat Detection

CrowdStrike's spending spree for security posture management capabilities continued with a deal to buy Adaptive Shield, an Israeli startup that specializes in securing organizations' software-as-a-service (SaaS) ecosystems and protecting against identity-based attacks.

Last week's deal calls for CrowdStrike to pay cash and stock for Adaptive Shield; CrowdStrike expects to complete the transaction by the end of January 2025. Press reports estimate the value of the deal at around $300 million.

Founded in 2019, Adaptive Shield is one of many companies in the SaaS security posture management (SSPM) sector. Others include AppOmni, DoControl, Obsidian, and Reco. 

Adaptive Shield's platform supports more than 150 SaaS applications, including Adobe, Google Workspace, Microsoft 365, Salesforce, Slack, and Zoom. It monitors for misconfigurations and identity threats and offers a no-code tool, called Integration Builder, for custom SaaS applications.

Competitive Impact?

Omdia senior principal analyst Rik Turner wonders whether the deal will prompt CrowdStrike's competitors, such as Cisco, Palo Alto Networks, and SentinelOne, to follow suit with their own deals. Overall, it has been an active time for the acquisitions of cloud and data security posture management (DSPM) startups, he notes. 

Adaptive Shield is CrowdStrike's third acquisition of a security posture management provider in the past 18 months. In October 2023, it bought Bionic, an early provider of application security posture management (ASPM), extending security risk visibility from code development to cloud deployment. And earlier this year, CrowdStrike bought Flow Security, another DSPM cloud platform that protects data at rest and in motion.

"In contrast, there has been no such buying frenzy with SSPMs. CrowdStrike's acquisition of Adaptive Shield is the first deal of this kind, raising the question of whether it might start a trend among the purchaser’s competitors," Turner noted in a recent report.

CrowdStrike emphasizes that the addition of Adaptive Shield will boost the capability of its Falcon platform to protect organizations against identity-based attacks by adding SaaS applications to the mix. 

Once integrated into Falcon, Adaptive Shield's SSPM platform will give organizations visibility into misconfigurations, unnecessary or rogue privileges, and activities undertaken among accounts of on-premises and cloud identity providers, as well as SaaS security applications. The addition "provides organizations with granular visibility into their growing cloud environments, enables them to manage and secure their SaaS security posture and their human and non-human identities, and helps them detect and prevent identity-centric, cloud-focused cyberattacks," CrowdStrike president Michael Sentonas explained in a blog post.

Ryan Terry, CrowdStrike's senior product manager for identity, buttressed that message at a company meeting last week in Amsterdam.

"Our vision is to unify identity protection across the entire Falcon security platform that includes cloud security," he said. "That will bring ISMG [identity security posture management], CIEM [cloud infrastructure entitlement management], and ITDR [identity threat detection and response] together in an integrated way, in one single platform to help you address today's modern identity challenges."

Keying In on Identity

SaaS connectors will improve visibility into threat activity and precursors to identity-based attacks, says Forrester Research principal analyst Andras Cser. Adding SSPM to CrowdStrike Falcon will fill a gap in the platform's identity protection module, he says.

"Identity-wise, CrowdStrike claims they have ITDR, but in reality, it's mainly cloud infrastructure entitlement management, addressing how admins have access to policies that drive privileges on things like [AWS] S3 buckets and Azure Blobs and things like that," Cser says. "It's not true [identity and access management] in the sense of user account provisioning/deprovisioning, federation, token service, and all these other types of things."

The Adaptive Shield SSPM and ITDR platform promises to provide a broad range of protection against such attacks by providing unified, hybrid identity management for SaaS-based apps and on-premises authentication, notably Microsoft's Active Directory.

Adaptive Shield's platform also continuously monitors generative AI-based SaaS applications for configuration shifts and enforces security standards and privileges. It's also designed to prevent data exfiltration and discover unauthorized AI applications.

"Beyond identities, it also provides visibility into misconfigurations and other risks affecting SaaS applications, so organizations can better manage these issues and detect and respond to threats," Sentonas explained.

Identity-Based Attacks Continue to Mount

Vendor focus on identity isn't happening in a vacuum. Threat actors have actively exploited identity through various techniques, including password spraying, phishing, stealing legitimate credentials, and exploiting misconfigurations. For example, after managing to get global administrator rights to MGM Resorts' Azure instances last year, Scattered Spider was able to exfiltrate data and disrupt its operations. Earlier this year, Microsoft was among the victims of a password spray attack by Russia-based Midnight Blizzard (also known as Cozy Bear and APT29), compromising its corporate email systems. Overall, CrowdStrike says that 80% of breaches now have an identity component.  

At the RSA Conference earlier in the year, Sentonas and CrowdStrike co-founder and CEO George Kurtz demonstrated how hackers exploit identity provider misconfigurations with phishable authentication factors to gain access to highly privileged accounts.

"They move laterally once they're inside an organization to achieve their outcome," Sentonas said.

More Identity Features in the Wings

Ross Penny, a principal technical strategist for CrowdStrike, said the company plans to roll out several tools to bolster CrowdStrike Falcon Identity by February. Among recent and current deliverables include integration with AWS Identity Center, which reports on the "full picture" of risks associated with federated AWS accounts. 

"If you're only looking within AWS because it's federated, you lack a lot of information about it," Penny explained. "The fact that we know where that account lives and originates means you have a much wider variety of risk that you're able to use to calculate those access decisions and detections."

CrowdStrike is also readying a policy management API that can be integrated into external workflows, Penny said. CrowdStrike developed this API because many of its customers also use ServiceNow.

Early next year, CrowdStrike will extend integration with other identity providers, including Okta Universal Directory, Google Workspace, and AWS permission usage analysis. CrowdStrike also plans to add attack path detection across those multiple identity providers in 2025.

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 am ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, Dr. Max Smeets from ETH Zurich, and Elvia Finalle from Omdia. Register now!