Use case demo for the Zscaler and CrowdStrike integration

Captions
In this video we will show you two sample integration use cases for Zscaler and CrowdStrike. In the first demo we will show posture-driven conditional access, and in the second we will show zero-day malware detection and response.

In this demo we will look at how Zscaler Private Access and CrowdStrike work together to implement zero trust access control based on the real-time security posture of the endpoint device. In this use case a user tries to access internal applications located either on-prem or in a cloud. Zscaler Private Access is implemented to verify the compliance status of the user device, and an access rule is configured where access to these selected applications is denied unless the CrowdStrike sensor is running on the endpoint.

First, from the ZPA portal, let's take a look at the access policy by clicking the Administration tab and selecting Access Policy under Policy Management. As you can see here, ZPA will block attempts to internal applications unless the CrowdStrike agent is running on the endpoint host. So now let's define what exactly internal apps are: click the Administration tab and select Application Segments under Application Management. In this case any domain ending in BD dev com is considered an internal app.

Let's switch over to the client PC and confirm the app status. First we'll open up the Zscaler app and check that both Private Access and Internet Security are running. Now let's try accessing an internal app by opening up the internet browser and typing sales BD dev com. As you can see, since CrowdStrike isn't running, the posture check does not pass and access is denied. A custom notification can be configured to inform the end user about the reasoning for this block. Back on the Zscaler Private Access console, in the Diagnostics section, check for the relevant log to see this denied attempt.

Finally, let's install the CrowdStrike agent on the client PC and retry accessing the internal app. Since the CrowdStrike agent is successfully installed and running, the posture check passes and access to the internal applications is now granted. Once again you can check the relevant log in the ZPA UI.

In this demo we'll take a look at how Zscaler Cloud Sandbox works in tandem with CrowdStrike to enhance your organization's security posture. In this use case, through our API integration, the threat detected by Zscaler Sandbox can be correlated with CrowdStrike telemetry data automatically to pinpoint the infected endpoints in your environment. Zscaler can also trigger a containment response to the CrowdStrike platform.

From the client PC we try to download an executable. Since Zscaler is always sitting inline enforcing all security policies configured by the customer, Zscaler checks against its security engines to determine whether the executable is benign or malicious. In this case Zscaler's security engines cannot glean enough information to make that determination, so we detonate this file in a sandboxed environment and observe the actions it attempts. While sandbox detonation is in progress, the simultaneous download can be blocked or allowed as per customer policy; in this case the customer configured the latter.

Now let's see what Zscaler Sandbox thinks. Select the Analytics tab and then choose Web Insights. Apply Sandbox as a filter, then from the drop-down menu select Sent for Analysis. Switch to Logs at the top of the screen, then apply filters. In this case the file was allowed per the policy put in place, but it was sent to Zscaler Sandbox for analysis and detonation. So let's view the sandbox detailed report. As you can see here, the sandbox determined the file to be malicious. So let's see which customer endpoints were affected: back in Logs, choose View CrowdStrike Endpoint Hits. CrowdStrike is telling us the malicious file was detected on three endpoints. Looks like even though one host downloaded the file via the Internet, it reached two other endpoints via other channels. All endpoints are currently in Normal status.

Now let's quarantine an endpoint host. Quarantining, or containing, cuts off network access from that host; once quarantined it can only talk to CrowdStrike's IP addresses or any other IPs specifically whitelisted by the customer's CrowdStrike policy settings. Via an API call happening in the background, you can now see that the status has changed to Containment Pending. Finally, we will confirm that the endpoint host was successfully quarantined. Click back to Logs and choose View CrowdStrike Endpoint Hits once again; now we can see that the host status has changed to Contained. Through just one UI screen you can see which hosts got affected and the timeline of the infections, and take containment action.
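The second demo's workflow, a sandbox verdict on a file hash correlated against endpoint telemetry to find every host holding the file (including the ones that got it by a channel other than the web download), followed by the Normal, Containment Pending, Contained status transitions, as an added Python example. This is not Zscaler's or CrowdStrike's code and uses no real product API: the telemetry log lines, the hash values and the `ContainmentTracker` request shape are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class SandboxVerdict:
    sha256: str
    verdict: str          # "malicious", "suspicious" or "benign"
    web_downloader: str   # host that pulled the file through the web proxy


@dataclass(frozen=True)
class EndpointEvent:
    ts: str
    host: str
    sha256: str
    source: str           # channel the file arrived by: web, smb, usb, ...


# Constructed endpoint telemetry (not real sensor output): timestamp then key=value fields.
# Hash values are short placeholders, not real SHA-256 digests.
SAMPLE_ENDPOINT_LOG = """
2020-04-08T10:00:01Z host=host-01 sha256=deadbeef01 source=web
2020-04-08T10:03:12Z host=host-02 sha256=deadbeef01 source=smb
2020-04-08T10:04:40Z host=host-03 sha256=deadbeef01 source=usb
2020-04-08T10:05:00Z host=host-04 sha256=cafef00d02 source=web
"""


def parse_events(text: str) -> List[EndpointEvent]:
    """Parse the constructed key=value telemetry format into events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(EndpointEvent(ts, kv["host"], kv["sha256"], kv["source"]))
    return events


def affected_hosts(verdict: SandboxVerdict, events: List[EndpointEvent]) -> Dict[str, Set[str]]:
    """Map each host holding the flagged hash to the channels it arrived by.
    Only a malicious verdict drives the correlation; benign/suspicious yields nothing."""
    if verdict.verdict != "malicious":
        return {}
    hits: Dict[str, Set[str]] = {}
    for ev in events:
        if ev.sha256 == verdict.sha256:
            hits.setdefault(ev.host, set()).add(ev.source)
    return hits


def lateral_hosts(verdict: SandboxVerdict, events: List[EndpointEvent]) -> List[str]:
    """Hosts that have the file but did not fetch it through the web proxy,
    i.e. the ones the proxy log alone would never show."""
    return sorted(h for h in affected_hosts(verdict, events) if h != verdict.web_downloader)


class ContainmentTracker:
    """Host status through the contain workflow: normal -> containment_pending -> contained."""

    def __init__(self) -> None:
        self.status: Dict[str, str] = {}

    def request_contain(self, host: str) -> dict:
        # Hypothetical request body; the real EDR API schema is not part of this example.
        self.status[host] = "containment_pending"
        return {"action": "contain", "host": host}

    def confirm(self, host: str) -> None:
        """Called once the EDR reports the host as contained; refuses out-of-order updates."""
        if self.status.get(host) != "containment_pending":
            raise ValueError(f"no pending containment for {host}")
        self.status[host] = "contained"


def run_demo() -> Tuple[Dict[str, Set[str]], Dict[str, str]]:
    """Replay the demo: malicious verdict, three hits, contain one host."""
    verdict = SandboxVerdict("deadbeef01", "malicious", "host-01")
    events = parse_events(SAMPLE_ENDPOINT_LOG)
    hits = affected_hosts(verdict, events)
    tracker = ContainmentTracker()
    for host in hits:
        tracker.status[host] = "normal"
    tracker.request_contain("host-02")
    tracker.confirm("host-02")
    return hits, tracker.status


if __name__ == "__main__":
    hits, status = run_demo()
    for host, channels in sorted(hits.items()):
        print(f"{host}: arrived via {sorted(channels)}, status={status[host]}")
```

The value of the correlation is in `lateral_hosts`: the proxy only saw host-01 download the file, while the endpoint telemetry shows host-02 and host-03 received it over SMB and USB, which matches the three-endpoint result in the demo.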
Info
Channel: Zscaler Inc.
Views: 4,927
Rating: 5 out of 5
Keywords: internet security, web security, cloud security, zscaler, digital transformation, crowdstrike use case, zscaler and crowdstrike use case, posture driven conditional access, zero-day malware response, zscaler private access crowdstrike demo, zscaler crowdstrike use case, zpa crowdstrike access policy, crowdstrike app status, crowdstrike zpa internatal app, integration zscaler, crowdstrike zscaler integration, malware response zscaler, zero trust access control crowdstrike
Id: y_93d6meuMo
Length: 5min 17sec (317 seconds)
Published: Wed Apr 08 2020