Falcon Identity Threat Protection (ITP)


Segment workforce identities

Provides continuous, multi-directory visibility into the scope and impact of access privileges for identities across Microsoft Active Directory (AD), Azure AD and cloud single sign-on (SSO) solutions.

Automatically classifies identities as hybrid (identities that exist both in on-premises AD and in Azure AD) or cloud-only (identities that reside only in Azure AD).

Segments accounts into human, service, shared and privileged accounts.

Provides a customizable attack surface overview with insights into user risk and changes in behavior over time, such as an increase in account lockouts, logins from high-risk endpoints or the use of compromised passwords.


Automate threat detection and response

Protects hybrid identity stores by continuously inspecting live authentication traffic, including encrypted protocols such as LDAPS (LDAP over TLS) alongside plain LDAP.

Provides continuous assessment of identity security posture and identity-based incidents without requiring log ingestion or complex analysis.

Uncovers reconnaissance (e.g., LDAP enumeration by collectors such as BloodHound and SharpHound), credential compromise, lateral movement (e.g., RDP, Mimikatz, unusual endpoint usage, unusual service logins) and persistence (e.g., Golden Ticket attacks) using advanced analytics and patented machine learning technology.

Speeds up security investigations with intuitive threat hunting and predefined search criteria, including authentication events, unencrypted protocols, user roles, IP reputation and risk scores.
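The detections listed above are described only by name on this page. As an added illustration (not CrowdStrike code, and not how the product implements them), the following Python shows two heuristics of the kind an authentication-traffic inspector might apply: a burst of broad object-class LDAP queries from one principal, which is the signature of a SharpHound-style collection run, and a Kerberos service-ticket request whose presented TGT violates domain policy (a lifetime beyond the configured maximum, or an account that does not exist in the directory), which are classic Golden Ticket tells. The event records, field names, thresholds and the directory contents are all constructed assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed domain policy and directory contents for this example.
MAX_TGT_LIFETIME = timedelta(hours=10)          # "Maximum lifetime for user ticket"
KNOWN_ACCOUNTS = {"alice", "bob", "svc-backup", "krbtgt"}
RECON_WINDOW = timedelta(minutes=5)
RECON_THRESHOLD = 4   # distinct broad object-class queries from one principal

# A "broad" LDAP filter selects whole object classes with no narrowing attribute,
# e.g. (objectCategory=person) or (objectClass=group). Collectors such as
# SharpHound issue a burst of these when enumerating a domain.
BROAD_FILTER = re.compile(r"^\(\s*(objectcategory|objectclass)=[^()=]+\)$", re.I)

# Constructed telemetry (not real data): LDAP searches and Kerberos TGS requests
# as an inspection engine might record them. Field names are assumptions.
EVENTS = [
    {"ts": "2024-05-01T09:00:01", "type": "ldap_search", "src": "10.0.5.21",
     "user": "CORP\\alice", "filter": "(sAMAccountName=bob)"},
    {"ts": "2024-05-01T09:01:10", "type": "ldap_search", "src": "10.0.9.77",
     "user": "CORP\\bob", "filter": "(objectCategory=person)"},
    {"ts": "2024-05-01T09:01:12", "type": "ldap_search", "src": "10.0.9.77",
     "user": "CORP\\bob", "filter": "(objectClass=group)"},
    {"ts": "2024-05-01T09:01:15", "type": "ldap_search", "src": "10.0.9.77",
     "user": "CORP\\bob", "filter": "(objectCategory=computer)"},
    {"ts": "2024-05-01T09:01:20", "type": "ldap_search", "src": "10.0.9.77",
     "user": "CORP\\bob", "filter": "(objectClass=trustedDomain)"},
    {"ts": "2024-05-01T09:02:02", "type": "ldap_search", "src": "10.0.9.77",
     "user": "CORP\\bob", "filter": "(objectCategory=groupPolicyContainer)"},
    {"ts": "2024-05-01T09:05:00", "type": "krb_tgs_req", "src": "10.0.5.21",
     "user": "CORP\\alice", "service": "cifs/fs01.corp.local",
     "tgt_issued": "2024-05-01T08:55:00", "tgt_expires": "2024-05-01T18:55:00"},
    # Forged TGT: account absent from the directory and a ten-year lifetime
    # (Mimikatz kerberos::golden defaults to ten years).
    {"ts": "2024-05-01T09:10:00", "type": "krb_tgs_req", "src": "10.0.9.77",
     "user": "CORP\\ghost", "service": "ldap/dc01.corp.local",
     "tgt_issued": "2024-05-01T09:10:00", "tgt_expires": "2034-04-29T09:10:00"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def detect_ldap_recon(events):
    """Return {(src, user): sorted filters} for principals that issued at least
    RECON_THRESHOLD distinct broad filters inside a RECON_WINDOW sliding window."""
    by_principal = defaultdict(list)
    for e in events:
        if e["type"] == "ldap_search" and BROAD_FILTER.match(e["filter"]):
            key = (e["src"], e["user"])
            by_principal[key].append((parse_ts(e["ts"]), e["filter"].lower()))
    hits = {}
    for key, rows in by_principal.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            seen = {f for t, f in rows[i:] if t - t0 <= RECON_WINDOW}
            if len(seen) >= RECON_THRESHOLD:
                hits[key] = sorted(seen)
                break
    return hits


def detect_forged_tgt(events):
    """Return (src, user, reasons) for TGS requests whose TGT violates policy."""
    findings = []
    for e in events:
        if e["type"] != "krb_tgs_req":
            continue
        lifetime = parse_ts(e["tgt_expires"]) - parse_ts(e["tgt_issued"])
        reasons = []
        if lifetime > MAX_TGT_LIFETIME:
            reasons.append(f"TGT lifetime {lifetime} exceeds policy {MAX_TGT_LIFETIME}")
        if e["user"].rsplit("\\", 1)[-1].lower() not in KNOWN_ACCOUNTS:
            reasons.append(f"account {e['user']} does not exist in the directory")
        if reasons:
            findings.append((e["src"], e["user"], reasons))
    return findings


if __name__ == "__main__":
    for (src, user), filters in detect_ldap_recon(EVENTS).items():
        print(f"LDAP reconnaissance from {src} as {user}: {filters}")
    for src, user, reasons in detect_forged_tgt(EVENTS):
        print(f"Suspicious TGT from {src} as {user}: {'; '.join(reasons)}")
```

Both checks work on the authentication exchange itself rather than on event logs, which is the same vantage point the page describes; in practice the TGT lifetime check needs the actual policy value from the domain, and the recon threshold has to be tuned against normal directory-aware applications that also query whole object classes.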


Verify identities with zero friction

Defines and enforces policies in real time, based on authentication patterns, behavior baselines and individual risk scores, to verify identities using step-up authentication such as multifactor authentication (MFA).

Automatically secures access to identity stores and applications while improving the user experience, by triggering identity verification only when risk increases or behavior deviates from the established baseline.

Reduces the attack surface by extending MFA to any resource or application, including legacy and proprietary systems and tools that cloud-based MFA solutions do not cover, for example desktop logins, tools such as PowerShell and protocols such as RDP over NTLM.

Automatically resolves security incidents when the user confirms the activity through identity verification (2FA/MFA), without involving security analysts or opening help desk tickets.
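The four points above describe one control loop: score an authentication attempt against the identity's baseline and standing risk, challenge only when the score or the access path warrants it, and close the incident automatically if the user passes the challenge. As an added example (not CrowdStrike code, and not the product's actual scoring model), the Python below implements such a loop end to end. The baselines, the risk weights, the thresholds, the list of legacy protocols and the attempt records are all constructed assumptions for this example.

```python
from dataclasses import dataclass

# Assumed policy thresholds (not the product's own values).
STEP_UP_RISK = 60   # score at or above which an MFA challenge is required
BLOCK_RISK = 90     # score at or above which the attempt is denied outright
LEGACY_PROTOCOLS = {"NTLM", "RDP/NTLM"}   # paths cloud-based MFA cannot cover


@dataclass(frozen=True)
class Baseline:
    """Per-identity behavior baseline (constructed for the example)."""
    countries: frozenset
    hosts: frozenset
    hours: range           # usual logon hours, local time
    privileged: bool
    identity_risk: int     # standing risk from posture findings, 0-100


BASELINES = {
    "CORP\\alice":  Baseline(frozenset({"DE"}), frozenset({"WS-ALICE"}), range(7, 20), False, 10),
    "CORP\\da-bob": Baseline(frozenset({"DE"}), frozenset({"ADM-01"}), range(7, 20), True, 40),
}

# Constructed authentication attempts, one record per logon (field names assumed).
ATTEMPTS = [
    {"user": "CORP\\alice", "country": "DE", "host": "WS-ALICE", "hour": 9,
     "protocol": "Kerberos", "password_compromised": False},
    {"user": "CORP\\alice", "country": "US", "host": "JUMP-07", "hour": 3,
     "protocol": "Kerberos", "password_compromised": False},
    {"user": "CORP\\da-bob", "country": "DE", "host": "ADM-01", "hour": 10,
     "protocol": "RDP/NTLM", "password_compromised": False},
    {"user": "CORP\\da-bob", "country": "DE", "host": "WS-ALICE", "hour": 10,
     "protocol": "NTLM", "password_compromised": True},
]


def score_attempt(attempt, base):
    """Combine the identity's standing risk with deviations from its baseline."""
    score, reasons = base.identity_risk, []
    if attempt["country"] not in base.countries:
        score += 30
        reasons.append("new source country")
    if attempt["host"] not in base.hosts:
        score += 20
        reasons.append("new endpoint")
    if attempt["hour"] not in base.hours:
        score += 15
        reasons.append("outside usual hours")
    if attempt["protocol"] in LEGACY_PROTOCOLS:
        score += 10
        reasons.append("legacy protocol")
    if attempt["password_compromised"]:
        score += 40
        reasons.append("password known to be compromised")
    return min(score, 100), reasons


def decide(attempt):
    """Return (action, score, reasons): allow, step_up_mfa or block."""
    base = BASELINES[attempt["user"]]
    score, reasons = score_attempt(attempt, base)
    if score >= BLOCK_RISK:
        return "block", score, reasons
    # Privileged accounts on legacy paths (RDP over NTLM, NTLM) always get
    # step-up, even when their behaviour looks normal.
    if score >= STEP_UP_RISK or (base.privileged and attempt["protocol"] in LEGACY_PROTOCOLS):
        return "step_up_mfa", score, reasons
    return "allow", score, reasons


def handle(attempt, mfa_result=None):
    """Apply the decision; mfa_result is None (not yet answered), True or False."""
    action, score, reasons = decide(attempt)
    if action == "allow":
        return {"outcome": "allow", "score": score, "incident": None}
    if action == "block":
        return {"outcome": "block", "score": score, "incident": "opened for analyst review"}
    if mfa_result is True:
        # User verified the activity: the incident closes without an analyst.
        return {"outcome": "allow", "score": score, "incident": "auto-resolved (verified by user)"}
    if mfa_result is False:
        return {"outcome": "block", "score": score, "incident": "escalated to analyst"}
    return {"outcome": "challenge", "score": score, "incident": "pending user verification"}


if __name__ == "__main__":
    for a in ATTEMPTS:
        print(a["user"], a["protocol"], decide(a))
    print(handle(ATTEMPTS[1], mfa_result=True))
```

The important design point is the two triggers for a challenge: a risk score that crosses the threshold, and a policy rule keyed on the access path regardless of score, which is what lets MFA reach RDP over NTLM and similar legacy paths that a cloud identity provider never sees. Incidents that the user clears by passing the challenge close themselves; only failed or unanswered challenges and outright blocks reach an analyst.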