Accenture MxDR Quick Start Guide for AER Access in Crowdstrike

The following guide provides instructions for setting up the Accenture Managed Extended Detection Response (MxDR) service for CrowdStrike.

The document includes the following topics:

  • Managed Extended Detection Response (MxDR) Introduction

  • Managed Extended Detection Response (MxDR) Overview

  • Pre-Installation Questionnaire (PIQ)

Introduction

The Accenture Managed Extended Detection Response (MxDR) service delivers visibility and response. Accenture SOC analysts act on suspicious threat activity and find emerging and unknown threats across on-premises and cloud endpoints, using forensic data coupled with machine learning analytics and the Accenture Global Intelligence Network. MxDR allows for close collaboration and seamless handoff of incident intelligence, helps prioritize efforts, and relieves security teams of the time and effort that would otherwise be spent investigating incident alerts and detecting and responding to advanced attacks.

Overview

The CrowdStrike MxDR service has three primary components:

  • Log Collection Platform (LCP)

  • CrowdStrike Falcon Management

  • Host Management


MxDR Access and Logging Architecture

Log Collection Platform (LCP)

The Log Collection Platform (LCP) is designed to collect, compress, and securely send your log data to Accenture MxDR. The LCP is deployed in the Accenture Security Cloud and pulls the data directly from CrowdStrike’s cloud via its API (application programming interface).

Note: No client hardware or network access is needed.

CrowdStrike Falcon Management

The CrowdStrike Falcon Console will be co-managed by Accenture MxDR as a shared service with the client. After signing up for the service, clients will be provided with an Authorization Form for Access to CrowdStrike Falcon Host by MSP (Managed Service Provider) Personnel, which must be submitted to CrowdStrike by email to MSSP@crowdstrike.com, with the Service Delivery Leads copied. This grants Accenture MxDR access to your CrowdStrike data.

Topology

  • Existing Accenture clients who currently own CrowdStrike will be moved under the Accenture MxDR parent instance in a coordinated manner

  • New CrowdStrike clients will be deployed with Accenture MxDR as the parent

  • Each CID (Customer ID) has a stand-alone Splunk backend for data isolation purposes

CrowdStrike MSSP (Managed Security Service Provider) Parent Architecture

Access Control

  • Access to the client’s CID is granted after the client submits the MSSP Authorization Form to CrowdStrike on behalf of Accenture MxDR (the form can be provided by CrowdStrike or the Service Delivery Lead)

  • Accounts for Accenture will be housed at the parent Accenture MxDR instance

    • Accenture MxDR requires the following roles in the client’s environment (changes to these permissions may impact the capabilities of the service):

      • Falcon Security Lead

      • Quarantine Manager

      • Custom IOAs Manager

      • Detection Exceptions Manager

      • Real Time Responders – Administrator

    • Accenture MxDR analyst accounts and access will be managed by Accenture MxDR

  • Access and entitlements for clients will be managed in their respective child CIDs and will allow a choice of the existing CrowdStrike roles

Event Data and Detections

  • Detections

    • Detections will flow from the client CIDs into the Accenture MxDR instance

    • Detections can be managed at either the parent or child level, and by either Accenture or the client

  • Raw event data

    • Endpoint Activity Monitoring (EAM) data will be housed and stored in each client environment, and will only be searchable across the CIDs that house it

    • Accenture MxDR analysts will be able to search client Endpoint Activity Monitoring (EAM) data by pivoting into the respective client consoles

  • SIEM (Security Information and Event Management) Connections for Detections

    • Accenture will consume detection data directly from each respective client CID

    • If required, clients will consume their detection data directly from their respective CID

Policy Management

  • Accenture MxDR will have access to policy management, but clients remain responsible for managing these policies. Unless pre-authorized to do so, Accenture MxDR will not update policies.

Host Management

Falcon agent installation and management are the responsibility of the client. If applicable, remediation is performed by MxDR analysts via the Falcon Console.

Pre-Installation Questionnaire (PIQ)

The pre-installation questionnaire (PIQ) is used to capture device and network details from your environment to begin the onboarding process. The PIQ requires information about the network ranges eligible for pre-authorized containment (if applicable), how you will deploy the agent, and details about your current environment.

  • An Accenture MxDR Engineer will supply the PIQ for the client to complete via email or Service Request within the MxDR portal.

  • The client is expected to complete the PIQ and return it to the MxDR Engineer for processing.

  • Complete and return the PIQ – if remediation is authorized, the network range(s) of the hosts authorized for remediation must be defined in the appropriate section of the PIQ.
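As an added illustration (not part of this guide or Accenture's tooling), the following Python gate shows how a SOC playbook could apply the PIQ's pre-authorized containment ranges and the required role set before a remediation action: hosts inside a PIQ range can be contained under pre-authorization, hosts outside it require explicit client approval, and an analyst lacking the listed roles is refused outright. The CIDR ranges and host addresses are constructed placeholders.

```python
import ipaddress
from typing import Iterable, List

# Constructed placeholder for the "network ranges eligible for pre-authorized
# containment" section of a completed PIQ. Not values from the guide.
PIQ_AUTHORIZED_RANGES = ["10.20.0.0/16", "192.168.50.0/24"]

# Roles the guide lists as required in the client's CID; a reduced set may
# impact the capabilities of the service, so the gate checks all of them.
REQUIRED_ROLES = {
    "Falcon Security Lead",
    "Quarantine Manager",
    "Custom IOAs Manager",
    "Detection Exceptions Manager",
    "Real Time Responders - Administrator",
}


def parse_ranges(ranges: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Parse PIQ CIDR entries; strict=True rejects host bits set in a prefix
    (e.g. 10.20.1.0/16), which usually signals a mistyped PIQ entry."""
    return [ipaddress.ip_network(r, strict=True) for r in ranges]


def containment_decision(host_ip: str, analyst_roles: set, ranges) -> str:
    """Return 'auto' (pre-authorized), 'client-approval' (host outside the
    PIQ ranges) or 'denied' (analyst lacks the required roles)."""
    if REQUIRED_ROLES - set(analyst_roles):
        return "denied"
    ip = ipaddress.ip_address(host_ip)
    return "auto" if any(ip in net for net in ranges) else "client-approval"


def triage_hosts(host_ips: Iterable[str], analyst_roles: set, ranges) -> dict:
    """Group candidate hosts by the decision the gate reaches for each one."""
    result = {"auto": [], "client-approval": [], "denied": []}
    for host_ip in host_ips:
        result[containment_decision(host_ip, analyst_roles, ranges)].append(host_ip)
    return result


if __name__ == "__main__":
    nets = parse_ranges(PIQ_AUTHORIZED_RANGES)
    # Constructed sample hosts flagged by a detection.
    print(triage_hosts(["10.20.5.7", "172.16.1.1"], REQUIRED_ROLES, nets))
```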

FAQ (Frequently Asked Questions)

Will Accenture MxDR handle deployment of CrowdStrike Falcon agents to new clients?

No. Accenture MxDR will have co-management access to the CrowdStrike Falcon console in order to deliver the service, but this does not include deployment of agents.

Will Accenture MxDR update the CrowdStrike (CS) agent configurations?

We will update the Endpoint Detection & Response (EDR) policy (blacklist, whitelist, etc.) if authorized. We will not update the endpoint policies (AV signatures, firewall rules, etc.).


Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on-premises or hosted services. Any use, modification, reproduction, release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.