Box Status
Print

Enabling and Configuring CrowdStrike for Device Protection

Security

CrowdStrike is a global cybersecurity leader with an advanced cloud-native platform for protecting endpoints, cloud workloads, identities and data. CrowdStrike’s Falcon® Insight XDR monitors endpoint activity, that is, devices that connect to Box and your Box organization, analyzing the device settings and configuration to identify potential threat activity. If a threat is identified, you can define remediation activity based on the level of threat.

For CrowdStrike for Device Protection to work, devices connecting to your Box account must have Box Tools installed.

You enable and configure CrowdStrike for Device Protection in 3 parts:

  1. Enabling CrowdStrike for Device Protection
  2. Enabling Real-Time Checks in CrowdStrike
  3. Configuring CrowdStrike for Device Protection

Enabling CrowdStrike for Device Protection

Prerequisites

  • Box Shield
  • An active CrowdStrike account
  • The Falcon Insight XDR module enabled

To enable CrowdStrike integration, starting from Box, logged out of CrowdStrike

  1. Go to Admin Console > Enterprise Settings.
  2. Select the Device Protection tab.
  3. In the Endpoint Detection and Response Integrations section, click Enable in the CrowdStrike pane.
  4. In the CrowdStrike platform dialog box, select Go to CrowdStrike store. This link take you to the CrowdStrike for Box app page.
  5. Log in to your CrowdStrike account.
  6. Select Try it free.
  7. In the Connecting Falcon Platform and Box device security dialog box, select Agree & Request Trial. You should receive an email with the integration confirmation link.
  8. Click on the link in the email, or refresh the current page, and select Open App.
  9. In the Connect CrowdStrike Falcon platform with Box? dialog box, select Connect

The connection may take a short amount of time to transfer and synchronize necessary data. When complete, the status indicator will update to "Enabled." Your Box account is now connected to your CrowdStrike account and you can configure remediation and enforcement actions.

To enable CrowdStrike integration starting from CrowdStrike

  1. Log in to your CrowdStrike account.
  2. Click the hamburger menu in the upper-left and select CrowdStrike Store.
  3. Find the Box device security app.
  4. Select Try It Free.
  5. In the Connecting Falcom Platform and Box device security dialog box, select Agree & Request Trial. You should receive an email with the integration confirmation link.
  6. Click on the link in the email, or refresh the current page, and select Open App.
  7. In the Connect CrowdStrike platform with Box? dialog box, select Connect.

The connection may take a short amount of time to transfer and synchronize necessary data. When complete, the status indicator will update to "Enabled." Your Box account is now connected to your CrowdStrike account and you can configure remediation and enforcement actions.

Enabling Real-Time Checks in CrowdStrike

Once the connection is properly configured, the devices’ security posture will be checked every few minutes. You enable these real-time checks in CrowdStrike by creating a CrowdStrike Falcon Fusion Workflow (you must be logged in to your CrowdStrike account to access this help topic) with a corresponding Box action. See the CrowdStrike Fusion documentation for more details.

Configuring CrowdStrike for Device Protection

CrowdStrike for Device Protection configuration has 2 components:

  • Remediation actions, where you define logical conditions and actions
  • Enforcement action, where you decide if you are going to monitor or enforce restrictions

You can also optionally enter an email address that users can contact if their device does not meet security requirements.

CrowdStrike Zero Trust Assessment Score

The Zero Trust Assessment (ZTA) score (you must be logged in to your CrowdStrike account to access this help topic) is a single metric that defines the overall health of an endpoint and that is generated by CrowdStrike. According to the CrowdStrike documentation:

Zero Trust Assessment calculates a security score from 1 to 100 for each host. A higher score indicates a better security posture for the host. A security score is specific to the unique configurations of your environment. Zero Trust Assessment does not define what constitutes a good score. Instead, the ZTA dashboard provides visibility into possible risks and insight into settings that can increase the security posture of hosts.

You will define remediation actions based on ZTA scores, or a range of ZTA scores. The information in the CrowdStrike Zero Trust Assessment dashboard can help you determine what scores or ranges of scores are likely optimal for the remediation actions you choose.

The Zero Trust Assessment (ZTA) score aggregates more than 100 different risk signals in one unique score. If you identify a change in the ZTA score of a device, to understand the nature of the change, Box Admins can use the Falcon Agent ID field present in the specific CrowdStrike events available in Box EventStream or in Box Reporting. In the CrowdStrike Zero Trust Assessment dashboard, use these values to search by Host ID. This will allow you to identify what has triggered the ZTA score change in your device and how to address it.

Prerequisites

  • An active CrowdStrike account
  • The Falcon Insight XDR module enabled
  • CrowdStrike for Device Protection enabled, as described above

To configure CrowdStrike for Device Protection

  1. Go to Admin Console > Enterprise Settings.
  2. Select the Device Protection tab.
  3. In the Endpoint Detection and Response Integrations section, click Configure in the CrowdStrike pane.
  4. In the Remediation actions section, configure one or more remediations. For each remediation:
    1. Select a Remediation. This is an action that will occur if a device connects to Box and it is determined to match the ZTA risk score that you define. Select from:
      • Terminate user session and block device
    2. Select a comparison operator from:
      • In the range of
      • Less than
    3. Enter either 1 or 2 ZTA score values, depending on the comparison operator you chose.
  5. In the Enforcement Action section, select:
    • Enforce restrictions - (default) to start enforcing device restrictions immediately
    • Monitor restriction violations only - to monitor any violations so you can gather data about the configuration you defined and decide if they are satisfactory or if they need changing before you enforce restrictions
  6. Optionally enter an IT Help Email. If an email address is entered here, users who have devices that are restricted by this policy will be given this email address as contact information.
  7. Click Save.

User Experience With CrowdStrike for Device Protection Enabled

CrowdStrike for Device Protection requires a minimum version of Box Tools, 4.25.0, be installed on the device that is attempting to access Box. Once CrowdStrike for Device Protection is enabled, the next time users attempt to log in from a Windows or macOS computer, if the minimum version of Box Tools is not installed, the user will be required to download and install Box Tools before they are allowed to log in to Box.

Note:
Admins and Co-Admins who can edit enterprise settings are exempt from Device Protection checks and remediations. This keeps them from accidentally locking themselves out of the Admin Console.

For more information about installing Box Tools on devices within your organization, see Large Scale Deployments: Box Tools.

Monitoring Device Access

  • Reports can be generated in Admin Console > Reports > User Activity (select CrowdStrike-related events under Login)
  • Logs are available in Box Events Stream

 

 

 

Related articles