Falcon IDP Innovations Stop Insider Risk - CrowdStrike
CrowdStrike
Archived Mar 16, 2026
Falcon Identity Protection Innovations Stop Insider Risk, Secure Non-Human Identities, and Lock Down Privileged Access
New capabilities deliver unified protection across all human and machine identities to close critical security gaps and stop attacks in real time.
June 03, 2025
| Ryan Terry - Kendra Kendall | Next-Gen Identity Security
How do you stop identity-based attacks in real time — across both human and non-human identities? CrowdStrike Falcon® Identity Protection now delivers powerful new capabilities to answer that question. The innovations announced today address urgent challenges facing security teams: unprotected non-human identities (NHIs) such as service accounts, insider risk during employee offboarding, and standing privileges in hybrid Microsoft environments.
Adversaries like SCATTERED SPIDER, COZY BEAR, and FAMOUS CHOLLIMA are exploiting identity blind spots such as NHIs, insider threats, and privileged access. These attacks thrive in hybrid identity environments, where disconnected tools and processes allow fast-moving adversaries to enter and move through organizations undetected.
CrowdStrike’s latest identity security capabilities are built to close these gaps with real-time detection, risk-based enforcement, and unified visibility — and they’re all delivered through the unified CrowdStrike Falcon® cybersecurity platform.
Stop Non-Human Identity Attacks in Microsoft Active Directory and Entra ID
Service accounts and other NHIs often operate with high privileges and minimal oversight, making them a prime adversary target. CrowdStrike is expanding its industry-leading protection for non-human identities with new dedicated risk and activity dashboards that provide:
- Instant visibility to quickly identify NHIs and their associated risks
- Access activity monitoring to identify deviations from baseline behavior
- Context-rich investigation workflows, supported by 15+ new security checks for service principal permissions and NHI attack paths
These enhancements complement our AI-powered detection and response capabilities for NHIs to stop identity-based attacks across hybrid environments.
How Falcon Identity Protection Secures NHIs
Falcon Identity Protection uses AI to automatically establish a behavioral baseline for non-human accounts across Microsoft Active Directory and Entra ID. This baseline establishes normal activity for an account, including endpoints used, services accessed, and more.
The new non-human identities dashboard, now generally available in Falcon Identity Protection, instantly surfaces access activity, deviations, and service principal risks. This interactive dashboard enables analysts to quickly drill down into events, accounts, and detections of interest.
Figure 1. Falcon Identity Protection’s interactive non-human identities dashboard surfaces access activity, deviations, and service principal risks.
Find and Fix Risky NHIs Before Adversaries Exploit Them
Analysts can use the dashboard to find high-risk non-human identities and close security gaps before adversaries take advantage. This may include, for example, privileged service accounts with inadequate password policies that could make it easy for adversaries to gain valid credentials.
We have expanded the number of security checks for Entra ID and AD to identify excessive permissions and misconfigurations across service principals. These expanded checks spotlight risks like over-permissioned NHIs with unnecessary access to applications such as Microsoft Teams, which adversaries could exploit for lateral movement or data exfiltration.
With visibility into these risks, analysts can use the NHI dashboard to ensure non-human identities are only accessing what they are permitted to access. Further, this visibility enables analysts to create prescriptive identity protection policy rules to stop unwanted and/or malicious activity — for example, blocking access from rarely used source endpoints the moment malicious activity is detected.
Key Takeaway: Falcon Identity Protection gives analysts immediate visibility into non-human identity risk and actionable insights to prevent identity-based attacks.
Stop Insider Threats During Employee Departures
Security teams often lack proactive visibility when employees depart, creating a dangerous gap that can lead to data theft or sabotage. CrowdStrike fuses HR signals with real-time identity and data behavior analytics to detect and stop insider risk by helping customers:
- Add departing employees to a watchlist and continuously monitor their activity
- Automatically flag high-risk activity like privilege escalation or unusual data transfers
- Dynamically enforce policy actions, extend risk-based conditional access, and leverage MFA to stop malicious activity in real time
Falcon Identity Protection integrates with Workday through Falcon Foundry to leverage HR-driven lifecycle events, such as employee resignations, to proactively tag users as leavers before risk escalates. These watchlisted users are then continuously monitored for unusual data access or account activity, enabling early detection of potential insider threats. When suspicious behavior is detected, adaptive enforcement policies automatically respond with actions like requiring multifactor authentication (MFA), revoking sessions, or blocking access entirely — mitigating risk in real time.
Key Takeaway: Falcon Identity Protection proactively stops insider threats during offboarding by combining HR signals and real-time behavioral analytics, seamlessly integrating with third-party applications through Falcon Foundry, our low-code application development platform.
Lock Down Privileged Access in Hybrid Microsoft Environments
Standing privileges are a standing risk for organizations. CrowdStrike Falcon Privileged Access, recently announced, provides just-in-time access so users can only access what they need, when they need it, as security conditions allow. This capability is being expanded to enforce just-in-time privileged access across Microsoft Entra ID and Active Directory. This is now available for Microsoft Entra ID; early access for Active Directory support will be available in the coming weeks.
With this, organizations now have additional protection for their hybrid Microsoft environments. They gain continuous risk-based monitoring, real-time access revocation, and simpler privileged access enforcement with faster time-to-value.
When just-in-time policy conditions are met, such as a user having a low identity protection risk score, privileged access can be automatically granted or available upon request. Risk scores are continuously authenticated so elevated access can be revoked in real time if risk levels change. This helps ensure elevated privileges are only assigned under secure, policy-driven conditions. With this enforcement model, privileged access is always temporary, always contextual, and always secure.
Watch this video to see how Falcon Privileged Access stops adversaries with just-in-time privileges.
Key Takeaway: Falcon Privileged Access delivers real-time, risk-based enforcement for just-in-time access across hybrid Microsoft environments.
CrowdStrike Leads in Unified Identity Protection
With these innovations, CrowdStrike strengthens its position as a leader in unified identity protection. Falcon Identity Protection now delivers:
- Real-time prevention for insider threats and employee turnover
- Comprehensive NHI protection across hybrid identity environments
- Just-in-time privileged access with continuous risk monitoring for hybrid Microsoft environments
CrowdStrike’s momentum in identity protection continues to earn recognition from leading analysts and, more importantly, our customers. We were recently named a Leader and Outperformer in the 2025 GigaOm Identity Threat Detection and Response Radar Report, which praised our “continued rapid development” and “strong roadmap.”
As adversaries get smarter, CrowdStrike gets faster. By unifying identity, data, and threat protection, we give security teams the power to stop attacks before they start — and the visibility to investigate what others miss. Learn how to build a comprehensive identity protection strategy that stops breaches.