Falcon Insight XDR and Falcon LogScale: What You Need to Know

CrowdStrike Falcon Insight XDR and CrowdStrike Falcon LogScale were hot topics at Fal.Con 2022. We weren’t surprised — both are transformational technologies. They’re also complementary, which spurred some questions about how they work together to solve the toughest IT and security challenges. Here, we dig into the details and clear up some common questions about what these tools do, when they should be used and the value they provide.

What Is Falcon LogScale?

 

Falcon LogScale is a purpose-built log aggregation, storage and analysis tool. Formerly known as Humio, Falcon LogScale is a CrowdStrike Falcon® module designed to easily ingest and aggregate log data from any source, including applications, desktops, servers, devices, networks and cloud workloads. This uniquely powerful tool handles multi-terabyte data loads each day and stands alone in the market for its unrivaled scalability and performance when working with large data volumes.

What Is Falcon Insight XDR?

 

With our industry-leading endpoint detection and response (EDR) as the foundation, Falcon Insight XDR extends EDR outcomes to key security domains across the Falcon platform and third-party data sources. Falcon Insight XDR correlates native and third-party cross-domain telemetry to deliver high-confidence detections, investigative efficiency and rapid response from a single, unified threat-centric command console.

When to Use Falcon LogScale

 

Falcon LogScale is versatile technology that can be used to:
  1. Accelerate application development. Log management can be used to detect errors and performance issues in application development environments. This gives developers real-time alerts so they can fix problems before the applications go live. Log management also supports application performance monitoring (APM) tools by allowing organizations to cost-effectively retain all data, thereby getting the most detailed view of an application at any given point.
  2. Monitor and hunt for security threats. The ability to “log everything” allows security personnel to better investigate potential breaches and conduct retrospective threat hunting over extended time periods. Log management tools can search for indicators of compromise (IOCs) with sub-second latency and drill down into the root cause of issues, giving security professionals insight to help stop attacks at the source and prevent similar attacks from happening in the future.

     

  3. Give support teams a real-time view of transactions. The value of log management extends beyond providing raw data to developers and security teams. After ingesting the data, Falcon LogScale can create live dashboards to address the needs of multiple teams. Support teams, for example, can get a list of possible errors on customer accounts, enabling staff members to identify and fix problems before they impact the customer experience.
  4. Monitor system performance. Logs can indicate which processes are consuming the most resources. They can also draw attention to overactive and wasteful infrastructure. If a system surpasses a pre-configured performance benchmark, log management tools can alert an automated response to provide more storage or processing resources to prevent a crash.
  5. Support compliance. Log management tools are engineered to collect and centralize data, which can help meet audit requirements. Falcon LogScale goes a step further and compresses data by 15x to 80x, allowing you to store compliance data using much fewer resources than legacy tools. The technology maintains data compression while data is being searched, further reducing costs via lower transaction times and CPU usage.
  6. Monitor user behavior. Log management can alert security teams if a user’s privileges are elevated — a classic IOC. Once a threat is detected, security teams can use log management tools to track the behavior of any individual IP address across the system and determine the extent of possible damage.

What Would I Use Falcon Insight XDR for?

 

Falcon Insight XDR is the industry’s most dominant EDR offering, now with fully integrated extended detection and response capabilities, allowing you to:

 

  1. Gather, aggregate and normalize threat data. Falcon Insight XDR brings together native CrowdStrike Falcon telemetry with security telemetry from supported third-party vendors to widen the aperture of visibility across the entire enterprise. Upon ingest, data is normalized to provide a common language for effective detection, investigation and response.
  2. Surface attacks missed by siloed approaches. With Falcon Insight XDR, rich threat intelligence and advanced analytics work across diverse data and domains, enabling you to detect stealthy cross-domain attacks. Out-of-the-box and custom detection capabilities enhance protection while reducing complexity and streamlining workflows.
  3. Unify investigation. Falcon Insight XDR allows you to search against cross-domain data — both normalized and raw telemetry — to hunt for suspicious activity or further investigate detections. Customers can pivot from CrowdStrike-generated detections, custom detections and searches to a graph explorer, viewing the entire cross-domain attack path and rich context, for quick understanding.
  4. Integrate response. Users of Falcon Insight XDR can trigger response actions across Falcon-protected hosts and through third-party solutions from a single, unified threat-centric command console. To further streamline remediation, Falcon Insight XDR orchestrates and automates workflows by integrating with Falcon Fusion, a cloud-scale unified SOAR framework.

How Do Falcon Insight XDR and Falcon LogScale Complement Each Other?

Both tools allow organizations to ingest data for multiple use cases. So how do they complement each other?

Types of Ingested Data

Falcon LogScale allows you to ingest any type of machine data using mechanisms such as log collectors, APIs and syslogs. The module also allows you to extract the required fields from the data for easier aggregation and visualization. Think of this as providing infinite possibilities to build visibility, create dashboards and gain insight from any type of data. Falcon Insight XDR allows you to bring in high-value security data that has been normalized within a common scheme for the explicit purpose of providing an unrivaled experience for security analysts to find and stop the most sophisticated attacks. This tailored data is purpose-built for detection and response — not every use case.

 

Long-term Data Retention

Falcon LogScale can retain data for as long as customers need, from several months to several years or longer. And because Falcon LogScale is built using an index-free architecture and advanced compression technology, customers can store data for pennies on the dollar. Falcon Insight XDR allows customers to store enough data to contain active attacks, supporting the aim to help organizations quickly detect and remediate present threats. When used together, customers can use XDR to stop breaches and LogScale for long-term retention for retrospective hunting or long-term historical lookback.

Alliance and Partnerships

Both solutions have their own integrations and partnerships. Falcon LogScale offers integrations to help customers with tasks like log collection, field extraction and visualization. Integration options are available within the Falcon LogScale platform marketplace. The CrowdXDR Alliance brings together industry-leading security and IT solutions to offer a first-of-its-kind technology ecosystem. The XDR Alliance, which has doubled in the past year to include 19 partners, gives joint customers a unified, threat-centric detection and response capability across their entire security and technology ecosystem.

Superior Protection for Less

Falcon Insight XDR and Falcon LogScale serve different use cases and provide a different set of values. Yet, they complement each other, and together they can replace most of what a SIEM does today. For most organizations, this joint capability provides superior protection from attack at a fraction of the cost and complexity as legacy SIEMs.

 

For example, if adversary activity is detected across multiple domains, and the threat is analyzed and remediated using Falcon Insight XDR, Falcon LogScale could be used to seamlessly search historical data for related activity across the associated artifacts, revealing insight such as dwell time to help prevent similar attacks in the future. While upstart observability vendors scramble to add cybersecurity use cases to their platforms, we’re moving from strength to strength, expanding the world’s most advanced cloud-native cybersecurity platform to enhance observability at unrivaled speed and scale.

 

Additional Resources

 

Breaches Stop Here