Falcon OverWatch Granted Patents for Two Innovative Workflow Tools

The breadth and depth of data available to CrowdStrike Falcon OverWatch™ threat hunters has the potential to be a double-edged sword. On one side, the wealth of data gives hunters the comprehensive visibility needed to uncover stealthy and novel interactive intrusion activity that can remain undetected by autonomous technology alone. On the other side, it leaves hunters searching for a needle in a rapidly expanding haystack. Falcon OverWatch’s patented hunting workflows shift the balance back in the hunters’ favor, enabling them to deftly wield this data with speed and at scale.
OverWatch was recently granted two patents, a recognition of the innovative and industry-leading workflows that enable threat hunters to hunt across the entire customer install base simultaneously and alert customers to potential intrusions in near real time. This is no small feat: In the last year alone, OverWatch directly identified and helped to disrupt more than 65,000 potential intrusions — approximately one potential intrusion every eight minutes.

The Patents

Beware the Burst: Cardinality Used to Surface Malicious Activity
Context is key when searching for malicious behavior. For example, while an event on its own may appear to be benign administrator activity, in combination with other events it may reveal the presence of a threat actor within an environment.
OverWatch’s patented hunting tool for cardinality-based activity pattern detection looks for concomitant bursts of potentially malicious activity patterns and surfaces them for further human analysis. To support rapid analysis by threat hunters, the tool presents the data visually, grouping activity patterns together with a graphical representation of a fidelity value that illustrates the degree to which each activity pattern indicates possible malicious activity. But this raises a question: how do we determine whether an event is suspicious, and how suspicious it is, when it is viewed as a standalone event?

Ancestral Data Used to Reveal Malicious Intent

Some events are so common within enterprise environments that including them in the bursts would create more noise than insight. But these same events can also be key to identifying a potential intrusion. OverWatch’s patented hunting tool for security-violation detection was built to use artificial intelligence to predict whether an event is malicious on the basis of the ancestry of the command line. This tool classifies hunting leads before they go to hunters, helping to funnel only the relevant data for human analysis. This tool supports both hunting lead generation and optimization, using three distinct artificial intelligence (AI) models to analyze the data to look for behaviors associated with malware and targeted intrusion activity. One model is specifically trained on OverWatch malware data. The other two models look for behavior indicative of targeted intrusion activity. Of those two, one is calibrated to find unknown hunting leads — this model is more balanced, so while it funnels more data to analysts, it reduces the risk that novel malicious activity is missed. The other model is more narrowly calibrated to consistently identify known hunting leads.
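The two ideas in the sections above, the ancestry of the process behind a command line and the cardinality of distinct activity patterns that co-occur on a host within a short window, can be illustrated with a small detector. The following Python is an added example, not OverWatch's code (its models, pattern catalogue and fidelity scores are not public); the flat event schema, the pattern names, the fidelity weights and the telemetry are all constructed assumptions. A rule-based classifier stands in for the trained models described above, which is enough to show why the same command scores differently depending on its ancestry and why a single low-fidelity event is not surfaced until it appears alongside others.

```python
"""Cardinality-based burst detection over process ancestry (added illustration)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry in a hypothetical flat schema: (host, time, pid, ppid, image).
# This is not CrowdStrike's event format.
EVENTS = [
    ("WS-01", "2024-03-01T09:00:00", 100, 1,   "explorer.exe"),
    ("WS-01", "2024-03-01T09:01:00", 200, 100, "cmd.exe"),
    ("WS-01", "2024-03-01T09:01:05", 201, 200, "whoami.exe"),   # admin at a shell: low fidelity alone
    ("WS-02", "2024-03-01T10:00:00", 300, 1,   "explorer.exe"),
    ("WS-02", "2024-03-01T10:02:00", 310, 300, "winword.exe"),
    ("WS-02", "2024-03-01T10:02:30", 320, 310, "cmd.exe"),      # document reader spawning a shell
    ("WS-02", "2024-03-01T10:02:35", 321, 320, "whoami.exe"),
    ("WS-02", "2024-03-01T10:03:10", 322, 320, "net.exe"),
    ("WS-02", "2024-03-01T10:04:00", 323, 320, "nltest.exe"),
    ("WS-03", "2024-03-01T11:00:00", 400, 1,   "explorer.exe"),
    ("WS-03", "2024-03-01T11:00:10", 410, 400, "net.exe"),      # one isolated discovery command
]

DISCOVERY = {"whoami.exe", "net.exe", "nltest.exe"}   # common, noisy on their own
OFFICE = {"winword.exe", "excel.exe"}


def ancestry(host_events, pid):
    """Return the chain of parent images for pid, nearest parent first."""
    by_pid = {e[2]: e for e in host_events}
    chain = []
    ppid = by_pid[pid][3]
    while ppid in by_pid:          # stops at a parent we have no record of
        chain.append(by_pid[ppid][4])
        ppid = by_pid[ppid][3]
    return chain


def classify(event, chain):
    """Map one event plus its ancestry to (pattern, fidelity), or None if unremarkable.

    Fidelity weights are illustrative, not the post's real scores."""
    image = event[4]
    if image in DISCOVERY:
        # Same command, different ancestry, different fidelity.
        if any(a in OFFICE for a in chain):
            return ("discovery_under_office", 0.9)
        return ("discovery_command", 0.2)
    if image == "cmd.exe" and chain and chain[0] in OFFICE:
        return ("office_spawned_shell", 0.7)
    return None


def find_bursts(events, window=timedelta(minutes=10), min_cardinality=2):
    """Group classified events per host in a sliding time window and surface hosts
    where the number of distinct patterns (the cardinality) reaches the threshold."""
    per_host = defaultdict(list)
    for e in events:
        per_host[e[0]].append(e)
    leads = {}
    for host, hevents in per_host.items():
        hits = []
        for e in sorted(hevents, key=lambda x: x[1]):
            c = classify(e, ancestry(hevents, e[2]))
            if c:
                hits.append((datetime.fromisoformat(e[1]), *c))
        for t0, _, _ in hits:
            in_window = [h for h in hits if t0 <= h[0] <= t0 + window]
            patterns = {name: fid for _, name, fid in in_window}
            if len(patterns) >= min_cardinality:
                leads.setdefault(host, {}).update(patterns)
    return leads


def render(leads):
    """Text stand-in for the graphical view: one bar per pattern, scaled by fidelity."""
    lines = []
    for host, patterns in sorted(leads.items()):
        lines.append(f"{host}:")
        for name, fid in sorted(patterns.items(), key=lambda kv: -kv[1]):
            lines.append(f"  {name:<24} {'#' * int(fid * 10):<10} {fid:.1f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(find_bursts(EVENTS)))
```

Running this surfaces only WS-02: its `whoami.exe` is the same command that WS-01 runs, but its ancestry passes through a document reader, and it lands in the same window as a second distinct pattern. WS-01 and WS-03 each produce a single low-fidelity hit that never reaches the cardinality threshold, which is the point of excluding very common events from bursts until ancestry or co-occurrence makes them interesting.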
The development of this patented hunting tool has enabled OverWatch to successfully scale, ensuring that OverWatch threat hunters can focus their attention on the data most likely to yield malicious findings. But no technology is 100% — artificial intelligence and automation alone cannot take the place of human insight and ingenuity. There continue to be low-volume hunting patterns that must be investigated by expert hunters to ensure that particularly rare or sophisticated activity is not overlooked.
OverWatch Threat Hunting: Greater Than the Sum of Its Parts

The stream of telemetry available to OverWatch hunters grows daily, now exceeding 1 trillion events per day. Through the power of AI, OverWatch’s patented hunting tools take in that sea of data and return just a fraction of it — classified, grouped and graphically represented for hunters to sift through. This technology plays a critical role in ensuring that hunters can continue to operate at scale to quickly identify the earliest signs of an intrusion.

These patented hunting tools create space for threat hunters to focus on the tasks that humans do best. This includes taking proactive and experimental approaches to uncovering novel adversary activity, building knowledge of the latest adversary tradecraft, and continuing to distill hunting findings into hundreds of new behavioral-based preventions for the CrowdStrike Falcon® platform every year. Innovation and continual improvement are the backbone of OverWatch’s hunting operations, and this has been duly recognized by the award of these two patents.
