How CrowdStrike Deployed Next-Gen SIEM to Increase Search Speed by 150x and Find Issues in Seconds
Imagine you’re up against the world’s most advanced adversaries — those that use automation and AI, can drop malware in seconds and break out from compromised endpoints to navigate target environments in just over two minutes.
This is a day in the life of a CrowdStrike SOC engineer. Tasked with protecting a world-leading cybersecurity company, the CrowdStrike SOC team faces relentless and sophisticated threats, ranging from stealthy cybercriminals to nation-state adversaries targeting CrowdStrike executives and employees.
According to CrowdStrike CISO Justin Acquaro, “As a cybersecurity company, we can’t settle for subpar technologies. We need the best.”
For endpoint, identity, cloud and data security, the SOC team already had the best: the AI-native CrowdStrike Falcon® cybersecurity platform. However, with a largely remote workforce, unmanaged devices and hundreds of business applications to protect, the SOC team needed end-to-end visibility across the company’s security data — all in one place.
Traditional SIEM Resulted in Poor Performance and Escalating Costs
The legacy SIEM tool CrowdStrike had relied on for the previous decade wasn’t keeping pace. Because it wasn’t natively designed for the cloud, the SIEM could no longer deliver the high performance needed for modern threat hunting and investigations. Even after years of optimizing queries to boost search speed, it struggled to return search results quickly.
Scalability limitations and hefty SIEM costs prevented the team from logging high-volume events, such as traffic logs from network detection and response appliances.
With log volumes at CrowdStrike growing 30% every year, the team knew their scalability challenges would only expand.
“The modern SOC needs modern security tools, including SIEM platforms. The architectures of yesteryear were good at the time. However, the overwhelming amount of data coming in from cloud infrastructure, traditional infrastructure, analytics and AI has generated a tremendous amount of information that SOCs need to process,” said Acquaro.
Smooth Rollout
The CrowdStrike SOC team kicked off a project to replace its legacy SIEM with CrowdStrike Falcon® Next-Gen SIEM.* With its ability to collect up to one petabyte of data a day and search up to 150x faster than legacy SIEMs, the tool would easily solve their scalability and performance problems. Plus, it would provide world-class threat intelligence feeds and turnkey integration with the Falcon platform.
After building a design plan, the SOC team began migrating data to the Falcon platform. Routing Falcon platform endpoint, identity and cloud security logs was a breeze. The team also leveraged the CrowdStream data pipeline to quickly onboard third-party data sources.
The next step was migrating security content, such as alerts, saved queries, dashboards and reports. According to Ryan Bonfadini, CrowdStrike Director of Threat Intelligence and Detection Engineering, learning the query language and converting existing queries to CrowdStrike Query Language was a light lift. “It’s boolean-based, so it’s easy to pick up.” And because the Falcon platform’s Raptor release uses the same query language, the team could apply their newfound knowledge when investigating endpoint threats.
The extraordinary search speed of Falcon Next-Gen SIEM also simplified the setup process. “There were minimal configurations and overhead needed to get us massive performance increases with Falcon,” said Evan Nagata, Manager of Security Engineering at CrowdStrike.
CrowdStrike Senior Director of Information Security Tim Briggs agreed, saying: “We got great performance out of the box. We went from zero to fully operational very quickly.”
Full Visibility and Faster Response
Falcon Next-Gen SIEM delivers unprecedented scalability, allowing multiple users to simultaneously access dashboards and execute queries without noticeably impacting performance. “It scales forever, so all of your users can run queries whenever they want,” said Bonfadini.
The CrowdStrike SOC team was able to centralize all security data for full visibility and more efficient investigations. The team is now ingesting 50% more data into Falcon Next-Gen SIEM, including east-west traffic logs from their network detection and response appliances.
The biggest benefit, though, is Falcon Next-Gen SIEM’s blazing-fast search speed. Today’s adversaries are able to break out of compromised endpoints and move laterally in 62 minutes on average. Engineered for high performance, Falcon Next-Gen SIEM can ingest and process incoming data in under a second and return most query results virtually instantly. It excels even at more advanced analysis, such as a complex lookback across 30 days of data, while searching across 50% more data.
All of this has helped the SOC team consistently stay ahead when it comes to detection and response metrics. The team measures detection latency on a daily basis, and Falcon quickly detects threats and provides notifications. “With Falcon Next-Gen SIEM, we have successfully built a response time that is less than a few minutes,” said Briggs.
Born in the Cloud
With Falcon Next-Gen SIEM at the heart of CrowdStrike’s internal security strategy, the SOC team can now monitor live threats with sub-second ingestion latency, and detect and respond to threats in record time with search performance far faster than legacy approaches. The team can also meet compliance requirements by retaining years of data.
“Falcon Next-Gen SIEM was born in the cloud. Unlike competitors, it was set to scale,” said Acquaro.
Falcon Next-Gen SIEM provides a blueprint for the SOC of the future. It allows CrowdStrike to collect and store all security data in one place while avoiding the hassle of siloed data lakes and cold storage. And with the Raptor release, the team will have the opportunity to unify all security operations on one platform.
“The days of using point products and building massive teams to manage these tools are over. Instead of building an army of people to stitch tools together, you can allocate people to actively defending your company,” concluded Acquaro.
*CrowdStrike started its SIEM deployment with CrowdStrike Falcon® LogScale and still uses it today for certain data sources and use cases. As of August 2024, CrowdStrike is in the process of migrating these use cases over to Falcon Next-Gen SIEM.