Building the Modern SOC: How CrowdStrike Deployed Next-Gen SIEM to Increase Search Speed by 150x and Find Issues in Seconds

What customers can learn from the global leader in cybersecurity using its own technology to find and stop threats faster

  • CrowdStrike Falcon Next-Gen SIEM delivers better scalability and 150x faster search speeds, even when searching across 50% more data.
  • Engineered for high performance, Falcon Next-Gen SIEM can ingest and process incoming data in under a second and return most query results virtually instantly.
  • Learn why CrowdStrike made the switch to Falcon Next-Gen SIEM and how you can deploy the same technology from the AI-native CrowdStrike Falcon XDR platform.

Imagine you’re up against the world’s most advanced adversaries — those that use automation and AI, can drop malware in seconds and break out from compromised endpoints to navigate target environments in just over two minutes.

This is a day in the life of a CrowdStrike SOC engineer. Tasked with protecting a world-leading cybersecurity company, the CrowdStrike SOC team faces relentless and sophisticated threats, ranging from stealthy cybercriminals to nation-state adversaries targeting CrowdStrike executives and employees. 

According to CrowdStrike CISO Justin Acquaro, “As a cybersecurity company, we can’t settle for subpar technologies. We need the best.”

For endpoint, identity, cloud and data security, the SOC team already had the best: the AI-native CrowdStrike Falcon® XDR platform. However, with a largely remote workforce, unmanaged devices and hundreds of business applications to protect, the SOC team needed end-to-end visibility across the company’s security data — all in one place. 

Traditional SIEM Resulted in Poor Performance and Escalating Costs 

The legacy SIEM tool CrowdStrike had relied on for the previous decade wasn’t keeping pace. Because it wasn’t natively designed for the cloud, the SIEM could no longer deliver the high performance needed for modern threat hunting and investigations. Even after years of optimizing queries to boost search speed, it struggled to return search results quickly. 

Scalability limitations and hefty SIEM costs prevented the team from logging high-volume events, such as traffic logs from network detection and response appliances. As a result, CrowdStrike SOC analysts were forced to pivot between consoles and manually correlate data, slowing down threat hunting and analysis. 

With log volumes at CrowdStrike growing 30% every year, the team knew their scalability challenges would only expand. 

“The modern SOC needs modern security tools, including SIEM platforms. The architectures of yesteryear were good at the time. However, the overwhelming amount of data coming in from cloud infrastructure, traditional infrastructure, analytics and AI has generated a tremendous amount of information that SOCs need to process,” said Acquaro.

A Smooth Rollout 

The CrowdStrike SOC team kicked off a project to replace its legacy SIEM with CrowdStrike Falcon® Next-Gen SIEM. With its ability to collect up to one petabyte of data a day and search up to 150x faster than legacy SIEMs, the tool would easily solve their scalability and performance problems. Plus, it would provide world-class threat intelligence feeds and turnkey integration with the Falcon platform. 

After building a design plan, the SOC team began migrating data to the Falcon platform. Routing Falcon platform endpoint, identity and cloud security logs was a breeze. The team also leveraged the CrowdStream data pipeline to onboard third-party data sources quickly.

The next step was migrating security content, such as alerts, saved queries, dashboards and reports. According to Ryan Bonfadini, CrowdStrike Director of Threat Intelligence and Detection Engineering, learning the query language and converting existing queries to CrowdStrike Query Language was a light lift. “It’s boolean-based, so it’s easy to pick up.” And because the Falcon platform’s Raptor release uses the same query language, the team could apply their newfound knowledge when investigating endpoint threats.

The extraordinary search speed of Falcon Next-Gen SIEM also simplified the setup process. “There were minimal configurations and overhead needed to get us massive performance increases with Falcon,” said Evan Nagata, Manager of Security Engineering at CrowdStrike. 

CrowdStrike Senior Director of Information Security Tim Briggs agreed, saying: “We got great performance out of the box. We went from zero to fully operational very quickly.” 

Full Visibility and Faster Response 

Falcon Next-Gen SIEM delivers unprecedented scalability, allowing multiple users to simultaneously access dashboards and execute queries without noticeably impacting performance. “It scales forever, so all of your users can run queries whenever they want,” said Bonfadini. 

The CrowdStrike SOC team was able to centralize all security data for full visibility and more efficient investigations. The team is now ingesting 50% more data into Falcon Next-Gen SIEM, including east-west traffic logs from their network detection and response appliances. As a result, analysts don’t need to pivot between consoles or manually correlate data when investigating risky behavior or troubleshooting network issues.

The biggest benefit, though, is Falcon Next-Gen SIEM’s blazing-fast search speed. Today’s adversaries are able to break out of compromised endpoints and move laterally in 62 minutes on average. Engineered for high performance, Falcon Next-Gen SIEM can ingest and process incoming data in under a second and return most query results virtually instantly. For more advanced analysis, such as a complex look back across 30 days of data, Falcon Next-Gen SIEM still excels, even when searching across 50% more data.

All of this has helped the SOC team consistently stay ahead when it comes to detection and response metrics. The team measures detection latency on a daily basis, and Falcon quickly detects threats and provides notifications. “With Falcon Next-Gen SIEM, we have successfully built a response time that is less than a few minutes,” said Briggs.

Born in the Cloud

With Falcon Next-Gen SIEM at the heart of CrowdStrike’s internal security strategy, the SOC team can now monitor live threats with sub-second ingestion latency, and detect and respond to threats in record time with search performance that’s much faster than legacy approaches. The team can also meet compliance requirements by retaining years of data as hot storage. 

“Falcon Next-Gen SIEM was born in the cloud. Unlike competitors, it was set to scale,” said Acquaro.

Falcon Next-Gen SIEM provides a blueprint for the SOC of the future. It allows CrowdStrike to collect and store all security data in one place while avoiding the hassle of siloed data lakes and cold storage. And with the Raptor release, the team will have the opportunity to unify all security operations on one platform. 

“The days of using point products and building massive teams to manage these tools are over. Instead of building an army of people to stitch tools together, you can allocate people to actively defending your company,” concluded Acquaro. 
