Getting Started Guide: Falcon Long Term Repository
New CrowdStrike offering redefines threat hunting with enhanced threat context, data storage and management
Limited data retention resulting from financial or technological constraints makes it hard for security teams to see the complete history of an attack. This lack of full context about a threat — or a potential threat — eventually catches up with organizations, leading to longer dwell times and increased risk of a breach.
CrowdStrike Falcon® Long Term Repository (LTR), formerly known as Humio for Falcon, allows CrowdStrike Falcon® platform customers to retain their data for up to one year or longer. Users can then correlate this deep well of information with other data sources to better detect potential threats and search the data with sub-second latency.
The innovative technology addresses one of the biggest challenges in threat hunting and security awareness: unknown unknowns. Without the context provided by log and event data from across your IT infrastructure, it’s increasingly difficult to investigate incidents and uncover potential attack paths. Despite this, historical retention is often a problem for security teams because of the costs and technological complexity of retaining this data.
Falcon LTR employs an index-free architecture designed to minimize the storage and computing resources required to ingest and retain data at any scale. It also uses advanced data storage techniques to compress data by 6-80x, reducing total cost of ownership.
If you’re a Falcon platform customer who wants more data to work with for a longer period of time, Falcon LTR might be right for you. This blog post is the first in a three-part series that will teach you the basics of Falcon LTR and how it can improve your threat hunts, investigations and observability use cases.
Let’s dive in.
I’ve got a data warehouse. Why do I need Falcon LTR?
Most organizations will ingest log data into their own data warehouse, perform custom analytics and investigations, and define an event-retention policy based on the storage available. Falcon LTR improves upon this approach in four main ways:
- Longer data retention. Falcon LTR allows you to keep data for as long as you need, including more than one year. With longer data retention, security teams can identify potential threats faster and conduct sub-second searches on log data. This speed enables threat hunting and troubleshooting at an unprecedented scale.
- Reduced cost. Legacy log management platforms make it cost prohibitive due to extensive infrastructure and storage requirements to retain log data long term. Falcon LTR offers long-term retention that requires minimal storage and computing resources, thus costing much less than what you might be used to.
- Fast and custom search. Humio, the log management technology that powers Falcon LTR, offers a feature-rich query language and index-free architecture. This allows customers to get immediate answers from their Falcon data via real-time dashboards, custom searches and prebuilt integrations.
- Smarter investigations. By ingesting your Falcon data into Falcon LTR, it instantly becomes searchable alongside other data sources, such as firewall logs and network telemetry. Now, findings from one log source can be used to trigger associated searches across other logs sources — enabling proactive threat hunting and investigations.
How does Falcon LTR work?
Falcon LTR relies upon a mechanism that transports Falcon data into Falcon LTR. This mechanism is called Falcon Data Replicator (FDR). Customers who license Falcon LTR get free access to FDR to ingest their Falcon logs. Please review the technical support feature guide to gain a full understanding of the requirements before enabling FDR.
Below is a high-level overview of the FDR data flow. As you can see, endpoints generate raw event data which is ingested into CrowdStrike Threat Graph®. FDR places the raw event data into an AWS S3 bucket, and enables users to bring that data into Falcon LTR for long-term retention and analysis.
“With Falcon LTR, we were able to save approximately $150,000 in the first year. Also, the ability to save data for an extended time period is critical. When we detect an indicator of compromise, we can go back in time and analyze the entire attack chain to accelerate investigations and pinpoint issues more quickly.” —Tom Sipes, Director of IT Security and Compliance, Tuesday Morning
How do I get Falcon LTR?
To start, contact your CrowdStrike account manager or CrowdStrike Support, and ask to have FDR enabled on your account. The team will create a CrowdStrike-managed AWS S3 bucket for short-term storage purposes, as well as a SQS (simple queue service) account for monitoring changes to the S3 bucket. By default, this S3 bucket has a seven-day retention policy because data is intended to be pulled out for longer-term retention, which Falcon LTR provides.
To learn more about Falcon LTR capabilities and licensing, contact your CrowdStrike account manager.