Securing the Generative AI Boom: How CoreWeave Uses CrowdStrike to Secure Its High-Performance Cloud

CoreWeave deploys CrowdStrike Falcon® Cloud Security on the AI-native, unified CrowdStrike Falcon® platform

CoreWeave is a specialized GPU cloud provider powering the AI revolution. It delivers the fastest and most consistent solutions for use cases that depend on GPU-accelerated workloads, including VFX, pixel streaming and generative AI. 

CrowdStrike supports CoreWeave with a unified, AI-native cybersecurity platform, protecting CoreWeave’s architecture by stopping breaches. What follows is a summary of how CoreWeave uses CrowdStrike Falcon Cloud Security to secure both its cloud infrastructure and the cloud workloads of its customers, as shared in a presentation at Fal.Con 2023.

Watch the Fal.Con 2023 recording: How CoreWeave Secured Cloud Infrastructure and AI Applications with Falcon Cloud Security

Complete Visibility and Protection

To meet the growing demand for its cloud services, CoreWeave needed a modern security platform that met two main requirements: It had to be capable of scaling with CoreWeave, and it couldn’t cause any performance slowdowns, as organizations rely on CoreWeave for its highly efficient processing power. 

After a successful proof of concept with CrowdStrike — in which CoreWeave engineers observed no performance impact after deploying the Falcon sensor on a test cluster — CoreWeave licensed the Falcon platform along with several platform modules, including CrowdStrike Falcon® Insight XDR endpoint detection and response, CrowdStrike Falcon® Prevent next-generation AV and Falcon Cloud Security. 

Within two weeks, the Falcon sensor had been deployed across all worker nodes at CoreWeave, providing the visibility and protection needed. 

On stage at Fal.Con 2023, CoreWeave’s CISO talked about the importance of visibility to see every asset, including endpoints, cloud nodes, apps working on the endpoints and services running on cloud nodes. He also discussed the value of a unified cloud-native application protection platform (CNAPP) to provide one console and one platform for managing all of the different areas of a cloud workflow — down to containers, pods and nodes.

For CoreWeave, the foundation of strong cloud security starts by deploying the Falcon sensor at the bottom of its tech stack. 

Figure 1. CoreWeave deployed the Falcon sensor at the bottom of its tech stack

Once CoreWeave deploys its systems into the Kubernetes cluster, the Falcon DaemonSet runs across every node. This does two things: Every time CoreWeave powers up a new node and brings it into its fleet, the company automatically gets detection and response capabilities from CrowdStrike. And by having the Falcon sensor at the bottom layer, the company doesn’t have to worry about higher-level networking issues impacting its security.

How CoreWeave Responds to Detections

CoreWeave responds to a Falcon alert in three steps: detect, investigate and triage.

For detections, CoreWeave relies in part on alerts generated by both CrowdStrike® Falcon OverWatch™, a CrowdStrike service that provides 24/7 managed threat hunting, and CoreWeave security staff who monitor Falcon dashboards.

When an alert comes in, CoreWeave security staff can see the hostname that may have been compromised and the container ID — both of which help determine what triggered that alert. From there, the team can drop that container ID into the search of Falcon Cloud Security to see details such as host ID and container name, allowing it to zero in on where the container is running in the infrastructure. 

This capability allows security teams to quickly identify and remediate the potential threat. Because CoreWeave effectively sells its cloud infrastructure to customers, CoreWeave uses this information to communicate with any customer whose workload was potentially compromised so they can triage it together and stop the threat before any damage is done.

One Platform for Endpoint-to-Cloud Protection

Every Falcon product module CoreWeave uses is deployed on the unified, AI-native Falcon platform. By consolidating its cybersecurity with CrowdStrike, CoreWeave has been able to respond to threats faster, reduce complexity and streamline provisioning. Critically, having one sensor deployed across its entire IT infrastructure — from endpoint to cloud — gives CoreWeave the context needed to respond to potential threats appropriately. 

Figure 2. The Falcon platform centers around a streamlined, single-agent architecture

In many cases, the Falcon platform kills the threat automatically. As CoreWeave’s CISO explained, this saves the company hundreds of hours a year in unnecessary triage. 

For instances that require CoreWeave to triage, the team can act decisively based on context provided by the Falcon platform, which collects and analyzes trillions of endpoint events per week from millions of sensors deployed across 176 countries. CoreWeave supplements this information with CrowdStrike threat intelligence to better understand the nature of the situation. 

All told, CrowdStrike’s industry-leading threat intelligence helps CoreWeave understand any adversaries targeting the company and its customers, enabling CoreWeave to stop them.

This encapsulates the value of the Falcon platform for CoreWeave. The company has its hosts and servers, which are covered with detections. It’s then able to increase the value of those detections with CrowdStrike threat intelligence to figure out what’s happening and how to fix it.

With CrowdStrike, CoreWeave is able to provide a highly performant, scalable and secure cloud infrastructure to power the generative AI boom and beyond. 
