Improve Threat Hunting with Long-Term, Cost-Effective Data Retention
October 6, 2022Arfan Sharif Observability & Log Management
What if you could easily extend the retention of your CrowdStrike Falcon® detection data for a year or longer? Would that help with compliance? Investigations? Threat hunts?
In Part 1 of this series, we covered the basics of Falcon Long Term Repository (Falcon LTR). To recap, Falcon LTR is an option available to Falcon customers. It offers a simple and cost-effective way to retain your Falcon detection data long term, which has historically been a costly and complex endeavor for security teams.
This post will share how Falcon LTR can be used to search your long-term Falcon detection data for potential threats.
The Falcon LTR Maturity Journey
Falcon LTR is a versatile piece of technology that follows a maturity journey.
Early in the journey, customers can benefit from long-term, cost-effective data storage of their Falcon detection data for compliance purposes. Regulations are tightening across most industries. Today, companies must store data for longer, while the volume and complexity is also on the rise. Workstation events. Browser telemetry. User behavior. A growing network of containers. It takes more effort than ever to wrangle and store the data needed for compliance.
Built using the index-free architecture and advanced compression technology of Falcon LogScale, Falcon LTR offers a better, faster, cheaper way to store your Falcon detection data for compliance purposes. This is a popular introductory use of the technology.
Next in the maturity journey — and the focus of this post — is threat hunting. Falcon telemetry is a rich source of information for threat hunts. Having long-term Falcon detection data at your fingertips can help you investigate potential breaches and determine how they can be prevented in the future.
With Falcon Data Replicator, which allows you to seamlessly transport your Falcon detection data into Falcon LTR, CrowdStrike makes the process of exporting and storing Falcon detection data faster, easier and more cost-effective.
So what can threat hunters do with this wealth of long-term telemetry? Let’s get into it.
Historical Threat Hunts with Falcon LTR
Here are three common threat hunts you can do with your long-term Falcon detection data.
Newly installed applications
Falcon LTR gives you a fast and easy way to track the installed applications on your system. This helps with two things. One, you can verify if users are updating their applications. Two, you can look for questionable apps and ask the user why they installed it and what they’re doing with it. Unsafe apps can be identified and removed. The tool also allows you to filter out expected software providers, such as Microsoft or Adobe, to quickly get a list of nonstandard software providers that may have tricked users into installing them.
IP to process mapping
It’s not enough to see that you’ve got a threat intelligence match on an IP; you need to map the actual process that’s connected to the IP. Beyond threat intelligence matches, if you see a Microsoft Office product connecting to a system in a country you don’t do business with, for example, or a PowerShell connecting to a remote IP, these could be situations worth investigating. Falcon LTR offers a package containing a number of prebuilt queries, dashboards and workflows to easily map IP to processes for enhanced threat hunting.
To combat the growing body of threat intelligence available to threat hunters, adversaries are increasingly creating their executables dynamically. This produces files with high entropy. Falcon LTR allows you to search the user’s space for anything algorithm-derived, including DLLs, batch files and executables, and uncover situations where employees may have fallen prey to phishing attacks or installed something they shouldn’t have.
Sub-Second Searches at Petabyte Scale
As we’ve seen, Falcon LTR is a valuable tool for searching your long-term Falcon detection data. But CrowdStrike Falcon® platform customers also realize tremendous speed-to-value when implementing Falcon LTR because of our groundbreaking smart agent and cloud-native architecture. Falcon platform customers can simply add Falcon LTR to their license and turn the capability on immediately.
Falcon LTR also makes searching data much faster than traditional setups. The reality today is that most security professionals are frustrated with having to open numerous apps to investigate potential threats. Falcon LTR gives users a single interface to search their Falcon detection data at petabyte scale with sub-second latency.
In this post, we examined the benefits of using Falcon LTR for historical threat hunts. In the third post in the series, we’ll explore the final step of the maturity journey: correlating your Falcon detection data with other data sources for even more powerful threat hunting.
- Read Part 1 and Part 3 in this Falcon LTR blog series.
- Visit the Falcon Long Term Repository product page to learn the benefits of storing and analyzing your long-term Falcon platform detection data.
- Watch The Readout: Falcon Long Term Repository, featuring CrowdStrike executives George Kurtz and Michael Sentonas.
- Learn how CrowdStrike is driving the convergence of security and observability with the introduction of Falcon LogScale and Falcon Complete LogScale.