CrowdStrike’s Strategic Counter-Adversarial Research Team (SCAR): Developing the Technology Falcon OverWatch Threat Hunters Need

As a human-led managed threat hunting service, CrowdStrike Falcon OverWatch™ is built around the best and brightest analysts in the industry who lead the fight against today’s sophisticated adversaries. But while humans remain the critical ingredient that makes OverWatch so successful, these hunters are also supported by best-in-class technologies that enable them to work at their fullest potential.

These technologies are not created by accident. Rather, a dedicated group of specialized individuals within OverWatch is responsible for arming threat hunters with the technologies and tools they need to stop threat actors in their tracks. This group of innovators makes up the Strategic Counter-Adversarial Research team — otherwise known as SCAR.

OverWatch’s Personal Pit Crew

If OverWatch were a race car team, SCAR would be the pit crew. SCAR’s mission is to ensure that OverWatch is constantly operating at peak performance. Researchers within SCAR are critically evaluating the current workflows to find ways to improve them.

“We at SCAR have the time and space to figure out how to do things better,” explains Patrick Hogan, Senior Security Researcher on the Falcon OverWatch SCAR team.

In the same way a pit crew is always looking to modify the race car to ensure it’s at peak operational performance for the driver, SCAR researchers innovate and improve the technology that is foundational to OverWatch’s threat hunting capability. By expanding OverWatch’s overall capacity for intentional innovation and creation, OverWatch ensures that its threat hunters have access to best-in-class technology, which enables them to hunt as effectively as possible.

“The type of activity we see at OverWatch cannot be simply passed to a machine, because at the other end of that keyboard is a person,” explains David Zawdie, Principal Security Researcher at OverWatch SCAR.

Because OverWatch’s mandate is to hunt for activity that is designed specifically to evade autonomous technological detection, it is critical that OverWatch threat hunters are given the resources they need to hunt quickly and effectively. The patented workflows and tools available to OverWatch analysts enable them to hunt across the entire CrowdStrike customer base simultaneously, alerting customers of malicious activity within seconds.

Innovating the Technology Threat Hunters Need

SCAR researchers work diligently every day to refine OverWatch’s current technological workflows, while also researching and developing new tools that will be necessary to stop future attacks. They have one eye on the present and one eye on the future at all times.

“Part of what SCAR researchers do is look toward the future and think through future ways that we at OverWatch can do things,” said Hogan. “We also look to the future of the threat. Where is the threat going next? What will OverWatch need to stop it?”

SCAR researchers conduct applied research, unbounded by specific technologies, to enhance OverWatch’s ability to expose and counter adversaries’ activities. They develop novel detection technologies and tooling to optimize analyst workflows, enabling OverWatch threat hunters to work smarter, not harder. This includes reverse engineering malware to learn more about its nuances and build better preventions, and prototyping new hunting capabilities to see if they meet the high standard set by the hunting organization.

Additionally, SCAR researchers intentionally engage with teams throughout CrowdStrike. With thousands of employees at CrowdStrike, this is no easy feat. The cross-departmental collaboration, however, is crucial to ensuring the success of OverWatch and CrowdStrike as a whole. By representing OverWatch’s needs to teams across CrowdStrike, SCAR researchers ensure that the products and features CrowdStrike develops complement the workflows and tools OverWatch threat hunters use daily. This strengthens CrowdStrike’s ability to deliver excellent customer service and ultimately stop breaches.

“We help prioritize initiatives and advocate for the needs of OverWatch — for both our hunters and our customers,” said Zawdie. “This helps us all stay connected and accomplish our mission of stopping breaches.”

While every customer environment is an entity unto itself, the scalability of OverWatch’s workflows and tools — developed and maintained by SCAR — empowers threat hunters to effectively leverage trillions of data points into concrete hunting leads. This enables them to observe activity in one customer environment, and then hunt for that exact activity across the entire customer base simultaneously.

OverWatch’s calculated emphasis on technological innovation is what enables the team to meet the steep challenge of protecting thousands of unique customer environments. To accomplish its mission, OverWatch is supported by a foundation of cutting-edge technology. Creating and maintaining this technological foundation is the value SCAR provides not only to OverWatch and CrowdStrike but to all of its customers on a daily basis.
