Drawing benefits from CrowdStrike’s network effect requires handling large amounts of data — volumes and volumes of it. 

In fact, CrowdStrike stores more than 15 petabytes of data in the cloud that it uses to make decisions about upward of 1 trillion security events a day. In today’s threat landscape, stopping breaches and detecting attacks requires pulling in as much data about attacker tactics and tools as possible and correlating and analyzing it to identify indicators of attack (IOA). But that information needs to be organized.

Without structure, connecting the dots between security events can be a burdensome, manual process. To solve this problem, the CrowdStrike Falcon® platform combines people, process and technology working as one — the power of cloud-based big data, artificial intelligence and machine learning, enriched by human expertise — to stop threats from becoming breaches.   

Transformational Cloud-Powered Security Analytics

We designed and implemented CrowdStrike Threat Graph™ to store, query, and analyze relevant security events. Threat Graph is a cloud-based, massively scalable graph database that enables CrowdStrike to visualize and evaluate mountains of event data generated by the thousands of endpoints and cloud workloads protected by our Falcon platform. It is through Threat Graph that Falcon gets its ability to identify and stop attacks in progress.

Falcon agents feed telemetry from all these sources to Threat Graph, which combines it with threat intelligence from CrowdStrike’s Threat Intelligence team and various third parties. Since it is in the cloud, Threat Graph can scale to meet the requirements of the massive data volumes it deals with, allowing it to process billions of events each day. 

Seeing Is Believing

The strength of this approach is the ability to see what is occurring and map dependencies between events. Users can view and trace process execution on any device, container, or workload in their environment. This level of visibility permits security teams to pinpoint any suspicious or anomalous activity in the full context of the affected machine.

Threat Graph uses that comprehensive insight into activity to visualize event data and enable analysts to find inconsistencies and identify potential security threats in seconds. It also can provide a window into the past as well. Since the state of each endpoint, workload, container, and environment is kept over time, the database can be leveraged to retrace historical events. For example, suppose an attack is discovered today. In that case, its roots can be traced backward in time, allowing analysts to perform an in-depth forensic analysis of the situation regardless of when the security event itself occurred. In this way, Threat Graph provides visibility into both real-time and past events.

As soon as data is written to the database, automated analysis begins. Multiple detection methods and algorithms are run against the data simultaneously, which provides quicker results. These detections take many forms, from behavioral and static analysis to signature matching to machine learning algorithms. The machine learning capabilities are vital for identifying IoAs. These indicators can be thought of as the actions a threat actor needs to take to be successful. Each new IOA discovered leads to new detections being added to the analysis process and increases Threat Graph’s ability to quickly and automatically detect similar attacks. To determine what is an IOA, the Threat Graph leverages information about the context, relationships, and sequence of events of a potential attack.

The machine learning algorithms allow CrowdStrike to examine not only the features of a file but also its behaviors and the sequence of code execution in the customer’s environment. With the graph data model, these algorithms can help uncover relationships between events that are not directly linked but may represent evidence of an attack when taken together. 

The Human Touch

Supporting these technical capabilities is CrowdStrike’s managed threat hunting service. As the CrowdStrike team catalogs indicators of compromise (IOCs) and indicators of attacks (IOAs), each of them becomes a new trigger threat hunters can use to uncover potential attacks. A trigger points analysts to a specific system or area of the network for further investigation when there are signs of suspicious activity. Threat Graph automates the discovery of triggers, reducing the amount of time it would take in-house security teams to make similar determinations. Once these triggers are presented to the managed hunting team, they can turn back to the Threat Graph for further investigation. Unlike traditional databases, which are mainly effective at answering predetermined questions on a big data scale, graph databases can handle ad hoc queries easily so that threats can be found more efficiently and quickly.

Before Threat Graph’s creation, an analyst would have to collect endpoint, workload, and container telemetry, add information from threat intelligence feeds, write their own correlation rules, and then examine the data to determine how the events might be related. Replacing that slow, tedious process with the automated analysis enabled by Threat Graph allows organizations to benefit from a stronger, smarter approach to cyber-defense. 

Learn more about how you can benefit from the cloud-powered analytics of the CrowdStrike Security Cloud — get the CrowdStrike Security Cloud eBook now.

Additional Resources

• Learn what industry analysts are saying about CrowdStrike.
• Learn more about the power of the CrowdStrike Falcon® platform.
• Get a full-featured free trial of CrowdStrike Falcon® Prevent™ and see how true next-gen AV performs against today’s most sophisticated threats.