CrowdStrike Redefines True XDR With Humio Acquisition
February 18, 2021 | Michael Sentonas | Executive Viewpoint
Read about the acquisition of Humio here.
People in our industry joke about buzzword bingo when attending a conference or listening to a vendor presentation. Some of the best and worst buzzwords are also acronyms and I’m sure anyone following cybersecurity trends will have heard the acronym XDR, for extended detection and response. XDR has already become one of those terms that has seen a huge increase in popularity in a short amount of time, but in practice — similar to the early overuse of ML — it is being used to mean many different things.
I’d like to explain how CrowdStrike and Humio joining forces will further expand the Falcon Security Cloud XDR capabilities, but first let’s clear up what XDR is, was, and should be.
The State of XDR
As more applications moved to the cloud, as more employers embraced SaaS and remote work, and as end-to-end encryption of communication became ubiquitous, network security and hardware vendors began to lose their guaranteed access to network traffic. Without real-time access to cleartext, the visibility, the data and the source of truth they needed could only come from telemetry on the endpoint itself. This sparked the thought that network events could be a source of data to be correlated with traditional EDR data to reach new heights of visibility and detection fidelity.
Early XDR solutions were driven by those network vendors bundling their network telemetry with endpoint telemetry and presenting the result as extra visibility. A typical use case for network telemetry was the detection of lateral movement by correlating malicious activity on multiple hosts that had exchanged data. While this is a valid use case, most of this data is already available on the endpoint to any reasonably mature endpoint protection platform. CrowdStrike’s approach is to use the network data available to the Falcon sensor, correlated down to the process level rather than just the host, which gives investigators a more complete picture of the suspect activity.
An important reason why this example of XDR correlation has been possible in our system for so long is because the components involved were designed to work together.
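The process-level correlation described above, as an added example (this is illustration code, not CrowdStrike’s or Humio’s code, and not the Falcon sensor’s actual event schema): constructed sensor-style events from two hosts are joined so that an outbound connection to a remote-execution port, attributed to the originating process on the source host, is matched with a process spawned by a remote-execution launcher on the destination host within a short window. Host names, pids, field names, the window, and the port and launcher tables are assumptions made for the illustration.

```python
"""Process-level lateral movement correlation across two hosts.

Added illustration, not CrowdStrike or Humio code. Events are constructed
to mimic what an endpoint sensor reports (process starts, and outbound
network connections attributed to the originating process). Field names,
event shapes, and the port/launcher tables are assumptions for this
example, not any vendor's telemetry schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Ports typically used for remote execution or remote administration,
# mapped to a technique label (assumed table for the example).
REMOTE_EXEC_PORTS = {445: "smb", 5985: "winrm", 5986: "winrm", 3389: "rdp"}
# On the destination host, remotely launched commands usually appear as
# children of these service hosts (assumed table for the example).
REMOTE_LAUNCHERS = {"services.exe", "wsmprovhost.exe", "wmiprvse.exe"}


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    pid: int
    image: str
    parent_image: str
    user: str


@dataclass(frozen=True)
class NetEvent:
    ts: datetime
    host: str
    pid: int          # process that opened the connection
    image: str
    dst_host: str
    dst_port: int


@dataclass(frozen=True)
class Finding:
    technique: str
    src_host: str
    src_image: str
    src_pid: int
    dst_host: str
    dst_image: str
    dst_pid: int


def correlate_lateral_movement(proc_events, net_events, window=timedelta(seconds=30)):
    """Flag process P on host A connecting to a remote-exec port on host B
    when, within `window`, host B starts a child of a known remote launcher.

    Host-level correlation would only say "A talked to B"; keeping pid and
    image on both sides tells the analyst which process on A initiated the
    session and which process on B was spawned as a result.
    """
    starts_by_host = {}
    for p in proc_events:
        if p.parent_image.lower() in REMOTE_LAUNCHERS:
            starts_by_host.setdefault(p.host, []).append(p)

    findings = []
    for n in net_events:
        technique = REMOTE_EXEC_PORTS.get(n.dst_port)
        if technique is None or n.dst_host == n.host:
            continue  # not a remote-exec port, or loopback traffic
        for p in starts_by_host.get(n.dst_host, []):
            if n.ts <= p.ts <= n.ts + window:
                findings.append(Finding(technique, n.host, n.image, n.pid,
                                        n.dst_host, p.image, p.pid))
    return findings


def demo():
    """Constructed telemetry: one PsExec-style hop WS01 -> SRV02 over SMB,
    plus benign noise that must not be flagged."""
    t0 = datetime(2021, 2, 18, 10, 0, 0)
    proc_events = [
        ProcEvent(t0, "WS01", 4120, "powershell.exe", "explorer.exe", "jdoe"),
        ProcEvent(t0, "WS01", 4130, "outlook.exe", "explorer.exe", "jdoe"),
        # services.exe child started long before any connection: out of window
        ProcEvent(t0 - timedelta(minutes=10), "SRV02", 1200, "svchost.exe", "services.exe", "SYSTEM"),
        # remote service installed over SMB a few seconds after the connection
        ProcEvent(t0 + timedelta(seconds=5), "SRV02", 912, "PSEXESVC.exe", "services.exe", "SYSTEM"),
        ProcEvent(t0 + timedelta(seconds=6), "SRV02", 940, "cmd.exe", "PSEXESVC.exe", "SYSTEM"),
    ]
    net_events = [
        NetEvent(t0 + timedelta(seconds=1), "WS01", 4120, "powershell.exe", "SRV02", 445),
        NetEvent(t0 + timedelta(seconds=2), "WS01", 4130, "outlook.exe", "mail.corp.example", 443),
        # ordinary file-share access: remote-exec port, but FS01 spawns nothing
        NetEvent(t0 + timedelta(seconds=3), "WS01", 4500, "explorer.exe", "FS01", 445),
    ]
    return correlate_lateral_movement(proc_events, net_events)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.technique}] {f.src_host}:{f.src_image}({f.src_pid}) -> "
              f"{f.dst_host}:{f.dst_image}({f.dst_pid})")
```

The single finding names the originating powershell.exe on WS01 and the PSEXESVC.exe it caused services.exe to start on SRV02, rather than just "WS01 talked to SRV02". The explorer.exe file-share access to FS01 over the same port is not flagged because nothing on FS01 was spawned by a launcher inside the window, and the svchost.exe start on SRV02 ten minutes earlier is excluded by the same window.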
More recently we hear legacy vendors talk about what XDR means to them. In many cases it amounts to monitoring and analyzing events from their own product suite. There is a temptation to let XDR become nothing more than the superficial integrations the industry has seen before, and it is already starting to mirror the problems that plagued the SIEM products of the past. The need to manually stitch together data from separate systems has led to bloated data lakes filled with largely unusable data, and to platforms that require expert knowledge to configure, integrate and query, to say nothing of the valuable information and context lost when data is converted and normalized.
Most XDR solutions today are unable to deliver the concise, actionable insights organizations need to realize the true promise of XDR. They lack cloud-scale AI to effectively analyze the vast data set required to defend enterprise organizations, and they lack the purpose-built graph database needed to combine and correlate events, adversary intelligence and human analysis. Instead they focus on collecting everything they can, ingesting unneeded and irrelevant data along the way.
Unsurprisingly, organizations are left with large, complex data sets that lack context and hide the important insights security teams require, and they come to CrowdStrike to solve these problems.
Don’t just build a bigger haystack
It is safe to say that the way IT organizations work today is unrecognizable compared to 10 or even 5 years ago. One of the biggest changes we have seen is the move of applications, infrastructure and data into the cloud. Organizations have moved beyond using individual private clouds, to hybrid and public clouds, and to using cloud workloads where the work functions, applications and services are processed by a remote server or instance at any given time, with users or applications interacting via the Internet. The traditional server is replaced by the container workload, a form of operating system virtualization where an application and all of the dependencies that are required for it to run are packaged in a self-contained unit.
From a security architecture perspective, all this change has brought a drastically different attack surface with a vast number of event sources, feeds, and telemetry enrichments that defenders need to manage themselves, just to keep even a basic grip on security visibility and response.
The critical challenge in cybersecurity is to not be burdened with too much data. This is a fundamental architecture problem that every security vendor must solve. If the system being designed is overwhelmed with data, vendors are forced into trade-offs. We see vendors limit data to improve product margins, limit data to reduce bandwidth challenges, or even suppress and hide data so as not to overwhelm the analyst. The choices and trade-offs made by security vendors using legacy architectures in a cloud-native world are limiting security capabilities, reducing the effectiveness of security teams, and leaving organizations blind to attacks.
Richer data, and the correlations that it can unlock, are the key to XDR.
Focused on the Adversary — Not the Acronym
As the pioneers of EDR (endpoint detection and response), we have spent the last decade building on that endpoint data by adding more network visibility and telemetry from all workloads, regardless of where they are: on premise, in the cloud, or deployed in a container. We moved beyond traditional control points and data feeds to correlate user identity and the services and infrastructure we use every day, expanding our scope and enriching our existing knowledge.
This is not simply merging data such as network and endpoint information together, but knowing and understanding which information is vital, when and where. This is the most important element of any modern EDR, or XDR platform: the design choice to stream, capture, and store the information that we know is of use and will allow us to make actionable decisions about real-world scenarios.
Our approach to the next generation of XDR is unique to CrowdStrike because we already correlate telemetry from all types of workloads, together with identity and asset information in our Threat Graph, which no one else can do. Of course, the strength of any platform is demonstrated by its ecosystem, and the CrowdStrike Store further enriches the telemetry we already have by integrating with third-party apps at the click of a button.
Welcome to CrowdStrike, Humio
A future-proof security platform requires the ability to acquire and use data sources at will to detect and respond to the ever-evolving attack surface.
It is important to understand that every workload is different, and so is every attack surface. This is why CrowdStrike provides an array of capabilities to allow customers to manage and patch vulnerabilities, to run enterprise IT operations, asset management and IT hygiene, and prevent physical infrastructure attacks and data exposure. We do this through the very same cloud-native security platform we originally pioneered for endpoint security, and that we have evolved over the past decade to address new and adjacent customer needs.
I’m delighted to announce that CrowdStrike has agreed to acquire Humio, a leading provider of high-performance cloud log management and observability technology, to help accelerate our plans to deliver more of the innovation that customers need in this next generation of XDR.
Joining forces with Humio will not only elevate our ability to solve security use cases; it builds on the momentum we have already achieved with Falcon Spotlight and Falcon Discover, where we continue to grow our ability to address broader use cases outside of security.
We conducted a thorough market review of competing solutions and were blown away by Humio’s mature technology architecture and their proven ability to deliver at scale, making it ideal to enhance CrowdStrike’s Security Cloud.
Through a platform that spans endpoints, identities, applications, the network edge, and the cloud, CrowdStrike is building a unified data layer to power the next generation of enterprise security and IT platforms. With the ability to ingest and analyze both first- and third-party data, and to answer complex questions at the speed of the cloud, CrowdStrike will continue to innovate and advance its powerful data platform to solve real-world customer problems. I am very excited for what our combined future holds.
By leveraging new ingest pipelines and cloud log management, we will continue to help developers, security analysts, and IT professionals gain complete observability to answer any question, explore threats and vulnerabilities, and gain valuable insights from all computer-generated data in real-time.
With the correlation-at-scale of Threat Graph, and the smart-filtering and on-sensor protection capabilities of the Falcon agent, our prevention and detection capabilities will find threats faster and enhance how the CrowdStrike platform addresses enterprise IT challenges. We will continue to bring the full force of our vendor authority to give customers the guidance and confidence to respond to incidents at speed, and make sure they don’t need to struggle with the complexity of building rules and tuning their products to stay on top of threats.
CrowdStrike and Humio share a vision that contextual data can help solve critical enterprise problems, across cybersecurity and beyond. After we close this transaction, our combined teams will deliver a combination of capabilities that is truly unmatched in the industry, and we will quickly and significantly extend the use cases the Humio platform already addresses.