How CrowdScore Increases Efficiency
Introduction
This article and video will review CrowdScore – a feature that fundamentally changes the way customers interact with the Falcon platform. CrowdScore leverages the power of CrowdStrike’s cloud-native platform to help companies address common challenges and be more effective in investigating and remediating incidents.
Video
Challenges
These are a few of the top challenges that security teams face today.
- Strategic Awareness – As organizations continue to work individual, disjointed alerts, they risk falling into a reaction only mode. They lack a big picture, situational awareness to help enable more strategic security and resource decisions.
- Alert fatigue – Many companies have too many detections and not enough time. Analysts are ineffective at finding and addressing the most critical incidents among the noise.
- Time to investigate – Investigations can require a lot of time and resources. Reducing investigation time is critical to stopping incidents before they become breaches.
In the following sections, we will see how the CrowdScore helps address each of these challenges.
CrowdScore Provides Organizational Threat Level
CrowdScore provides an immediate indication of the current threat level to help organizations prioritize time and resources. CrowdScore delivers security leaders a simple metric designed to understand an organization’s threat level on a real time basis. Along with the metric, there is a historical trend line as well as a summary of change over the last seven days. By establishing a baseline and monitoring trends, teams can be more informed about the threat level state. Organizations can use this score and trend information not only for status reporting but also to make strategic decisions on resource engagement – especially when threat levels are high.
Prioritized Incidents Address Alert Fatigue
With CrowdScore, related detections are compiled into incidents. This summary view gives us an active, real time list of the incidents impacting the organization. Each incident is given score to illustrate the level of criticality and help prioritize efforts. Below, the first incident with a score of 10 is actually comprised of 52 individual detections.
Using the MITRE terminology, the incident driven workflow provides a summary of the activities associated with the incident as well as information about the impacted host and event timeline.
If we look closer at a specific incident, there is also a detailed timeline view of the incident with additional information like username and command line details as well as an option to edit the incident. This gives Security teams the ability to update the status, assign the incident to an analyst or add tags to help group and track incidents based on things like type and impact.
Incident Workbench Reduces Investigation Times
The incident workbench automates the work involved in collecting the data needed to understand the scope of an emerging threat. From the timeline, we can open a graphical view of the incident including a replay feature. At the top of the screen, we can move through the total duration of the attack and see events highlight in order as time advances.
In the pane on the left, you have the option to add different overlays to the existing process tree. Options like Thread Injections and Users help illustrate exactly what took place during the attack. The Users overlay shows what user account was used for every point in the incident.
There are also options to see exactly what events involved network operations, disc operations and DNS requests. For each event, you can get more details by hovering over the graph. Here we see a powershell command that was blocked due to encoded, malicious payload.
We can also expand an event to get more details like command line, hash and operations as well as pivot to an event search. All of this context and visualization helps analysts quickly understand the attack.
CrowdScore also helps with response. Directly from this view, analysts can take action on the host in question by using Network Containment or connecting via Real Time Response.
Closing
CrowdScore delivers prioritized incidents to streamline the triage process and help analysts focus on the most critical threats first. The Incident Workbench provides visualizations and context to speed investigation and response times. With CrowdScore, security teams can get an immediate sense of the current threat level and take action accordingly. CrowdScore enables security teams to both identify and respond to individual threats quickly and efficiently, while empowering organizations with information about their overall threat level.
