Back to Tech Center

CrowdStrike for Security Operations

January 2, 2019

Tech Center
CrowdStrike Tech Center

Introduction

This document and video will demonstrate how the CrowdStrike solution empowers the Security Operations Center to detect and understand events quickly so that they can get proactive and take action to protect the organization.

Video

 

Threat Hunting

CrowdStrike’s EDR solution provides unparalleled visibility into local system events. While existing engines detect a great deal of malicious behavior, the adversary is always looking for new ways to gain access. Falcon OverWatch is there 24×7 to provide human insight and analyze events in search of potentially malicious activity that was not previously detected. When there is a detection, Falcon Overwatch will provide a direct message to SOC personnel via the Falcon Message Center or an email.

Message Center

SecOps OverWatch email

Event Visibility

The link in the email takes us directly to the event details.  There, we see the detailed visibility that Falcon Insight offers.  In addition to the process tree, we see the MITRE tactic & technique as well as the objective and severity.

SecOps Detection

Falcon Insight also provides response actions including remote remediation and network containment.  Network Containment helps to prevent lateral movement or external communications during your investigation.

SecOps Remediation

Incident Research

Once the incident has been identified and contained, we need to understand more about what has taken place. Using Falcon Discover, we can quickly understand if the user’s account might have been compromised. We can search on the username in question to track all login activity across all protected systems.

SecOps Discover account

Similarly, Falcon Insight can help us understand if there has been network access to related domains or IP’s from other machines. This is especially useful to understand if this is part of a persistent or long term attack where other machines might have been previously impacted.

SecOps domain

Intelligence Context

For activity that is attributed to a specific adversary, Falcon Intel’s actor profiles provide helpful information based on known behaviors of the actor.  Things like commonly targeted industries, Command and Control domains, and frequently leverages vulnerabilities can help you get proactive and take steps to protect your environment from future attacks.

Actor

Vulnerability Assessment

Falcon Spotlight gives you the ability to quickly assess the environmental status on specific vulnerabilities. Having this real time information is invaluable when you are responding to a threat or taking proactive action against known attackers. Sharing it with the patch management team can help them prioritize patch remediation plans.

Spotlight

Conclusion

CrowdStrike’s proactive threat hunting, EDR, cyber threat intelligence, IT hygiene, and vulnerability assessment tools work together to improve incident response and remediation times. Through fast detection, clear understanding and actionable measures, the Security Operations Team will be more effective and empowered to improve the company’s overall security posture.

More resources

Related Content