Falcon OverWatch is a team of dedicated, proactive threat hunters that work on your behalf. They constantly search the entire CrowdStrike Threat Graph for anomalous or otherwise new attacker activity. This augments the detection and protection offered by both the Falcon Host product and your in-house Security Operations Center. Often, human investigation is required to identify truly cutting-edge attack techniques.
How It Works
Falcon OverWatch is a team of cyber security experts that does proactive threat hunting across the entire CrowdStrike architecture. This adds a human element to the offering that is often necessary to counter the attackers conducting advanced attacks. The team hunts 24/7 and leverages efficiencies offered by the Falcon Platform to focus their efforts on only the most advanced attacker activity. If such activity is found, they immediately contact you and facilitate remediation and response. This approach allows advanced threat activity to be found in minutes rather than in days, weeks or months – drastically reducing dwell time for the attacker and cost for you.
How Falcon Overwatch Proactively Hunts for Threats in Your Environment
Well, we started Overwatch as an acknowledgement that there needs to be a human layer of our platform. If you want to take a look at your cyber actors out there, whether it’s nation state sponsored, it’s cyber criminals, or it’s hacktivists, or anything in between, they generally employ some sort of stack, if you will. We’ve got people on top using processes to operate their tools and tradecraft.
So on our side we wanted to mirror what the attackers are doing and provide a defensive platform kind of in line that mirrors the attack platform.
So we have the amazing Falcon platform that I think everybody has learned about until now. That’s where we’re going to have a lot of our tradecraft, our behavioral, our middle layer. That’s where we employ a lot of our processes for finding bad activity.
Next gen AV I consider to be the lowest level of tools, and artifacts, and things like that. It’s our prime engine for detecting the lowest level of the attack tools.
And at the very top you have the humans. It’s Overwatch. It’s people who are sensitized to human activity from the other end coming from the attacker. We like to call it hands on keyboard activity, things that aren’t predictable, things that aren’t infallible. They’re not automated. So they emit a completely different type of signature, a completely different type of fingerprint.
So ultimately when we created Overwatch, we had something we didn’t want to do and something we did want to do. What we didn’t want to do is create a 24 by 7 tactical, traditional SOC (Security Operations Center).
And the reason why is because we didn’t want to build a team that was focused just tactically resolving individual alerts as they came across. Rather we wanted to build a more strategically focused team. So a team that could see the forest from the trees. A team that could recognize a change in the patterns of detections. A team that could actually be proactive in nature.
So with Falcon Host and continuous monitoring, or continuous telemetry coming from our sensor, what we have is the ability to actually ask virtually any question that we want to ask of a customer’s environment. And we call that hunting.
Sometimes a question might look like we’ve identified an intrusion, and we want to figure out where else that intrusion has spread, so we can ask the data at that point in time.
Another question we might want to ask is: I have an idea for a pattern. I have this detection methodology I think could find targeted activity, or this latest ransomware campaign, and I want to test it against security data. So we use our Falcon Host data to test this hypothesis for an IOA.
Another method that we might actually do hunting is simply to perform advanced analytics, looking for outliers. The industry might call it process stacking, or registry hive stacking, things like that, where essentially you’re doing a frequency analysis of certain points of activity on endpoints to determine what the outliers are, and then examine those outliers to figure out if they’re malicious.
So we perform all three forms of hunting, and all the while paying attention to what’s happening on the platform, what automatic detections are coming from the platform where it’s doing its job. And we combine all those things into kind of a fused picture of what’s happening in the environment.
Because of that we’ve been able to find targeted attacks into several of our customers literally every day of the year. We’re able to quickly identify it. From the point that we identify our first trigger to look into some sort of activity to determine if there is a malicious actor on the other end to the time where you send the initial notification to customers with a certain amount of context about what’s happening is generally within 30 to 60 minutes.
If you consider some of the stats you’re reading out there, from the Verizon reports and whatnot, you see dwell times of advanced actors being months, sometimes years. And we’re catching them and telling you about them within 30 to 60 minutes on average.
So, again, for me that’s more proof of the pudding. It’s an affirmation that the way we’re going about the problem is the right way. So we use automation where we need to. We use humans where we absolutely need humans. And where we need humans is to make judgment calls.
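The two hunting questions described above, stacking endpoint activity to surface outliers and then pivoting to ask where else a finding appears, as an added illustration that is not CrowdStrike's code and uses no Falcon API. It runs over a small constructed set of process-start records; the field names and the host fleet are assumptions.

```python
from collections import defaultdict

# Constructed sample endpoint telemetry (not real Falcon data): one record per
# process start, as a hunter might pull for a fleet of five workstations.
EVENTS = [
    {"host": h, "process": p, "parent": pp}
    for h in ("ws01", "ws02", "ws03", "ws04", "ws05")
    for p, pp in (("explorer.exe", "userinit.exe"),
                  ("chrome.exe", "explorer.exe"),
                  ("svchost.exe", "services.exe"))
] + [
    {"host": "ws03", "process": "powershell.exe", "parent": "winword.exe"},
    {"host": "ws05", "process": "powershell.exe", "parent": "winword.exe"},
]

def stack(events, fields):
    """Frequency analysis ("stacking"): for each distinct combination of the
    given fields, collect the set of hosts it was seen on, rarest first."""
    seen = defaultdict(set)
    for ev in events:
        seen[tuple(ev[f] for f in fields)].add(ev["host"])
    return sorted(seen.items(), key=lambda kv: (len(kv[1]), kv[0]))

def outliers(events, fields, max_hosts):
    """Combinations present on at most max_hosts distinct hosts. These are
    candidates for a human to examine, not verdicts."""
    return [(combo, sorted(hosts)) for combo, hosts in stack(events, fields)
            if len(hosts) <= max_hosts]

def pivot_hosts(events, fields, combo):
    """Once a combination is judged malicious on one host, ask the same data
    where else it appears (the "where else has it spread" question)."""
    return sorted({ev["host"] for ev in events
                   if tuple(ev[f] for f in fields) == tuple(combo)})

if __name__ == "__main__":
    fields = ("process", "parent")
    for combo, hosts in outliers(EVENTS, fields, max_hosts=2):
        print(f"{combo}: seen on {len(hosts)} host(s) -> {hosts}")
    print(pivot_hosts(EVENTS, fields, ("powershell.exe", "winword.exe")))
```

On real telemetry the stacking key would typically include a file hash or path, and the max_hosts threshold would be set relative to fleet size.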