Falcon OverWatch is a team of dedicated, proactive threat hunters that work on your behalf. They constantly search the entire CrowdStrike Threat Graph for anomalous or otherwise new attacker activity. This augments the detection and protection offered by both the Falcon Host product and your in-house Security Operations Center. Often, human investigation is required to identify truly cutting-edge attack techniques.
How It Works
When the Falcon OverWatch team discovers a breach attempt, they immediately contact you. This is done in three ways. First, they push an alert to the Falcon Host management interface. This creates an event so that automated tools and processes can immediately see the high urgency alert. Second, the OverWatch team makes direct contact by email and phone. This is more than just a message to say that an alert was triggered. The communication will include all detail and context around the breach attempt, leveraging forensic data collected by Falcon Host. This rapidly reduces investigation timeframes and enables faster response. Finally, the OverWatch team can work with you via our support portal. This can be used for ongoing case management and root cause analysis.
How Falcon OverWatch Works with You When a Breach Attempt Is Discovered
So the customer can experience OverWatch in about three different ways. One way is through the traditional processes they’ve built around checking the Falcon UI for detections. OverWatch has the ability to push detections to a customer’s UI. It will say Falcon OverWatch detection on there.
As well, they’re able to push more malware-related things. If we opportunistically discover more run-of-the-mill malware, the team will go ahead and push that to the customer’s UI. It will show up as known malware. So sometimes, there is a little bit of– there are some workflows generated and some actionable content in the UI that does come from OverWatch even though it may not directly call it out.
Whenever you see a Falcon OverWatch detection in the UI, it will be accompanied by an email notification. And the email notification is the second area where you can experience OverWatch. The emails will generally be something that customers probably aren’t used to seeing from a managed service provider. They aren’t going to be– they aren’t simply going to call out the alert name and tell you the priority, and then that’s about it, and essentially, good luck.
What these emails contain are what we discovered, why we discovered it, what we think it is. Even if we’re not sure if it’s commodity, or it’s targeted, or if it’s ransomware, or something in between, we’ll tell you exactly what we think it is or don’t think it is. Sometimes, we’ll even tell customers, hey, this does not seem legitimate. We’ve looked at your environment. We’ve baselined it. This is abnormal, even for your administrators.
So the email notifications will contain as much context as we can possibly provide. Sometimes, we’ll pull open source intelligence to point to, perhaps, an open source tool that is used by pen testers, for example.
But at the very least, in the case of an intrusion, things actually become very straightforward. We’re going to tell you there is an intrusion. We’re going to tell you who we think it is and what we think they’re after. We’re going to tell you how far they got. We’re going to tell you how many accounts we think are compromised, and what systems that we can see have been compromised, and the method they’re using to laterally move.
So within the first notification– again, this can come in the first 30 to 60 minutes– if there is a real intrusion that could lead to a mega breach, you will have a notification that is extremely actionable and is almost an intrusion or an incident response timeline, or a very quick incident response triage or scoping. So again, with traditional IR processes and in a traditional SOC or in a CERT, it can take days and days to collect data to learn about the intrusion and then to build the coveted timeline.
And we’re able to provide it– again, with the continuous telemetry from the Falcon Host sensor, we’re able to provide that within minutes. And we’re able to fuse it and actually communicate it to the customers. And it’s an ongoing thing. So there’s the initial notification of an intrusion, but then there’s the ongoing partnership to mutually discover, mutually analyze what else the actor is doing on that network.
The third way you can experience OverWatch is through the support process. We like to use the technical support channel, so email@example.com, to handle all inbound requests, whether it’s detection related– something you see in your UI, and you want to know a bit more about the detection– or if you’re actually experiencing technical support issues in the traditional sense.
OverWatch is very engaged with our support team. There’s a very strong relationship there. And oftentimes– most of the time, whenever there’s a detection-related question, or if there’s a question on how a customer can query data in EAM or in the Investigations app, those questions are directly answered by OverWatch analysts, simply because there’s an acknowledgement in the company that the OverWatch analysts, the OverWatch hunters, are the subject matter experts of the platform and of the platform’s data.
So they’re able to very quickly answer questions with our own internal best practices and provide that through the support channels to help out. But we like to identify the three areas of OverWatch output as hunt, investigate, and advise. So ultimately, you can experience OverWatch in a variety of ways. But the pure intent of what we’re trying to perform here is to help you stop the mega breach.