CrowdStrike Falcon® Forensics: Ditch Inefficient Incident Response Tools for Good

December 17, 2020

| | Endpoint Security & XDR
There’s nothing like the pressure incident responders encounter when an attacker attempts to breach their organization. They often struggle with numerous tools and manual, time-consuming efforts to collect and consolidate the data before they can even begin to analyze it. Pivoting between tools and manual processes adds complexity and slows response, increasing adversary dwell time and risk. CrowdStrike has recognized this risk and developed a new solution to address it — CrowdStrike Falcon® Forensics

 

a single solution that enables IR teams to investigate and triage an incident before untold damage occurs. Developed by the CrowdStrike Incident Response team, Falcon Forensics was created to solve the lack of robust solutions available for IR teams.

 

Speed, skill and efficiency are critical components in any organization’s incident response (IR) process, and when an event or set of incidents is detected, the race is on. However, the collection of tools in an IR team’s arsenal is large and the sheer number of tools a responder has to juggle can be problematic. A responder may use one tool to collect raw artifacts, another to parse them, and then others to index or manually review the mass of data. When the heat is on, responders should be spending that time investigating and analyzing the activity around the incident, not wasting valuable time using a disparate set of tools to collect and organize the data they need. With CrowdStrike Falcon® Forensics, such delays and impediments are no longer a problem. CrowdStrike has been accredited by the U.S. National Security Agency (NSA) for Cyber Incident Response Assistance, has been certified as an investigator for CREST IR, and has a world-class response team. Our IR team has found the availability of a holistic forensics data collection and analysis solution severely lacking, not to mention that most solutions are simply not built to handle enterprise-wide triage. They wanted a solution that would serve other leading response teams in the best way possible. The solution they developed resulted in Falcon Forensics, enabling IR teams to move fast and efficiently, collecting the right data quickly and parsing large quantities of artifacts with new ease.

 

 

Falcon Forensics streamlines the collection of point-in-time and historic forensic triage data for robust analysis of cybersecurity incidents. Responders can quickly identify relevant data with preset dashboards to speed investigations. This solution changes the game for IR teams, giving them the freedom to collect, parse and analyze that data at the speed they require without relying on old tools and multiple solutions that don’t serve their needs.

 

Falcon Forensics Hosts Timeline Dashboard uses visuals to quickly show activity (click image to enlarge)

Straightforward Forensic Data Collection and Analysis

 

There is beauty in simplicity — but simplicity doesn’t mean basic. Falcon Forensics offers both simplicity and robustness that IR teams have been asking for but not receiving. Going further than just collecting event data, it provides a way to collect, parse, analyze and research the entire incident timeline in a single solution. Instead of using multiple collection and ingestion methods, and another set of tools to sort through and organize the collected data, responders can now use Falcon Forensics to replace those methods and tools. Falcon Forensics offers multiple preset dashboards, customizable groupings and other visualizations so researchers can dive deeply and quickly into their investigations. Incident responders can take advantage of CrowdStrike’s threat intelligence for added context on threats and actors specifically relevant to each organization.

 

As with everything developed at CrowdStrike, we’ve simplified the often-overlooked processes of deployment and maintenance by streamlining them for Falcon Forensics. Deployment is easy via CrowdStrike’s Real Time Response, providing the ability to deploy to ten endpoints or tens of thousands, depending on your needs. Maintenance isn’t an issue, as Falcon Forensics relies on a dissolvable executable, removing itself after data collection is complete and leaving minimal traces on an endpoint. And, of course, it leverages the CrowdStrike® cloud for data processing.

Falcon Forensics Can Immediately Help Your Team

 

Now more than ever, it’s time to capitalize on the skillset of your IR team. Eliminate the tools and workflows that increase workloads and slow response time. Use Falcon Forensics to provide your team with everything they need to collect, sort and analyze the artifacts relevant to the incident in question. For more information about Falcon Forensics, contact your sales representative, or visit the product webpage.

 

Additional Resources: