Falcon OverWatch has a different purpose than MSSPs, which are traditionally used to manage a customer’s security products such as firewalls, IDS/IPS, SIEMs and web gateways. While MSSPs provide some basic detection and alerting services, these are largely based on the managed security products' alerts, leaving the customer responsible for investigating, prioritizing and determining what needs to be done to respond to an incident. Historically, MSSPs have focused primarily on monitoring perimeter security solutions such as firewalls, UTMs (unified threat management) and web gateways, an approach which has proven inefficient since skilled attackers are capable of infiltrating organizations without being detected by those solutions.
Falcon OverWatch, on the other hand, does not manage the customer’s security products. Instead, OverWatch proactively searches for threats on the customer’s behalf, going above and beyond the passive, automated detection offered by current security technologies. OverWatch searches, finds, investigates and can even respond to “smoking gun” indicators that point to attacks that would otherwise go undetected. OverWatch also provides actionable alerts with recommendations for remediation, providing a detailed analysis that allows customers to determine what happened and how to respond to the incident. In addition, MSSPs historically do not detect advanced attacks. However, on a daily basis, OverWatch detects attacks that have gone unnoticed by the customer’s MSSP. This can be verified with CrowdStrike® adversary emulation services, which allow customers to test their MSSP’s abilities to detect advanced attacks.