What is Falcon Insight?
Falcon Insight™ is the EDR (Endpoint Detection and Response) module of CrowdStrike® Falcon® endpoint protection. Falcon Insight acts like a DVR on the endpoint, recording activity to catch incidents that evaded prevention measures. It ensures customers have comprehensive, real-time visibility into everything that is happening on their endpoints from a security perspective — eliminating the risk of “silent failure,” which allows intruders to remain in your environment undetected. Falcon Insight detects indicators of attack (IOAs) that might have evaded other defenses and enables proactive threat hunting, both in real time and historically, across an entire environment. Beyond detecting sophisticated modern attacks quickly, Falcon Insight also helps you respond to and remediate threats effectively, getting you back to business quickly.
How much work is involved in configuring Falcon Insight to begin detecting incidents?
Falcon Insight is an intelligent EDR solution that can automatically detect incidents without requiring any fine-tuning or configuration prior to being fully operational. It achieves that by combining full endpoint visibility with IOA behavioral analytics to analyze events in real time and automatically detect traces of suspicious behavior, giving it the ability to pinpoint attacker activities that might otherwise go unnoticed. Thanks to IOAs, it’s no longer necessary for security teams to figure out what to look for and then build their own searches.
Although Falcon Insight does not require configuration or fine-tuning, it also offers users the ability to write their own custom searches, going back up to 90 days. This is useful for security teams that want to proactively hunt for threats in their environments. Because Falcon Insight is built on cloud-native architecture, query results are returned in five seconds or less.
Can I use Falcon Insight for incident response (IR)?
Absolutely, CrowdStrike Falcon is used extensively for incident response. Falcon Insight provides remote visibility across endpoints throughout the environment, enabling instant access to the “who, what, when, where and how” of an attack. In addition, Insight empowers responders with the ability to respond to and remediate threats in real time, reducing exposure and time-to-recover. The cloud-based architecture of Falcon Insight significantly accelerates incident response and remediation, enabling security teams to access forensics information, even if the endpoint is destroyed.
What is silent failure?
Silent failure takes place when an attack slips through an organization’s defenses without any alarms being raised, allowing attackers to dwell in an environment for days, weeks or months without detection. Falcon Insight provides protection against silent failure by recording all activities of interest on an endpoint and providing deeper inspection, both in real-time and after the fact. This in-depth, proactive analysis finds malicious patterns of activity that may not have been detected otherwise.
What information does Falcon Insight obtain from a customer’s environment?
CrowdStrike Falcon is designed to maximize customer visibility into real-time and historical endpoint security events by gathering the event data needed to identify, understand and respond to attacks — but nothing more. This default set of system events focused on process execution is continually monitored for suspicious activity. When such activity is detected, additional data collection is initiated to better understand the situation and enable a timely response to the event, as needed or desired. Note that the specific data collected changes as Falcon Insight advances its capabilities in response to changes in the threat landscape. Information related to activity on the endpoint is gathered via the Falcon agent and made available to the customer via the secure Falcon web management console.
How current is the information offered in Falcon Insight?
The information is constantly collected in real time, giving security teams the ability to “shoulder surf” an adversary or attacker. This ensures that the information displayed is always the most current and relevant. This is in contrast to EDR solutions that need to query endpoints, which results in information that is only as good as the last query or scan performed.
How far back can I see using Falcon Insight?
All the telemetry data collected from all endpoints can be kept for up to 90 days.
Can I use the information collected by Falcon Insight in my own security products, such as a SIEM?
Yes, the Falcon Data Replicator API provides complete event data that customers can ingest into their local data warehouse/data layer. In addition, a broad set of sophisticated and easy-to-use APIs enable applications to connect with the Falcon platform and other external data sources.
Can I proactively hunt with Falcon Insight?
Yes, the Falcon Insight cloud architecture enables proactive threat hunting at an unprecedented scale. Threat hunting increases an organization’s protection against attackers and plays a critical role in early detection of attacks and adversaries. Falcon Insight allows security teams to hunt across data collected for up to 90 days, returning query results within seconds and easily pivoting from one clue to the next.
In addition, organizations that don’t currently have the security resources to conduct their own threat hunting can still benefit from it thanks to Falcon OverWatch™, the managed threat hunting component of the Falcon platform. The Falcon OverWatch team of experienced security experts works on the customer’s behalf 24/7 to proactively hunt for threats and stop breaches.
What kind of infrastructure do I need to implement Falcon Insight?
Customers do not need to deploy any infrastructure for Falcon Insight. Falcon Insight uses the Falcon platform, which is 100 percent cloud-delivered. This allows customers to be protected faster and drives down total cost of ownership (TCO) by eliminating on-premises hardware acquisition, deployment and maintenance. Cloud-based security also makes it impossible for the attacker to acquire the CrowdStrike technology in an attempt to tamper with or try to bypass it. Should an attacker try to defeat Falcon, his attempts are sent to the cloud instantly, where they are detected. Cloud-based security allows CrowdStrike to see more of the threat landscape. This broader vision gives Falcon more data to analyze and this, in turn, improves its protection capabilities.
How can Falcon Insight help me respond to and remediate threats?
Falcon Insight offers a set of built-in operations to execute on systems during an incident response situation. Some of these response operations are used while investigating a threat in order to build a complete understanding of the threat’s risk and scope. These operations help responders to understand threats more quickly and completely. Other operations are used to take an action on a system to contain or remediate a threat. This can be done by stopping malicious processes, deleting files, cleaning up the Windows registry or containing network traffic, for example. These commands help responders act quickly and decisively. Together they help to dramatically shrink the time to respond to sophisticated threats.