What is Falcon OverWatch?
CrowdStrike Falcon OverWatch™ is a managed hunting service responsible for detecting intrusions, malicious activities and adversaries that may otherwise go undetected. In addition, Falcon OverWatch proactively hunts for stealthy and destructive malware campaigns, notifying customers and providing protection, as appropriate.
I already have an MSSP, why would I need Falcon OverWatch?
Falcon OverWatch has a different purpose than MSSPs because traditionally, those are used to manage a customer’s security products such as firewall, IDS/IPS, SIEMs and web gateways, etc. While they provide some basic detection and alerting services, these are largely based on the managed security product alerts, leaving the customer responsible for investigating, prioritizing and determining what needs to be done to respond to an incident. Historically, MSSPs have focused primarily on monitoring perimeter security solutions such as firewalls,
UTMs (unified threat management) and web gateways, an approach which has proven inefficient since skilled attackers are capable of infiltrating organizations without being detected by those solutions.
Falcon OverWatch, on the other hand, does not manage the customer’s’ security products. Instead, OverWatch proactively searches for threats on the customer’s behalf, going above and beyond the passive, automated detection offered by current security technologies. OverWatch searches, finds, investigates and can even respond to “smoking gun” indicators that point to attacks that would otherwise go undetected. OverWatch also provides actionable alerts with recommendations for remediation, providing a detailed analysis that allows customers to determine what happened and how to respond to the incident. In addition, MSSPs historically do not detect advanced attacks. However, on a daily basis, OverWatch detects attacks that have gone unnoticed by the customer’s MSSP. This can be verified with CrowdStrike® adversary emulation services, which allow customers to test their MSSP’s abilities to detect advanced attacks.
Can Falcon OverWatch really make a difference?
Every day, Falcon OverWatch identifies and stops attacks that no other security defenses have been able to detect, let alone block. On average, Falcon OverWatch stops more than 15,000 breach attempts per year.
Does Falcon OverWatch have to do a baseline evaluation of my environment before it can begin investigating?
With the CrowdStrike Falcon® agent, there is no need to establish a baseline. During the course of an investigation, Falcon OverWatch compares the activity of each user, process or workstation to others within the customer’s environment.
A typical example would unfold as follows: Falcon OverWatch observes that a user, “Bob,” has used RDP (Remote Desktop Protocol) to access a server and executed some suspicious commands. Falcon OverWatch investigates all logins to that system, comparing interactive and RDP logins, as well as investigating Bob’s usage of RDP across the entire environment. In another example, OverWatch finds a suspicious process and proceeds to investigate how many times and where a suspicious file executed in the environment. As a managed hunting service, Falcon OverWatch can take this analysis one step further, searching to determine how prevalent this file is across the entire dataset and if it is exhibiting similar characteristics elsewhere.
Does OverWatch work with any of the other CrowdStrike teams?
OverWatch routinely engages with CrowdStrike Services, incident response, and threat intelligence teams. The OverWatch team collaborates bi-directionally with the Falcon Intelligence™ and security response teams, assisting with attribution and identification of the activities and malware found during their investigations. In incident response cases where Falcon OverWatch is engaged, the team works closely with CrowdStrike Services to exchange information derived from investigations.
What are retroactive investigations and when are they performed?
Retroactive investigations occur when Falcon OverWatch looks back over historical data for evidence of an intrusion. These investigations happen quite frequently. During the course of an intrusion, investigation artifacts such as IPs, domains, hashes, and others are collected. These artifacts are loaded into the CrowdStrike intelligence database to generate alerts in Falcon platform customer UIs going forward. Falcon OverWatch also searches for any historical occurrences of these indicators, investigating any hits and notifying the customer when appropriate.
How does Falcon OverWatch scale with increases in customers and event volumes?
Falcon OverWatch is highly efficient in its ability to scale event volume, systems, and staffing. With a focused mission of finding targeted and stealthy intrusions, Falcon OverWatch is not only analyzing detections in Falcon platform, but also uses proprietary OverWatch internal detection and analytics tools. That gives OverWatch the ability to tune its detection platform and eliminate false positives, which increases detection fidelity while decreasing analyst load. Finally, Falcon OverWatch leverages an extensive amount of intelligent automation, eliminating routine tasks and increasing the signal-to-noise ratio wherever possible.
Does Falcon OverWatch offer different levels of service?
Falcon OverWatch offers tiered levels of service that build on each other, allowing organizations to choose the option that best fits their business requirements and resources:
- Falcon OverWatch Standard is the entry level of service, with 24/7 proactive hunting that provides email notification and alerting from the Falcon OverWatch team within moments of a detection.
- Falcon OverWatch Premium is CrowdStrike’s highest level of OverWatch, including all standard services, escalated alert notification and direct contact. Proactive health checks and solution configuration, direct OverWatch team-member access, and quarterly briefings and security recommendations ensure you stay ahead of attackers and stop the mega breach.