As attackers set speed records for breakout and download times, every security operations center (SOC) team must consider how AI can help put time back on the defenders' side.
It takes just 2 minutes and 7 seconds for an attacker to move laterally inside a system after gaining access, and just 31 seconds to download a toolkit and launch reconnaissance on a compromised system. These numbers come from George Kurtz, president, CEO and co-founder of CrowdStrike, who cited them during his RSAC 2024 keynote, "Next Generation SIEM: Converging Data, Security, IT, Workflow Automation and AI."
"The speed of today's cyberattacks requires security teams to quickly analyze massive amounts of data to detect, investigate and respond to threats more quickly. This is the failed promise of SIEM (Security Information and Event Management). Customers are hungry for better technology that delivers immediate value and more functionality with a lower total cost of ownership," Kurtz said in his keynote. "The majority of critical security data is already within the Falcon platform, saving the time and cost of transferring data to a legacy SIEM. Our single-agent, single-platform architecture brings together native and third-party data with AI and workflow automation to deliver on the promise of the AI-native SOC," he said.
Older SIEMs exacerbate data challenges
Attackers have gotten increasingly adept at finding gaps between endpoint and identity security. Endpoint data often contains invaluable insights that, when aggregated over time, can predict intrusion and breach attempts.
"One of the most important security issues is a data issue, and that's certainly one of the reasons I started CrowdStrike. That's why I created the architecture we have now, and it's incredibly difficult for SOC teams to sift through these massive amounts and volumes of data to find threats," Kurtz told the audience.
Legacy SIEMs are quickly becoming more of a liability than an asset to the SOC teams that depend on them. SOC analysts have long referred to the need to use multiple conflicting systems as "swivel chair integration." Going from one screen to the next and comparing incident data takes valuable time, and the systems often produce conflicting data. SOC analysts must then run each data source through additional tools to see whether the risk assessments match. Legacy SIEMs are also known for their slower search speeds and limited visualization options.
"It can take days for the data to be collected and it might take days for the queries to actually be processed. So if you want to find an alert and investigate it, you can't wait for days, especially when you're trying to categorize an incident, and all of it relies on the concept of how to bend time and how to actually move faster than the adversary," said Kurtz in his keynote speech.
Kurtz used the analogy of how quickly wireless plans evolved from limited minutes to unlimited usage to explain how next-generation SIEMs can be cost-effective. He believes next-generation SIEMs should enable scalable data collection without exponential cost increases and enable better security decisions without financial constraints. According to Kurtz, next-generation SIEM must break the cost-productivity curve so customers can scale and leverage every data source available.
The goal: bend time in the defenders' favor
When launching CrowdStrike Falcon Next-Gen SIEM last week at the RSAC 2024 expo, Kurtz went into detail about why it is so important that defenders have the apps, tools and platforms they need to make time work in their favor. A key message from his keynote is that it is time to remove the barriers of legacy SIEM and empower security operations centers (SOCs) with AI-powered technology. CrowdStrike is offering all Falcon Insight customers 10 gigabytes of third-party data ingestion per day at no additional cost so they can experience the speed and performance of Falcon Next-Gen SIEM for the first time.
AI is a core part of the Falcon Next-Gen SIEM architecture. Kurtz explained that their approach to AI as part of next-generation SIEM is to automate data analysis and normalization, enrich data to better identify and prioritize threats, and support advanced threat detection and automated response mechanisms.
Kurtz says that an AI-native SOC is, by definition, self-learning. He says every company has a wealth of insight about its people, threats and environment. He warned that companies must not rely solely on vendors to supply this data and insight. "The system should actually learn what a malicious insider looks like in your organization. It should learn more about the threats you deal with and how they're exploited. And it's part of the adaptive retraining of the system over time," Kurtz explained.
CrowdStrike's SIEM aims to speed up SOC performance
CrowdStrike positions Falcon Next-Gen SIEM against the many legacy SIEMs in use today by demonstrating faster search performance and lower total cost of ownership.
Claiming up to 150x faster search performance and 80% lower total cost of ownership than legacy SIEMs and solutions positioned as SIEM alternatives, CrowdStrike is targeting what most SOCs complain about most in legacy SIEM systems: slow search performance and response times.
Key areas of innovation include generative AI, workflow integration, rapid data capture, and enhanced incident workbench solutions to further support SOC analyst productivity. Each area is summarized below:
Generative AI and workflow automation:
- Charlotte AI for all Falcon data: CrowdStrike's generative AI security analyst, Charlotte AI, is now available for Falcon data in Next-Gen SIEM. SOC analysts can query Falcon data, product documentation, or knowledge bases within the Falcon platform in plain language to find an answer in seconds.
- Investigate with Charlotte AI: Automatically correlates all associated context into a single incident and generates an LLM-powered incident summary for security analysts of all levels, speeding investigations.
- New generative AI prompt books: New out-of-the-box prompt books speed up detection, investigation, search and response for many analyst workflows. Teams can define custom prompts to standardize and reuse detection and response workflows, moving from incident to action faster.
- Native SIEM and SOAR integration: Falcon Fusion's new SOAR interface gives SOC analysts the ability to drag and drop playbooks and workflows to speed up detection, investigation and response. A growing library of integrations and actions automates critical security and IT use cases across teams and tools in Falcon Next-Gen SIEM.
- Automated investigations and threat hunting: Falcon Fusion SOAR automates the threat hunting workflow. Falcon Next-Gen SIEM analysts can automatically query all data and visualize or orchestrate actions from Falcon and third-party tools to close the loop.
Fast data ingestion for improved detection and response:
- Expanded data ecosystem: New connectors in Falcon Next-Gen SIEM integrate third-party IT and security data into the Falcon platform.
- New cloud connectors: Includes full AWS, Azure and GCP connectors. The AWS connector covers all major cloud services such as GuardDuty, Security Hub and S3 Access Logs. Azure connectors include Microsoft Defender for Cloud and Exchange Online.
- Automated data normalization: New parsers simplify data onboarding. Automated normalization of third-party data to the new CrowdStrike Parsing Standard enables fast, accurate detection and response across all data sources.
- Automated SIEM data onboarding: New data management features make it easy to understand the health, volume and status of data ingestion, as well as to manage and edit custom parsers to easily incorporate new data sources, including local log collectors.
A modern analyst experience with Incident Workbench innovations:
- Automated incident enrichment: New automated enrichment capabilities add context to the indicators that SOC analysts attach to an incident, pulling in the full context of the Falcon platform, including adversary TTPs, host and user data, and vulnerabilities, which reduces investigation time.
- Case management and incident collaboration: Custom views, direct access to advanced event search from the Incident Workbench, severity and naming changes, and automatic change notifications when another analyst adds a note improve SOC analyst collaboration and usability.
- Add threat intelligence with custom lookup files: Add threat intelligence or custom content to Falcon Next-Gen SIEM to drive searches without manual processes.