With attackers breaking records for speed, every Security Operations Center (SOC) team needs to ask how AI can shift the odds back in the defenders' favor.
George Kurtz, CEO and co-founder of CrowdStrike, put numbers on that speed in his RSAC 2024 keynote, Next-Gen SIEM: Converging Data, Security, IT, Workflow Automation & AI: after gaining initial access, attackers have been observed moving laterally in as little as two minutes and seven seconds, and downloading a toolkit to begin reconnaissance on the compromised system within 31 seconds. The time a SOC has to detect and contain an intrusion is measured in minutes, not hours.
The Urgency of AI in Cybersecurity
Kurtz emphasized the necessity for security teams to swiftly analyze vast datasets to detect and respond to threats. “The speed of today’s cyberattacks challenges the capabilities of traditional SIEM systems,” he remarked. “Organizations are seeking advanced technology that offers faster return on investment while reducing total ownership costs. The critical security data is primarily housed within the Falcon platform, minimizing the time and expenses associated with transferring data to outdated SIEM solutions. Our unified architecture integrates both native and third-party data using AI and workflow automation, ultimately fulfilling the potential of an AI-native SOC.”
Challenges with Legacy SIEMs
As attackers refine their tradecraft, the gap between endpoint and identity security widens. Endpoint telemetry can reveal the early signs of an intrusion, but only if it is aggregated and searchable in time to act on it. “A significant issue in cybersecurity is managing data complexity,” Kurtz noted. “That’s why I founded CrowdStrike. SOC teams struggle to navigate overwhelming volumes of data to identify threats.”
Legacy SIEMs have become a liability for the SOC teams that depend on them. Analysts fall into “swivel chair integration,” pivoting between disconnected consoles that do not share context. Verifying a risk score means pulling data from several sources and running it through several tools, which introduces delays exactly when an incident is most urgent. Kurtz pointed out, “Querying data can take days, during which crucial alerts may slip through the cracks. It’s vital to find ways to outpace adversaries.”
Drawing an analogy to how cell phone plans evolved, Kurtz argued that a next-gen SIEM should let ingestion scale without a matching rise in cost, so that which data sources to onboard becomes a security decision rather than a budget decision. He called this breaking the cost-productivity curve: customers should be able to use every available data source rather than rationing what they send to the SIEM.
Empowering Defenders with AI
Kurtz used the keynote to launch a set of CrowdStrike Falcon Next-Gen SIEM innovations, framing them as the tooling defenders need to work at the attacker's pace. The message was to remove the limits imposed by legacy SIEMs and bring AI into the SOC workflow. To back that up, CrowdStrike is offering Falcon Insight customers 10 gigabytes of third-party data ingestion per day at no extra cost, so teams can evaluate next-gen SIEM speed on their own data.
AI runs through the Falcon Next-Gen SIEM architecture: it automates parsing and normalization of incoming data, enriches events with context for better threat identification, and supports detection and automated response. “An AI-native SOC learns continuously,” Kurtz explained. “Each organization possesses unique insights about its employees and environment, and organizations should not solely rely on vendors for this intelligence. The system must recognize what a malicious insider looks like within its context and adapt over time.”
Accelerating SOC Performance
CrowdStrike claims Falcon Next-Gen SIEM delivers up to 150x faster search and up to 80% lower total cost of ownership than traditional SIEMs. Both numbers target the two complaints SOCs raise most often about their SIEM: slow queries and slow response.
Key innovations in Falcon Next-Gen SIEM include:
Generative AI and Workflow Automation:
- Charlotte AI: CrowdStrike’s generative AI assistant lets analysts query Falcon data and documentation in plain language, shortening the time from question to answer.
- Investigative Efficiency: Related alerts and context are correlated automatically into a single incident, with generated summaries that speed up investigations.
- Custom Promptbooks: Analysts can define reusable detection and response workflows, enabling rapid incident resolution.
- SOAR Integration: The new Fusion SOAR user interface lets analysts build workflows through a drag-and-drop interface.
- Automated Investigations: Automated workflows support threat hunting and orchestrate actions across Falcon and third-party tools.
Rapid Data Ingestion:
- Expanded Ecosystem: New connectors bring third-party IT and security data into the Falcon platform.
- Cloud Connectors: Connectors for AWS, Azure, and GCP simplify collecting and monitoring cloud telemetry.
- Automated Data Normalization: Incoming data is parsed and normalized on onboarding, so detections apply consistently across sources.
- Efficient Data Management: New views make it easier to monitor the status and health of each data ingestion pipeline.
Enhanced Analyst Experience with Incident Management:
- Automated Enrichment: Contextual information is attached to incidents automatically, reducing manual lookups during investigations.
- Collaboration Tools: Improved incident views and notifications help analysts coordinate a response.
- Threat Intelligence Integration: Analysts can bring custom threat intelligence into their searches.
With these additions, CrowdStrike positions Falcon Next-Gen SIEM as the platform for SOCs that need to detect and respond faster than the breakout times attackers are now achieving.