CrowdStrike Falcon X takes aim at incident response

SAN FRANCISCO -- CrowdStrike wants to improve incident response times for enterprises, and it's turning to security automation to make it happen.

At RSA Conference 2018 on Monday, the cybersecurity vendor launched CrowdStrike Falcon X, a new offering that automates threat analysis in order to quicken enterprise responses to cyberattacks. CrowdStrike -- which is appearing in several sessions at RSA Conference on new exploits, adversaries and response techniques this week -- has become one of the more visible cybersecurity vendors in the industry following its investigative work on the Democratic National Committee's 2016 data breach. Now, the company is broadening its reach with new initiatives around incident response.

Dmitri Alperovitch, CTO of CrowdStrike, based in Sunnyvale, Calif., said organizations often struggle to respond to a security incident and contain it before threat actors move laterally and gain a foothold inside the corporate environment.

"The most efficient companies with 24/7 security operations center and SOC 3 analysts will typically take three to four hours to do incident response," Alperovitch told SearchSecurity. "For the companies that don't have that, it could take them three or four days -- or more."

In CrowdStrike's 2018 Global Threat Report, the company stated that based on 25,000 observed incidents in 2017, the average "breakout time" for an intruder to successfully jump off the initial point of compromise was approximately 1 hour and 58 minutes.

With Falcon X, Alperovitch said the process takes about three minutes. When malware is detected on an endpoint, CrowdStrike Falcon X automatically "detonates" the sample and then runs it through CrowdStrike's malware search engine to compare it against other samples. The automated analysis, which includes customized threat intelligence, then sends the information to the security team, as well as other security products, so the malware can be effectively identified and blocked across the organization.

"Our goal is to reduce incident response time," Alperovitch said. "We're dramatically simplifying and optimizing this by automating it."

Falcon X is part of CrowdStrike's Falcon platform, a cloud-based assortment of endpoint security products, including antivirus, vulnerability management and threat intelligence, which are delivered through a single agent. Alperovitch said the company is broadening the Falcon platform beyond endpoint security. "Our strategy has been to keep the agents small and continue adding modules to the cloud service," he said.

In addition to CrowdStrike Falcon X, the company also introduced a new product geared toward small and medium-sized businesses. Dubbed CrowdStrike Falcon Endpoint Protection Complete, the product includes the endpoint security module of the Falcon platform, as well as dedicated security professionals to assist customers with incident response.

"SMBs are largely unable to protect themselves, because they don't have a lot of the basics," Alperovitch said. "They may not have any SOC analysts on staff."

Alperovitch added that incident response has received more attention and investments from enterprises recently, which is a positive sign. However, he said most enterprises struggle to identify and address incidents in a timely manner.