CrowdStrike launches cloud threat hunting service

Launched at AWS re:Inforce 2022, CrowdStrike's Falcon OverWatch Cloud Threat Hunting is a standalone threat hunting service built to stop advanced threats from within the cloud.

CrowdStrike on Tuesday launched Falcon OverWatch Cloud Threat Hunting, a new standalone service dedicated to detecting advanced cloud security threats.

The new threat hunting service, which was introduced at AWS re:Inforce 2022 in Boston, is the latest offering under Falcon OverWatch, CrowdStrike's managed threat hunting service.

CrowdStrike described Cloud Threat Hunting as "the industry's first standalone threat hunting service for hidden and advanced threats originating, operating or persisting in cloud environments."

"Leveraging CrowdStrike's agent-based and agentless Cloud Native Application Protection Platform (CNAPP) capabilities, Falcon OverWatch cloud threat hunters investigate suspicious and anomalous behaviors and novel attacker tradecraft," the company said in a press release. "Falcon OverWatch Cloud Threat Hunting conducts 24x7x365 operations and can prevent incidents and breaches while proactively alerting customers to cloud-based attacks."

The vendor-agnostic service is designed to hunt threats in AWS, Microsoft Azure and Google Cloud Platform as well as other popular cloud services. CrowdStrike said the service includes indicators of attack (IOAs) tuned to cloud-specific threats such as control plane attacks (abuse of a provider's management APIs and identities) and container escapes (breaking out of a container onto the underlying host).
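To make concrete what a control-plane IOA looks like in practice, the following is an added example written for this article; it is not CrowdStrike's rule logic and not code from the page. It correlates a short chain of AWS CloudTrail management events by the same caller inside a ten-minute window (IAM reconnaissance, then a new access key for another user, then an AdministratorAccess grant). The event records, principals, IP addresses and the chain itself are constructed assumptions for the example.

```python
"""Illustrative cloud control-plane indicator of attack (IOA).

Added example, not CrowdStrike's detection logic. Matches a behavioural
chain of CloudTrail management events rather than a single event, because
each step (ListUsers, CreateAccessKey, AttachUserPolicy) is routine on its own.
"""
from datetime import datetime, timedelta

# Ordered stages of the chain; each maps to CloudTrail eventNames that satisfy it.
STAGES = (
    ("recon", {"ListUsers", "GetAccountAuthorizationDetails", "ListRoles"}),
    ("persistence", {"CreateAccessKey", "CreateLoginProfile"}),
    ("priv_esc", {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy"}),
)
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
WINDOW = timedelta(minutes=10)  # assumed window; tune to the environment


def _ts(event):
    """Parse CloudTrail's eventTime (ISO 8601, UTC, 'Z' suffix)."""
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _stage_matches(stage, event):
    name, event_names = stage
    if event["eventName"] not in event_names:
        return False
    if name == "priv_esc":
        # Only an admin-level grant counts; read-only policy attachments are normal.
        return event.get("requestParameters", {}).get("policyArn") == ADMIN_POLICY
    return True


def detect_control_plane_ioa(events):
    """Return one finding per caller whose events complete the chain in order
    within WINDOW of the first (recon) event. Findings are plain dicts."""
    by_caller = {}
    for event in sorted(events, key=_ts):
        by_caller.setdefault(event["userIdentity"]["arn"], []).append(event)

    findings = []
    for arn, evs in by_caller.items():
        for start in range(len(evs)):
            if not _stage_matches(STAGES[0], evs[start]):
                continue
            chain, stage_i = [evs[start]], 1
            for event in evs[start + 1:]:
                if _ts(event) - _ts(chain[0]) > WINDOW:
                    break
                if _stage_matches(STAGES[stage_i], event):
                    chain.append(event)
                    stage_i += 1
                    if stage_i == len(STAGES):
                        break
            if stage_i == len(STAGES):
                findings.append({
                    "caller": arn,
                    "source_ips": sorted({c["sourceIPAddress"] for c in chain}),
                    "chain": [c["eventName"] for c in chain],
                })
                break  # one finding per caller is enough to raise
    return findings


def _ev(t, arn, name, ip, **params):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": t, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"arn": arn}, "requestParameters": params}


# Constructed sample events; account ID, names and addresses are placeholders.
CI = "arn:aws:iam::123456789012:user/ci-deploy"
ADMIN = "arn:aws:iam::123456789012:user/alice"
SAMPLE_EVENTS = [
    # Routine admin work: an enumeration call followed by a read-only grant.
    _ev("2022-07-26T09:00:10Z", ADMIN, "ListUsers", "198.51.100.20"),
    _ev("2022-07-26T09:01:02Z", ADMIN, "AttachUserPolicy", "198.51.100.20",
        userName="bob", policyArn="arn:aws:iam::aws:policy/ReadOnlyAccess"),
    # A CI credential enumerates IAM, mints a key for another user, then grants
    # that user AdministratorAccess: the chain this IOA is written to catch.
    _ev("2022-07-26T10:00:05Z", CI, "ListUsers", "203.0.113.7"),
    _ev("2022-07-26T10:01:30Z", CI, "CreateAccessKey", "203.0.113.7", userName="backup-svc"),
    _ev("2022-07-26T10:02:10Z", CI, "AttachUserPolicy", "203.0.113.7",
        userName="backup-svc", policyArn=ADMIN_POLICY),
    # The same CI user rotating its own key hours later: a single event, not a chain.
    _ev("2022-07-26T15:30:00Z", CI, "CreateAccessKey", "203.0.113.7", userName="ci-deploy"),
]

if __name__ == "__main__":
    for finding in detect_control_plane_ioa(SAMPLE_EVENTS):
        print(finding)
```

The point of the chain is precision: none of the three API calls is suspicious alone, so a rule on any single one would drown an analyst in noise, while the ordered sequence from one principal inside a short window is rarely legitimate. A real hunt would also weigh context the example leaves out, such as whether the calling principal has ever performed IAM writes before and whether the source address matches the principal's baseline, and would allow for CloudTrail's delivery delay when choosing the window.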

In an email to SearchSecurity, Param Singh, CrowdStrike's vice president of Falcon OverWatch, defended the claim that the service is the first of its kind, even though other vendors already offer cloud threat hunting services.

"Many 'threat hunting' offerings on the market simply offer insights driven from automation and advanced analytics -- capabilities already built into CrowdStrike's core technology solutions by default," he said. "Falcon OverWatch is truly a unique and differentiated proactive service, spearheaded by its highly skilled, human-led operations and unmatched telemetry and visibility from the CrowdStrike Security Cloud."

CrowdStrike offered several examples of activity the service is built to prevent, including exploitation of zero-day vulnerabilities to compromise cloud workloads and attacks that compromise traditional IT assets in order to pivot into cloud systems.

Singh said two main factors have driven the need for a standalone cloud threat hunting service. "The security industry has a skill shortage, and organizations have increasingly complex cloud environments," he said, adding that cloud threat operations are increasingly outpacing the efforts of the security industry.

CrowdStrike also introduced enhancements to its CNAPP offering, CrowdStrike Cloud Security. New features include support for Amazon Elastic Container Service within AWS Fargate, software composition analysis, and image registry scanning for IBM Cloud Container Registry, JFrog Artifactory, Oracle Container Registry, Red Hat OpenShift, Red Hat Quay, Sonatype Nexus Repository and VMware Harbor Registry.

On the customer side, Singh said Cloud Threat Hunting can either act as a standalone capability or augment the security resources already in place in a customer's environment.

Alexander Culafi is a writer, journalist and podcaster based in Boston.