With attackers setting speed records for breakouts and tool download times, every security operations center (SOC) team needs to consider how AI can help bend time in their favor.
It takes just two minutes and seven seconds to move laterally within a system after gaining access, and just 31 seconds for an attacker to download a toolkit and start reconnaissance operations on a compromised system. These figures are from George Kurtz, president, CEO, and co-founder of CrowdStrike. He provided the statistics during his RSAC 2024 keynote Next-Gen SIEM: Converging Data, Security, IT, Workflow Automation & AI.
“The speed of today’s cyberattacks requires security teams to rapidly analyze massive amounts of data to detect, investigate and respond to threats faster. This is the failed promise of SIEM [security information and event management]. Customers are hungry for better technology that delivers instant time-to-value and increased functionality at a lower total cost of ownership,” said Kurtz in his keynote. “The vast majority of the critical security data is already resident in the Falcon platform, saving the time and cost of data transfer to a legacy SIEM. Our single-agent, single-platform architecture unifies native and third-party data with AI and workflow automation to deliver on the promise of the AI-native SOC,” he said.
“One of the main problems in security is a data problem, and it’s one of the reasons why I started CrowdStrike. It’s why I created the architecture that we have, and it’s incredibly difficult for SOC teams to be able to sort through this massive amount of data and volumes to find threats,” Kurtz told the audience.
Legacy SIEMs are quickly becoming more of a liability than an asset to the SOC teams relying on them. SOC analysts have long called the need to work across multiple, conflicting systems “swivel chair integration.” Turning from one screen to the next to compare incident data burns valuable time, and the systems often disagree. SOC analysts then have to run each data source through tools to see whether the risk scores match. Legacy SIEMs are also known for slower search speeds and limited visualization options.
“It can take days to ingest data; it can take days to actually get through queries. So if you want to find and investigate an alert, you can’t be waiting days, particularly when you’re trying to triage an incident. And it all goes back to that concept of how do you bend time and how do you actually move faster than the adversary,” said Kurtz during his keynote.
Kurtz used the analogy of how quickly cell phone plans progressed from limited minutes to unlimited use to explain how next-generation SIEMs can be cost-effective. Kurtz believes next-gen SIEMs should allow for scalable data ingestion without exponential cost increases, so that security decisions are driven by risk rather than by financial constraints. Kurtz says next-gen SIEM needs to break the cost/productivity curve so customers can scale and ingest every available data source they have.
The goal: Bend time in favor of defenders
In launching a series of CrowdStrike Falcon Next-Gen SIEM innovations last week at RSAC 2024, Kurtz went all in on why it’s so important that defenders have the apps, tools and platform they need to bend time in their favor. A core message of his keynote is that it’s time to remove the roadblocks of legacy SIEM and strengthen Security Operations Centers (SOCs) with AI-driven expertise. CrowdStrike is offering all Falcon Insight customers 10 gigabytes of third-party data ingest per day at no additional cost so they can first experience the speed and performance of Falcon Next-Gen SIEM.
AI is a core part of Falcon Next-Gen SIEM architecture. Kurtz explained that their approach to AI as part of next-gen SIEM is to automate data parsing and normalization, enrich data to better identify and prioritize threats, and support advanced threat detection and automated response mechanisms.
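The three steps Kurtz lists (parse, normalize, enrich, then prioritize) are the part of a SIEM pipeline that analysts otherwise do by hand across several consoles. The following is an added example, not CrowdStrike's code or anything from the keynote, that shows the idea end to end: it parses two constructed event formats (a JSON endpoint event and BSD-style syslog lines) into one schema, enriches each event with an asset-criticality score and an internal/external source check, and sorts the result by priority. The asset inventory, internal address ranges, action weights and sample log lines are all constructed for the example; the syslog year is assumed to be 2024 because that timestamp format carries no year.

```python
import ipaddress
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample events (not real telemetry): one JSON endpoint event and two syslog lines.
# 203.0.113.45 is a documentation address used as a stand-in for an internet source.
RAW_EVENTS = [
    '{"ts":"2024-05-10T14:02:07Z","host":"db-prod-01","user":"svc_backup",'
    '"action":"process_start","detail":"powershell.exe","src_ip":"10.0.5.22"}',
    "May 10 14:02:38 web-dmz-03 sshd[2211]: Accepted password for admin from 203.0.113.45 port 51022 ssh2",
    "May 10 14:03:01 hr-laptop-17 auth: Failed login for user jdoe from 10.0.9.14",
]

# Constructed enrichment data: asset criticality (1-5) and the organisation's own internal ranges.
# Checking membership in explicit ranges avoids the pitfall that ipaddress.is_private() also
# treats documentation ranges such as 203.0.113.0/24 as "private".
ASSET_CRITICALITY = {"db-prod-01": 5, "web-dmz-03": 4, "hr-laptop-17": 2}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
ACTION_WEIGHT = {"process_start": 2, "login_success": 1, "login_failure": 1}


@dataclass
class Event:
    """Common schema every source is normalised into."""
    ts: datetime
    host: str
    user: str
    action: str
    src_ip: str
    detail: str
    source_format: str
    criticality: int = 0
    external_source: bool = False
    priority: int = 0


SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SSH_ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
LOGIN_FAILED_RE = re.compile(r"Failed login for user (?P<user>\S+) from (?P<ip>\S+)")


def parse(line: str, syslog_year: int = 2024) -> Event:
    """Parse one raw line (JSON or BSD syslog) into the common Event schema."""
    line = line.strip()
    if line.startswith("{"):
        d = json.loads(line)
        ts = datetime.fromisoformat(d["ts"].replace("Z", "+00:00"))
        return Event(ts, d["host"], d["user"], d["action"], d["src_ip"], d.get("detail", ""), "json")
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised event format: {line[:40]!r}")
    # BSD syslog timestamps carry no year; the caller supplies it (assumed 2024 for the sample).
    ts = datetime.strptime(f"{syslog_year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    msg = m["msg"]
    if (a := SSH_ACCEPTED_RE.search(msg)):
        return Event(ts, m["host"], a["user"], "login_success", a["ip"], m["prog"], "syslog")
    if (f := LOGIN_FAILED_RE.search(msg)):
        return Event(ts, m["host"], f["user"], "login_failure", f["ip"], m["prog"], "syslog")
    raise ValueError(f"unrecognised syslog message: {msg[:40]!r}")


def enrich(ev: Event) -> Event:
    """Attach asset criticality and whether the source address is outside the internal ranges."""
    ev.criticality = ASSET_CRITICALITY.get(ev.host, 1)  # unknown assets get the lowest score
    addr = ipaddress.ip_address(ev.src_ip)
    ev.external_source = not any(addr in net for net in INTERNAL_NETS)
    return ev


def prioritize(ev: Event) -> Event:
    """Simple constructed scoring: criticality x action weight, plus a bonus for external sources."""
    score = ev.criticality * ACTION_WEIGHT.get(ev.action, 1)
    if ev.external_source:
        score += 3
    ev.priority = score
    return ev


def triage(lines):
    """Run the full pipeline and return events ordered highest priority first, then oldest first."""
    events = [prioritize(enrich(parse(line))) for line in lines]
    return sorted(events, key=lambda e: (-e.priority, e.ts))


if __name__ == "__main__":
    for e in triage(RAW_EVENTS):
        origin = "external" if e.external_source else "internal"
        print(f"{e.priority:>3} {e.ts.isoformat()} {e.host:<13} {e.action:<14} {e.user} from {e.src_ip} ({origin})")
```

With the constructed inputs the PowerShell launch on the production database host ranks first, the external SSH login to the DMZ host second, and the failed internal login on a laptop last; the point of the exercise is that the ranking is computed once over normalised events rather than by an analyst reconciling three consoles.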
Kurtz says that, by definition, an AI-native SOC is self-learning. He says every company has many learnings about their employees, threats and environment. He cautioned that companies shouldn’t just rely on vendors to provide that data and insights. “The system should actually learn about what a malicious insider looks like in your organization. It should learn about the threats you deal with and how they’re exploited. And it’s part of the adaptive retraining of the system as time goes on,” Kurtz explained.

Read the full article at VentureBeat.
By Louis Columbus