CrowdStrike

Threat Hunting (Falcon OverWatch)

CrowdStrike's Falcon OverWatch applies new, analyst-driven detection logic ("human eyes") to respond to new threats that traditional SOC services cannot handle.

It provides multi-layered defense by proactively searching for threats in logs that look normal, on the premise that advanced threats exist which have slipped past the automated detection of NGAV and EDR.

Attack methods have become more sophisticated in recent years. After intruding into an environment, attackers carry out internal reconnaissance and lateral movement (horizontal deployment) using standard commands and legitimate tools, with actions that are difficult to distinguish from normal activity. If automated detection is tuned to flag these behaviors, over-detection occurs frequently, which may lead to important threats being overlooked.

Therefore, threat hunting is important to expose threats that evade functional detection.

Issues with conventional SOC (Security Operation Center) services

  • Regularly monitor FW (firewall), IDS (intrusion detection system) and EDR detections, as well as error logs from network devices and endpoints
    ⇒ Logs judged to be normal after behavior review are not examined further, so threats may be overlooked
  • 24/365 monitoring, identification of detected security threats and notification of their details
    ⇒ Discoverable security threats are limited to the detection logic of the installed products, which cannot respond to new threats

Falcon OverWatch and SOC cooperation image

  • Falcon OverWatch: Early detection of new threats that have not yet been fully reflected in the product's detection logic
  • SOC service: Integrates, compiles and reports the content detected in the customer's environment

Benefits of implementing Falcon OverWatch

  • Discover new threats that behavior-based detection cannot catch, and notify you immediately, before detection logic is updated
  • "Human eye detection" by Falcon OverWatch removes the need to rely on EDR alone, so over-detection can be reduced ⇒ Reduces the burden on administrators
  • Ability to detect malicious activity that automated detection could not find
  • Conduct effective investigations based on the activity analysis provided by the Falcon OverWatch team
  • MSS (Managed Security Service) also examines the content of each notification and contacts the customer
  • Critical matters can be dealt with quickly because customers are contacted directly

Inquiry/Document request

Macnica Co., Ltd., CrowdStrike team

Mon-Fri 8:45-17:30