How Falcon Overwatch Works with You When a Breach Attempt is Discovered

August 27, 2019


So the customer can experience Overwatch in about three different ways. One way is through the traditional processes they have built around checking the Falcon UI for detections. Overwatch has the ability to push detections to a customer's UI; it will say "Falcon Overwatch detection" on there. As well, they are able to push more malware-related things. If we opportunistically discover more run-of-the-mill malware, the team will go ahead and push that to the customer's UI, and it will show up as known malware. So sometimes there are some workflows generated and some actionable content in the UI that does come from Overwatch, even though it may not directly call it out.

Whenever you see a Falcon Overwatch detection in the UI, it will be accompanied by an email notification, and the email notification is the second area where you can experience Overwatch. The emails will generally be something that customers probably aren't used to seeing from a managed service provider. They aren't simply going to call out the alert name, tell you the priority, and then that's about it and, essentially, good luck. What these emails contain is what we discovered, why we discovered it, and what we think it is. Even if we're not sure whether it's commodity, or targeted, or ransomware, or something in between, we'll tell you exactly what we think it is or don't think it is. Sometimes we'll even tell customers, "Hey, this does not seem legitimate. We've looked at your environment. We've baselined it. This is abnormal, even for your administrators." So the email notifications will contain as much context as we can possibly provide. Sometimes we'll pull open source intelligence to point to, perhaps, an open source tool that is used by pen testers, for example.

But at the very least, in the case of an intrusion, things actually become very straightforward. We're going to tell you there is an intrusion. We're going to tell you who we think it is and what we think they're after. We're going to tell you how far they got. We're going to tell you how many accounts we think are compromised, what systems we can see have been compromised, and the method they're using to move laterally. So within the first notification (again, this can come in the first 30 to 60 minutes), if there is a real intrusion that could lead to a mega breach, you will have a notification that is extremely actionable; it's almost an intrusion or incident response timeline, or a very quick incident response triage or scoping. So again, with traditional IR processes, and in a traditional SOC or CERT, it can take days and days to collect data, to learn about the intrusion, and then to build the coveted timeline. And we're able to provide it, again with the continuous telemetry from the Falcon Host sensor, within minutes. And we're able to fuse it and actually communicate it to the customers. And it's an ongoing thing: there's the initial notification of an intrusion, but then there's the ongoing partnership to mutually discover and mutually analyze what else the actor is doing on that network.

The third way you can experience Overwatch is through the support process. We like to use the technical support channel, [email protected], to handle all inbound requests, whether it's detection related (something you see in your UI, and you want to know a bit more about the detection) or you're actually experiencing technical support issues in the traditional sense. Overwatch is very engaged with our support team; there's a very strong relationship there. And oftentimes, most of the time, whenever there's a detection-related question, or a question on how a customer can query data in EAM or in the Investigations app, those questions are directly answered by Overwatch analysts, simply because there's an acknowledgement in the company that the Overwatch analysts, the Overwatch hunters, are the subject matter experts of the platform and of the platform's data. So they're able to very quickly answer questions with our own internal best practices and provide that through the support channels to help out.

But we like to identify the three areas of Overwatch output as hunt, investigate, and advise. So ultimately, you can experience Overwatch in a variety of ways. But the pure intent of what we're trying to do here is to help you stop the mega breach.
