LAS VEGAS — Security vendor CrowdStrike has had a busy year, raising $100M in new funding and releasing a major update of its Falcon security platform. At the Black Hat USA conference here, CrowdStrike announced its latest innovation, a new cybersecurity search engine.
Falcon has had search capability before, though Dmitri Alperovitch, co-founder and Chief Technology Officer of CrowdStrike, explained that the new module is something quite different. "We previously had five-second search capabilities as part of our Investigate module on data streaming from our customer’s endpoints," Alperovitch told eSecurityPlanet. "Customers could instantly discover artifacts present on their systems and investigate suspected intrusions."
"What they could not do was instantly search hundreds of terabytes of data, such as malware, that we collect from all over the world in order to research new attack types and better understand relationships between malware," he added.
There are multiple commonly deployed open-source tools, including ElasticSearch and Apache Lucene, that are often used in enterprise search indexing, though that's not what CrowdStrike is using for Falcon.
"The Falcon Search Engine is built on patent-pending indexing technology," Alperovitch said. "It does not use commercial search tech like Elastic Search or Solr/Lucene, which are good for indexing text-based data but are not well-suited for binary data such as files/malware."
A common challenge with search capabilities is that the search index grows quite large over time. Alperovitch explained that the CrowdStrike Falcon Search Engine runs on CrowdStrike's cloud-based platform – all of the data is stored in the cloud so there is practically limitless scalability.
"We use cutting-edge tech like proprietary and highly scalable graph databases to ensure seamless elasticity without compromising speed," he said. " Falcon is built for true cloud scale; more like Google than like a traditional security company."
In addition to being able to find current items, the Falcon search capability also includes an index of more than 700 million malware samples going back many years. Alperovitch explained that the historical perspective is critical for researchers to understand if they are dealing with something new and unique or just a variant of some previous malware family.
"On the endpoint protection side, we absolutely keep a historical record of everything that we record and, thanks to our CrowdStrike Threat Graph technology, customers can get 5 second visibility into that data no matter how large their deployment is," Alperovitch said.
The new Falcon MalQuery service is available to existing CrowdStrike customers as an additional service and can be purchased as a standalone offering by new customers. Alperovitch said there is an annual subscription fee and customers access the service using the Falcon MalQuery app located within the Falcon Management console.
"It's also important to note that you can use Falcon search engine even if you don't use our endpoint protection product," Alperovitch said. "This means any malware researcher can get value from it, even if they are running something else for endpoint protection."
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.