Since we founded CrowdStrike, one of the things I’ve been most proud of is our collective ability to work with customers to drive the industry forward. Leadership isn’t just about being the loudest voice or making outlandish marketing claims. It’s about listening and working with customers to help them solve their toughest problems to achieve a common goal: to stop violations.
This week with the GA release of Falcon XDR, I’m proud to say that CrowdStrike is once again leading the industry in cutting through the hype and delivering the next generation of automated XDR. Using our same single, lightweight agent architecture, Falcon XDR enables security teams to bring in third-party data sources for a fully unified solution to quickly and efficiently hunt and eliminate threats across multiple security domains.
Best of all for our customers, Falcon XDR is an extension of the industry-leading EDR. Why is this important? It’s plain and simple — if you don’t start with EDR, you don’t have XDR.
How we got here
In February 2021, following the SUNBURST supply chain attacks that rocked the industry and still reverberate today, I testified to the United States Senate Special Committee on Intelligence on the attack, and more importantly, the keys to a strong cybersecurity posture that would help organizations stop sophisticated attacks. In my testimony, I highlighted XDR as a key innovation that security teams need to keep pace with the sophistication of today’s adversaries:
“Security teams require contextual awareness and visibility into all of their environments, including cloud and ephemeral environments. The XDR concept aims to bring order to a sometimes chaotic array of security tools by deriving actionable information wherever it exists within the enterprise. As this committee will understand, XDR generates intelligence from what might otherwise be nothing more than information overload.”
In the year since I delivered this testimony, the industry has heard just about every promise about XDR from over 30 vendors (and counting) who have claimed XDR capabilities. At the same time, opponents have continued to become more sophisticated, more adept at exploiting the architectural limitations of legacy systems, and more astute in using stolen credentials and identities to advance their attacks.
The problem for our industry is that many XDR marketing claims fail to deliver – or even deliver a product. Security teams continue to struggle to turn disparate security data into the high-quality detections needed to identify, hunt, and eliminate today’s complex threats. Breaches continue to occur at a prolific rate.
I believed then and believe now that XDR can bring tremendous benefits to understaffed security teams who fight the good fight every day. But it must be rooted in reality, and it must solve the specific problems that security teams face, not exacerbate them.
Noise filtering: moving from hype to reality
Security expenses are not unlimited and every investment counts. But choosing the right XDR solution is more than just a tax liability – it could mean the difference between stopping the breach or making headlines. This is why it is important to separate what XDR really is and what it is not.
XDR is not just about integrating data into a single console. This doubles down on the failed promise of SIEM. Do security teams really need another stagnant lake of data to sift through in hopes of finding a correlated detection? Adding even more events just creates a bigger mess for security teams to wade through and makes threat hunting even harder. Security teams have a tough enough job, and this approach makes it even tougher.
XDR is not a rebranding effort. We’ve seen it time and time again…and again…and again. Many vendors jumped on the hype cycle and repackaged existing products to increase their valuation or try to fit into analysts’ various and different definitions of XDR. These rebranding efforts were rarely followed by an actual product release. Calling an old product by a different name doesn’t magically change what it is. You can pull all first-party product event data into one location or aggregate data from many products into one central location, but that doesn’t mean you provide XDR. You have to do something with the data. XDR doesn’t just consolidate existing alerts, it generates new ones.
It’s not XDR; it’s a double-down on yesterday’s failed practices that threaten to further compound the problems security teams face by flooding them with more data, more alerts, and more complexity. Plus, it creates more noise in the market, which then falls on the client to try to figure out what’s real and what’s not. How does this help the customer?
At its core, XDR is the evolution of EDR, and as I said earlier, it has to start with EDR technology and build on that foundation. XDR must give security teams relevant telemetry from systems and applications across an organization’s IT security ecosystem to improve and accelerate visibility, detection, and response actions beyond the endpoint, empowering security teams to stop violations more quickly. XDR must also provide proactive and automated responses to threats across the entire security stack.
Falcon XDR: Setting the industry standard
With the GA version of Falcon XDR, we’ve raised the bar by delivering a solution that delivers on its promise and empowers security teams to quickly identify, track and eliminate today’s most sophisticated threats. With Falcon XDR, we have listened to our customers and provided:
Extended XDR from industry-leading EDR technology. CrowdStrike invented EDR and continues to be the undisputed leader in modern endpoint protection. The Falcon platform was purpose-built in the cloud to leverage CrowdStrike Security Cloud’s vast telemetry and use cloud-scale AI to automatically detect and remediate everything from malware to highly sophisticated attackers. For years, our customers have been exploiting “XDR” type use cases. We didn’t jump at this opportunity to rebrand, we used it as an opportunity to continue to innovate and deliver more of what our customers need.
XDR that makes sense of structured and unstructured data. We are not creating another data lake for security teams to search, and hope and pray that they find a relevant detection. Using the power of Humio, customers can seamlessly ingest third-party security data from the broadest range of sources, including network security, email security, identity, cloud infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS), cloud access security broker (CASB) and more. And to ensure customers have the most relevant telemetry, we continue to develop the CrowdXDR Alliance, working with industry leaders to create a common standard for data sharing.
The best of native and hybrid XDR. Sophisticated attackers constantly evolve their attacks to avoid detection. 80% of breaches are now identity driven and cloud attacks continue to rise. Successful XDR requires telemetry that aligns with adversary tactics, targets, and critical areas of enterprise risk. Falcon XDR offers this with its unique best-of-native-and-hybrid approach. Falcon XDR collects native telemetry from all Falcon modules (including cloud, identity, vulnerability, etc.) and extends and correlates this data with third-party (hybrid) sources. This gives security teams a clear, unified picture of an attack path to quickly identify and eliminate threats.
XDR with fully automated response. Falcon Fusion, our SOAR framework, is natively integrated into the Falcon platform and is provided free of charge to customers. This allows customers to create real-time active notification and response capabilities, as well as customizable triggers based on incident detection and categorization. Most importantly, it alleviates security team fatigue by increasing efficiency and agility.
We believe Falcon XDR lives up to the hype and gives security teams exactly what they need: the richest combination of frictionless proprietary and third-party security data, the ability to produce custom detections with fast and automated response, and a better way to hunt threats and stop breaches.
Our CTO Mike Sentonas has a related blog post which dives deeper into demonstrating how Falcon XDR achieves this. I encourage you to read it to see the CrowdStrike difference.
We’re glad you’re trying Falcon XDR. But in true CrowdStrike fashion, that’s just the beginning. We will continue to stay focused on your most pressing problems and deliver market-changing innovations that solve them.
George Kurtz is CEO and co-founder of CrowdStrike.