CrowdStrike offers variable data retention periods — ranging from 15-90 days — that depend on the type of data and the specifics of your contract, after which the data is no longer available in the application. This means that understanding an incident can require searching both the current CrowdStrike data resident in the application and the older, historical records that have aged out of it.
CrowdStrike is a key control for strong security operations, but leveraging historical data from CrowdStrike presents two major challenges.
The first challenge is retaining the data at all. You have two options:
- CrowdStrike data could be stored directly in your SIEM so that it remains available to security operators. But with the amount of data created and the high cost of SIEM storage, the cost is prohibitive; typically an extra $400,000 a year per 10,000 employees.
- OR, CrowdStrike data can be stored in less expensive cloud storage solutions like Amazon S3 Buckets. CrowdStrike offers a separate paid subscription service, CrowdStrike Falcon Data Replicator, to offload data into S3 Buckets. This is much more cost effective, around $20,000 annually, but leads to the second challenge.
The second challenge is working with the archived data:
- Search and retrieval are difficult. Analysts have to download the files and then rely on raw text searches (grep, sed, awk, etc.) to find results.
- Once results have been found, the analyst has to manually put them into context: determining relationships via network connections, timing, users, etc., as well as combining them with data from other sources — SIEM, HR, threat intelligence, etc.
Query enables analysts to be five times more efficient through a single search with rich visual context. An investigation that would normally have taken hours now takes minutes.