Back to BlogHow to Select a SIEM for CrowdStrike
While CrowdStrike Falcon Endpoint Protection can protect against ransomware, malware and other emerging cyber threats, relying solely on it won’t provide a holistic view of your environment in the way that a security information and event management (SIEM) platform will.
A variety of SIEM vendors integrate with CrowdStrike Falcon Endpoint Protection, but not every integration is seamless. When looking for a SIEM, you’ll need one that will play nicely with your existing CrowdStrike environment.
What Is CrowdStrike Falcon Endpoint Protection?
First, it’s important to understand what CrowdStrike Falcon Endpoint Protection entails. It is a cloud-based endpoint security platform, providing advanced detection and prevention for Windows, macOS and Linux (MITRE).
It includes a suite of security tools, including next-generation antivirus (NGAV), threat intelligence, device control, firewall control, endpoint detection and response (EDR), threat hunting, IT hygiene and incident response services. CrowdStrike’s branded names for these products are Falcon Prevent, Falcon Insight, Falcon Device Control, Falcon OverWatch, Falcon Discover, Falcon Spotlight and Falcon X.
Why Do You Need a SIEM With CrowdStrike?
As a CrowdStrike customer, you may be wondering why you need a SIEM at all. Your EDR/NGAV is already designed to thwart cyberattacks such as ransomware and malware, so what’s the point of layering another platform on top of it?
There are many use cases for integrating a SIEM with CrowdStrike, including:
Enhance visibility. A SIEM correlates and alerts on all of the data from disparate data sources — including firewalls, cloud services, identity management, and an endpoint detection and response (EDR) platform such as CrowdStrike — to provide visibility across your environment.
Rather than replace your existing EDR platform, a SIEM like Blumira runs alongside it to provide complementary detection and response capabilities. Blumira gathers more detail than Sysmon or many other NGAV can, combining curated detection and response and system log collection into one package.
Additionally, Blumira Agent can extend the capabilities of its cloud SIEM by providing more advanced Windows logging and visibility into remote endpoints.
Cut through the noise of alerts. The robust nature of CrowdStrike Falcon is a double-edged sword. The platform collects an overwhelming amount of data that can be difficult to digest, especially for a smaller IT or security team with no SOC and less expertise or time to manage it. Admins also need deep expertise to run queries.
Layering on another product to reduce noise seems counterintuitive, but Blumira is designed to eliminate alert fatigue, using tactics such as automation, pre-built workflows and playbooks, and prioritized, contextual alerts. Blumira’s platform compares data across your different systems to prioritize only the most important findings and alert your team to potential threats, which is a major time-saver.
Meet compliance and cyber insurance requirements. Enhanced security visibility isn’t the only reason why an organization would need to run a SIEM for CrowdStrike; compliance and cyber insurance requirements also come into play. By default, CrowdStrike Falcon stores endpoint telemetry for 90 days, which doesn’t meet the log retention requirements for many compliance frameworks, including:
- HIPAA: 6 years
- PCI DSS: 1 year
- ISO 27001: 3 years
- NIST: 3 years
- SOX: 7 years
- GLBA: 6 years
Blumira’s flat fee, subscription-based pricing model is not based on log ingestion, enabling customers to make decisions based on true security needs rather than budget. We retain one year of log data by default in our SIEM + Endpoint Visibility and XDR editions — with the option to upgrade for longer retention — so there’s no need to export logs every three months and store them in a different location. While other SIEM providers charge their customers if they want to access their own logs, Blumira customers can access and review all of their current and past findings with our convenient dashboards.
Evaluating a SIEM for CrowdStrike Falcon
CrowdStrike partners with a variety of SIEM solutions, including Splunk, LogRhythm, Securonix, and Exabeam. Each of these integrations require CrowdStrike’s proprietary SIEM Connector. Setting up the Falcon SIEM Connector involves selecting the right configuration file, adding API client credentials, and parsing the data.
A partnership with CrowdStrike does not automatically mean that an integration is seamless, however. Admins should consider whether there is available support on both the CrowdStrike side and the SIEM vendor side. Data parsing can be finicky and time-consuming, especially for less experienced IT and security teams.
How Blumira SIEM Integrates With CrowdStrike Falcon
Connecting Blumira with CrowdStrike Falcon doesn’t require as much interaction with Linux — just a basic setup with our sensor install command and a short instruction set for the API integration.
Note: Our integration pertains to the newer CrowdStrike OAuth2-Based APIs, not the legacy Streaming APIs that CrowdStrike is retiring.
Here are the high-level instructions for setting up Blumira SIEM with CrowdStrike Falcon:
- Install a Blumira sensor with Ubuntu
- Next, in the CrowdStrike Falcon Console, create a new API client and gather the Client ID and Client Secret.
- Configure your existing Blumira sensor with a new module to connect to the CrowdStrike API using the credentials you obtained.
Read the full instructions on our Support site.
Once you can configure the integration between Blumira and CrowdStrike, you can easily stream endpoint security event logs from CrowdStrike Falcon Endpoint Protection to Blumira’s platform for threat detection and actionable response.
One example finding in Blumira’s platform, seen above, is the detection of malicious code. In this case, Blumira has detected a malware application running in the environment. It provides information about where the finding was found, and what type of finding/the priority level.
This particular finding is categorized as a Threat, meaning it poses an immediate and real threat to the security of data or resources, and it has been detected with a very high level of confidence. Blumira provides additional steps to mitigate or remediate a threat through workflow questions, also known as a security playbook.
The threat has also been categorized as Priority 3, meaning Blumira recommends that organizations respond within the next few business days unless notified otherwise. Threats designated as Priority 3 are considered lower priority alerts with the potential for malicious activities, but no further action has been performed or other exploits have been identified.
Customer Story: Fechheimer
One of Blumira’s customers, uniform manufacturing company Fechheimer, leveraged Blumira’s CrowdStrike endpoint monitoring integration to cut through the noise of too many alerts and improve security operations.
Fechheimer was using a variety of services for threat detection and log management, but they lacked visibility, proper alerting and log aggregation. They needed a better solution for their limited IT/security team.
Fechheimer’s first pentest highlighted many security gaps for the company. Based on the findings from the test, their IT team was able to make quite a few changes within the company and wanted to ensure they were working.
Subsequent pen tests have resulted in significant improvements, proving Fechheimer had greatly reduced their surface exposure with the help of Blumira. Blumira’s platform has also alerted Fechheimer to incidents that would otherwise go unnoticed, like system scanning, firewall attacks, null session attacks and more. They value the accessibility to Blumira’s security team, and the platform’s pre-built playbooks that guide them through remediation.
Why Blumira?
Blumira’s cloud-based SIEM + XDR with threat detection and response is built for small and under-resourced teams. We do things differently by providing more value for better cybersecurity outcomes, including:
- Automate Tasks For You – We do all the heavy lifting for your team to save them time, including parsing, creating native third-party integrations, and testing and tuning detection rules to reduce noisy alerts.
- Faster Time to Security – Our unique approach to detections notifies you of threats other security tools may miss, sending you real-time alerts in under a minute of initial detection to help you respond to threats faster than ever.
- Easily Meet Compliance – With a year of data retention and deployment that takes minutes to hours, we help you meet cyber insurance and compliance easily and quickly with the team you have today.
Blumira’s Free Edition can be configured and set up in about 10 minutes, and you’ll have access to our detection rules written by experienced Incident Detection Engineers. You’ll be able to see and respond to suspicious activity for free.