AWS Partner Network (APN) Blog

CrowdStrike’s Charlotte AI – Enhancing the productivity of Cyber Security Analysts with Generative AI built on AWS

By Jenn Reed, Principal Security Partner Solutions Architect – AWS
By Ayan Ray, Sr. Partner Solutions Architect, Generative AI – AWS


Adversaries are rapidly evolving their tactics to evade detection and maintain persistence. CrowdStrike’s Global Threat Report reveals that the average breakout time, the duration between initial access and lateral movement within a user’s environment, has dropped from 1 hour and 58 minutes in 2019 to just 62 minutes in 2023. Though the initial access can occur in as little as 2 minutes, the threat actors can persist undetected for an average of over 280 days.

In the current threat landscape, security teams must enhance their threat detection and response capabilities. CrowdStrike addressed this challenge by developing Charlotte AI, a generative AI security analyst that enables users of the CrowdStrike Falcon platform to swiftly surface hidden threats, accelerate decision-making for analysts across skill levels and automate manual or error-prone tasks.

What is Charlotte AI?

CrowdStrike® Charlotte AI™ is a conversational AI assistant for security analysts. It enables users of the CrowdStrike Falcon platform to ask plain-language questions to swiftly surface hidden threats, accelerate decision-making for analysts across skill levels and automate manual or error-prone tasks.

Solution: Cybersecurity powered by Generative AI

CrowdStrike partnered with AWS to develop Charlotte AI and other critical components of the Falcon platform on AWS. Building its machine learning environment on AWS gives CrowdStrike the flexibility to test and train models while adapting to changing throughput, bandwidth, and parallel-processing demands. CrowdStrike regularly processes petabytes of data collected from customer endpoints, cloud workloads, identity providers, applications, data stores, and networks, all of which is stored across the Falcon platform. This data is contextualized against the ever-growing threat intelligence assembled by CrowdStrike’s malware researchers, threat hunters and Managed Detection and Response (MDR) teams. Each source is processed with Amazon EMR to transform the data and apply predictive machine learning, producing near real-time detections that are stored across CrowdStrike’s distributed NoSQL store and Amazon Simple Storage Service (Amazon S3) object storage.

Using Amazon SageMaker, CrowdStrike fine-tunes multiple Large Language Models (LLMs), one for each data source. It runs embedding models in Amazon SageMaker Large Model Inference (LMI) containers to create vector embeddings, which are stored in the Amazon OpenSearch Service vector store. Semantic similarity searches over these embeddings retrieve the relevant contextual information, which is then passed to high-performing Foundation Models (FMs) from leading AI providers such as Mistral, Meta and Anthropic to generate meaningful suggestions for security analysts. Because the pipeline is built on AWS, CrowdStrike can implement fine-grained access control and governance processes within the Falcon platform.


Figure 1: CrowdStrike Charlotte AI Architecture Diagram

About LMI containers

LMI containers are a set of high-performance Docker containers purpose-built for large language model (LLM) inference. With these containers, you can use high-performance open-source inference libraries such as vLLM, TensorRT-LLM and Transformers NeuronX to deploy LLMs on Amazon SageMaker endpoints. The containers bundle a model server with these inference libraries to deliver a complete LLM serving solution.

About Amazon OpenSearch Service

Amazon OpenSearch Service is a managed service for OpenSearch, a scalable, flexible, and extensible open-source software suite for search, analytics, security monitoring, and observability applications, licensed under the Apache 2.0 license. The OpenSearch k-NN plugin provides the core vector database functionality for OpenSearch. With OpenSearch Service’s vector database capabilities, you can implement semantic search, Retrieval Augmented Generation (RAG) with LLMs, recommendation engines, and rich media search.

Through its Generative AI development on AWS, CrowdStrike is able to support security operations use cases that allow security teams to adapt and respond within minutes.

Use case 1: Using Generative AI to Get Fast Answers to Pressing Questions

Cybersecurity risk oversight is a growing priority for boards of directors. Security leaders are frequently required to provide timely, relevant and actionable information on their organization’s security posture. Charlotte AI assists security teams by extracting, analyzing and summarizing information from their Falcon modules, providing near real-time insight into their risk profile. This risk profile incorporates insights from emerging threat intelligence, risk level against critical vulnerabilities, identities, and device compliance.

With Charlotte AI, teams streamline information gathering and reporting, saving hours of work. A study of early access users showed that Charlotte AI enabled security teams to obtain answers on threats and risks facing their organization 75% faster than manual methods. Using a plain-language query, Charlotte AI empowers security teams to obtain near real-time answers to pressing questions, such as which vulnerabilities are associated with a known threat actor, or functionality questions answered from CrowdStrike documentation. In “What is my exposure to vulnerabilities used by Scattered Spider?” you will see how analysts can ask a simple question to determine their exposure to the vulnerabilities Scattered Spider exploits.

Use Case 2: Accelerating Security Analyst Onboarding and Training

Charlotte AI also elevates the skills of junior security analysts and analysts unfamiliar with the Falcon platform, advancing their proficiency in CrowdStrike technology and converting novice users into power users. This reduces onboarding time and the learning curve for new users of the Falcon platform. For example, security teams can ask Charlotte AI to write a query in CrowdStrike’s query language and specify the parameters to include, receiving a ready-to-review script. Figure 2 is an example of a Charlotte AI request to generate a CrowdStrike Query Language query that searches for an encoded command line in PowerShell. Query writing is an error-prone process, often requiring analysts to spend cycles reviewing, testing and revising queries. Early adopters reported that Charlotte AI expedited their process of writing queries by 57%.


Figure 2: Charlotte AI PowerShell execution query

Charlotte AI not only provides a script to execute within seconds, but also explains how it interpreted the user’s request to structure the resulting script. This is important for AWS customers that run Windows containers and instances, as their security teams may not have the CrowdStrike experience needed to write the appropriate Falcon query themselves.
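The search that Figure 2 has Charlotte AI express in CrowdStrike Query Language, written here as plain Python over constructed process-creation events so the detection logic, and the decode step an analyst performs on a hit, can be followed without the Falcon platform. This is an added example, not CrowdStrike’s code or the query from the figure; the event field names (host, image, cmdline) are assumptions, and it relies on PowerShell accepting any prefix of -EncodedCommand.

```python
import base64
import binascii

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects it: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Constructed sample process-creation events (not from the page), shaped like
# the host / image / command-line fields an EDR sensor records (assumed names).
SAMPLE_EVENTS = [
    {"host": "WS-01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_ps("Write-Host 'hi'")},
    {"host": "WS-02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"host": "WS-03", "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "cmdline": "pwsh -e " + encode_ps("Get-Process")},
    {"host": "WS-04", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c echo -enc"},                      # not PowerShell: ignored
    {"host": "WS-05", "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "cmdline": "pwsh -enc not_base64!!"},                    # switch present, payload invalid
]

def is_encoded_switch(token: str) -> bool:
    """PowerShell accepts any prefix of -EncodedCommand (-e, -en, -enc, ...) and -ec."""
    t = token.lstrip("-/").lower()
    return token[:1] in ("-", "/") and (t == "ec" or (t != "" and "encodedcommand".startswith(t)))

def decode_payload(blob: str):
    """Decode a base64 + UTF-16LE payload; None if it is not a well-formed payload."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None

def find_encoded_powershell(events):
    """One finding per PowerShell process whose command line carries an encoded command."""
    findings = []
    for ev in events:
        image = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image not in POWERSHELL_IMAGES:
            continue
        tokens = ev["cmdline"].split()
        for i, tok in enumerate(tokens[:-1]):           # the payload must follow the switch
            if is_encoded_switch(tok):
                findings.append({"host": ev["host"], "decoded": decode_payload(tokens[i + 1])})
                break
    return findings
```

A hit whose payload does not decode (WS-05) is still reported, since an undecodable argument after the switch is itself worth an analyst’s attention.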


Figure 3: Charlotte AI show response details

Within Charlotte AI’s conversational interface, every question has a “show response details” toggle, where the user can inspect the underlying data source that Charlotte AI used to assemble the answer. In Figure 3 security analysts can see which data sources (and filters) Charlotte AI queried to answer the question “Which hosts have TeamViewer installed?”. Charlotte AI’s built-in traceability and transparency are critical guardrails for the safe, responsible adoption of generative AI. This capability allows security analysts to review Charlotte AI’s “work” and revise their question if needed, so analysts can continuously refine their prompt engineering against the Falcon platform.

Use Case 3: Simplifying Complex Security Operations and Streamlining Mundane Tasks

For experienced CrowdStrike Falcon platform users, Charlotte AI serves as a force multiplier, allowing defenders to optimize their time and focus on high-impact areas by automating manual, time-consuming operations. Figure 4 illustrates the “Investigate with Charlotte AI” feature within CrowdStrike’s incident workbench, in which users can automate the process of creating and analyzing incidents. This embedded feature of CrowdStrike’s Endpoint Security and Next-Gen SIEM offerings can invoke Charlotte AI to investigate events. This reduces analyst fatigue and provides a straightforward threat summary with an accompanying attack graph illustrating interconnected activity in a user’s environment. Because cloud intrusions often originate from a compromised endpoint or identity, AWS customers are able to understand the timeline, events and exploits across a hybrid environment.


Figure 4: Investigate with Charlotte AI

Customer Success Story

Inductive Automation turned to the CrowdStrike Falcon platform to protect and secure their data, systems and software. The company develops industrial supervisory control and data acquisition (SCADA) software for many global brands including Airbus, Coca-Cola, GlaxoSmithKline, Johnson & Johnson, Kraft, Shell and Unilever, as well as hundreds of public sector utilities. Its flagship product, Ignition, was the first universal industrial automation application platform.

Inductive Automation has a complex IT environment, with a large percentage of its employees in skilled technical roles, making the enforcement of security mandates challenging at times. While most servers are Linux, the company also has Microsoft Windows and Apple Mac systems. Most applications are run on premises but there is a sizable and growing AWS environment used for customer-facing functions like product activation, ticketing and licensing.

With the new levels of speed and sophistication of adversaries, Jason Waits, CISO of Inductive Automation, knew he needed to equip his team to meet the challenge. This meant that any security solution needed to be able to flex, adapt, and scale to support the company’s growth and constantly evolving business model. He also needed to equip his lean team of security analysts to proficiently navigate a growing arsenal of security tools. Charlotte AI empowers his team to use plain-language questions to query their Falcon modules and operate with speed and agility, without needing a dedicated expert for each tool. Waits added that being able to query in plain language can also be incredibly valuable in time-sensitive incidents, where even the most experienced analysts can freeze up and forget how to write a specific query. Charlotte AI allowed him to focus on teaching his security team to ask the right questions, instead of focusing on individual tool mastery.

Conclusion

Generative AI has the power to be a force multiplier for security teams. From advancing the proficiency of security novices to increasing the productivity of experienced security analysts, CrowdStrike is using cutting-edge generative AI capabilities to transform security operations. By partnering with AWS, CrowdStrike is able to accelerate analyst workflows, deliver AI-native protection to thousands of organizations of all sizes and industries, and deliver world-class protection that matches the speed, scale and sophistication of modern adversaries.

The CrowdStrike Falcon platform stops breaches with a unified agent and agentless approach to cloud security, extending from code to cloud in a single platform. Experience Charlotte AI with in-depth videos, tutorials and training at the CrowdStrike Tech Hub, learn more about AWS and the CrowdStrike Falcon platform, and sign up for a cloud security health check.

CrowdStrike – AWS Partner Spotlight

CrowdStrike is an AWS Advanced Technology Partner and AWS Competency Partner that protects critical areas of enterprise risk: endpoints and cloud workloads, identity and data. It leverages real-time indicators of attack, threat intelligence, adversary tradecraft and telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities.
