How CrowdStrike is leveraging AI to empower security teams

Amid evolving cyber threats, cyber security companies are increasingly turning to artificial intelligence (AI) to enhance the capabilities of security operations teams.

Take CrowdStrike, for example. The endpoint security firm launched its Charlotte AI generative AI (GenAI) assistant in May 2023, which is touted to help security analysts complete tasks such as threat hunting and triaging up to 52% faster by automating complex workflows through natural language commands.

“We believe you can have the greatest impact on defence when you combine AI-based systems with human-based systems,” said Elia Zaitsev, chief technology officer at CrowdStrike. “It’s the synergy of them working together that outperforms either one of them operating on their own.”

Specifically, Zaitsev said Charlotte AI can help security analysts with query writing, creating correlation rules, searches and remediation scripts, similar to how coding assistants are being used by developers to write code using different syntaxes within a platform.

But the benefits of CrowdStrike’s AI-powered tools go beyond just enhancing analyst efficiency.

Zaitsev said the company has also developed specialised AI agents to tackle specific cyber security challenges, such as an AI-powered command line analysis tool that can decode and explain obfuscated malicious code created by adversaries to throw defenders off course.

“You can now have Charlotte AI not just decode the malicious code, but explain to you what its function is and even ask questions about whether it downloaded a file to the disk, executed something or called out to an external network – without having to manually reverse engineer it,” he explained.

CrowdStrike’s multi-agent AI architecture combines large language models (LLMs) for general instruction-following with smaller, specialised agents, including machine learning-based classifiers that are optimised for nuanced cyber security tasks. This approach enables the company to leverage the strengths of different AI models while mitigating the hallucination risk of LLMs.

“What you want when you’re building a conversational system for very specific and complex tasks in cyber security is for the large foundational models to be the front door that understands what the user is asking for, and then figure out which of these agents, or combinations of multiple agents, are going to answer the question and execute the job,” Zaitsev said.

Underpinning CrowdStrike’s AI capabilities is the company’s extensive security dataset built over more than a decade of incident response and threat hunting. Zaitsev said the human-annotated dataset gives CrowdStrike an advantage in training its own generative AI models, as well as other models like ExPRT.AI, which uses deep learning to help enterprises identify critical vulnerabilities and prioritise patching based on the likelihood of exploitation.

Zaitsev also highlighted CrowdStrike’s approach to addressing the challenge of leveraging threat intelligence, a pain point for many organisations which do not always have skilled analysts on hand to make sense of intelligence reports, identity what matters to them and take the necessary action to mitigate potential threats.

“That is a classic application of GenAI because it’s very good at quickly taking a large amount of unstructured data and pulling out the key points,” he said, adding that Charlotte AI can invoke a threat intelligence agent that can make sense of intelligence reports, summarise key insights and automate the process of identifying relevant vulnerabilities and security recommendations.

Dave Gruber, principal analyst at TechTarget’s Enterprise Strategy Group, noted in a commentary that with Charlotte AI, “CrowdStrike is paying attention and investing in generative AI aggressively and demonstrated its potential value. Threat intelligence and customised threat insights feel like a place where CrowdStrike can differentiate here, but we’ll need to wait and see.”

Charlotte AI’s per-user pricing model, however, may cause organisations to scrutinise the purchase decision, he said, adding: “I don’t love this model, given the importance and overall value of the solution. Personally, I’d prefer to see Charlotte AI simply become an embedded, horizontal feature across the entire platform, with no add-on pricing required. I think this would serve both customers and CrowdStrike better”.

According to a recent study by Enterprise Strategy Group, 93% of cyber security professionals agree that GenAI can help them to improve their knowledge, skills and capabilities, with 92% believing their organisation would be willing to replace existing security technologies based on the GenAI capabilities of another similar product.

But while the technology can help to automate security processes, the study also found that nearly three-quarters (71%) of respondents would have a staff member review AI-generated recommendations before taking the remediation action manually.