
Montage Health Consolidates Its Cybersecurity Strategy with CrowdStrike

4 March 2024 at 21:23

When Tahir Ali became CTO and CISO at Montage Health in 2021, he inherited a unique set of cybersecurity challenges. For one, the healthcare sector was getting bombarded with attacks, including distributed denial of service (DDoS), phishing and social engineering attacks.

At the same time, the California-based nonprofit healthcare system was integrating more networked medical devices, employee-owned devices, AI applications and cloud services into its infrastructure. While these innovations brought operational efficiencies and a better patient experience, they also expanded the attack surface. 

Against this backdrop, Ali performed a security assessment of his available tools and resources. What he found was a set of non-integrated, legacy security tools that struggled to detect and stop modern attacks. Furthermore, he didn’t have the 24/7 coverage needed to defend against increasingly aggressive threat actors.

Ali began searching for a strategic partner to provide both a modern cybersecurity platform and 24/7 managed detection and response. That’s when he found CrowdStrike. 

Consolidating with CrowdStrike

The search for a strategic cybersecurity partner didn’t take long. Ali compared four vendors and landed on CrowdStrike after a successful proof of concept (POC). 

“One big consideration during the POC was agent performance. We run a lot of virtual desktop infrastructure (VDI), so we didn’t want our endpoint agent slowing down login or boot-up times,” explained Ali. “CrowdStrike was the superstar of the POC, so we bought it.”

Montage Health quickly deployed the lightweight CrowdStrike Falcon® agent to its 5,000+ endpoints, replacing its legacy security software with the AI-native Falcon platform. The modular architecture of the Falcon platform enabled the healthcare system to start with CrowdStrike Falcon® Insight XDR for extended detection and response, then easily add new protections using the same agent and command console.

“Our push was to get to a full security platform from a single vendor, but I wasn’t willing to sell my soul for it,” explained Ali. “Because our CrowdStrike XDR deployment was so successful, we had confidence to move forward with additional Falcon platform modules.” 

Montage Health soon deployed CrowdStrike Falcon® Identity Protection, CrowdStrike Falcon® Discover for IT hygiene, CrowdStrike Falcon® Prevent next-gen antivirus and CrowdStrike Falcon® Intelligence. This suite of innovative solutions gave Montage Health industry-leading protection across critical attack surfaces, plus many other benefits of cybersecurity consolidation, including increased speed and lower cost and complexity.



Next-Gen SIEM for Unmatched Speed and Scale

In 2021, Montage Health became an early adopter of CrowdStrike Falcon® LogScale for next-gen SIEM and log management. Built for the speed and scalability requirements of the modern SOC, Falcon LogScale offers real-time alerting, fast search and world-class threat intelligence for up to 80% less cost than legacy log management solutions. 

“It used to take us weeks to investigate an incident. Now it takes us 25 minutes and we know exactly what happened. Queries are faster too … it’s maybe a gazillion times faster,” joked Ali. 

Falcon LogScale is built on a unique, index-free architecture that delivers security logging at petabyte scale. Montage Health started with a small instance of Falcon LogScale and was able to easily scale up once it saw what the solution could do. 

“Before LogScale, it would take us 3 to 4 months to scale our log management capabilities, including all the servers, storage, monitoring and backup needed to grow a few hundred terabytes. With LogScale, we can add 300 to 400 terabytes of additional scalability in days,” said Ali. “From my perspective, LogScale is faster than any other product out there.”

With 20 years of experience in IT and security, Ali has used a number of SIEM and log management solutions throughout his career. For him, Falcon LogScale delivers the optimal mix of performance and interoperability. 

“Falcon LogScale gives us total visibility of our environment. Compared to other SIEMs I’ve used, Falcon LogScale performs better, is more customizable and requires less overhead,” said Ali. “When we switched to Falcon LogScale, the difference was obvious. Plus, it integrates seamlessly with the Falcon platform, which made it that much more attractive to us.” 

Better Security by the Numbers

For Montage Health, having innovative cybersecurity technology is only half the battle. The company also relies on CrowdStrike Falcon® Complete for 24/7 managed detection and response. With Falcon Complete, Montage Health gets both around-the-clock protection and the expertise needed to stop even the most sophisticated cyberattacks. 

All told, the combination of the Falcon platform and Falcon Complete has revolutionized the culture of security at Montage Health, allowing the nonprofit to deliver the same high level of excellence in security as it does in the clinical setting. 

The data bears this out: Monthly investigations have dropped from 102 to 56. Monthly events requiring Montage Health to investigate have dropped from 11 to 2. And the time required to investigate and triage each event dropped from several hours to only 53 seconds.

“I know it sounds crazy but it’s all true,” concluded Ali. “We’re very happy with CrowdStrike.”

4 Major Falcon LogScale Next-Gen SIEM Updates That Accelerate Time-to-Insights

18 January 2024 at 18:17

To unlock the speed and scalability of CrowdStrike Falcon® LogScale next-gen SIEM, you must first bring your data into the powerful, cloud-native solution. And with log sources multiplying and data volumes skyrocketing, you need an easy way to collect, parse and enrich your data.

Data onboarding can be complex and time-consuming in traditional SIEM tools. Data engineering teams must contend with countless evolving log sources, formats and ingestion methods. Painful setup processes can overwhelm even the most experienced teams and lead to deployment delays, cost overruns and employee burnout.

We’ve recently introduced an array of advancements for Falcon LogScale to help you ease setup, avoid headaches and power faster security insights. Here are the most notable new features.

1. Get Started Faster with New Marketplace Packages

The Falcon LogScale Marketplace lets you fast-track the setup of next-gen SIEM with turnkey packages that include prebuilt parsers, dashboards, alerts, actions and saved queries. Installed in just a few clicks from the Falcon LogScale user interface, packages in the Falcon LogScale Marketplace make it easier than ever to unlock the potential of your entire security ecosystem.

In the last three months, we have launched over 30 new Falcon LogScale packages to help you use new data sources faster. These packages include parsers that normalize data to a common schema based on an OpenTelemetry standard. The schema allows analysts to search data without knowing the specifics of the data format, and hunt across data sources with ease. 

With this rapid release of new Falcon LogScale packages, our vision of delivering a comprehensive marketplace for next-gen SIEM is becoming reality. We plan to publish even more ready-to-use content this year to help ease adoption, scale your SIEM deployments and relieve overburdened staff.

2. Simplify Data Onboarding with CrowdStream

CrowdStream, a native capability of the CrowdStrike Falcon® XDR platform, transforms how you onboard and manage your log data by directly connecting any data source to Falcon LogScale. Sitting between data sources and their destination, CrowdStream provides an elegant and cost-effective way to route data to Falcon LogScale to accelerate the adoption of next-gen SIEM while minimizing the complexity and cost of connecting data sources.

CrowdStream not only accelerates the adoption of Falcon LogScale, it gives you visibility and control over your data. You can granularly mask or truncate sensitive data for compliance purposes. In addition, CrowdStream can enrich data with threat intelligence or geolocation information, and optionally remove extraneous fields, null values and duplicate events.

Leveraging Cribl’s observability pipeline technology, CrowdStream offers out-of-the-box integrations to collect data from a broad set of applications and devices. It can also normalize data into a consistent format before it’s routed to Falcon LogScale, making data immediately actionable for threat hunting and investigations. With CrowdStream, Falcon LogScale provides end-to-end data pipelining and event management to address a broad set of security and compliance use cases with ease.

CrowdStream is available now. Falcon LogScale customers with cloud-native deployments receive 10GB/day of data streaming at no additional cost. Unlimited data streaming is available with the purchase of an additional CrowdStream subscription beginning in February 2024.

3. Easily Extend Detection and Response to Cloud Assets with Amazon S3 Integration

More than 80% of breaches involve data stored in the cloud. As adversaries shift their focus to the cloud, you must expand your realm of visibility and control to your cloud environment.

A perfect place to start is with Amazon Web Services (AWS) data. If your organization is like countless others, you use Amazon S3 object storage to retain your cloud data. You probably store cloud logs, such as AWS CloudTrail, Amazon CloudWatch and VPC Flow Logs, in Amazon S3 buckets. Because many cloud-delivered applications and services can write logs to S3 buckets, you can forward security-relevant logs from a variety of sources to S3 storage and then pull this data into your security and observability tools.

A new Amazon S3 log ingestion feature in Falcon LogScale lets you automatically retrieve logs from S3 buckets for analysis and visualization. Flexible configuration options let you select compression, preprocessing and parser of your choice depending on the format of your data. These step-by-step instructions explain how to set up this powerful new feature in Falcon LogScale and start hunting for cloud threats at blazing-fast speed.
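The three onboarding steps sketched above (parsers that normalize different sources to one common schema, a pipeline stage that masks sensitive values and drops null or duplicate events, and pulling compressed objects out of bucket storage) are easier to reason about as a small working pipeline. The following is an added example written for this page; it is not CrowdStream, Cribl, Falcon LogScale or AWS code. The sample log lines, the object key, the dotted schema field names and the `SOURCE_TO_SCHEMA` mapping are all constructed assumptions, and the "S3 object" is simply a gzip-compressed byte string built inline so the example runs offline.

```python
"""Toy onboarding pipeline for the steps the post describes: decompress an
object pulled from storage, parse two source formats, normalize to one
schema, mask sensitive values, drop empty fields and de-duplicate events.
Example code written for this page; not CrowdStream, Cribl, Falcon LogScale
or AWS code. Field names, the schema and the sample logs are assumptions."""
import gzip
import hashlib
import json
import re
from typing import Iterable, List

# Constructed sample input: a syslog-style line from a hypothetical VPN
# appliance, a JSON event from a hypothetical web app, and an exact
# duplicate of the first line (as if it had been forwarded twice).
RAW_EVENTS = [
    "2024-01-18T18:17:03Z vpn01 login user=alice src=203.0.113.10 result=success card=4111111111111111",
    '{"ts": "2024-01-18T18:17:05Z", "host": "web02", "event": "login", '
    '"user": "bob", "client_ip": "198.51.100.7", "outcome": "failure", "session": null}',
    "2024-01-18T18:17:03Z vpn01 login user=alice src=203.0.113.10 result=success card=4111111111111111",
]
# Constructed stand-in for a gzip-compressed object retrieved from a bucket.
SAMPLE_OBJECT_KEY = "logs/2024/01/18/events.log.gz"
SAMPLE_OBJECT_BYTES = gzip.compress("\n".join(RAW_EVENTS).encode())

KV_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>\S+)\s*(?P<rest>.*)$")
PAN_RE = re.compile(r"\b\d{13,16}\b")  # assumed: card-number-like digit runs

# Assumed mapping from source field names to one common, dotted schema
# (an OpenTelemetry-style naming convention; the exact names are made up here).
SOURCE_TO_SCHEMA = {
    "ts": "timestamp", "host": "host.name", "event": "event.name",
    "user": "user.name", "src": "source.ip", "client_ip": "source.ip",
    "result": "event.outcome", "outcome": "event.outcome",
}


def decode_object(key: str, data: bytes) -> List[str]:
    """Preprocess one stored object: gunzip if the key says so, split into lines."""
    text = gzip.decompress(data) if key.endswith(".gz") else data
    return [line for line in text.decode().splitlines() if line.strip()]


def parse_raw(line: str) -> dict:
    """Parse a JSON event or a 'ts host event k=v ...' line into a flat dict."""
    line = line.strip()
    if line.startswith("{"):
        return json.loads(line)
    m = KV_LINE.match(line)
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    fields = {"ts": m["ts"], "host": m["host"], "event": m["event"]}
    for token in m["rest"].split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def normalize(fields: dict) -> dict:
    """Rename known source fields to the common schema; keep unknown ones as-is."""
    return {SOURCE_TO_SCHEMA.get(k, k): v for k, v in fields.items()}


def mask_sensitive(event: dict) -> dict:
    """Mask card-number-like string values, keeping only the last four digits."""
    def mask(value):
        if isinstance(value, str):
            return PAN_RE.sub(lambda m: "*" * (len(m.group()) - 4) + m.group()[-4:], value)
        return value
    return {k: mask(v) for k, v in event.items()}


def drop_nulls(event: dict) -> dict:
    """Remove null and empty fields so they neither cost storage nor clutter searches."""
    return {k: v for k, v in event.items() if v is not None and v != ""}


def fingerprint(event: dict) -> str:
    """Stable hash of the normalized event, used to spot exact duplicates."""
    canon = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def run_pipeline(lines: Iterable[str]) -> List[dict]:
    """Parse, normalize, mask, prune and de-duplicate, preserving first-seen order."""
    seen, out = set(), []
    for line in lines:
        event = drop_nulls(mask_sensitive(normalize(parse_raw(line))))
        fp = fingerprint(event)
        if fp not in seen:
            seen.add(fp)
            out.append(event)
    return out


def failed_logins(events: Iterable[dict]) -> List[str]:
    """A query that works across both sources because they share one schema."""
    return [e["user.name"] for e in events
            if e.get("event.name") == "login" and e.get("event.outcome") == "failure"]


if __name__ == "__main__":
    events = run_pipeline(decode_object(SAMPLE_OBJECT_KEY, SAMPLE_OBJECT_BYTES))
    print(json.dumps(events, indent=2))
    print("failed logins:", failed_logins(events))
```

The point of `failed_logins` is the one the Marketplace section makes: once both sources land in the same schema, an analyst can hunt for failed logins without knowing that one appliance calls the field `result` and the other `outcome`. Masking runs before de-duplication on purpose, so that the fingerprint is computed on data that is already safe to retain.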

4. Remotely Manage and Monitor a Massive Fleet of Falcon LogScale Collectors

The Falcon LogScale Collector provides a robust, reliable way to forward logs from Linux, Windows and macOS hosts to Falcon LogScale. Gathering data from a variety of sources, including files, command sources, syslog and Windows events, the Falcon LogScale Collector swiftly sends events with sub-second latency between when a line is written on the host and when it is forwarded to Falcon LogScale.

We’ve introduced a number of enhancements that raise the bar for Falcon LogScale Collector management. For example, a new fleet management feature lets you manage Falcon LogScale Collector instances from the Falcon LogScale management interface. The Falcon LogScale Collector also now gathers CPU, memory and disk usage metrics, allowing administrators to identify and troubleshoot issues. Recent optimizations increase agent performance and resilience, and de-duplicate redundant log data.

Experience Next-Gen SIEM 

As the future of log management and next-gen SIEM, Falcon LogScale lets you collect up to 1 petabyte of data per day and query data up to 150x faster than legacy SIEMs. Between the new Marketplace packages, flexible CrowdStream observability pipeline, Amazon S3 ingestion and Falcon LogScale Collector advancements, we’ve taken Falcon LogScale to the next level, enabling you to spend more time stopping threats and less time onboarding data.

We’ve also added in-product tutorials and filter alerts, and elevated the user experience with dashboard widgets, PDF reporting and table drill-down options. For a complete list of features, see the Falcon LogScale release notes.

Our ultimate goal is to offer the world’s most effortless, automated data onboarding across all data sources, and we’re investing inordinate resources to achieve it. The innovations announced in this post are just the beginning.
