Meet Metron Security at Black Hat 2025

As the security industry converges on Las Vegas for Black Hat USA 2025 (August 2-7), we're excited to connect with security teams ready to move beyond vendor sprawl into streamlined, intelligent security operations.

Ready to transform your security stack? Let's discuss how Metron Security can accelerate your security operations:

• Integration Services: Eliminate data silos with our proven integrations across Microsoft Sentinel, ServiceNow, IBM Resilient, and more. We'll show you how to create unified security operations from your existing tool investments.

• Log Forge: Transform raw security data into actionable intelligence with our lightweight HTTP REST API server designed to mimic real cybersecurity platform APIs and accelerate threat detection.

• Schema Vault: Stop rebuilding data models for every new security tool. Our centralized schema management connects your app to every type of apps, ensuring consistent data structures across your entire security ecosystem.

• AI Annotation: Enhance your AI-driven threat analysis with expert data annotation that extends beyond security logs to power diverse ML applications while maintaining human oversight.

The consolidation trend is accelerating — organizations are choosing integration platforms that unify their security investments rather than replacing them.

Under the Lens — CrowdStrike

Adding to your organization's security playbook can seem overwhelming. There are so many tools, platforms, and ways to integrate them, it's hard to tell what will help you most right away.

Fortunately, numerous providers offer comprehensive, multi-tool suites that can cover a range of security needs. In this month's edition, we're taking a closer and curated look at the CrowdStrike suite of security products.

CrowdStrike is a provider of AI-native cybersecurity solutions that pioneered adversary-driven security through the CrowdStrike Falcon platform. The name applies both to the company and their comprehensive cybersecurity platform that delivers unified protection across endpoints, cloud, and identity infrastructure.

It offers comprehensive cybersecurity protection through its cloud-native Falcon platform, which consolidates traditional point solutions into a single-agent architecture.

CrowdStrike Falcon Prevent provides next-generation antivirus capabilities, while Falcon Insight delivers endpoint detection and response. Falcon OverWatch offers managed threat hunting services, and Falcon Complete provides comprehensive managed detection and response capabilities. Falcon Cloud Security ensures cloud workload protection, and Falcon Identity Protection secures identity infrastructure across the enterprise.

Together, these solutions create a unified AI-powered cybersecurity platform.

Let's examine the key security solutions within CrowdStrike's portfolio:

• Endpoint Security:

  • Falcon Prevent delivers next-generation antivirus capabilities with machine learning-based threat detection, exploit blocking, and malware prevention.

  • Falcon Insight provides comprehensive endpoint detection and response (EDR) functionality with real-time monitoring, threat hunting capabilities, and forensic analysis tools.

  • Falcon Device Control enables organizations to manage and secure USB devices, removable media, and peripheral connections through granular policy controls.

  • Falcon for Mobile extends endpoint protection to mobile devices with threat detection, device management, and security policy enforcement across iOS and Android platforms.
    
    

• Cloud Security:

  • Falcon Cloud Security delivers comprehensive cloud workload protection through agent-based and agentless monitoring that secures containerized applications, virtual machines, and cloud infrastructure.

  • Container Security provides specialized protection for containerized environments with vulnerability scanning, runtime monitoring, and compliance management specifically designed for Kubernetes and container orchestration platforms.

  • Falcon Identity Protection secures identity infrastructure by monitoring privileged access, detecting identity-based attacks, and providing real-time visibility into user behavior.

  • Falcon Identity Threat Detection offers advanced analytics and behavioral monitoring for identity-based threats, detecting anomalous authentication patterns and suspicious privileged access activities across enterprise identity systems.
    
    

• Threat Intelligence & Hunting:

  • Falcon Adversary Intelligence provides actionable threat intelligence with attribution data, indicators of compromise, and tactical information about active threat actors.

  • Falcon Adversary OverWatch offers 24/7 managed threat hunting services delivered by expert security analysts who proactively hunt for threats, investigate suspicious activities, and provide immediate threat notifications for advanced persistent threats.

  • Falcon Search Engine & MalQuery delivers comprehensive malware analysis and search capabilities.
    
    

• Security & IT Operations:

  • Falcon Next-Gen SIEM provides cloud-native security information and event management with AI-powered analytics, automated threat detection, and integrated response capabilities that scale with enterprise security operations requirements.

  • Falcon LogScale offers high-performance log management and analysis with real-time search capabilities.

  • Falcon Discover provides asset discovery and inventory management with real-time visibility into IT infrastructure.

  • Falcon Fusion SOAR delivers security orchestration, automation, and response capabilities that integrate with existing security tools to streamline incident response workflows and automate repetitive security tasks.

  • Generative AI Security Analyst leverages artificial intelligence to assist security analysts with threat investigation, incident analysis, and response recommendations.

  • Data Protection ensures sensitive data security through classification, monitoring, and loss prevention capabilities that protect confidential information across endpoints, cloud environments, and data repositories.

  • XIoT Security extends security coverage to extended Internet of Things (XIoT) devices, including operational technology, industrial control systems, and IoT endpoints that traditional security tools cannot adequately protect.

CrowdStrike continues to expand its platform capabilities with significant investments in AI and machine learning technologies that enhance threat detection accuracy while reducing false positives. The company's approach to adversary-driven security research ensures that platform capabilities evolve in direct response to emerging threat actor techniques and tactics.

The unified platform architecture represents a strategic shift away from traditional security tool sprawl toward consolidated security operations that reduce complexity, improve visibility, and enable faster threat response. Organizations should evaluate how CrowdStrike's single-agent approach aligns with their security architecture requirements and consider the operational benefits of platform consolidation against existing security investments.

Optimizing CrowdStrike Platform Usage

To achieve optimal security outcomes with CrowdStrike Falcon, organizations should focus on implementation strategies that harness the platform's cloud-native architecture and AI-driven capabilities, among them:

• Streamline Endpoint Security Architecture:

  • Consolidate existing endpoint security tools by migrating to Falcon's unified sensor, eliminating agent sprawl and reducing system resource consumption.

  • Configure cloud proxy settings and sensor communication parameters to optimize bandwidth usage while maintaining real-time threat detection capabilities, particularly for distributed environments with limited connectivity.

  • Implement Falcon Device Control policies early in deployment to establish baseline USB and removable media governance, preventing data exfiltration risks during the transition from legacy endpoint tools.

  • Integrate Falcon for Mobile to extend unified endpoint protection across iOS and Android devices, ensuring a consistent security posture for hybrid workforce environments.

    
    

• Tune Detection Policies for Operational Excellence:

  • Begin with CrowdStrike's recommended baseline policies, then progressively adjust prevention settings based on your environment's unique application portfolio and user behavior patterns.

  • Establish clear escalation procedures for detection events, ensuring security teams can quickly differentiate between genuine threats and legitimate business activities that trigger behavioral analytics.

  • Configure Falcon Insight EDR workflows to automatically enrich detection events with contextual information, enabling faster incident triage and reducing mean time to response (MTTR).

  • Leverage the Generative AI Security Analyst to assist with threat investigation and incident analysis, allowing human analysts to focus on complex decision-making while AI handles routine analysis tasks.

    
    

• Harness Threat Intelligence Integration:

  • Leverage Falcon Adversary Intelligence with attribution data and tactical information about active threat actors to automatically enhance detection without manual indicator management.

  • Engage Falcon Adversary OverWatch managed threat hunting services for continuous monitoring of advanced persistent threats, particularly for organizations lacking dedicated threat hunting capabilities.

  • Utilize Falcon Search Engine & MalQuery to proactively analyze suspicious files against CrowdStrike's threat intelligence database, improving organizational understanding of malware families targeting your industry.

    
    

• Optimize Cloud Security Posture:

  • Deploy Falcon Cloud Security with both agent-based and agentless monitoring to ensure comprehensive coverage across containerized applications, virtual machines, and cloud infrastructure.

  • Implement Container Security for Kubernetes environments with automated vulnerability scanning and runtime monitoring, integrating security checks into CI/CD pipelines for continuous protection.

  • Configure Falcon Identity Protection to monitor privileged access and detect identity-based attacks, establishing baseline user behavior patterns before implementing restrictive access controls.

Security Application and Version Updates

• Google SecOps launched their Dashboards, providing powerful new capabilities for data visualization, investigations, and threat hunting. Key features include the availability of SOAR data, downloadable reports, custom drilldowns, Markdown widgets, and a library of 51 curated dashboards to get you started.
  The platform also introduced the ability to share case queue filters. This means you can now save and share specific filter criteria—like assignee roles—with individual users, SOC roles, or your entire organization, making collaboration more efficient
  Their official release notes consist of more details on the update.
  

• AWS has announced the preview release of an enhanced AWS Security Hub, offering advanced correlation, contextualization, and visualization capabilities to prioritize and respond to security issues at scale.
  Key Highlights:

  • Enhanced Insights: The new Security Hub unifies and enriches security signals from services like Security Hub CSPM, Amazon Inspector, Amazon Macie, and Amazon GuardDuty. It then transforms these into actionable insights with intuitive visualizations, including customizable widgets, exposure summaries, threat trends, security coverage, and attack path visualizations.

  • OCSF Adoption: This release leverages the Open Cybersecurity Schema Framework (OCSF), an open-source standard co-founded by AWS with Splunk, IBM, and others. OCSF enables seamless integration and normalized security findings, improving data interoperability.

  • Prioritized Risk Management: Security Hub now focuses on prioritizing critical issues by correlating vulnerabilities, threats, and misconfigurations to highlight exploitable paths. It features exposure findings and integrates with ticketing systems for automated response workflows.

  • Deep AWS Integration: The enhanced Security Hub integrates effortlessly with existing AWS security services, providing comprehensive visibility across your cloud environment.

    
    

• Oracle and AWS jointly announced the general availability of Oracle Database@AWS in US East (N. Virginia) and US West (Oregon) Regions, enabling customers to run Oracle Database services directly within Amazon Web Services infrastructure. This combines Oracle's database capabilities with AWS's cloud infrastructure. Key highlights of this release include:

  • Native AWS Integration: Oracle Database services, including Exadata Database Service on Dedicated Infrastructure and Autonomous Database on Dedicated Exadata Infrastructure, now run within AWS data centers, with Oracle managing the infrastructure and low-latency private network between Oracle Database services and customer Amazon VPCs within the same Availability Zone.

  • Unified Data and Analytics Capabilities: Zero-ETL integrations connect Oracle Database@AWS to Amazon Redshift for analytics, machine learning, and AI services, while supporting Oracle Database 23ai features like AI Vector Search combined with AWS services, including EC2, ECS, and Amazon EKS for cloud-native application development.

  • Streamlined Operations and Procurement: Single billing through AWS Marketplace using private offers, provisioning through AWS and OCI consoles/APIs, monitoring via Amazon CloudWatch and EventBridge, automated backups to Amazon S3, and resource sharing through AWS Resource Access Manager for simplified management across AWS Organizations.

    
    

• Splunk has released version 5.6 of the Machine Learning Toolkit (MLTK), introducing native integration with third-party Large Language Models and bringing generative AI capabilities directly into Splunk search workflows. Key highlights of this release include:

  • LLM Connector Framework: Direct integration with major AI providers, including OpenAI, Anthropic, Gemini, Amazon Bedrock, and Ollama, through a new Connection Management interface, requiring only provider URLs and access credentials for setup.

  • AI Search Command: Introduction of the new AI search command enables embedding Splunk data into LLM prompts for enhanced data analysis, error log explanation, alert prioritization, and automated insights generation within existing search pipelines.

  • Enhanced Control Systems: Built-in throttling mechanisms, including request timeouts, maximum row processing limits, and token consumption caps, provide granular control over external LLM usage, while role-based access controls ensure secure deployment across enterprise environments.

  • ONNX Model Enhancements: Upgraded ONNX apply feature now supports multi-variate output predictions and REST API model uploads, streamlining integration with existing ML deployment pipelines and expanding traditional machine learning capabilities.

• ServiceNow released the Industrial Core plugin (sn_ot_core), establishing foundational capabilities for operational technology environments with dedicated data models and site-based licensing architecture. This represents ServiceNow's strategic expansion into OT management beyond traditional IT service workflows. Key highlights of this release include:

  • Mandatory Integration Dependencies: Starting with Yokohama release recertification, all partner applications integrating with OT functionality must declare dependency on the Industrial Core plugin, ensuring consistent licensing handling and future model compatibility across the ServiceNow OT ecosystem.

  • UI-Based Class Mapping Management: Introduction of a new configuration template that moves class mapping management from script-based approaches to a user-accessible table within the ServiceNow Governance Console (SGC), providing customers direct visibility and control over class mappings through the interface.

  • Site-Based Licensing Model: Implementation of OT-specific licensing requirements designed to align with how operational technology deployments actually scale, while maintaining existing ITOM/OT SU licensing alongside the new Industrial Core licensing structure.

Insights: From Our Integration Factory

• Microsoft Sentinel +  Identity Attack Path Management (APM): Enables secure, automated ingestion of Active Directory (AD) security data from the ISPM platform into Microsoft Sentinel, transforming posture insights and attack path data into native Sentinel events.
  Core Functions: Data Ingestion, Alert Correlation, Workbook-based Visualization, Event Detection, AD Attack Path Mapping, and Security Posture Visibility enhance threat detection, reduce investigation time, and streamline SOC workflows.
  Trigger & Flow: Event-driven or scheduled API calls enable near-real-time processing of ISPM data into Sentinel for continuous monitoring.
  Authentication & Security: OAuth2 or API key with role-based access controls — ensures secure, standards-based connectivity between ISPM and Microsoft Sentinel, aligning with enterprise security and compliance requirements.
  Impact: Unified AD threat visibility, streamlined incident investigation, and enhanced risk analysis bridge the gap between specialized AD monitoring and enterprise SIEM workflows to improve SOC efficiency and reduce response times.
  

• ServiceNow + Digital Risk Protection Platform (DRPP): This integration enables automatic conversion of external threat alerts into structured ServiceNow incidents for seamless case tracking and escalation.
  Core Functions: Threat intelligence ingestion, contextual incident creation, and SOC workflow alignment, ensuring relevant threat data is operationalized within existing ITSM processes for effective handling.
  Trigger & Flow: API-driven alert forwarding and incident status callbacks support continuous synchronization between DRPP detections and ServiceNow records with minimal delay.
  Authentication & Security: Secure API integration using API key-based mechanisms with scoped permissions meets enterprise-grade access and auditability standards.
  Impact: Accelerates threat triage, maintains synchronized state between detection and response tools, and reduces swivel-chair effort. This helps unify external threat visibility with internal response mechanisms for improved threat lifecycle governance.