A Comprehensive Look at the Fabulous EDR CrowdStrike Falcon
Our organization being a university where thousands of students and hundreds of staff turn up daily, puts our critical assets at risk of being compromised by an insider. CrowdStrike Falcon helps us identify the source of a threat accurately, blocks the triggering file or script before it can cause damage. The AI / ML based detections are very helpful because they catch threats that other vendors may fail at. The scope of our use case is endpoint monitoring and threat management.
- AI / ML based malicious activity detections
- Detection information presented clearly and concisely on dashboard
- Easy filtering of detections on hostname, detection name, severity, date, time, hash, technique etc
- traces full process chain instead of just showing the source file or script which really helps in tracing the main security concern of machine
Cons
- If some malicious app uses microsoft's signed binary like onedrive, cmd, wscript CrowdStrike would tag the microsoft binary as malicious and fails to provide the actual file that tried to execute these.
- For example if a
- malware.exe tries to run this command
- cmd /c bitsadmin
- CrowdStrike would tag cmd or bitsadmin as malicious and does not mention malware.exe at all sometimes
- There are two different dashboards (updated and deprecated) which causes confusion among my team, all must be on same page and use single dashboard.
- Support is very slow in responding to problems and depend on automated bots which really frustrates when a major issue arises.