CrowdStrike Falcon: The most balanced and feature-rich XDR
May 30, 2024

Score 9 out of 10
Vetted Review
Verified User
Software Version
Falcon Complete
Modules Used
- LogScale
- Falcon Intelligence
- Falcon Discover
- Falcon Spotlight
- Falcon Overwatch
- Falcon Device Control
- XDR
- Falcon Prevent
- Falcon Insight
- Discover for Cloud and Container
- Falcon Complete
- Falcon Forensics
- Falcon Sandbox
Overall Satisfaction with CrowdStrike Falcon
CrowdStrike Falcon is the Extended Detection and Response (XDR) solution we use to secure our corporate assets and production servers. It single-handedly gives us the necessary protection and visibility into all our assets. I am a security engineer and I use CrowdStrike Falcon every day. My scope is to use it to investigate abnormalities in our assets and the alerts it generates. The alerts come with a great amount of detail, which is mostly helpful. Furthermore, it helps us keep an eye on unwanted applications installed by users and helps get rid of them.
Pros
- The detection in CrowdStrike Falcon is quite accurate. Based on how we configured it, we do get false positives, but in my experience it has barely missed anything that was confirmed malicious. The way it understands the context of an artifact and classifies it as benign or malicious is brilliant.
- CrowdStrike Falcon Real-Time-Response console is very powerful and usable too. It doesn't feel much different whether the endpoint that is being remote-accessed is using Mac, Linux, or Windows. It is quite resilient to spotty connections too.
- The agents installed on the machines are quite silent and can be set to unobtrusive both in terms of computation and notifications to user.
- The interoperability with other AVs or EDRs is amazing too. I have seen many instances where it worked together so well without contradicting that it was hard to remember the existence of the second EDR. It only fired up when the second EDR tried to access some sensitive locations.
- The UI, although a little complicated, got many things right. It handles large amounts of asset information quite comfortably. It doesn't lag or freeze the browser on a regular computer either.
Cons
- CrowdStrike Falcon keeps on changing the UI of the Falcon Management Console quite frequently. It is very hard to create instructional documents as they get deprecated that fast.
- They lack some basic AV features like running an On-Demand Scan for anything other than some Windows versions.
- The alerts, especially the Machine Learning ones, sometimes give too much information to investigate and don't point out what in particular is suspicious. It causes us to waste time looking up hundreds of DNS names, IPs, etc., to find the culprit.
- They don't have a manual way of quarantining a file which is again basic.
- The behavior-based rule creation has a steep learning curve, as it is based on the LogScale/Humio query language. It needs a good query builder.
- It increased our visibility on the assets helping us to get rid of another asset telemetry collection tool used by IT.
- It has an exposure module, which helped us get rid of an API subscription.
- It integrates well with the other tools we have through APIs and correlates in its own built-in SIEM, thereby putting less load on our main SIEM for correlation.
- Integrating with our email protection system using their free API and using Falcon SIEM for threat hunting on files coming from email.
- Using Exposure to detect reused credentials and help get them changed.
- Using the Indicator Graph tool to find which endpoints are connected to a set of artifacts that are collectively known to be malicious or make them vulnerable.
- Crack down on third party applications causing data leaks.
- VMware Carbon Black EDR, Palo Alto Networks Cortex XDR and SentinelOne Singularity
In my opinion, CrowdStrike Falcon does a better job of detection than Carbon Black in all forms. Compared to SentinelOne XDR, CrowdStrike Falcon does a better job of finding potential threats, even though the machine learning based detection causes more false positives than the former. It also provides more customization in policies. Compared to Cortex XDR, CrowdStrike Falcon is on the same level. However, Cortex provides more granular policy selection and is helpful for tuning.
Do you think CrowdStrike Falcon delivers good value for the price?
Yes
Are you happy with CrowdStrike Falcon's feature set?
Yes
Did CrowdStrike Falcon live up to sales and marketing promises?
I wasn't involved with the selection/purchase process
Did implementation of CrowdStrike Falcon go as expected?
I wasn't involved with the implementation phase
Would you buy CrowdStrike Falcon again?
Yes