CrowdStrike Falcon offers detection, prevention, monitoring and search capabilities to protect against advanced and persistent threats. Combining comprehensive threat intelligence from the Falcon OverWatch team with next-generation antivirus capabilities, endpoint detection and response and managed hunting, this software goes beyond alert triage into the realm of proactive threat hunting.
The management interface includes multiple dashboards, each intuitive and easy to navigate. The Host Dashboard offers a high-level overview, with environments broken into several views that present analysts with the most efficient at-a-glance view of actionable information. The Sensors Dashboard has everything analysts need to get started.
The Threat Chain functions as one of the most useful components of the platform. It groups hosts together and offers a step-by-step analysis of affected processes as well as plain English incident descriptions. These user-friendly explanations quickly cut through the more technical details to show analysts what occurred in a suspicious event and why the platform has flagged it. Analysts may drill into each data point to uncover more information and execution details, such as malicious file or command activities and the identity of any processes still running. If an event requires response, analysts can easily act directly from the process tree.
We are very impressed with the linkage between alerts and known bad actors. A red bar over a detected alert means that it has been associated with a known actor. Analysts can then pivot to the bad actor profiles to learn more about known bad actor groups, including the date of their last known activity, the nations and industries they prefer to target, and more. These pages even document which kill chain processes or tools the groups have used in past attacks. The bad actor profiles are easily searchable and include reporting capabilities.
The advanced endpoint detection, response and threat hunting capabilities of CrowdStrike Falcon are unparalleled. For advanced and customized prioritization, Spotlight cross-references known vulnerabilities with operating systems and software products used within an organization. CrowdStrike’s malware database MalQuery lets security teams conduct next-level, enterprise-wide malware hunting.
Overall, CrowdStrike Falcon does a great job of identifying suspicious behavior and providing robust contextual event information. All capabilities are built into the same agent or sensor which then passes the collected information exclusively to the cloud, resulting in rapid detection, quick response, and an expanded platform. The machine learning engine provides useful context to an event, presenting analysts with a big picture view so that they may quickly understand what has occurred. Indicators of attack and machine learning are built directly into the sensor at the host level so that it can even detect threats offline.
The product costs $50 per endpoint, per year and includes 24/7 phone, email and website support. Additional support options are available for a fee. Organizations have access to a knowledge base and FAQ list. The online manuals and documentation are effective and well-organized, with a lot of information, bulletins and more. The CrowdStrike Store adds great value and flexibility to this solution. Its impressive application catalogue and expansive partner support ensure that CrowdStrike Falcon will keep pace with any growing company.
Written by Katelyn Dunn
Tested by Tom Weil