CrowdStrike Falcon is a highly rated, highly sophisticated endpoint solution. Falcon focuses on malware; where it really stands out is with advanced types of malware, including PowerShell exploits and file-less malware variants. Falcon combines next-generation antivirus and endpoint detection and response with managed hunting, all delivered via their cloud portal. CrowdStrike Falcon delivers, and delivers well, at all three phases of a ransomware attack.
During the delivery (pre-infection) phase and the infection phase of an attack, Falcon detects files and blocks known ransomware before it has the chance to infect the system or spread throughout your organization. Typically, this is enough to protect your systems, until you experience a "zero-day" attack. Fortunately, Falcon uses machine learning to recognize indicators of attack, which helps block these previously unknown attacks, including newer file-less attacks. Another advanced feature of the Falcon software blocks the execution and spread of malware by blocking exploits that leverage unpatched vulnerabilities.
Where this tool really shines is the post-infection recovery phase. Using the dashboard, we can see exactly how the attack happened, follow the kill chain back, and understand what needs to be done to improve your security posture. Many tools claim to provide details about an attack, but Falcon really delivers the forensic detail you need. The cloud dashboard provides event details, behavior detected, file path, hash values, and timestamps from the actual attack. During the investigation, we were able to locate malicious hash values on other systems and quarantine them.
A cloud-managed solution is only as good as its dashboard interface, and CrowdStrike's Falcon doesn't disappoint. The dashboard layout is well polished and easy to use. The documentation around it is well written and gives a lot of context. Even without reading the documentation, first-time or infrequent users can navigate easily thanks to the dashboard's hover-over tooltips. Once inside the dashboard, you have all the information at the click of a mouse. Our team found itself spending a lot of time ingesting data and clicking through this intelligible user interface.
In the event you need support with Falcon, CrowdStrike offers several tiers of support. The included basic support package gives you 24x7 support by email, phone or their support portal. Additional support options can be added on to get prioritized case handling, an enhanced support portal, a technical account manager, and even onsite visits. While there is not a strong online community, the support staff are friendly and knowledgeable and can quickly resolve your case. If you need additional threat-hunting support, for an additional fee you can have CrowdStrike's OverWatch team engaged to help with difficult problems.
We were very impressed with the completeness of the CrowdStrike solution. Falcon was not difficult to deploy, and the dashboard was intuitive and easy to follow. After implementation, you have access to important information and can make decisions and tune the solution to meet the requirements of your environment.
by Mike Diehl; tested by Mike Diehl & Matt Hreben