Review: CrowdStrike Falcon breaks the EDR mold

The biggest differentiator with Falcon is that the brains of the platform live entirely in the cloud, so it scales with the vendor's backend rather than with on-premises infrastructure, and it draws on telemetry from a large base of users and enterprises.

These days, every endpoint within an enterprise is going to have some form of antivirus software. It's mandated in many industries, and it makes no sense to run a system without it, if only to protect the endpoint from random, untargeted threats. But antivirus is fairly ineffective against targeted and more sophisticated attacks, which are often built specifically to evade normal AV protection. For those, the next level of protection is an endpoint detection and response (EDR) platform.

EDR works by looking for malicious activity on endpoints: not just malicious code, but unusual behavior by processes and accounts. For example, an attacker who steals valid credentials through a phishing attack can log into a system normally, without triggering any alarms or using any malware. They would initially have free rein of the endpoint, but what they do next, such as trying to elevate privileges or move laterally to other systems, is exactly what a good EDR system is built to flag.
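To make the "valid logon, suspicious behavior afterwards" idea concrete, here is a small set of behavioral rules run over constructed endpoint telemetry. This is an added example for this review, not CrowdStrike code, and it does not reflect how Falcon's real detection logic works; the event schema, hostnames, users, thresholds and command lines are all constructed. The phished account's logon raises nothing; an Office app spawning a hidden shell, an attempt to join the local Administrators group, a remote-execution tool, and network logons fanning out to several hosts within minutes do.

```python
"""Toy behavioral EDR rules over constructed endpoint telemetry (added example,
not CrowdStrike code). Schema, hosts, users and command lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# "net localgroup administrators <user> /add": adding an account to local admins
ADMIN_ADD_RE = re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\b.*\s/add\b", re.I)
# common remote-execution tooling used for lateral movement
REMOTE_EXEC_RE = re.compile(r"(psexec|wmic(\.exe)?\s.*/node:|winrs\s|invoke-command)", re.I)
FANOUT_HOSTS = 3                       # distinct hosts reached by one account...
FANOUT_WINDOW = timedelta(minutes=10)  # ...within this window => lateral movement

# Constructed telemetry: "jdoe" is an attacker using phished credentials; the
# logon itself is valid and raises nothing, the behaviour afterwards does.
# "asmith" is an ordinary user and must not trigger any rule.
SAMPLE_EVENTS = [
    {"ts": "2023-05-01T09:00:00", "host": "WS01", "user": "jdoe", "type": "logon", "logon_type": 10},
    {"ts": "2023-05-01T09:01:00", "host": "WS01", "user": "jdoe", "type": "process",
     "parent": "explorer.exe", "image": "outlook.exe", "cmdline": "outlook.exe"},
    {"ts": "2023-05-01T09:02:00", "host": "WS02", "user": "asmith", "type": "logon", "logon_type": 10},
    {"ts": "2023-05-01T09:03:00", "host": "WS02", "user": "asmith", "type": "process",
     "parent": "explorer.exe", "image": "chrome.exe", "cmdline": "chrome.exe"},
    {"ts": "2023-05-01T09:04:00", "host": "FS01", "user": "asmith", "type": "logon", "logon_type": 3},
    # Office app spawning a hidden PowerShell: typical post-phishing foothold
    {"ts": "2023-05-01T09:05:00", "host": "WS01", "user": "jdoe", "type": "process",
     "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -File C:\\Users\\jdoe\\AppData\\Local\\Temp\\inv.ps1"},
    # privilege escalation: add the account to local Administrators
    {"ts": "2023-05-01T09:06:00", "host": "WS01", "user": "jdoe", "type": "process",
     "parent": "powershell.exe", "image": "net.exe", "cmdline": "net localgroup administrators jdoe /add"},
    # lateral movement: remote process creation, then network logons to several hosts
    {"ts": "2023-05-01T09:08:00", "host": "WS01", "user": "jdoe", "type": "process",
     "parent": "powershell.exe", "image": "wmic.exe",
     "cmdline": "wmic /node:SRV01 process call create cmd.exe"},
    {"ts": "2023-05-01T09:09:00", "host": "SRV01", "user": "jdoe", "type": "logon", "logon_type": 3},
    {"ts": "2023-05-01T09:11:00", "host": "SRV02", "user": "jdoe", "type": "logon", "logon_type": 3},
    {"ts": "2023-05-01T09:12:00", "host": "SRV03", "user": "jdoe", "type": "logon", "logon_type": 3},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect(events):
    """Run the rules over events in time order; return (rule, host, user, ts) alerts."""
    alerts = []
    net_logons = defaultdict(list)  # user -> [(ts, host)] network logons in window
    fanout_alerted = set()          # alert once per account, not on every extra host
    for e in sorted(events, key=_ts):
        if e["type"] == "process":
            parent, image, cmd = e["parent"].lower(), e["image"].lower(), e["cmdline"]
            if parent in OFFICE_APPS and image in SHELLS:
                alerts.append(("office_spawns_shell", e["host"], e["user"], e["ts"]))
            if ADMIN_ADD_RE.search(cmd):
                alerts.append(("local_admin_add", e["host"], e["user"], e["ts"]))
            if REMOTE_EXEC_RE.search(cmd):
                alerts.append(("remote_exec_tool", e["host"], e["user"], e["ts"]))
        elif e["type"] == "logon" and e.get("logon_type") == 3:  # 3 = network logon
            now = _ts(e)
            hist = net_logons[e["user"]]
            hist.append((now, e["host"]))
            hist[:] = [h for h in hist if now - h[0] <= FANOUT_WINDOW]  # sliding window
            if len({h for _, h in hist}) >= FANOUT_HOSTS and e["user"] not in fanout_alerted:
                fanout_alerted.add(e["user"])
                alerts.append(("logon_fanout", e["host"], e["user"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, host, user, ts in detect(SAMPLE_EVENTS):
        print(f"{ts} {host:<5} {user:<7} {rule}")
```

Note what the rules key on: parent/child process relationships, command-line content and the rate at which one account reaches new hosts, none of which requires a malware signature. Real products run far richer versions of this, correlated across the fleet rather than per host.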

While EDR is increasingly important, it’s also becoming a bit commoditized in that many of the offerings are very similar. That could make it easier for skilled attackers to find ways around it, much like they have done with antivirus. The CrowdStrike Falcon platform breaks that mold, offering EDR in a new way that is easy to install and manage, always keeps its agents connected to a central hub, and enables immediate responses to threats as well as the ability to unmask and counter known threat actors whenever they strike.

Using Falcon

The biggest differentiator with Falcon is that the brains of the platform live entirely in the cloud, so it scales with the vendor's backend rather than with on-premises infrastructure, and it draws on telemetry from a large base of users and enterprises. An attack detected on any endpoint Falcon protects benefits every other endpoint, including those at other organizations that also use Falcon. Some groups may initially feel uneasy about letting threat data leave their organization. The advantages of the shared-defense model outweigh the old instinct to keep everything inside an owned security perimeter, though it is still worth reviewing what telemetry the agent sends against your own data-handling and regulatory requirements before deployment.

[Screenshot: CrowdStrike Falcon Discovery. Credit: John Breeden II]

The agents used by the Falcon platform are lightweight, yet they stream their findings to the cloud, keep working offline, and are easy to deploy. The console also shows how many agents have been deployed and which assets still need one. They currently support Windows, Mac and Linux devices.

To use Falcon, organizations that license the platform log into a portal that lets them deploy agents onto their Windows, Linux or Mac devices; CrowdStrike says Android and iOS support is planned for later this year. Agents are lightweight, about 35 MB of code, and that includes both CrowdStrike's antivirus and the EDR functionality. Agents keep functioning if they go offline, enforcing what they already know, but under normal circumstances they remain connected to the Falcon hub in the cloud so they can respond immediately to new threats as they are discovered; an agent that loses connectivity will not pick up new detections until it reconnects, so every endpoint needs outbound access to the Falcon cloud and egress filtering has to allow for it. Each agent generates about 5 MB of traffic per day, spread across the full 24-hour period, so it should not bog down network connectivity.
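A practitioner's first question after deployment is whether every asset actually has a reporting agent. The following coverage check is an added example for this review, not CrowdStrike's portal or API; the asset inventory and sensor check-in list are constructed, and the hostname normalization and seven-day staleness threshold are assumptions. It reconciles an inventory (such as a CMDB export) against the hosts whose sensor has checked in, and separates assets with no sensor, sensors that have gone quiet, and platforms the agent does not yet cover:

```python
"""Sensor coverage reconciliation (added example, not CrowdStrike code).
Inventory, sensor list, normalization rule and thresholds are constructed."""
from datetime import datetime, timedelta

SUPPORTED_OS = {"windows", "mac", "linux"}  # platforms the agent currently covers

# constructed asset inventory, e.g. a CMDB export (note mixed case and FQDNs)
INVENTORY = [
    {"host": "ws01.corp.example", "os": "windows"},
    {"host": "WS02.corp.example", "os": "windows"},
    {"host": "mac-03", "os": "mac"},
    {"host": "srv01.corp.example", "os": "linux"},
    {"host": "phone-07", "os": "ios"},
]
# constructed sensor check-in list, e.g. an export from the management console
SENSORS = [
    {"host": "ws01", "last_seen": "2023-05-01T08:55:00"},
    {"host": "srv01.corp.example", "last_seen": "2023-04-20T12:00:00"},
    {"host": "mac-03", "last_seen": "2023-05-01T08:50:00"},
]


def norm(host):
    """Assumed normalization: short hostname, lower case, so FQDN and NetBIOS names match."""
    return host.split(".")[0].lower()


def coverage_report(inventory, sensors, now_iso, stale_after=timedelta(days=7)):
    """Classify every inventory asset as healthy, missing, stale or unsupported."""
    now = datetime.fromisoformat(now_iso)
    seen = {norm(s["host"]): datetime.fromisoformat(s["last_seen"]) for s in sensors}
    report = {"healthy": [], "missing": [], "stale": [], "unsupported": []}
    for asset in inventory:
        host = norm(asset["host"])
        if asset["os"].lower() not in SUPPORTED_OS:
            report["unsupported"].append(host)   # cannot get an agent yet
        elif host not in seen:
            report["missing"].append(host)       # never checked in: deploy the agent
        elif now - seen[host] > stale_after:
            report["stale"].append(host)         # agent installed but silent: investigate
        else:
            report["healthy"].append(host)
    return report


if __name__ == "__main__":
    for status, hosts in coverage_report(INVENTORY, SENSORS, "2023-05-01T09:00:00").items():
        print(f"{status:<12} {', '.join(hosts) or '-'}")
```

A stale sensor deserves the same attention as a missing one: an endpoint that stopped reporting may simply be powered off, but it may also have had its agent disabled, which is exactly the kind of change an attacker makes first.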
