Review: CrowdStrike Falcon breaks the EDR mold

These days, every endpoint within an enterprise is going to have some form of antivirus software. It’s mandated in a lot of industries, plus it makes no sense to run a system without it, if nothing else than to protect the endpoint from random, untargeted threats. But antivirus is also fairly ineffective against targeted and more sophisticated attacks, which are often created specifically to get around normal AV protection. For that, the next level of protection needed is an endpoint detection and response (EDR) platform.

EDR works by looking for malicious activity or processes on endpoints, including code and unusual behavior. For example, an attacker who steals valid credentials through a phishing attack can log into a system normally without triggering any alarms or using any malware. They would initially have free reign of the endpoint, but their activities after that, like trying to elevate privileges or move horizontally to other systems, will likely get flagged by a good EDR system.

While EDR is increasingly important, it’s also becoming a bit commoditized in that many of the offerings are very similar. That could make it easier for skilled attackers to find ways around it, much like they have done with antivirus. The CrowdStrike Falcon platform breaks that mold, offering EDR in a new way that is easy to install and manage, always keeps its agents connected to a central hub, and enables immediate responses to threats as well as the ability to unmask and counter known threat actors whenever they strike.

Using Falcon

The biggest differentiator with Falcon is that the brains of the platform exist completely in the cloud, which gives it unlimited scalability as well as a massive footprint of users and enterprises. Any attack against a protected endpoint anywhere within an enterprise that Falcon is protecting will benefit every other endpoint, even those sitting at organizations also using Falcon. Some groups may initially feel uneasy about letting threat data leave their organization, but the advantages of the shared defense model far outweighs any outdated concern about keeping everything inside an owned security perimeter.

John Breeden II

To use Falcon, organizations that purchase use of the platform log into a portal site that lets them deploy agents onto their Windows, Linux or Mac devices. CrowdStrike is working on adding Android and iOS devices to that mix later this year. Agents are very lightweight, consisting of only 35M of code. That includes both CrowdStrike antivirus and EDR. And although agents can function if they go offline, under normal circumstances they remain constantly connected to the Falcon hub in the cloud so that they can instantly respond to new threats as they are discovered. Each agent generates about 5M of traffic per day, spread out over the full 24-hour period, so they shouldn’t bog down network connectivity.

There is a good discovery module within Falcon that can show how many agents have been deployed and which assets still need to get them. Currently, Falcon can’t protect internet of things devices or assets like printers, though they do show up in the discovery process. It does not take very long at all to install agents, and the whole process can be scripted for even greater speed. Pricing is based on the number of agents installed at an organization.

Once installed, agents remain connected to the brains of the system inside the cloud. Agents are kept constantly up to date with the latest threat data. Because every agent at every organization that uses the Falcon platform reports to the central cloud-based hub, new attacks and techniques are discovered very quickly. In our testing, it took less than a minute for the details of a new variety of attack made against an endpoint at one organization to be shared with all of the endpoints at others.

John Breeden II

IT teams also log into a cloud-based management console to both monitor and remediate threats Falcon discovers. For every incident, Falcon generates a full report that includes a process tree showing what the attacker tried to do. This can be helpful for threat hunting activities, or if a blocked process is actually an indication of a larger problem. Where many EDR platforms will simply report on the successful blocking of a malicious program or restricted process, Falcon graphically shows all the other associated activity happening on that same endpoint. During our testing, this revealed a compromised administrator account, because even though one process was blocked, the attacker was still active on that same endpoint and would likely try something else unless removed.

Testing Falcon

The interface of the incident reports are graphical and easy to understand. They show what an attacker is trying to do on an endpoint, what processes or programs they are trying to run, and their immediate goals. Falcon provides a wealth of evidence to IT teams, including user names, local process identifications, command lines used, file paths, runtimes and durations. It makes it so that remediation can be conducted by even lower tier analysts in most cases.

John Breeden II

Falcon gives IT teams a full suite of remediation tools. As part of our testing we were able to remove a compromised system from the network, connect directly to the infected host and take remediation actions. In that case we replaced compromised command lines that had been changed by the attacker as well as program associations. And we removed a file that the attacker had left behind as well as a secondary user they had created. Then we reset the credentials of the original compromised user and returned the system to service. And because the Falcon agent constantly keeps in touch with brains of the platform in the cloud, it automatically knew when the system had been fixed.

If you have a large IT team, then the Falcon platform is a perfect tool to maximize their effectiveness. But CrowdStrike also offers to directly help organizations that purchase a higher tier service agreement. Called Overwatch, the service enables security teams at CrowdStrike to monitor threat data from a protected organization. Depending on the service tier, CrowdStrike can alert local IT teams about dangerous threats they might have overlooked or not prioritized, work with them to solve problems, or even mitigate threats on their behalf.

John Breeden II

CrowdStrike also internally analyzes threats made against protected endpoints and tries to connect the dots to unmask attackers. They do this by looking at things like the IP addresses used by the attackers as well as their tools and techniques. Once they have enough information, CrowdStrike gives the hacker group a name, a cartoon-like icon, and a full report about their activities and goals. Thereafter, the platform can identify those same attackers and lets targeted organizations know if they ever launch a campaign against them.

The last word

John Breeden II

Some organizations may find information about their adversaries to be very valuable, as attackers generally want different things. Some groups go after intellectual property, for example while others are looking for financial gain. CrowdStrike most famously discovered that the widely-reported attack made against the Democratic National Committee during the last election was orchestrated by a Russian hacker group looking for damaging political information. Knowing about an attacker, and especially their techniques, makes it easier to plan defenses to stop them.

While the concept of cloud-based EDR may be a bit of a stretch for more traditionally minded IT security teams, in practice the advantages far outweigh any concerns. The CrowdStrike Falcon Platform is highly responsive, easy to use and install, and has agents that are kept constantly up to date about the latest threats occurring worldwide. When you add in the optional Overwatch feature, it’s a form of endpoint protection that comes about as close to perfect as one can get in this era of constant attacks.