CrowdStrike Falcon Security – Big Data fighting back
Introduction to CrowdStrike
CrowdStrike is not an antivirus tool; it is a breach prevention platform. Traditional antivirus software uses databases of virus patterns (signatures): every event on your PC has to be monitored by the antivirus, and if it matches a known pattern the file is quarantined or destroyed.
This process works well for known viruses and patterns, but it is extremely system intensive, and the AV can only catch what it already knows about.
CrowdStrike focuses on security breach protection and prevention, not just ‘virus protection’.
How does CrowdStrike work?
We are no longer dealing only with commodity viruses; malware and ransomware are taking over. The modern adversary operates with nation-state sophistication. Every quarter we see fewer viruses and more advanced attacks, choreographed with the intention of circumventing traditional legacy systems. Ransomware, crypto-lockers and other advanced techniques continue to lock entire businesses out of their files and attack more than just file shares, while malware takes snapshots of privacy-sensitive data and dumps it out.
These breaches now target user accounts, firmware and databases, using in-memory attacks that antivirus software cannot possibly catch with traditional file-scanning methods.
Because attacks are evolving, protection should evolve too. CrowdStrike Falcon refers to this as next-gen AV. It no longer relies solely on a database of known patterns; it utilises machine learning, behavioural analytics and artificial intelligence (AI) to see anomalous and malicious behaviour on a global scale and stop it.
What gives CrowdStrike Falcon’s “eyes” so much power is the cloud. Maybe that’s why they call it Falcon: it is one of the fastest animals, with the best sight. CrowdStrike essentially harnesses big data and AI together to see malicious behaviour and stop it dead in its tracks. CrowdStrike does away with patterns and signatures. It can see malicious behaviour, including malicious actions by hackers or even disgruntled staff.
CrowdStrike removes the need to ‘learn’ new viruses, malware and ransomware before we can stop them. Instead, it watches for the malicious behaviour and stops the action, all while processing the data in the cloud and requiring almost no resources on your device.
CrowdStrike does this by sending around 5 MB of telemetry data per device per day. CrowdStrike currently processes a whopping 3.2 petabytes of global telemetry data and 2 trillion events per week, resulting in 91 million decisions per minute. This is big data fighting back, and it is amazing.
One Client – One Platform
The CrowdStrike solution offering is broken into three key areas:
- Endpoint Security
  - Prevent – Falcon’s next-gen antivirus module, using machine learning to detect malware and ransomware.
  - Insight – Falcon endpoint detection and response (EDR) continuously detects suspicious activity, ensuring attacks and breaches are stopped with real-time visibility.
  - Device Control – Falcon DC provides visibility into and control over USB usage on devices.
- Security & IT Operations
  - Overwatch – Falcon’s 24/7/365 human team of threat hunters, with security expertise, proactively monitoring and acting on behalf of your operations. Yes, you read that right: human threat hunters.
  - Discover – Falcon’s IT Hygiene module provides clarity on all applications running on each device, including patching, hosts and users, to expose risks.
  - Spotlight – Falcon Spotlight exposes vulnerabilities across the devices on your network so they can be remediated.
- Threat Intelligence
  - X – Falcon’s threat intel module, called X, automatically investigates incidents and alerts, so you are better informed and can report on any breaches.
  - Search – Falcon MalQuery is a tool for researching malware samples and gaining insights into them.
  - Sandbox – Falcon Sandbox provides analysis of unknown threats to better understand attacks.
UX and Interface
CrowdStrike Falcon is a powerhouse of intelligence, a well-crafted infrastructure tackling the biggest and toughest issue online: security. It has clearly taken some of the best AI and security minds to execute this platform. Sadly, the let-down is the UX and interface; even for an IT manager it is dark, overly complicated, stat-less and unclear. Naming conventions are confusing – I’m constantly having to hit the link in the toolbar to get back home.
Sure, after using it for two months you will master it, but the first two weeks are confusing enough to make you not want to return to it often. This becomes a danger when this area is key to monitoring and management.
It looks like the UI designers were pushed aside. Instead, the AI and security team designed the interface using a free admin template they found online. It constantly conflicts between admin console, stats dashboard and an unusual report layout.
A truly modern, intuitive and clean design would transform the UX and portray the product as much more mature (because it really is). Clearly there are some smarts behind the platform, including some amazing big data stats. I just wish I could see them.
Don’t believe a UI can be technical and smart? Take a look at what happens when a smart Apple Inc. employee leaves to start their own Network appliance company called Ubiquiti. Somehow networking got sexy.
Hopefully we will see CrowdStrike implement this change itself, instead of leaving it to the market via APIs and extra costs to end users.
Pricing and Plans
CrowdStrike currently has 4 tiers of ‘plans’. Other modules can be purchased individually depending on the plan you choose.
- Pro Plan – Provides Falcon Prevent endpoint antivirus only.
- Enterprise Plan – Includes Falcon Prevent endpoint antivirus and Falcon Insight (EDR).
- Premium Plan – Provides Falcon Prevent endpoint antivirus, Falcon Insight (EDR) and Falcon Discover IT Hygiene.
- Complete Plan – Provides exactly the same modules as the Premium plan, but delivered as a fully managed service. Complete also includes a breach prevention warranty in some regions.
As mentioned, it is not an antivirus, at least not in the traditional sense. The good thing is that you can run it alongside something like ESET. Consider it another layer of breach prevention security, powered by big data and artificial intelligence and requiring no local resources.
All CrowdStrike modules are excellent, but the plans do not include most of them; instead they are a separate purchase. For example, there are 12 modules in total, but the Premium tier only includes 3 of them. The “Complete” tier is in fact not complete: it is a managed service and only includes 5 of the 12 modules. I feel this convoluted module and pricing structure is the cause of the confusing UX/UI.
Multiple modules provide flexible purchasing options, but the structure is not at all user friendly and requires resellers to get what you need. In fairness, I don’t think CrowdStrike is currently SMB focused, which would explain why.
Currently, purchasing CrowdStrike is harder than deploying it, as the deployment process is extremely easy for IT managers (push the service installer out to your devices via GPO).
Make the purchase process easy for all, simplify and unify the modules and plans, rework the (entire) UX/UI, and CrowdStrike becomes not only the smartest breach prevention platform in the world, but one that looks it.