For our use cases, we are using it to collect IOCs, and we also are using EDR, with injection integrated with our SIM solution to create some use cases.

What I find beneficial about CrowdStrike Falcon is that it performs effectively. We are focusing only on EDR and creating use cases regarding user processes or endpoints, particularly user behavior analytics.

The CrowdStrike Falcon has enhanced our cybersecurity posture in our organization by providing full visibility for each endpoint.

The real-time analytics aspect of CrowdStrike performs well because we get all logs in real-time, with no delay, allowing us to take action immediately.

The integration capabilities of CrowdStrike are excellent; we can integrate it with many SIM solutions and SOAR, and we have already integrated with different platforms. While integrating it with other platforms, I do not remember facing any issues, as we have a very good team for custom connectors, and the integration is smooth without any challenges.

We do not leverage AI within the CrowdStrike Falcon, as we are using different products LLM, and I am unsure if CrowdStrike has the capability to integrate it with local LLM or if I need to use commercial LLM such as OpenAI.

I am currently investigating SOAR in CrowdStrike because I have seen some articles about it, but I am uncertain if it is operational now or still in development.

I do not have any specific features I would want to see included in CrowdStrike.

I have been working with the CrowdStrike Falcon for almost three years.

I find CrowdStrike to be stable; there are no issues, although there was one instance when we had an outage for updating the Falcon Agent, but since then, it has been stable without any issues.

In terms of scalability, I find CrowdStrike to be stable, and I have not encountered any limitations with it. CrowdStrike covers around 2,800 endpoints for us.

Regarding maintenance, the service is excellent; if we face any issues, we open a ticket with the CrowdStrike support team.

I would evaluate CrowdStrike tech support as excellent because they have a very fast response.

On a scale of one to ten, I would rate the technical support as a 10 because they resolve many issues for us.

Positive

Before CrowdStrike, I worked with other solutions for EDR and XDR, specifically Trend Micro and Microsoft Defender's Endpoint, as we are working in MSSP.

The main differences between CrowdStrike and Trend Micro or Microsoft solutions are that CrowdStrike gives me more visibility, while with Defender, I have to run queries which are not easy to use. Even network telemetry for CrowdStrike is very simple and easy to read, allowing for faster understanding compared to Defender where creating rules requires more tuning. Regarding disadvantages of CrowdStrike in comparison to Defender or Trend Micro, I do not see any.

I was not involved in the implementation part of CrowdStrike in my environment because I arrived after it was already installed, so I did not start from scratch.

Currently, I do not see any tangible benefits from CrowdStrike regarding incident improvement time, response time, or cost saving.

Based on my experience, I would recommend CrowdStrike to others because it is user-friendly and easy to manage, unlike other solutions that require experienced personnel; CrowdStrike's documentation is also very clear.

I would recommend it to other users because it is a perfect product.

It is an easy solution that anyone can manage, providing many benefits for endpoint visibility and allowing for the creation of many custom use cases without the need for much fine-tuning to get true positive alerts.

On a scale of one to ten, I would rate CrowdStrike Falcon as a product and solution as an eight.

Our organization still uses Infoblox, and my role is a little bit different now. I am conducting the POC of new solutions, which we have to deploy in our infrastructure. I evaluate the new products, and then if we purchase them, we deploy them.

EDR is effective in CrowdStrike. Real-time response (RTR) is a feature of EDR. CrowdStrike provides a lot of visibility in their tool. CrowdStrike is from the EDR point of view. It is a good tool, and we have rolled it out in our infrastructure.

The KDR solution is immature. They do not have much preemption in ITDR. Threat prevention should be their first priority, and false positive reductions are needed. They should improve their support as well. Response resolution time is too high.

I have a little bit of experience with Infoblox. I do not have too much experience with it. Recently, we deployed CrowdStrike, media, and SVR. We purchased CrowdStrike around one and a half years ago, and now we have completely rolled it out in our infrastructure.

Response resolution time is too high.

Neutral

Implementation was comprehensive. It took around seven to eight months.

Overall, seven to eight people from different teams were involved.

SentinelOne and Palo Alto were looked into.

Support is an area that needs attention. Overall, EDR is fine. ITDR is not mature, and other tools are also not mature. If we talk about SIEM and cloud security, those are also not mature. I would rate it five out of ten.

We are using it for endpoint protection, as well as for cloud security coverage. It includes monitoring all our critical servers and endpoint devices. We also design workflows for anomaly behavior detection using machine learning techniques for anything malicious or abnormal. We monitor everything suspicious. We either design the workflows or use CrowdStrike to monitor any new detections and anomaly behaviors, as well as do vulnerability management.

The best benefit of CrowdStrike Falcon is 99% MITRE coverage. It detects suspicious or undetected activities on the system and provides protection for zero-day vulnerabilities. If there is a sudden rise in CPU consumption or abnormal storage use, it helps us by creating a ticket, allowing us to investigate any abnormal behavior present. We can look into the machine and investigate. It reduces the false negatives common with other technologies.

The real-time response helps with MTTR. We achieve faster detection and response times.

It helped prevent breaches. In the past, there was abnormal consumption of RAM along with CPU on a server. It also started communicating with other subnets. CrowdStrike Falcon triggered an alert. We did our investigation and found that we had ransomware. We successfully mitigated it.

The machine learning behavior for anomaly detection is a valuable feature. It helps identify any suspicious or unusual activities within the system.

Furthermore, it has impressive MITRE coverage. 

Deployment in cloud environments is challenging. Another concern is CrowdStrike's GUI. It changes annually, making it hard to work and find options. After a year, options change or integrate with something else, which is challenging for me as it requires relearning. It is time-consuming.

I started working on CrowdStrike in 2018. 

We are following N-1 versions across our environment, which is stable. Due to our requirements, we never switch to the N version; we always stick to N-1 and never face anything abnormal while using it.

It has proven to be a good technology for me. It has adequate coverage and is easy to deploy. Its scalability is good.

It is deployed across the globe.

I would rate them a seven out of ten. They take a lot of time to come back to us.

Neutral

I have used SentinelOne as well. SentinelOne was similar but had major challenges with workflow implementation. Workflow implementation is far easier in CrowdStrike compared to SentinelOne.

We have it in the on-premises environment and cloud environments. For endpoint hosts, it is very easy, but in the cloud environment, there are challenges, especially if we have AWS technologies with Lambda functions, which are serverless.

My implementation strategy was simple. I segregated servers based on criticality, then network, and finally OS level. Anything critical was based on my CMDB asset configuration. Following criticality was the network, determining internal versus public-facing. The last segmentation was on OS configuration. These three categorizations were primarily used in deploying agents across our environment.

In terms of maintenance, there are patches or version upgrades. 

We had a group of five people, which was enough to manage this.

It is worth the money.

It is expensive compared to SentinelOne, but as the market leader, it is worth it.

I would rate CrowdStrike Falcon an eight out of ten. They have some challenges with the cloud environment, which is a major drawback, especially with the serverless aspect. Their GUI also causes issues with regular changes.

If anyone has worked with CrowdStrike, they would promote it. However, cloud security presents challenges. Moving from physical to cloud environments is difficult. I have raised 7-8 tickets to resolve cloud issues, especially with AWS.

I am currently using CrowdStrike Falcon as an EDR, which is integrated with SIEM. We also work in a real-time environment with the product. As a Falconist, I perform investigation actions on it. There are three different kinds of alerts I deal with: one based purely on IOCs, another process-oriented IOA, and those based on machine learning alerts. This is what I work on, and it is actually a good tool. It has multiple features, including real-time connection to the RTR environment, allowing direct remote host connection through CrowdStrike. I have multiple options like host search and event search, enabling me to do everything I need. It's a comprehensive package. It's a challenging tool to explore, but once accustomed to it, it is quite excellent.

Obviously, when checking in the SIEM, not all logs are available. In CrowdStrike, unlike SIEM, actions are clearly defined. For example, a regular AV like Symantec might indicate a file was quarantined or failed to quarantine, but in CrowdStrike, I can verify the action. As an incident response analyst, I can use CrowdStrike to perform actions like directly wiping a file from a host if given access. I can investigate by accessing the customer's host based on the RTR environment and utilize host search to know details for the past seven days, including logins, processes, file installations, malicious processes, and network connections. Event search also allows for detailed investigations, showing accessed files and remote installations.

In CrowdStrike, with the variety of security tools available, learning the different query languages can be challenging. I use KQL queries with Sentinel and AQL with QRadar, and CrowdStrike's query language is different as well. This requires constant learning for security analysts. Simplifying the querying process, such as using double quote queries or directly obtaining logs based on IP addresses or usernames, would be beneficial. The event search tab in CrowdStrike is complex, though the host search is more straightforward and gets details from the past week. The querying system, similar to Splunk, could be made more user-friendly.

I have been using it for the past two years.

The stability is always great. I have never seen instability in the CrowdStrike tool.

When it comes to scalability, it is entirely based on premium models according to demand. Our log retention is low, but paying more increases it. Scalability is moderate, based on the charges paid to the CrowdStrike product service team. Offering good services, like better log retention at a lower price, would be excellent.

The CrowdStrike team is very efficient; I would rate them ten out of ten. They respond quickly when it comes to providing services.

Positive

I have worked on Symantec ATP, advanced threat protection, but it is a legacy product. Many companies have moved away from Symantec, and they use legacy antivirus solutions. The integration with Symantec ATP was tough, and event or host searches were based entirely on raw logs.

The current setup is easy, but it could be more natural and make drill-down searches simpler. With advancements in AI, integration could streamline responses further, but there is still room for making the process easier.

The integration task should be done by engineers. I'm interested in the process and have learned something about integration, but we have not fully explored all integration aspects.

CrowdStrike is a great solution. It's a hands-on tool. I have not seen other EDRs like it. Compared to Carbon Black, which is much more difficult with a different UI, CrowdStrike allows direct, detailed investigation with a PID generated for each process. It offers unique abilities not seen in other EDRs. Overall product rating: nine out of ten.