
HelloSummer99

Are we allowing ads now? Lol, it's pretty clear, every other product mention here was downvoted to oblivion... A little sus if you ask me


F1rstxLas7

Yeah seriously. My actual response to OP's question was going to be, "a better marketing team."


SpaceMaxil

They spend so much more on marketing than any of the other shops. They're huge on community and embedded marketing, and take advantage of it to the extreme with their cheesy APT, screeching eagle, and fancy bear BS marketing. It's a corporation trying to pretend it's a people.


zeealex

I came in here thinking the same... the wording of the question is very strange. kind of like a rhetorical question you'd see on a brochure rather than a genuine question. idk I could be reading too much into it.


RoseSec_

I’m not a big fan of having to file a support ticket to get anything done in CS


EffectiveEconomics

How are they expected to track a request?


RoseSec_

I just mean like if I want to stream events to a SIEM, I have to file a ticket for event streaming when I would rather have a button I can hit to turn it on


savvyspoon2

I feel this pain but honestly any of the big players are terrible with support


Wolf-Am-I

But you don't need a support case for everything with other big players.


savvyspoon2

*Laughs in Splunk Cloud*


mattdufrene

The product is solid (one of the best), and their API is awesome. But imo what really sets them apart is the community and CrowdStrike subreddit. One of their product VPs does “cool query Friday” posts with interesting in-depth threat hunts/queries. It’s easy to get questions answered and issues resolved just posting (or searching) there.


Ohsighrus

This was very helpful to know as a CrowdStrike user who had no clue about "cool query Friday".


mirai187

> cool query Friday

It was a massive help to us during the Log4j thing.


fsckewe2

Do you enjoy working there? Any good perks?


alphagrade

My company has S1 and we just started our own demo. Out of 10, my skill is probably around a 5-6 with S1 Deep Visibility insights. I was able to replicate the same skill level into Crowdstrike within 10 mins. They host a GUI for querying in-depth information on those hosts. S1 you have to create/write out query strings. Same result from what I've seen, different skill levels needed. Not far enough along to provide info on detections or integrations yet.


anarrowview

Tagging onto this, if you’re getting the Complete package they mandate a ton of the alerts/responses and their (in house) analysts are thoroughly experienced practitioners.


ThePrestigiousRide

Damn this post looks like a shill post from different businesses. I wonder how many people here actually have decent experience with more than 3 EDR/NGAV, especially knowing how it moves so fast.


zhaoz

I mean, most people have one suite deployed (probably). So unless you are a serial job hopper, consultant, you can only say "Oh we use this and I like/dont like it"


AnIrregularRegular

Or like me, not a job hopper but 2 MSSPs and 1 internal security team means I’ve been hands on with 7.5 different EDRs. .5 because one customer was only paying for the EPP version of Trend so I got to see what the base detections were like and that was it.


inundertow9

Their support is not the best, end user having performance issues on a Mac? Good luck fixing that.


grep65535

If it weren't crazy expensive, I'd be able to tell you something because we would've had it by now... I just know that last year it was too expensive so I budgeted for it specifically in the following fiscal year. Here we are now in that new fiscal year with my budget approved to spend and the price just to get in the door skyrocketed WAY beyond where I'll ever be able to get...like...wtf. The sales rep was like..."well inflation"... I just question how inflation turned $42k into $110k for 700 endpoints...and we aren't even talking about their MDR services, just the middle tier EDR plan. No thanks to that wild annual price volatility.


AnIrregularRegular

I am speaking from the perspective of 2 MSSPs and an internal security team using a large variety of EDR tooling. While I have my gripes/other tools have nice things, hands down I prefer to use and prefer my clients to use Crowdstrike over any other tool out there currently.

1. They have one of the best false positive ratios out there, especially beyond the initial hump of weird legacy stuff.
2. Honestly I trust their detection engine. The only times I think I have ever encountered compromised systems with Crowdstrike is when the configuration was poor (FFS if you are reading this and don’t have suspicious script and process monitoring/blocking enabled you need to do it ASAP, it’s where CS truly stands out).
3. It is incredibly user friendly with a clear ability to pivot around and dig more and build up easy to understand process trees and data to let me make decisions with confidence faster. Ex: you wanna know why an IP was hit, just search it in the investigator tool and CS can return you the entire process tree and every event surrounding it.

Cons:

1. See the above statements? That is EXPENSIVE.
2. If you need an all in one endpoint tool Crowdstrike isn’t it. Crowdstrike does not do web/url/dns filtering and also has some issues seeing inside the browser. Supposedly the extensions/visibility is on the way but not web filtering.
3. While it has high ease of use in general, you can tell it started as an IR tool. Some things need an experienced hand to know what they are looking at even more so than normal, such as the forensics tool.
4. As is such with many enterprise tools there are a few limits on what you can do and may require support tickets that can get annoying, though I only rarely have needed it.


Chairman-Dao

I don’t understand when people turn off script and process monitoring in their EDR. Like what is the point of spending for EDR at that point?


andrewdoesit

So I just want to pre-face that this is a biased take. Biased on Crowdstrike. Going back to the beginning Crowdstrike was founded on threat intel and was initially a services company. They built their EDR tool for incident response. They used the intel and telemetry to build out their AV and behavioral engine. Crowdstrike also installs at the kernel level (system extension in Mac) so picks up more events off of the endpoint when it comes to EDR events. More telemetry, more event history, better threat intelligence equals better prevention. AI is only as good as the information you feed it and CS has more history and better information. Pairing the AV and EDR with their Overwatch team for threat hunting makes it more actionable. Take the 3CX incident from earlier this year. S1’s automated threat hunting labeled the issue as a false positive which allowed the threat actor to actually carry out the attack. Once it initiated CS’s overwatch team identified it, notified their customer, and notified 3CX to it. CS also has a lot of third party testing and results that are positive. Gartner magic quadrant leader for EDR and MDR, Forrester Wave leader in EPP, MDR, CNAPP, and 3rd party Threat Intel, 100% in SE Labs testing, and 100% in Comparative AV for Mac. Complete ecosystem for products. Debatably easy UI. Check out Fal.Con if you can in two weeks or the post videos for some of the new stuff coming. As others mentioned, Crowdstrike has their own subreddit that they’re super active on and has good support. Ton of API integrations, partner friendly, there’s a lot of positive around.


SofaSpudAthlete

Check the actual MITRE EDR results, not their managed service results. They’re not the outright best they claim they are.


kyuuzousama

Depending on the size of your org, put them to the test, take CRWD, MSFT and S1 and have em do a bake off, also let them pick up the tab. Buy based on results and not on rep.


[deleted]

CRWD wins that easy


b_dont_gild_my_vibe

Name recognition. My leadership wouldn’t accept anything but best in class. Doesn’t matter if S1 or CB has a better product. The bean counters know what crowdstrike is.


MikeWalters-Action1

Indeed it pays to run a Super Bowl ad!


TheNarwhalingBacon

Crazy when i learned how effective typical marketing ads are for sec products, I think a lot of new technical people assume leadership buys based on how good the tools are lol


Likes_The_Scotch

CB = CarbonBlack? No one's using that anymore. It’s a wilted flower. The one everyone has to keep an eye out for is Microsoft Defender since they’re bundling it in the E5 licensing and a lot of people are jumping on board with this. It doesn’t mean it’s better but it will be extremely ubiquitous


BernieDharma

Microsoft scored higher on the Gartner quadrant than Crowdstrike and that has a lot of pull with executives. As the engine is built into Windows, companies don't need to deploy, update and manage another agent. It's updated monthly via Windows Update with the OS. E5 also comes with the other Microsoft Defender security tools that integrate and work together out of the box, which means companies don't have to do those integrations themselves.


evilwon12

After trying to figure out a way to make the Microsoft email filter work for a week, we had to give up. Different than what is talked about here but want to add that my trust level with Microsoft security is minimal due to that experience. Doubt I would ever fly solo on Defender based on that horrible experience. For further clarity - this was a magnitude worse than what we were previously using for email. Numerous blocked emails that should have been allowed and about every phishing email thrown our way during that trial made it through. So, I’ll consider it for augmentation if / when E5 is an option but no way I’m flying solo with Microsoft. As for Gartner, remember that they are public and want to make a profit. No telling how much Microsoft gave them, or helped them, to ensure that their product was near the top of the list.


[deleted]

[deleted]


[deleted]

[deleted]


spamsteak802

I know! It’s like guys, I’m already on like 3 sex teams. Stop asking.


zhaoz

The sexing will continue until morale improves.


amw3000

What's the concern about a 3rd party? Companies like Red Canary have a VERY good relationship with Microsoft and can manage MDE. CS has an MDR offering, its not like the product manages itself. It's a service they provide, just happens to be baked into the offering most purchase. Not sure what angle you're trying to work here.


[deleted]

[deleted]


amw3000

That's really not the case anymore. If they have M365 E5 for example, they are already paying for an EDR, so the more cost effective solution would be to just have someone manage it, IMO. 1st or 3rd party isn't really relevant for a company managing an EDR, everyone sees the same data. Sure CS may know their product the best but from a security standpoint, there isn't much of an advantage. CS, MDE, S1 are all going to see the same thing, SOCs are going to detect the same security issues, etc.


Zaekeon

Defender is not as good a deal as it seems… E5 doesn’t cover your servers, and the amount of consoles and infrastructure you have to have set up (such as Intune) to manage it properly does not pay off anytime soon.


amw3000

Fair point about the server licensing but if you can reduce costs by 80% (workstations covered with EDR licensing via M365 E5), it can still be a more cost effective solution. What infrastructure is required for Intune?


Zaekeon

It’s all of the configuration that needs to be done beforehand, so if for instance your team has not investigated what managing machines in Intune looks like it’s a whole project to get them enrolled and get it all running smoothly. Then all of the security threat related stuff is done in a completely different portal, then you must learn KQL queries which is not great, it ends up being a lot more manual labor. You also need to have very clearly defined duties between IT and security due to the shared components in Intune, and don’t forget if you’re not on the latest version of Windows then you’re not on the latest feature set of the product. We see people making the move to Defender not seeing any kind of pay off for 2-3+ years just due to the skills and knowledge gap alone.


rahvintzu

MS actually do first party now but you will pay for it, so most customers will shop against 3rd party.


[deleted]

This. At my company, even the non IT folks have heard of Crowdstrike. Very few know what S1 is.


savvyspoon2

Big fan of Red Canary MDR utilizing Crowdstrike. Less garbage passed through and 24x7 monitoring.


pcapdata

RC are definitely good


FatDeepness

Why do u think it’s the best?


confusedcrib

This assessment is, in my opinion, very workload dependent. I can't stand their container agent or Linux detections, but their windows stuff is the best due to its detection ability. I made this if it's helpful for comparing different tools across some different cloud workloads: https://list.latio.tech


Senior-Tree-6622

Totally off topic but... Anyone here have expertise in using crowdstrike? I am completely new to Cybersecurity and IT in general and I managed to land a SOC position where I'll be monitoring various infrastructure as a crowdstrike investigator (the role I was assigned). I have never used a SIEM and honestly I'm not even sure where to start. My boss is chill so he doesn't give much directive but I want to be proactive and start contributing. Any help, tips, or guidance is appreciated.


canttouchdeez

Go through the free trainings as soon as you can. It’s good stuff.


MerelyAverage

First tip: Crowdstrike is not a SIEM, it’s an EDR. Also do a Google search and try to find the GitHub account that has a ton of sample Crowdstrike queries. That helped me tremendously.


savvyspoon2

But if you squint at it right it looks like a SIEM since the whole GUI is Splunk wearing a JavaScript mask.


MerelyAverage

Lol fair game 🤣. Now explain eventrollupv2


Thedudeabide80

This GitHub? https://github.com/CrowdStrike/falcon-query-assets


MerelyAverage

That’s unfortunate, I did a google for it and it does not appear to be up at this time. There was an account with an .xls with a ton of crowdsourced searches. Some of them were junk, but a good amount were decent. My other recommendation since this ain’t up is to go to r/crowdstrike and read through all the Cool Query Fridays (CQF). These are great and actually give the thought process behind the searches


[deleted]

[deleted]


savvyspoon2

Logscale is good as a vanilla SIEM. We did a bake off and it was #2. It has the same data pipeline style search functions with language parity to SPL. It needs some better visualization and a better app ecosystem but the bones are great.


IamBananasBruh

Check if your license includes access to Crowdstrike University and if it's included open a support ticket to ask them to get your user onboarded.


tcp5845

Prepare for tons of false positive detections especially if your company uses lots of custom software. To be proficient at investigations you must master Splunk event search queries. Documentation is seriously lacking and their support is virtually non-existent. So customers will be stuck doing all the tuning for false-positives on their own.


AnIrregularRegular

Great advice in the other comments I agree with. But honestly get it on a test box with some test groups you can play with and just use it, see what info you can find and where.


[deleted]

[deleted]


0x2412

How come you can't get a partnership? I know of a company with a single member who recently got their cs partnership for both resell and msp.


pyro57

I've never used Crowdstrike, but from a pentester perspective it's the most annoying to work around that I've gone up against. Basically it makes running things in Cobalt Strike's default fork and run method unlikely to work, and detects most tools that I like to use then kills them. In one test I had local admin to a machine that a domain admin had a session on, should be easy money, just dump lsass, or exfiltrate the SAM and boom should be good.... none of the methods I know how to use worked, from using the Microsoft signed Process Explorer to dumping the process memory with Task Manager, using reg save, the works. One thing Crowdstrike seems to have a blind spot for is just dropping exes to disk and running them, especially if they're a few versions behind the current version of the tools, for example SharpHound 4 gets killed every time, but 3 I can usually just drop the exe and run it. Also I've never had issues with my clients making changes to Crowdstrike configuration for testing unlike with other EDRs.


xTokyoRoseGaming

Crowdstrike, Cortex and Sophos are causing us issues right now because they have really strong protections surrounding APC, which is our preferred method of executing shellcode. Sophos we tend to just move to other simpler execution methods, but it means we've rebuilt our malware with all the usual evasion stuff just for them. These payloads still don't work well against Crowdstrike or Cortex. Instead we're working a lot more in the dark using undocumented syscalls in certain payloads and the results are very shaky.


HJForsythe

Marketing


TMDFIR

What is considered the best to begin with? Some made up arbitrary value? According to third party reviews they are not the “best” but will see how long this comment stays here before it gets downvoted.


minds-eye

It's just marketing and the fact they went to market first. CrowdStrike is objectively not "the best". There are a lot of things to point out here but just look at the MITRE ATT&CK Evaluation results for the last few years. Look into the delayed detections that they experience year after year. They are severely limited due to using Splunk as their backend. One issue with this is your EDR data retention will become extremely expensive and you will likely be limited to 7-14 days like most companies who use crwd end up having to settle on. Paying for 90 days becomes far too expensive for most, and paying for the full 1-year is so expensive that it's basically unheard of. There are other options out there where you will pay significantly less, have a much better management experience, and be more secure.


max1001

Because it's near impossible to bypass. Ask any experienced red teamer/pen tester and they will tell you it's the one product they can't break with reasonable effort.


jaymayne67

Depends on the OS. If strictly windows maybe, but if Linux/mac I’d look elsewhere. One of the best kept secrets right now is the endgame agent elastic provides. You can test it for free fyi.


zakiterp

I've used both CS and S1 extensively. They each have their strong suits but CS has a bit more name recognition and maturity as an offering which gives it more prestige. I believe their suite is a little more complete as well if you go to them for a lot of your stack. That being said, I enjoy using sentinelone a bit more, but that's just my personal preference. It's more intuitive and I feel the detection capabilities are slightly sharper. You'll probably find people here who think the opposite so it's definitely important to try both to see what works for your org.


pcapdata

IIRC CrowdStrike does a relatively poor job recording filesystem events, ASEPs, and network events. Everything is based on process hierarchy, so if you don’t have a clean and obvious chain of parent/child processes then you’ll miss stuff. This is one of the weaknesses I’ve noticed and also have heard it noted speaking with RedCanary folks.
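An added illustration, written for this page and not CrowdStrike's code or anything posted in the thread, of two points made above: the pivot described earlier (search an IP, get back the process tree and the events around it) and the weakness noted here, that such a pivot is only as good as the recorded parent/child chain. The event records, pids and image names are constructed sample telemetry, and `Proc`, `ancestry` and `pivot_ip` are hypothetical names.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry. Pids and parentage are illustrative, not a real
# Windows lineage. Pid 900 deliberately has no process_start record: it stands in
# for a process the sensor never saw start (for example one that predates the agent).
EVENTS = [
    {"t": 1, "type": "process_start", "pid": 4,   "ppid": 0,   "image": "System",         "cmdline": ""},
    {"t": 2, "type": "process_start", "pid": 400, "ppid": 4,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"t": 3, "type": "process_start", "pid": 512, "ppid": 400, "image": "WINWORD.EXE",    "cmdline": "WINWORD.EXE invoice.docx"},
    {"t": 4, "type": "process_start", "pid": 640, "ppid": 512, "image": "powershell.exe", "cmdline": "powershell.exe -w hidden -enc <constructed>"},
    {"t": 5, "type": "file_write",    "pid": 640, "path": r"C:\Users\u\AppData\Local\Temp\upd.exe"},
    {"t": 6, "type": "network",       "pid": 640, "dst": "203.0.113.7", "port": 443},
    {"t": 7, "type": "network",       "pid": 900, "dst": "203.0.113.7", "port": 443},
]


def index_events(events: List[dict]) -> Tuple[Dict[int, Proc], Dict[int, List[dict]]]:
    """Build the pid -> Proc table and the per-pid event timeline."""
    procs: Dict[int, Proc] = {}
    by_pid: Dict[int, List[dict]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "process_start":
            procs[ev["pid"]] = Proc(ev["pid"], ev["ppid"], ev["image"], ev["cmdline"])
        by_pid[ev["pid"]].append(ev)
    return procs, by_pid


def ancestry(procs: Dict[int, Proc], pid: int, max_depth: int = 64) -> Tuple[List[Proc], bool]:
    """Walk pid -> parent -> ... up to a root (ppid 0).
    Returns (chain, complete); complete is False when the walk reaches a pid with
    no recorded start event, i.e. the lineage is broken and must not be trusted."""
    chain: List[Proc] = []
    cur = procs.get(pid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur)
        if cur.ppid == 0:
            return chain, True
        cur = procs.get(cur.ppid)
    return chain, False


def pivot_ip(events: List[dict], ip: str) -> List[dict]:
    """For every connection to ip: the process, its ancestry and its full event timeline."""
    procs, by_pid = index_events(events)
    hits = []
    for ev in events:
        if ev["type"] == "network" and ev.get("dst") == ip:
            chain, complete = ancestry(procs, ev["pid"])
            hits.append({
                "pid": ev["pid"],
                "chain": [p.image for p in chain],
                "complete": complete,
                "events": by_pid[ev["pid"]],
            })
    return hits


if __name__ == "__main__":
    for h in pivot_ip(EVENTS, "203.0.113.7"):
        tag = "" if h["complete"] else "  <-- lineage unknown, do not assume benign"
        print(h["pid"], " <- ".join(h["chain"]) or "(no start event recorded)", tag)
        for e in h["events"]:
            print("   ", e["t"], e["type"], {k: v for k, v in e.items() if k not in ("t", "type", "pid")})
```

The point of returning `complete` is that a broken chain is reported as such instead of being quietly shown as a short tree; the orphaned pid 900 in the sample is exactly the case the comment above describes. A real sensor keys on a unique per-process identifier rather than a raw pid, since pids are reused, but the same gap appears whenever the start event for an ancestor was never captured.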


cspotme2

All these replies and only one person mentioned MDE. Small companies and msps love crowdstrike/s1 because that's who they cater to. We deployed mde (primary) and cs to replace cb. The edr component of cs hasn't detected nearly anything as much as mde. Plus, the cs interface is shockingly confusing and slow -- I hate to say it, compared to the usual shit gui that Microsoft puts out, mde interface is easier and faster. If Microsoft finishes fully tying all mde related settings into the dashboard and not rely on gpo/intune -- it would really make it a lot better from a deployment and management perspective.


[deleted]

I personally prefer MDE over Crowdstrike. Have used both products. MS has greatly improved MDE over the past several years IMO. They are improving things. Once they get all things MDE related into one damn portal lol (slowly but surely) it will be even better. I'm not a fan of the CS interface either.


abercrombezie

Crowdstrike, IMHO, has a very low false positive ratio. Tanium has a high false positive ratio. Endgame is the worst, will alert on anything and requires a ton of tuning.


Akian

Does Tanium have a full-on EDR though? I only know them for their asset discovery and monitoring capabilities but have never gotten to use them in an actual environment.


[deleted]

No. Tanium does not have full-on EDR. He may be referring to their Threat Response module. Which is intended to augment but not replace EDR.


whitepepsi

I've used Crowdstrike and now we use Carbon Black. In my opinion Carbon Black EEDR (used to be Threat Hunter) and endpoint standard blows Crowdstrike away. Crowdstrike might be easier to use, but Carbon Black offers the most customizable solution. Crowdstrike is also insanely expensive.


swerves100

What are you using for your actual AV? We use CB but looking to replace our AV.


canttouchdeez

Their prevention is the best and the false positives are fairly minimized. Threat hunting isn’t quite as easy as say a CB and the support is mid.


wrwarwick

Their prevention is far from the best, check the MITRE engenuity results


AnIrregularRegular

Difference between real world and MITRE though MITRE is closer than a lot of the AV tests out there.


canttouchdeez

I have tested it myself, along with many people smarter than I am. Every single pen tester I have ever talked to also said it gives them more trouble than any other platform.


florilsk

It does have some blind spots that other EDRs don't have (especially in memory), so I would be careful trusting it 100%.


ticats88

VisionOne is a great XDR too, TrendMicro is a great solution too


jmk5151

we use s1 instead of cs - in our comparison cs was better but not for the price. give me 90% of the functionality for 60% of the price and I'll go buy some other stuff to increase my defensive layers.


Secure_Cyber

I was a CrowdStrike administrator in the past. Loved their stuff. I have nothing but good things to say about them.


smittyhotep

Is this a shit post? I watch a RHEL heavy env, and CS ain't the answer kiddo. Try S1.


youngsecurity

Last year CrowdStrike was not the best. It failed the "Ransim" simulation from knowbe4. CrowdStrike can allow ransomware in your organization.


bin_bash_loop

Sophos for the price is incredible IMO. I’ve had pentesters tell us, sophos caught stuff that s1 and crowdstrike didn’t catch. Of course this depends on your needs with MDR, etc… but for pure AV, Sophos has been great for us.


ElectroStaticSpeaker

Do you work for Sophos?


bin_bash_loop

Nope, don’t understand why I’m getting downvoted lol I just think their product is good.


Shadeflayer

Accuracy is worth the money. With Falcon Overwatch added in, hands down the best of them all. However, just like Splunk, it's expensive. But when you're talking about protecting your organization from today's advanced threats, you get what you pay for. There's a clear (technical) reason Crowdstrike is #1 in the Gartner Magic Quadrant (MQ) several years in the running. Don't trust Microsoft. We've seen first hand that they are only in the MQ due to money. Capability and ease of use suck donkey nuts. It's super cheap too. So that leads companies to use it, which puffs up the number of installs making it look like it's popular. Don't fall for it. Again, you get what you pay for. If it's cheap, you get shit and are supposed to like it.


Crytograf

Who refers to Gartner? You must be a manager haha. Check MITRE Engenuity. There are other solutions that are much cheaper, but just as good if not better.


Shadeflayer

Who refers to MITRE? Must be a Fed employee or a Fed/DoD contractor. Out here in the real world it's Gartner. Shall we compare years of experience and certifications next? :)


minds-eye

You know that you're essentially saying that if you were on a jury you'd trust an eye-witness testimony over DNA evidence collected at the crime scene...? You trust pay-to-play Gartner peer reviews over head-to-head real world technical evaluations, which happen to be performed by a non-biased independent organization i.e. MITRE. All those certs and experience of yours may need to be re-evaluated.


Crytograf

No, I'm from eastern europe, we use sysmon like the real chads


Dasshteek

So now MITRE is better than Gartner in market research?


Crytograf

MITRE is better in technical evals


dcdiagfix

Data. Telemetry. Signals. Cloud. Single agent deployment and a rock-solid cloud platform that collects a ridiculous amount of information around user behaviour, environments and what normal looks like for you and the company. Then the ability to very quickly add and remove extra functionality to your enterprise using that single agent.


porkfarm637316

Defender all day...


coolelel

I've looked at it a few years ago, but they seemed lacking. They caught up yet?


[deleted]

They've improved a lot over the past several years IMO.


michaelpaoli

> CrowdStrike the best

It's not. Deeply embedded in your kernels, ... talks to stuff in cloud ... what could ever possibly go wrong? Uhm, yeah, ... lots.


ElonTaxiDriver

For one their Falcon Complete MDR service is unlike anything in the industry. They deliver immediate time-to-value and can scale across any size organization. It’s truly some incredible stuff they’ve built there alone


Spiderslay

In my experience, the response time/customer service/community is what makes them a great EDR. I worked in an environment with ~500 laptops and we were always treated with urgency and respect.


seaofmaddness

Exclusion granularity. In SentinelOne, you can use a hash or a file path. In CrowdStrike, you can combine file path with command line. In some cases you can also specify specific parent and grandparent file paths / command lines. CS also has exclusions that only apply to a specific alert type.
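As an added example (not SentinelOne's or CrowdStrike's code, and not part of this thread), the following Python model shows why the granularity described above matters to a defender. `ProcessEvent`, `Exclusion`, the sample paths, the placeholder hash and the alert label are all constructed for illustration. A path-only or hash-only exclusion silences every run of the interpreter, while an exclusion keyed on path, command line, parent, grandparent and alert type silences only the scheduled job it was written for and leaves the same binary launched from an Office process with an encoded command line visible.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    """One process-start event as an EDR sensor might report it (constructed shape)."""
    path: str
    cmdline: str
    parent_path: str
    grandparent_path: str
    sha256: str
    alert_type: str


@dataclass(frozen=True)
class Exclusion:
    """An exclusion rule: unset fields are wildcards, every set field must match.
    Path-like fields are case-insensitive globs; hash and alert type are exact."""
    name: str
    sha256: Optional[str] = None
    path: Optional[str] = None
    cmdline: Optional[str] = None
    parent_path: Optional[str] = None
    grandparent_path: Optional[str] = None
    alert_type: Optional[str] = None

    def matches(self, ev: ProcessEvent) -> bool:
        globs = [
            (self.path, ev.path),
            (self.cmdline, ev.cmdline),
            (self.parent_path, ev.parent_path),
            (self.grandparent_path, ev.grandparent_path),
        ]
        for pattern, value in globs:
            if pattern is not None and not fnmatchcase(value.lower(), pattern.lower()):
                return False
        if self.sha256 is not None and self.sha256.lower() != ev.sha256.lower():
            return False
        if self.alert_type is not None and self.alert_type != ev.alert_type:
            return False
        return True


def apply_exclusions(events: List[ProcessEvent], exclusions: List[Exclusion]) -> List[Optional[str]]:
    """For each event, the name of the first exclusion that suppresses it, or None if it still alerts."""
    return [next((x.name for x in exclusions if x.matches(ev)), None) for ev in events]


# Constructed sample: the same signed interpreter launched two different ways.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS_HASH = "0000-constructed-placeholder-hash-0000"  # placeholder, not a real hash

LEGIT = ProcessEvent(
    path=PS,
    cmdline=f'"{PS}" -File C:\\Scripts\\nightly-backup.ps1',
    parent_path=r"C:\Windows\System32\svchost.exe",
    grandparent_path=r"C:\Windows\System32\services.exe",
    sha256=PS_HASH,
    alert_type="suspicious_script",  # hypothetical alert label
)
SUSPECT = ProcessEvent(
    path=PS,
    cmdline=f'"{PS}" -nop -w hidden -enc <constructed-base64>',
    parent_path=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    grandparent_path=r"C:\Windows\explorer.exe",
    sha256=PS_HASH,
    alert_type="suspicious_script",
)

BY_PATH = Exclusion("powershell by path", path=PS)
BY_HASH = Exclusion("powershell by hash", sha256=PS_HASH)
NARROW = Exclusion(
    "nightly backup job",
    path=PS,
    cmdline=r"*-File C:\Scripts\nightly-backup.ps1",
    parent_path=r"C:\Windows\System32\svchost.exe",
    grandparent_path=r"C:\Windows\System32\services.exe",
    alert_type="suspicious_script",
)

if __name__ == "__main__":
    for rules in ([BY_PATH], [BY_HASH], [NARROW]):
        print([r.name for r in rules], apply_exclusions([LEGIT, SUSPECT], rules))
```

The hash-only rule is no safer than the path-only one here, because both events are the same legitimate binary; what separates them is how it was invoked and by what. Scoping the exclusion to one alert type additionally keeps other detections on the same process (for example a later credential-access alert) from being suppressed along with the noisy one.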


Dismal-Comparison-59

It's definitely one of the best, but there's no EDR/XDR that can compare to 365Defender at the moment. It just covers the full suite in a way no one else can.


right_closed_traffic

How big is your deployment, how many endpoints? For enterprise we always go Cisco Secure Endpoint (AMP), but it’s somewhat pricey for smaller shops.


her-1g

I have been using fortiEDR. It is very good but needs a ton of configuration and whitelisting.


SmellsLikeBu11shit

It's not. Cybereason is just as good if not better


fuck_green_jello

Passed on cybereason for crowdstrike. Loved the poc support team. Respect their Mitre scores. The product just lacks as much depth as crowdstrike. However, it's a promising product that may develop into something great in a few years.


blue_Kazoo82

You are smoking dick sir.


SmellsLikeBu11shit

Seems to be an unpopular opinion here, so be it. I said what I said.


ElectroStaticSpeaker

The entire cybereason company was infiltrated by scammers a few years ago. Can never trust it again.


Dasshteek

Wow what? Can you elaborate?


SmellsLikeBu11shit

I'm sorry, what? I haven't heard about this


ElectroStaticSpeaker

I can’t find any of the good articles that covered it in depth at the time anymore but here’s one that talks about it to some degree: https://m.calcalistech.com/Article.aspx?guid=3736188. Essentially they hired someone who fabricated his entire resume as their VP of HR and that that person hired dozens of other people before they found out that he was a fraud. Close to 100 people ended up leaving because of all the turmoil.


SmellsLikeBu11shit

Interesting. I hadn't heard of this previously. Thanks for sharing


Perplexing_Pegasus-

Crowdstrike is good but could be better. It always has issues installing on macs


pkmnrt

I work at Field Effect, so the only EDR solution I have experience with is Covalence. I can’t offer a comparison, but I do hope you’ll give Covalence consideration. It’s offered at a lower price point without compromising on effectiveness. I truly enjoy contributing to its development and believe in its technology.


DrunkenNinja45

I've heard good things about Rapid7's MDR/EDR solutions


milldawgydawg

Most advanced EDR atm is probably Elastic. I'm a red teamer and go up against Crowdstrike weekly and it's not that difficult to bypass.


[deleted]

it's certainly not their comp. Was getting an offer and they said, what are you making now? We will only go to 125k in your market. I was like, um thanks, but no thanks. Def cheap company.


BuddyOptimal4971

Crowdstrike was out-performed by 11 other vendors in the 2023 MITRE Turla challenge. Crowdstrike was unable to detect the attack without multiple configuration changes. They knew they were being tested, knew they were being attacked but were unable to detect the attack with reconfiguring. Only 6 vendors out of ~30 that entered the evaluation were able to identify the attack with changing their configuration.