What is our primary use case?
It is currently our antivirus and EDR platform that we use to export incidents to our SIEM and automation platform, SOAR. We use Demisto for our SOAR.
The solution is fully deployed in our organization. We are primarily Windows. There are four major hospital sites with a couple thousand endpoints each. We probably have 600 remote workers due to COVID-19. I would probably say there are 7,000 VDIs inside of Citrix. Then, the rest are probably small clinical sites with no more than 50 to 80 people at each one. They make up the bulk of the rest, and probably 99 percent of that is Windows or server-based. We only have maybe 30 Macintoshes in the whole system and about as many Linuxen.
We are using Windows agent 618.
How has it helped my organization?
It talks to a lot of our other systems. It allows us to correlate data between our firewalls. This way, we can connect whether network activity is relating to an endpoint detection for faster correlation. It provides more data about the endpoint quicker than if we were to go out to the endpoint and collect that data manually. In general, I see that it speeds up our playbooks pretty dramatically, as far as our workflow.
We have what we call our phishing playbook. It is an all-in-one, where an email comes into the organization, a user reports it to us, it comes into our automation platform, and then it kicks off a whole bunch of other stuff. For the phishing playbook (which does have a malware component to it) to go out to all the individual tools, that could have taken two and a half hours for it to run the entire phishing book manually, going to all those individual pieces. Now, we can have one done in 15 minutes. The phishing playbook is a catch-all that has multiple systems in there too. As far as collecting data from many different parts, it speeds that up. In general, we have noticed time savings.
I would give them probably about as high as I would be willing to give any organization. I would give them an eight out of 10, as far as their effectiveness, for preventing breaches. In general, we feel more secure knowing that we are not relying on multiple different technologies to provide a different kind of protection. We were using a couple other different pieces of software to do a portion of what CrowdStrike is doing for us. We are getting a more comprehensive protection, which is good.
We like the ability that if there is an issue at a third-party clinic that is affiliated with us in some way, then we can go in there quickly and install our agent, protecting them if something were to happen. For example, we had at doctor's offices where there were phishing incidents, then we went in there and installed the CrowdStrike agent.
What is most valuable?
I like the herd immunity, their Falcon X version. If another organization somewhere else gets hit by a piece of malware that has not been seen before, we will get that protection in however long it takes them to analyze it and push that detection to everybody else. I find that extremely helpful.
The second most useful feature to me is the intelligence modules.
I like the dashboard nature of it. Everything is clickable, linkable, and information is easy to obtain and find. How it presents that information is probably the biggest win as far as the information correlation aspect. The presentation of it is very good.
What needs improvement?
When we first went to CrowdStrike and purchased it, a lot of my team members all had the same issue: There was too much information. Initially, when the user logged in, they were getting dumped on, like a five-gallon bucket of ice. Trying to sort through it all, you can get lost easily. Until you have really had time in the solution to really digest how to use things, it is information overload. We didn't get that from Palo Alto XDR.
I would like them to improve the correlation of data in the search algorithms. When we run an investigation, malware, phishing, etc., I want to look at multiple endpoints at once to correlate that data to see the likenesses, e.g., how are they not alike or what systems and processes are running across those systems? I don't want to have to run the same search in their Spotlight module five, 10, 15, or 100 times to get 100 different results, copy that data out, and then correlate it on my own. In a very simple way, I want to be able to load up a comma-delimited list giving me the spotlight data on these X amount of hosts, letting me search for it quickly. We have had to go back to CrowdStrike, and say, "Our search are taking far too long for even one host." They did bump up the cores and that did improve performance, but it is still kind of slow to get that Spotlight data. That is probably our biggest pain point. I think that needs some help. I understand this kind of information access is probably not the easiest thing to do. It is probably a big ask depending on how their back-end is setup.
For how long have I used the solution?
We have been using it since about June of last year. That is around when we officially purchased it, but we had been running it as a PoC since about March or April of last year.
What do I think about the stability of the solution?
The stability has been fantastic. I have had no stability issues at all. It has never caused a problem of any sort that we have had across in the organization for a PC "acting funny" kind of ticket coming in. Those have never been CrowdStrike agents.
Because this is a cloud-native solution, it provides us with flexibility and always-on protection. That is just the nature of what SaaS applications are. In a very general sense, I wasn't looking at CrowdStrike because it is a SaaS application. That has been a minor point to me. Just one of those, "Oh yeah, your SaaS." It is almost expected nowadays with a lot of your more modern XDR platforms that it has to be always-on, 99.999 percent uptime.
As far as general maintenance, it makes it a bit easier as far as overhead. If there were servers onsite, we would have to take care of those as well as the care and feeding of them. Making it SaaS does make it easier, which provides us some extra man-hours as far as taking care of the hardware behind running it. There is that added benefit, which is nice. The configuration of the agents probably makes it a bit more automated, so that is nice as well. These are just secondary points to me. If we had to do the maintenance, I would be perfectly happy with doing it.
All our security team monitors it. There are five of us in the console daily actively using it. I am probably the only true administrator who will change policies or anything like that in there.
A couple people have access outside of the security team, but I have not seen them login. We have a couple of our server admins have access where they have view rights, but they don't go in because they don't have issues. One or two people on our Citrix team have access, but they don't go in either. Also, one or two of our end users might have access.
What do I think about the scalability of the solution?
The scalability has been fast and easy. We did so many endpoints very quickly without any issues.
It is fully deployed across our organization. We can't really expand anymore unless we are adding/buying clinics.
How are customer service and technical support?
Now that we are a full-on customer, CrowdStrike technical support has always been spot on. It is one of the best that we have. It is way better than Microsoft and many other pieces of software out there. In my personal experience with the technical support, it is one of the best that we have had. That could be because we have an awesome TAM and great customer service manager. If I reach out to them, then they are on top of things.
Which solution did I use previously and why did I switch?
One factor behind why we chose CrowdStrike is that we were getting rid of multiple agents to go to one CrowdStrike agent. When we had Carbon Black Protection previously, they were ripping us off. It was a lot. We are paying substantially less with CrowdStrike. Carbon Black Protection is only for application whitelisting, and that is all it does. It is not AV. It is not anything else. That was just one piece of software that we were using. So, getting rid of Carbon Black Protection more than paid for CrowdStrike, and then some.
We were also previously using Microsoft SCEP.
How was the initial setup?
There was a slight decrease in lag time when we removed Carbon Black and put CrowdStrike on, but CrowdStrike moved it back up slightly. However, it was still less than the Carbon Black agent. We did see a slight performance increase with the OnBase application, which is linked to Epic.
CrowdStrike requires tuning out-of-the-box. When we first installed, we set the protections and configurations as recommended from CrowdStrike. We were getting absolutely inundated by detections and incidents. It required probably about a month or two of tuning to really dial into the number of what we would call, "expected incidents". Even now, I would say about 90 percent of what we see are probably false positives, but they are false positives that make us scratch our head, and say, "Is this really something or not?" These are not, "Oh hey, this is Windows Media Player that is getting flagged." These are legitimate false positives worth the investigation, but it takes some dialing in.
It was exceedingly easy to deploy the solution’s sensor to our endpoints. We had zero issues. We used Microsoft SCCM. We programmed the string and all the commands, then we were off to the races. We programmed one SCCM job by GPO to do all of it. We had 14 total failures, which we found out later was not a CrowdStrike issue. It was an endpoint issue for those failures. Across 20,000-plus endpoints, 14 failures is really good. We deployed it in five days. That includes production servers, test servers, medical endpoints, etc.
The PoC deployment was only 25 endpoints. It was just downloading the agent, then manually installing it. That was a 48-megabyte install. It took two minutes, click two check boxes, enter a string, and you're off to the races. The test install was super easy too.
Our implementation strategy was probably the same as many other organizations. We did the workstations and laptops first, then we did test servers followed by the production servers.
We had to tailor how many agents we were pushing out at a time via SCCM. The way we had built our job, it was doing a CrowdStrike install, but it was also uninstalling a couple of other pieces. It was having issues on that uninstalled portion. So, the SCCM job would fail. Then, we would get a kind of success where CrowdStrike was installed, but it had failed to uninstall the other portion. Therefore, it was a strange kind of limbo where CrowdStrike and Carbon Black did not play well together at all, like it would absolutely just fail. For example, we had a couple instances where they were both on a machine at once, so we had to tailor how many machines we were doing in a time break, e.g., every 30 minutes, we were doing 500 machines. Every 30 minutes is essentially what we did for a couple of days at a time during business hours so we could monitor it.
It was just the SCCM guy and monitoring it like a hawk. That is all we did for those five days. We just watched it. He was the one doing all the work. He programmed the job and everything. I just gave him the code and watched the CrowdStrike console. If necessary, I went into Carbon Black and manually uninstalled it from there too.
What about the implementation team?
The only help I had from CrowdStrike was to confirm this would work in Citrix. For example:
- Do we have the correct install language for Citrix? Because the VDI requires a couple of different switches turned on.
- Is SCCM going to work?
- Does this look right to you?
We just basically had them bless it off, "Yeah, it says right here in the manual that this is good." We kind of followed the manual, then we had no issues. However, we just wanted to make sure about that Citrix VDI. So, we did have them actually look at that and make sure that the switches were good.
What was our ROI?
Agent overhead on the systems has been lowered slightly. We haven't had any tickets coming in, saying, "Oh no, CrowdStrike is messing up my PC. Come fix it." We had this with Carbon Black Protection. It has cut down on the number of support requests for other teams.
I can't even talk about performance overhead, which is good. Our Citrix team hasn't noticed any extra increases in their Citrix workloads, as far as Citrix Server usage overhead, because we also deploy the CrowdStrike agent virtually. It has not slowed down any of the clinical applications, which was a huge win. If it had slowed down any of our clinical applications, especially the more time-sensitive ones, then it would have been a no-go. It would have been a red flag, "You're out the door," and it did not slow any of them down.
We saw ROI by removing Carbon Black Protection, which costs way more than CrowdStrike costs us. Right there, we already earned back and saved money by removing that solution. Turning off Carbon Black Protection and Microsoft SCEP AV were a huge amount of system overhead saved. Easily coordinating between multiple different pieces of software and gathering that information quickly was another time save.
I am saving at least an hour or two a day by not having to go into Carbon Black Protection to figure out some sort of strange whitelisting issue.
What's my experience with pricing, setup cost, and licensing?
One part that I don't like about CrowdStrike is that you have to pay for the extra feature of Falcon X. I don't like the a la carte nature of it. I do find that feature to be one of the most useful.
The pricing and licensing are reasonable. I don't think we are getting charged more than what it is worth. It is fair, but I do not like how it is a la carte. I realize they do that so other organizations can buy and get the agent, getting it cheaper than you could otherwise.
However, if you want the main core package, which has all the main features with the exception of maybe the multi-cloud protections, that can get pricier for an organization. So, you have to pick and choose what you want. I do not care for a la carte pricing.
We had contacted one of our software vendors, who put us in contact with CrowdStrike directly. We did a PoC for about 60 days. This was right at the COVID-19 kickoff. They weren't as strict on the 14 days, then you are done. They said, "Use it for as long as you like."
Getting the free trial was super easy. As soon as they spun it up in the cloud, they said, "Here is your login information. Soon as you get your agent, here is the connection string that you will need with this agent when you have run your install." Done.
When I got the go ahead from my director that we had officially purchased it, I was able to fully deploy to our 22,000-plus endpoints in five days. We had a full deployment in five days.
The free trial was critical. I don't think we would have gone with it if we had not been able to at least kick the tires on it some. We had to make sure that it wasn't going to interfere with our medical applications that are time sensitive.
Which other solutions did I evaluate?
The other major vendor that we were looking at besides CrowdStrike was Palo Alto XDR. CrowdStrike is a more mature product than Palo XDR, but with that goes some bureaucratic sluggishness. I personally had some issues with CrowdStrike, as far as getting support in a timely manner when I was still a trial customer. Now, as a full-on customer, I don't have any of those issues as far as slow support. They are always very on top of things. But as a test drive, it took far too long getting any support to get a user reset and logged into the platform. It took days. I was very upset about that. However, with that maturity, you have your full built-in intelligence module, which is one of their big selling points. It was fantastic having all that data.
Palo Alto XDR probably had more out-of-the-box API integrations that we use, because we use the Palo Alto XSOAR. It would have linked immediately and perfectly right out-of-the-box. Basically, with a click of a button, it would have been on. A majority of our security work comes from XSOAR. That would have been a huge win. Because of legal issues, CrowdStrike and XSOAR have an API link, but it is not terribly useful or intuitive to use without a lot of customization. Unfortunately, with a small team, nobody really has time to dig into the API and do all sorts of customization, trying to program it to get it to be just right. We have too much more operational work to do.
Other than that, the protections between the two are equal. I didn't see any decrease in that. I would just say CrowdStrike was more feature-based, and that Palo Alto's feature-base wasn't fully quite there yet. Things were a little bit more intuitive to me on the Palo Alto product than the CrowdStrike product. However, the maturity of the CrowdStrike product eventually won out.
I personally liked the Palo Alto product a little bit better than CrowdStrike because I could see where it was going. It was a difference of GUIs, essentially. With the recent updates from CrowdStrike, it has made this a little bit better.
Our CIO had a previous good experience with CrowdStrike. That was the reason why we went with CrowdStrike over XDR. Essentially, what it boiled down to, someone with a higher pay grade above me had a previous good experience.
We just signed a contract with an organization for another piece of software to do our multi-cloud protection.
We get a lot of our ideas for software that we want to take for a test drive through Magic Quadrant reports.
What other advice do I have?
It being SaaS was of no importance to me. If I wanted the solution, then had to build an on-site server for it or not, that makes no difference to me. I know for some people who have overhead, that is where it matters. Personally, it does not at our organization. I was more interested in getting the best of breed.
CrowdStrike Store is pretty interesting and always intrigues me. It typically will take you to another vendor's website for another piece of software that you would have to buy and install. So, it is one of those things like, "Oh, that is nice to know that you integrate with these other people. But, we don't have money right now to be looking at these other people's software that easily integrates but still requires their own agent to be installed on the PC." It is kind of an advertisement shop saying we work well with these other pieces of software.
Try it. Try all the features. Because if you go with a trial and don't try all the features, then you are not going to know if it's going to work for you or not. Try everything that you possibly can. I know some organizations who will "try it" and install it, but they won't do anything with it. In this case, we actually did. We actually tried to use all the features and create issues. We tried to kick the system over, and it didn't.
Biggest lesson learnt: Rely more on our technology, trust our processes, and trust the software more. I think that is just an organization maturing from an old-school antivirus and application whitelisting/blacklisting mentality to a next-generation antivirus mentality, where you are trusting your software to operate. You are trusting your processes and playbooks to run automatically. As we matured and went with CrowdStrike, we are now relying more on our automated processes to run.
I would give it an eight out of 10. There are areas of improvement, especially with the search because it's a time burden and causes issues for our team. Other than that, everything else that we are getting has been fantastic. It is great overall.
I have been surprised by the new features coming out. When they add a new feature to an agent release, it doesn't seem pell-mell. They have a thoughtful consideration to what they are adding. The upgrade schedule is not overly burdensome nor is their path for pushing out those new features burdensome. We can keep up with them. So, they are not pushing out 20 features on one agent and none for the next 10 iterations, and then another 20. It's one or two every couple of iterations. It is trickling, which makes it easier to test things and run them through our CAB. That has been helpful.
Which version of this solution are you currently using?