CrowdStrike Falcon Review

Investigations take less time because we have more data and better insight into events taking place on endpoints

What is our primary use case?

The use case is around protecting endpoints and gaining visibility into the activities taking place on endpoints. We also use the EDR data that is being collected by the Falcon Sensor for investigations and incident response.

How has it helped my organization?

When we are investigating events being alerted by our network firewalls or network IPS regarding a system in our environment, we are able to go to the Falcon console, identify the host being reported in those alerts, and take a deeper look into the events taking place, whether it is network traffic, running processes, or DNS activities. Then, we have a better idea of the potential root cause of that behavior.

At this point, it is almost a requirement to have a cloud-native solution so we don't rely on any kind of on-premises infrastructure. It also helps us to ease the administration side of things. So, it is great and pretty critical that it is cloud-based.

Because this is a cloud-native solution, it provides us with flexibility and always-on protection. This is important because it is part of our decision-making process. When we are selecting empty tools for our environment, having it be a cloud-native solution helps us to better manage our environment. We don't have as much administration since the vendor is taking care of a lot of the behind-the-scenes administration.

We don't need to worry about updates because this is a cloud-native solution. This is pretty important to us. It makes it easier for us to focus on investigating security events, threat hunting, and incident response, instead of trying to administrate the tool. We know that the vendor is already taking care of the administration.

The main business objective for us was to improve the security posture of our organization. Deployment of CrowdStrike was one of many steps that we took to achieve that goal.

What is most valuable?

The real-time protection offered with the Sensor is something that we rely on to make sure that the endpoints are protected. 

The EDR data is very beneficial in the event of an investigation. It gives us better visibility and insight into what is happening on the endpoint. 

We really like the ability to remotely upgrade/downgrade the Sensor, making it very easy from an administration standpoint.

What needs improvement?

There is a capability in the product regarding exploit mitigation. The challenge with that feature of the product is that there is not enough data provided to the analyst for their assessments and analyses of the event. I have asked their support team about this, and their response was, "Most events are taking place in memory. There is not much information being collected so there is not a whole lot that can be provided for analysis." This is one area where it has room for improvement: exploit detection capabilities. It could have better information being collected.

For how long have I used the solution?

I have been using it for more than two years.

What do I think about the stability of the solution?

Overall, the Sensor is very stable throughout our environments. There have been no big concerns or downtime.

A single person is able to do the administration.

What do I think about the scalability of the solution?

It can scale well, depending on the enterprise environment. There are no concerns about scalability.

The solution is deployed throughout the entire organization.

How are customer service and technical support?

Once we get somebody to help us from their technical support, they are great. However, the support model is not very desirable from a customer point of view. Customers are forced to raise a ticket with the CrowdStrike support portal, where they can only raise a ticket as a P3 or P4. If I have a more urgent issue, I am unable to go to the support model. For high severity, they do have a phone number, but we don't get someone to speak to right away in our experience. It is usually a call back within hours. Their support model can improve.

Which solution did I use previously and why did I switch?

We previously used a product called WebRoot. We were looking for a more robust endpoint protection product with an EDR capability.

With CrowdStrike, we have a better sense of security because of the product's capabilities. We have more insights and visibility into endpoints, which we didn't have before.

CrowdStrike is significantly better and more capable at detecting more complicated and sophisticated security attacks than WebRoot.

CrowdStrike is easier to use and administrate compared to WebRoot.

How was the initial setup?

The deployment is extremely easy. It is probably one of the easiest solutions that I have ever deployed. We took a phased approach in our deployment. Typically, deployment was within a few hours, start to finish. We started with a pilot group, then started adding additional systems to our pilot group, waiting for feedback and getting confirmation. There were no issues. From there, we started rolling it out to additional user bases.

What about the implementation team?

A single person was able to do the deployment.

What was our ROI?

We have seen ROI. We have less administration, so we are saving time in terms of manpower. Same thing when it comes to investigations. Investigations are taking less time because we have more data and better insight into events taking place on endpoints, so we are spending less time on our investigation process.

What's my experience with pricing, setup cost, and licensing?

During the initial testing, we were using the trial period. The process of getting it was pretty easy. We might have just gone to the website and requested it. It was pretty easy to just start the trial. With the free trial, we were able to push the agent and start evaluating the product within hours.

The free trial was critical in our decision to go with the solution. We wouldn't have made a decision without actually testing the product in our environment.

In our experience, both the licensing and pricing were pretty competitive compared to other vendors.

We have to pay for support. The support model has two tiers:

  1. Most customers get the general support.
  2. They also have a premium support tier of some sort, where you can get a dedicated person assigned to your account as support, but it is extremely overpriced so we couldn't afford it.

Which other solutions did I evaluate?

We evaluated another product called Carbon Black. The main differentiator for us was CrowdStrike's ease of use. The decision-making process boiled down to the product appearing easier to use from an analyst/administration perspective.

What other advice do I have?

Overall, we feel pretty confident in the capability of the solution. We have more confidence that our endpoints are protected adequately with the Falcon Sensor. It gives us a higher level of confidence about our ability to detect and prevent potential incidents.

I haven't had a major incident that Falcon has detected.

I would rate it as an eight out of 10. Overall, we are satisfied with the product, but there is still some room for improvement.

Which version of this solution are you currently using?

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Updated: April 2021.