CrowdStrike Falcon Review

The cloud-based management console is easy to maintain and takes a load off our hands


What is our primary use case?

We are using it primarily for NGAV, but we also use their EDR product and Falcon OverWatch.

Most of our internal stuff is still on-prem. We do use SaaS for vendor products, but our internal environment is still mostly on-prem.

How has it helped my organization?

I think everyone is trying to move away from on-prem solutions. Having the cloud-based management console makes it a lot easier to maintain. It takes a load off our hands as engineers and analysts. It helps with upgrades and patching, I don't have to worry about on-prem servers for maintenance, but also as another thing to defend against, so getting rid of that is definitely beneficial.

As a cloud-native solution, it provides us with flexibility and always-on protection. I don't have to worry about data center failures on my end. I don't have to worry about any issues in our server rooms affecting the protection of the environment as a whole. Having CrowdStrike take that responsibility is a load off our backs.

Falcon has been very successful in preventing breaches. In the beginning, there were a lot of false positives as Falcon learned our environment, but I would definitely give it a positive rating overall for protecting our environment.

What is most valuable?

The NGAV portion is the most valuable feature. The primary reason that we went with the product was their reputation. In practice, it has been a definite step up from where we were previously.

We are using Falcon Investigate, which is their EDR tool. The EDR has made it infinitely easier to investigate into more detail on end user workstations and servers. Any sort of detection where I can go back into the EDR tool and dig down deeper into the endpoint is great. This was a function that we did not have previously.

What needs improvement?

There are some aspects of the UI that could use some improvement, e.g., working in groups. I build a group, then I have to manually assign prevention policies, update policies, etc., but there is no function to copy that group. So, if I wanted to make a subgroup for troubleshooting or divide workstations into groups of laptops and desktops, then I have to manually build a brand new group. I can't just copy a build from one to another. Additionally, in order to do any work within a group, I have to first do the work on the respective prevention policy page or individual policy page, then remove the group if the group is assigned to a different prevention policy, remove the prevention policy, and then add the new one in. So, it can get a little hectic. It would be easier if I could add and remove things from the group page rather than having to go into the policy pages to do it.

For how long have I used the solution?

I have been using it less than a year. We are relatively new customers.

What do I think about the stability of the solution?

My impressions of the stability are positive. I haven't had any problems since implementation with stability or availability.

Minimal maintenance is required on our side post-deployment, but it still does require maintenance. If I have to build out new groups or a troubleshooting group, e.g., tweaking policies if machines change subnets, then there is still maintenance required.

All post-implementation maintenance and administration is handled by a single security engineer.

What do I think about the scalability of the solution?

We are a relatively small firm, but I have had no problems in my deployment plans. I could easily see this scaling upwards.

In total, we are protecting roughly 1500 endpoints.

How are customer service and technical support?

They have been very on point and helpful. I have never had to ask them where they are. They are always following up with me trying to keep the tickets live, so that is great. I have been very impressed.

Which solution did I use previously and why did I switch?

We replaced Symantec Endpoint Protection. On the one hand, we wanted a fully NGAV. Symantec was still using a hybrid model, a mix of signature-based and behavioral-based detections, so moving over into a full NGAV product was important to us. We wanted to stay up to date on the ever changing nature of malware, especially since we have been seeing more malware nowadays that can evade strictly detection-based systems. Also, Symantec support was very hard to track down or talk to. All in all, CrowdStrike has been more responsive to any questions or concerns, which is big when you are dealing with vendor solutions.

Fortunately, we have not experienced any major detections. However, testing-wise, CrowdStrike has been more effective overall.

How was the initial setup?

Deployment was pretty easy. We scripted out a process in GPO, then we were able to deploy it fairly seamlessly.

We managed to deploy it to all our servers within a week or two. That was mostly due to getting clearance from server owners, not due to the CrowdStrike installation. Then, for the workstations, it was a bit longer just because of office locations and when people had their computers on. The CrowdStrike process was very smooth. It was really just the bureaucracy part that took a while.

We had to change management protocols. We put it out to dev servers and workstations in detect-only mode as we deployed CrowdStrike to endpoints that had a preexisting AV system still on them, in order to avoid any time where a system would not be protected by an antivirus system. So, we deployed CrowdStrike, then disabled the previous antivirus system and activated CrowdStrike's prevention policies, then uninstalled the previous antivirus system.

What about the implementation team?

Four or five people were involved in the deployment: a security engineer, two workstation engineers, and various server owners.

What was our ROI?

It is protecting our environment, so it is worth the cost.

It has definitely minimized resources. When everything was on-prem, there was a lot more work maintaining it. One of the big value tickets: I don't have lists of hundreds of exceptions for certain applications that I have to maintain, add, delete, and move. The very nature of the product has lessened my workload considerably.

What's my experience with pricing, setup cost, and licensing?

The pricing was very fair for what we got.

Different components are additional price points. We got the components that were right for us, but other organizations may require more (or less) components to suit their needs.

Which other solutions did I evaluate?

CrowdStrike is an industry leader. When we were looking for a replacement technology for NGAV, their name was on the top of a Google search.

We did a PoC with CrowdStrike. We deployed the PoC only to a select group of test machines, so we were able to deploy rather quickly. The PoC helped immensely in the decision-making process.

We did evaluate Cylance and Carbon Black. All the products that we investigated looked good. In the end, we went with CrowdStrike because of: 

  1. The reputation of the organization in the AV community.
  2. Its out-of-the-box readiness. 
  3. Ease of maintenance and administration.

What other advice do I have?

Take the time you need in the beginning to fully build out all the groups and prevention policies that you will need. It may take a bit longer during the initial setup, but it is worth it in the long run because it makes maintenance down the line much easier than having to build new groups or prevention policies as they come up. Definitely take the time needed in the beginning. Then, later down the road all you have to do is check some boxes, as opposed to building out brand new groups and prevention policies, which can take awhile.

In the beginning, there will be a bunch of false positives as it learns your environment. However, those are very easily handled within the UI, creating IOA or machine learning exceptions. With our previous solution, we had a couple hundred exceptions, and with CrowdStrike, we have six or so.

CrowdStrike has fulfilled its function very well. We got it specifically to serve the purpose that it is serving.

It is a solid nine out of 10.

**Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
More CrowdStrike Falcon reviews from users
...who work at a Energy/Utilities Company
...who compared it with Carbon Black CB Defense
Get Fast and Easy Protection Against All Threats

Protect your organization from all threats - not just malware - even when computers and servers aren’t connected to the internet. Start your free trial and deploy CrowdStrike Falcon within minutes to start receiving full threat protection.

Learn what your peers think about CrowdStrike Falcon. Get advice and tips from experienced pros sharing their opinions. Updated: April 2021.
475,705 professionals have used our research since 2012.
Add a Comment
Guest