CrowdStrike Falcon Reviews

It is currently our antivirus and EDR platform that we use to export incidents to our SIEM and automation platform, SOAR. We use Demisto for our SOAR.

The solution is fully deployed in our organization. We are primarily Windows. There are four major hospital sites with a couple thousand endpoints each. We probably have 600 remote workers due to COVID-19. I would probably say there are 7,000 VDIs inside of Citrix. Then, the rest are probably small clinical sites with no more than 50 to 80 people at each one. They make up the bulk of the rest, and probably 99 percent of that is Windows or server-based. We only have maybe 30 Macintoshes in the whole system and about as many Linuxen.

We are using Windows agent 618.

It talks to a lot of our other systems. It allows us to correlate data between our firewalls. This way, we can connect whether network activity is relating to an endpoint detection for faster correlation. It provides more data about the endpoint quicker than if we were to go out to the endpoint and collect that data manually. In general, I see that it speeds up our playbooks pretty dramatically, as far as our workflow.

We have what we call our phishing playbook. It is an all-in-one, where an email comes into the organization, a user reports it to us, it comes into our automation platform, and then it kicks off a whole bunch of other stuff. For the phishing playbook (which does have a malware component to it) to go out to all the individual tools, that could have taken two and a half hours for it to run the entire phishing book manually, going to all those individual pieces. Now, we can have one done in 15 minutes. The phishing playbook is a catch-all that has multiple systems in there too. As far as collecting data from many different parts, it speeds that up. In general, we have noticed time savings. 

I would give them probably about as high as I would be willing to give any organization. I would give them an eight out of 10, as far as their effectiveness, for preventing breaches. In general, we feel more secure knowing that we are not relying on multiple different technologies to provide a different kind of protection. We were using a couple other different pieces of software to do a portion of what CrowdStrike is doing for us. We are getting a more comprehensive protection, which is good.

We like the ability that if there is an issue at a third-party clinic that is affiliated with us in some way, then we can go in there quickly and install our agent, protecting them if something were to happen. For example, we had at doctor's offices where there were phishing incidents, then we went in there and installed the CrowdStrike agent. 

I like the herd immunity, their Falcon X version. If another organization somewhere else gets hit by a piece of malware that has not been seen before, we will get that protection in however long it takes them to analyze it and push that detection to everybody else. I find that extremely helpful.

The second most useful feature to me is the intelligence modules.

I like the dashboard nature of it. Everything is clickable, linkable, and information is easy to obtain and find. How it presents that information is probably the biggest win as far as the information correlation aspect. The presentation of it is very good.

When we first went to CrowdStrike and purchased it, a lot of my team members all had the same issue: There was too much information. Initially, when the user logged in, they were getting dumped on, like a five-gallon bucket of ice. Trying to sort through it all, you can get lost easily. Until you have really had time in the solution to really digest how to use things, it is information overload. We didn't get that from Palo Alto XDR.

I would like them to improve the correlation of data in the search algorithms. When we run an investigation, malware, phishing, etc., I want to look at multiple endpoints at once to correlate that data to see the likenesses, e.g., how are they not alike or what systems and processes are running across those systems? I don't want to have to run the same search in their Spotlight module five, 10, 15, or 100 times to get 100 different results, copy that data out, and then correlate it on my own. In a very simple way, I want to be able to load up a comma-delimited list giving me the spotlight data on these X amount of hosts, letting me search for it quickly. We have had to go back to CrowdStrike, and say, "Our search are taking far too long for even one host." They did bump up the cores and that did improve performance, but it is still kind of slow to get that Spotlight data. That is probably our biggest pain point. I think that needs some help. I understand this kind of information access is probably not the easiest thing to do. It is probably a big ask depending on how their back-end is setup. 

We have been using it since about June of last year. That is around when we officially purchased it, but we had been running it as a PoC since about March or April of last year.

The stability has been fantastic. I have had no stability issues at all. It has never caused a problem of any sort that we have had across in the organization for a PC "acting funny" kind of ticket coming in. Those have never been CrowdStrike agents.

Because this is a cloud-native solution, it provides us with flexibility and always-on protection. That is just the nature of what SaaS applications are. In a very general sense, I wasn't looking at CrowdStrike because it is a SaaS application. That has been a minor point to me. Just one of those, "Oh yeah, your SaaS." It is almost expected nowadays with a lot of your more modern XDR platforms that it has to be always-on, 99.999 percent uptime.

As far as general maintenance, it makes it a bit easier as far as overhead. If there were servers onsite, we would have to take care of those as well as the care and feeding of them. Making it SaaS does make it easier, which provides us some extra man-hours as far as taking care of the hardware behind running it. There is that added benefit, which is nice. The configuration of the agents probably makes it a bit more automated, so that is nice as well. These are just secondary points to me. If we had to do the maintenance, I would be perfectly happy with doing it.

All our security team monitors it. There are five of us in the console daily actively using it. I am probably the only true administrator who will change policies or anything like that in there.

A couple people have access outside of the security team, but I have not seen them login. We have a couple of our server admins have access where they have view rights, but they don't go in because they don't have issues. One or two people on our Citrix team have access, but they don't go in either. Also, one or two of our end users might have access.

The scalability has been fast and easy. We did so many endpoints very quickly without any issues.

It is fully deployed across our organization. We can't really expand anymore unless we are adding/buying clinics.

Now that we are a full-on customer, CrowdStrike technical support has always been spot on. It is one of the best that we have. It is way better than Microsoft and many other pieces of software out there. In my personal experience with the technical support, it is one of the best that we have had. That could be because we have an awesome TAM and great customer service manager. If I reach out to them, then they are on top of things.

One factor behind why we chose CrowdStrike is that we were getting rid of multiple agents to go to one CrowdStrike agent. When we had Carbon Black Protection previously, they were ripping us off. It was a lot. We are paying substantially less with CrowdStrike. Carbon Black Protection is only for application whitelisting, and that is all it does. It is not AV. It is not anything else. That was just one piece of software that we were using. So, getting rid of Carbon Black Protection more than paid for CrowdStrike, and then some.

We were also previously using Microsoft SCEP.

There was a slight decrease in lag time when we removed Carbon Black and put CrowdStrike on, but CrowdStrike moved it back up slightly. However, it was still less than the Carbon Black agent. We did see a slight performance increase with the OnBase application, which is linked to Epic.

CrowdStrike requires tuning out-of-the-box. When we first installed, we set the protections and configurations as recommended from CrowdStrike. We were getting absolutely inundated by detections and incidents. It required probably about a month or two of tuning to really dial into the number of what we would call, "expected incidents". Even now, I would say about 90 percent of what we see are probably false positives, but they are false positives that make us scratch our head, and say, "Is this really something or not?" These are not, "Oh hey, this is Windows Media Player that is getting flagged." These are legitimate false positives worth the investigation, but it takes some dialing in. 

It was exceedingly easy to deploy the solution’s sensor to our endpoints. We had zero issues. We used Microsoft SCCM. We programmed the string and all the commands, then we were off to the races. We programmed one SCCM job by GPO to do all of it. We had 14 total failures, which we found out later was not a CrowdStrike issue. It was an endpoint issue for those failures. Across 20,000-plus endpoints, 14 failures is really good. We deployed it in five days. That includes production servers, test servers, medical endpoints, etc.

The PoC deployment was only 25 endpoints. It was just downloading the agent, then manually installing it. That was a 48-megabyte install. It took two minutes, click two check boxes, enter a string, and you're off to the races. The test install was super easy too.

Our implementation strategy was probably the same as many other organizations. We did the workstations and laptops first, then we did test servers followed by the production servers. 

We had to tailor how many agents we were pushing out at a time via SCCM. The way we had built our job, it was doing a CrowdStrike install, but it was also uninstalling a couple of other pieces. It was having issues on that uninstalled portion. So, the SCCM job would fail. Then, we would get a kind of success where CrowdStrike was installed, but it had failed to uninstall the other portion. Therefore, it was a strange kind of limbo where CrowdStrike and Carbon Black did not play well together at all, like it would absolutely just fail. For example, we had a couple instances where they were both on a machine at once, so we had to tailor how many machines we were doing in a time break, e.g., every 30 minutes, we were doing 500 machines. Every 30 minutes is essentially what we did for a couple of days at a time during business hours so we could monitor it.

It was just the SCCM guy and monitoring it like a hawk. That is all we did for those five days. We just watched it. He was the one doing all the work. He programmed the job and everything. I just gave him the code and watched the CrowdStrike console. If necessary, I went into Carbon Black and manually uninstalled it from there too.

The only help I had from CrowdStrike was to confirm this would work in Citrix. For example: 

• Do we have the correct install language for Citrix? Because the VDI requires a couple of different switches turned on. 
• Is SCCM going to work?  
• Does this look right to you? 

We just basically had them bless it off, "Yeah, it says right here in the manual that this is good." We kind of followed the manual, then we had no issues. However, we just wanted to make sure about that Citrix VDI. So, we did have them actually look at that and make sure that the switches were good.

Agent overhead on the systems has been lowered slightly. We haven't had any tickets coming in, saying, "Oh no, CrowdStrike is messing up my PC. Come fix it." We had this with Carbon Black Protection. It has cut down on the number of support requests for other teams. 

I can't even talk about performance overhead, which is good. Our Citrix team hasn't noticed any extra increases in their Citrix workloads, as far as Citrix Server usage overhead, because we also deploy the CrowdStrike agent virtually. It has not slowed down any of the clinical applications, which was a huge win. If it had slowed down any of our clinical applications, especially the more time-sensitive ones, then it would have been a no-go. It would have been a red flag, "You're out the door," and it did not slow any of them down.

We saw ROI by removing Carbon Black Protection, which costs way more than CrowdStrike costs us. Right there, we already earned back and saved money by removing that solution. Turning off Carbon Black Protection and Microsoft SCEP AV were a huge amount of system overhead saved. Easily coordinating between multiple different pieces of software and gathering that information quickly was another time save. 

I am saving at least an hour or two a day by not having to go into Carbon Black Protection to figure out some sort of strange whitelisting issue.

One part that I don't like about CrowdStrike is that you have to pay for the extra feature of Falcon X. I don't like the a la carte nature of it. I do find that feature to be one of the most useful.

The pricing and licensing are reasonable. I don't think we are getting charged more than what it is worth. It is fair, but I do not like how it is a la carte. I realize they do that so other organizations can buy and get the agent, getting it cheaper than you could otherwise.
However, if you want the main core package, which has all the main features with the exception of maybe the multi-cloud protections, that can get pricier for an organization. So, you have to pick and choose what you want. I do not care for a la carte pricing.

We had contacted one of our software vendors, who put us in contact with CrowdStrike directly. We did a PoC for about 60 days. This was right at the COVID-19 kickoff. They weren't as strict on the 14 days, then you are done. They said, "Use it for as long as you like." 

Getting the free trial was super easy. As soon as they spun it up in the cloud, they said, "Here is your login information. Soon as you get your agent, here is the connection string that you will need with this agent when you have run your install." Done. 

When I got the go ahead from my director that we had officially purchased it, I was able to fully deploy to our 22,000-plus endpoints in five days. We had a full deployment in five days.

The free trial was critical. I don't think we would have gone with it if we had not been able to at least kick the tires on it some. We had to make sure that it wasn't going to interfere with our medical applications that are time sensitive.

The other major vendor that we were looking at besides CrowdStrike was Palo Alto XDR. CrowdStrike is a more mature product than Palo XDR, but with that goes some bureaucratic sluggishness. I personally had some issues with CrowdStrike, as far as getting support in a timely manner when I was still a trial customer. Now, as a full-on customer, I don't have any of those issues as far as slow support. They are always very on top of things. But as a test drive, it took far too long getting any support to get a user reset and logged into the platform. It took days. I was very upset about that. However, with that maturity, you have your full built-in intelligence module, which is one of their big selling points. It was fantastic having all that data.

Palo Alto XDR probably had more out-of-the-box API integrations that we use, because we use the Palo Alto XSOAR. It would have linked immediately and perfectly right out-of-the-box. Basically, with a click of a button, it would have been on. A majority of our security work comes from XSOAR. That would have been a huge win. Because of legal issues, CrowdStrike and XSOAR have an API link, but it is not terribly useful or intuitive to use without a lot of customization. Unfortunately, with a small team, nobody really has time to dig into the API and do all sorts of customization, trying to program it to get it to be just right. We have too much more operational work to do.

Other than that, the protections between the two are equal. I didn't see any decrease in that. I would just say CrowdStrike was more feature-based, and that Palo Alto's feature-base wasn't fully quite there yet. Things were a little bit more intuitive to me on the Palo Alto product than the CrowdStrike product. However, the maturity of the CrowdStrike product eventually won out.

I personally liked the Palo Alto product a little bit better than CrowdStrike because I could see where it was going. It was a difference of GUIs, essentially. With the recent updates from CrowdStrike, it has made this a little bit better.

Our CIO had a previous good experience with CrowdStrike. That was the reason why we went with CrowdStrike over XDR. Essentially, what it boiled down to, someone with a higher pay grade above me had a previous good experience.

We just signed a contract with an organization for another piece of software to do our multi-cloud protection.

We get a lot of our ideas for software that we want to take for a test drive through Magic Quadrant reports.

It being SaaS was of no importance to me. If I wanted the solution, then had to build an on-site server for it or not, that makes no difference to me. I know for some people who have overhead, that is where it matters. Personally, it does not at our organization. I was more interested in getting the best of breed.

CrowdStrike Store is pretty interesting and always intrigues me. It typically will take you to another vendor's website for another piece of software that you would have to buy and install. So, it is one of those things like, "Oh, that is nice to know that you integrate with these other people. But, we don't have money right now to be looking at these other people's software that easily integrates but still requires their own agent to be installed on the PC." It is kind of an advertisement shop saying we work well with these other pieces of software.

Try it. Try all the features. Because if you go with a trial and don't try all the features, then you are not going to know if it's going to work for you or not. Try everything that you possibly can. I know some organizations who will "try it" and install it, but they won't do anything with it. In this case, we actually did. We actually tried to use all the features and create issues. We tried to kick the system over, and it didn't. 

Biggest lesson learnt: Rely more on our technology, trust our processes, and trust the software more. I think that is just an organization maturing from an old-school antivirus and application whitelisting/blacklisting mentality to a next-generation antivirus mentality, where you are trusting your software to operate. You are trusting your processes and playbooks to run automatically. As we matured and went with CrowdStrike, we are now relying more on our automated processes to run.

I would give it an eight out of 10. There are areas of improvement, especially with the search because it's a time burden and causes issues for our team. Other than that, everything else that we are getting has been fantastic. It is great overall.

I have been surprised by the new features coming out. When they add a new feature to an agent release, it doesn't seem pell-mell. They have a thoughtful consideration to what they are adding. The upgrade schedule is not overly burdensome nor is their path for pushing out those new features burdensome. We can keep up with them. So, they are not pushing out 20 features on one agent and none for the next 10 iterations, and then another 20. It's one or two every couple of iterations. It is trickling, which makes it easier to test things and run them through our CAB. That has been helpful.

Our main use case was looking for an endpoint solution that was able to follow our users anywhere. We have over 52,000 employees, and a majority of our people work in various places. Many employees are not in an office every day: They are at a client's sites, some work at home, some are traveling, etc. We really needed something that would give us visibility no matter where and when an employee was working.

It has improved the way that we function by giving visibility to machines that we could not see before. With our previous product, you had to be VPN'd and connected to our network. Now, we can see alerts when people are just working at home. For example, they may have clicked on something that may be malicious, now we can take action and stop things from getting worse at the end of the day with its level of visibility. We have also seen installing CrowdStrike has a lot less resource issues versus what our previous solution had on local machines.

It is very important that our security solutions are cloud-native as continue to grow our company. I have been here for almost three years and we were 40,000 employees then, and we are over 52,000 now three years later. For us, the cloud has been important because we don't have to worry about infrastructure, connectivity, or other things like that to grow our business.

Even as we had to pivot with the pandemic to more employees working from home, we have been able to maintain the same level of security visibility. One of the big concerns for management when the pandemic stated was how we maintain security asking, "What do we have to change for security?" and it was nothing, "Let people go home. Let them work from wherever they need to." We had already taken the remote working ability into our security model. Our security operations did not change anything when employees pivoted from working at client sites (or in offices) to working at home.

As long as the machine is connected to the Internet, and CrowdStrike is running, then it will be on and we will have visibility; no VPNing in or making some type of network connection. CrowdStrike always there and running in the background; for us, that is big. We wanted something that could give us data as long as the machines connected to the Internet and be almost invisible to the employees.

Having this type of security operations gives our management a level of comfort. We know we have ransomware protection and there are automatic actions that will happen to keep those incidents from spreading. As things like SolarWinds or the Microsoft Exchange issues have come out, we have been able to use the CrowdStrike logging to do look backs through the logs that we have been maintaining for over a year to see if there were any indicators of compromise that previously occurred before this was known issue. This has been great for us to be able to report to various management. even if we may have been running a vulnerable version of this for a period of time, e.g., like the SolarWinds software.

The Prevent, EDR, and OverWatch are some of the biggest features for us. They stand out as being useful because:

1. Their high efficacy rate on detecting items.
2. The ability to detect malicious activity and take action with a machine that may not be on our network.
3. Do remediation or automated actions, especially for things like ransomware, where it would automatically stop from running and quarantine the machine.

The introduction of CrowdStrike Overwatch service has reduced security risk. It mines through data by threat hunting. Overwatch has been able to point out things to us that were potentially risky activities going on that probably wouldn't have been detected by our old solution allowing us to take some actions and reduce some risk from that perspective.

They have been able to offer Spotlight and other modules, which is great. They take the information they have and turn it into solutions.

There is so much data in their dashboarding and other stuff like, but there is also still some work to do on, "How do you boil it up to certain higher levels/executives?" There is a lot of good technical detail, but in the position that I sit in, sometimes it is a little hard when I am not in it day in, day out to come to what is the real executive level sorts of things. For example, CrowdStrike shows incidents, but what are the things that I really need to worry about as a CISO at a company? That is the one area for improvement.

Finally, they bought a company that is doing SIEM, which is interesting to me. When I first started with CrowdStrike in my previous organization, four or five years ago, I went to CrowdStrike, and said, "I don't want to have to buy or continue to support our SIEM product. I would rather use you guys. Can I pay you extra money to hold that data and do those things so we can have that functionality? Then, I can get one rid of a solution." At that time, they told me, "No, we're not a SIEM company." I did not like the answer, but I respected it. Now that they bought one, and I am like, "Wow, I guess I was just a few years too early." So, I'm glad to see those sorts of things. I am glad to see them evolving into those areas where I saw it years ago, where they are strong, and displace others.

I would love to see more investment in Insight because CrowdStrike have an opportunity to potentially displace some of the vulnerability management vendors with the visibility they can see over time. I want to see them continue to evolve, e.g., what other things can they disrupt which are operational things we have to continue to do as an organization. Then, I can have less vendors and put more effort into one solution that we really want to operationalize.

I have been using it for two years at this organization. I also used it for about two years when I was at my previous organization. So, I have used it for four years in total. There was a little lull in-between when I came over to this organization as their CISO, because they were on another product and then we ended up switching in 2019 to CrowdStrike.

I have never had an issue with stability at my current organization. At my previous employer, there was one issue with an auto upgrade where it caused some issues, but it was resolved quickly.

CrowdStrike is a vast improvement compared to our previous solution, where we had to spend a lot of time. For example, when the client had to be upgraded, it was a three-to-six-month project with people having to spend dedicated time to roll it out in waves, then deal with issues when a client's machine didn't upgrade correctly. Now, upgrades happen automatically. We turned auto updates on and have never needed to look back. Nobody has to spend any time on it.

I honestly cannot tell you the last time I have heard about a CrowdStrike agent issue causing an outage on a machine or server at the end of the day.

We have had no problems with scalability. CrowdStrike can scale as much as we need them to, they are the ones taking care of all the cloud, hosting, and processing on their end. So, we have never had an issue where we have seen a degradation in alerting timing, etc.

There are probably 10 to 15 people who access CrowdStrike or use its data regularly. It is funny because our IT people will use it to try to look for things that aren't necessarily security sorts of things, for example, "Hey, this isn't working," or, "That isn't loading," because of the level of visibility CrowdStrike has in some of the processing item. We have four or five people on the SOC. There are probably 20 or 30 accounts in there, but for the ones which are used regularly, it is probably about half that amount, like seven to 10.

My experience with the technical support has been great. Part of it is also the level of access that I have at CrowdStrike. I have been on their advisory board since the beginning and a customer. I participated in a panel at one of their last in-person sales kickoff with their CEO. I remember when the company was 200 to 300 employees and there were 1200 or 1300 at their sales kickoff.

For monitoring it, we have an outsourced IT provider (our partner) who has security operation center people. They are the ones who are really responding to the alerts at the end of the day. I think there are four or five people who cover the 24-hour time shifts.

This solution has been not nearly as compute resource heavy as some of our previous solutions. Compared to our previous solution, CrowdStrike is a lot easier to use, easier to get information out of it, and you are getting it in more real-time.

Deploying CrowdStrike's sensors to our endpoints has been fairly easy. You can do tens of thousands of hosts in less than a day. I know of another organization who deployed 60,000 endpoints over a weekend.

Each organization has to look how its IT operations function. We did our deployment in a phased approach, with lower risk systems and servers first. If you had an issue, then you could easily roll it back. Then, we rolled it out into more regions and higher risk things.

We had a desktop management employee pushing it out, then another person in our security operations center validating endpoints numbers. It is really having your support desk know as well as having your people who run endpoint management.

For monitoring it, we have an outsourced IT provider (our partner) who has security operation center people operating the solution 24/5. They are the ones who are really responding to the alerts at the end of the day. I think there are four or five people who cover the 24-hour time shift.

The amount of compute resourcing used on a machine has been significantly less than the previous produce. The biggest ROI is the operational cost reduction. We would have a project manager spend three months to roll out an upgrade of a very heavyweight, security endpoint client. At the end of the day, this could cause a one to two percent error rate where machines would have an issue, then we would need to have a tech spend a lot of time on correcting this versus having automatic updates now that take care of themselves.

You are looking at saving six to seven months of a person's time, collectively, which would have been spent on just doing this one function alone.

Years ago, when we bought CrowdStrike, you got everything it had. I was a little concerned when they broke this out into a la carte modules where you can buy EDR, Spotlight, etc., picking and choosing off the menu. I was a little worried that the solution would get watered down. However, I realized in my previous organization when we had the full suite that there were a bunch of features in it that we didn't have time to operationalize. So, I warmed up to it. I get the whole, "Look, you can pick and choose. Okay, everybody buys a steak, but do you want mashed potatoes, or do you want lobster mac and cheese?" So, you can pick the sides that you want, so you can buy the solution that you want and operationalize versus paying a lot of money and getting a bunch of things, but not using 60 percent of the tools in the box.

There are licensing and maintenance fees.

At my previous company, I did a PoC. The guy who led all the Midwest sales was somebody I knew for around a decade. So, it was, "Hey, I want to try this out because it sounds interesting." So, it was fairly easy. You got the trial. You installed it, then you connected to their cloud portal. That was it. You opened it up to be able to communicate to port 443 outbound, and that was it. It was super easy to get CrowdStrike up and running.

The PoC was important because we were able to test \ and see visibility that we weren't able to before when a system was off-network, just sitting at home, connected on an Internet, and not VPN'd in. It was those sorts of things where, "Look, this is what we can see now that we couldn't see before," as a result of doing that trial.

At my current company, we did not do any type of trial because of past experience. We did test but then just started kind of rolling it out because our other product was just too heavy to continue to operationalize.

In my previous organization had very much the same issue that my current one had. We had an endpoint solution where you didn't get any alerting from the endpoint security if you were off-network. We had salespeople who traveled, and even more people connected via VPNs, which was common. A lot of things were internal, but we were shifting to some cloud-based things. We had the issue where a salesperson connected to the network every once in a while, and we wouldn't see the alerts. By the time we got the alert, it's well past and who knows what has happened. Therefore, I started doing some searching on the Internet and found the company, CrowdStrike. I looked it up and was like, "Oh, a friend of mine, in sales, was there." So, I called him up and said, "Hey, can we talk?" That is where it started.

We continue to look at other solutions such as what Microsoft has to offer. Some of it is part of our licensing and some of it is not. We continue to listen to some of the other players who are out there such as Cylance and SentinelOne. When I first looked for CrowdStrike, there was nobody else in this market space who was doing endpoint security purely from the cloud. Even when I talked to our previous solution provider about the cloud their answer was, "Oh, we can put servers on Amazon." I told them, "No, I don't want to have to manage servers, period. I want the provider to take care of this. We'll pay for that." That was kind of this weird notion for them to be a truly software as a service model. Now, it is common, and everybody is doing this service model.

A number of other solutions have caught up, mainly by copying CrowdStrike’s cloud-first framework model. A lot of them have been catching up from that perspective overall. Now, it has become a little bit of a crowded field and much more of a commodity but CrowdStrike was the industry leader when we were making our decision.

CrowdStrike is currently across all our technology stack, servers, and workstations.

When we did our proof-of-concept testing, our administrators liked that installing it was easy and did not need to reboot the system (and causing an outage). Our administrators also loved that once they did this, they didn’t have to deal with doing client upgrades once or twice a year, where you have to take servers down and reboot them. You install this once, and now you won't have to worry about this ever again. I sold this to administrators as, "You want me to make your life easier? Here is the one thing you need to do." Now, they reap the benefits.

We are looking at the cloud workload options over a course of time, as more technologies shift to cloud and we acquire other companies with more endpoints. From that perspective, we will continue to look at some of the other modules that they have but operationalizing some of modules are not in our risk profile. Some of the modules don't add as much value as they would to some other companies depending on their risk exposures.

We will look into the solution’s Horizon module in the future.

I would rate this solution as a nine out of 10.

We use it for our endpoint detection and response on our devices for both endpoints and servers. It has replaced our traditional antivirus. We are strictly using it now to do all our antivirus duties.

We are primarily a Windows environment, 95 percent Windows. Then, we have a little bit of Linux and Macs in there as well.

They have been able to help us. We have used other functions, such as Discover, to identify software that is running in our environment. This is not necessarily bad software, but it gives us an idea of what is out there to start building a standard configuration, which helps us build policies for what we do want in our environment and what we don't. That has been very valuable as well. It is kind of an offset of what they actually do; their main bread and butter, if you will. They have been very helpful with other tasks, such as that and in finding themes. 

We are pretty confident in CrowdStrike. Knock on wood, we haven't had any breaches that we know about. When you do see a large breach in the news, it seems like CrowdStrike is always mentioned. They are either helping investigate or leading the incident response (IR) process for them. While I can't really say it has specifically stopped a data breach for us, we are confident that if something happened then CrowdStrike would catch it.

We primarily use the Falcon feature. It is very dependable for us. We have done multiple tests against it and thrown everything we could at it. It does seem to pick up quite a bit, if not everything, that we have tested with it. So, we rely heavily on it. Right out-of-the-box, the main Falcon component is the biggest feature that we utilize and rely on.

We are a heavy laptop environment. So, it was nice to know that our users would be protected and we would know what was going on, on the endpoint, regardless of how they were connected. That has been very valuable. This is one of the reasons why we chose to go with this solution.

The fact that this is a cloud-native solution means that we don’t need to worry about updates. They take care of all the back-end and architecture. The only updates that we need to worry about are the sensors themselves. If you set them to auto update, like we do, then you don't even have to worry about that. It definitely frees us up to do more important things. If it wasn't for them doing this, we would need at least a part-time FTE, if not a full-time, to operate and manage CrowdStrike keeping it up-to-date as well as the hygiene. We had half of an FTE assigned to our antivirus prior to CrowdStrike. Now, that is just included in our dailies. It lessens that burden so much that we don't even need a slotted requirement for that. Overall, this solution saves us at least a good 10 hours a week that we would have been using before.

Their threat dashboards are very helpful. For instance, with this zero-day that just came out from Microsoft, they already have a dashboard where you can see the assets in your environment affected or at risk. That is just an added value. 

It would be nice if they did have some sort of Active Directory tie-in, whether that be Azure or on-prem. Sometimes, it is difficult for us to determine if we are missing any endpoints or servers in CrowdStrike. We honestly don't have a great inventory, but it would be nice if CrowdStrike had a way to say this is everything in your environment, Active Directory-wise, and this is what doesn't have sensors. They try to do that now with a function that they have built-in, but I have been unsuccessful in having it help us identify what needs a sensor. So, better visibility of what doesn't have a sensor in our environment would be helpful.

We have been using it for four years.

Stability has been really good. We have not seen the issues that we had with traditional AV. Having it connected to the cloud has really helped with stability, being able to see what a computer is doing at all times, and being able to see the last check-in times, this has kind of helped with the sensors.

It is primarily just me for tweaking or management of the solution. I have backups, if needed, but it is such a light lift that I may spend an hour or two a week in the console. It really is a great product that takes care of itself. Not a lot of tweaking has been needed so far, knock on wood. We haven't really had to make any exclusions like we used to with traditional AV. Everything is running with CrowdStrike's full protection, which is a huge bonus for us, since traditionally you are pretty blind. 

The solution is very scalable and easy to deploy as well as sync up agents with it.

The end users are the security team, which consists of about four of us. Then, we have a couple of leads from other technical teams. So, there are probably eight users who have access to CrowdStrike. Primarily, there are just three of us who are in there constantly.

The technical support has been pretty good. They are usually very responsive. We haven't had to escalate anything. When we have needed a more technical, deep dive, we have been able to get a dedicated engineer for our account to assist us. So, there has never been a time where we feel like we can't get the help that we need.

We were previously using McAfee.

CrowdStrike seems to detect quite a bit more than McAfee did. We like how it is kind of real-time, if you will. It is not so much signature-based. So, it has been able to stop things quicker than McAfee did. We have seen a huge increase in performance on our systems. Oftentimes, the daily scans would need to be run with signature-based AV or scans with servers, then that would cause great performance hits. It kind of limited us as well to where we could only scan certain windows. Now that we have CrowdStrike, we are kind of always-on and not limited to having to do those scans. So, that has been a big performance increase for us.

It is a lot easier to use CrowdStrike than McAfee, especially having the team at CrowdStrike handle the maintenance day-to-day, etc. With on-prem, you are responsible for everything. Whereas, with CrowdStrike, we can just worry about our IR response, basic deployment, and health checks. So, it is very convenient having them handle it in the cloud.

CrowdStrike was cutting edge technology at the time. EDR was still kind of new then versus the traditional AV. Not only because of licensing costs, but also because of performance, we felt that we needed something new.

It is easy to deploy the solution’s sensor to our endpoints. We have that as part of our build process. When new things are built, we have those as part of the build. If for some reason, something gets corrupted, then it is fairly simple to redeploy and we utilize SCCM for that. However, it is pretty run of the mill, i.e., easy. With the updates being taken care of by CrowdStrike, once it is deployed, then you are pretty much good to go.

Our initial deployment took about a week. That was only due to working out how to adjust CrowdStrike in our environment: weed out false positives, mimic anything that we needed to from our traditional AV over to CrowdStrike, and test previous exclusions that we had for our traditional AV, if we needed those anymore in CyberArk. It was very easy to deploy with SCCM, then it was more just tweaking. 

We did a test in our test environment and saw no negative impacts. Although not advised by CrowdStrike, we were able to run our traditional AV while we were deploying CrowdStrike. Once we knew CrowdStrike was on the machine working, then we were able to send out scripts to remove the old, traditional AV. Our strategy: We knew that it would not, at least in our environment, hurt us to have both on temporarily. So, our deployment strategy was very simple, knowing that we had an AV in place to back us up if something didn't go right with the CrowdStrike install.

I did the deployment. If there were exclusions or something that we needed to address, then I worked with the individual teams.

The 10 hours a week that we are freeing up from having to manage and monitor our AV solution has really allowed us to focus on other areas of the business. This has been a huge return on investment.

We did the free trial to kick the tires. Part of that head trial was having us load stuff and trying to get by it, and we weren't. That trial really helped sell us that it was a good product.

Getting the free trial was very easy. It has been years now, but it was as simple as just going to the website and requesting a free trial, then it was stood up maybe even that same day. It is hard to remember now, but it was very quick.

The pricing and licensing are fairly good. It is definitely not a cheap product, but I have felt that it is worth the money that we spent. So, we have discussed it in the past, and were like, "Yes, it is probably pricier than some other solutions, but we also feel they really are the leader. We are very comfortable with their level of expertise. So, it's kind of worth the price that we pay."

We do add their OverWatch protection, which is an extra bit of an add-on, but that gives us 24/7 SOC-type watching. So, we have added that on, which has been valuable as well. Outside of that, there have been no more additional costs.

We were looking for an EDR solution. At the time, CrowdStrike was the leader. We were very big into Gartner reviews, and we went off of Gartner. We just wanted the best that was out there.

Do it. It is a great product. I seriously think it is worth considering. We have been completely happy with the solution that we have been running on for years now and have never regretted our decision. I highly recommend it.

We plan on possibly looking into the added features that they offer to see if there is something there that can increase our incident response or add value to our business.

It is our primary EDR, so we are using it 100 percent for that and plan on using it for other avenues. We found Discover can help us with the inventory for applications. So, I am looking for other business opportunities there to help us, which will be our goal in the future.

It has given us some insight into how threat actors work. The biggest thing for us has been threat actor education. They give you intel which helps you identify what attackers you would more likely be targeted by. A lot of this comes with our OverWatch protection. Their threat intel has probably been the biggest thing for us.

Overall, I hate to give a perfect score, but it is probably a 10 out of 10. It is a really great product. 

The product is inherently cloud-based.

Knock on wood. Between our management of the platform and having subscribed to Falcon Overwatch, the managed threat hunting service, I haven't had a concern in six years. I have yet to deploy this product in an environment that has later incurred a breach. I have the utmost confidence that would be very unlikely to occur.

Every time that I have deployed it, it was more about Falcon Insight and its EDR protection. Then, the team in the company would be so pleased with the results that there was minimal resistance adding additional stack elements. Prior to their announcement of several new modules last Fall, we had acquired the entire stack. 

Each element of the stack continues to further develop their capability and empowerment of team members. For example, CrowdStrike Falcon Spotlight was an interesting tool to assess vulnerability management, but the capability of that module alone has just continued to develop in a very favorable direction. Also, the discover tool is extremely valuable. 

Probably the most valuable thing to me is the real-time response piece. The fact that I can connect to an endpoint as long as it is on the Internet, no matter where it is globally. I can remove files from the endpoint, drop files on the endpoint, stop processes, reboot it, run custom scripts, and deploy software. Pretty much no other tool can do all that.

As a cloud-native solution, it provides us with flexibility and always-on protection, which is critically important.

There is nothing existing today that I would change very much about the solution. Because of the capability of the data that they are ingesting, they have the ability to create tools leveraging that data to enhance the capability of the platform. The possibilities are endless.

I have been using CrowdStrike Falcon for about five and a half years

There are no questions about stability. I continue to see, especially in the last six months, that CrowdStrike is making very purposeful acquisitions to tactically and strategically build upon the platform. Many companies acquire smaller companies to get a fraction of a piece of technology that tends to be an add-on or something that may compliment the core product, but CrowdStrike is making more strategic moves to acquire technology that they can directly integrate into the existing platform to make it even better and more effective.

Updates can be handled one of a number of ways. This is something that has evolved quite a bit since I initially deployed it. Initially, you simply had the option of manually upgrading sensor versions or leaving them to automatically update as soon as a new update was released. Very infrequently, there have been issues with sensor builds. Early last year, they rolled out the ability to automate the sensor revision updates, but do it in a tiered fashion. So, there was an N-1 and an N-2. So, when they release a new version, I step back my releases and deployment of the updates by one version backwards. Then, I have a few early adopters who get the latest sensor build as soon as it is deployed. Provided there are no problems, when the next release happens, the N-1 version will automatically upstep my entire environment without having to put hands on it.

This product does not require any maintenance post-deployment.

We are protecting 5,500 endpoints with this solution. We do have plans to increase usage. Our environment is rather complex in that we have 6,000 core corporate associates and roughly 5,500 endpoints. Then, we have a distributor network globally comprised of about 220 wholly owned subsidiaries who are essentially their own companies, but they are only licensed to resell our products. They kind of have a mix of endpoint protection because it is largely up to them, within their entity, as what they choose to use. We are looking to further wrap our arms around them from a security perspective. We have looked at acquiring CrowdStrike's complete platform, which would be fully managed to deploy to that distributor network, which is about the same size as our corporate environment. So, it would be roughly another 6,000 users. It is a very large, globally-reaching endeavor, and working through the politics and legal aspects of how we will make that come to fruition may take some time. However, that is the plan.

I would give the technical support 10 out of 10 for the past year. They have improved a lot of things in response to customer feedback. A year and a half ago or more, if you put in a support request by email, then it wasn't timely addressed. It could be a day to three days before you received a response, which was a bit frustrating. There was a lot of customer feedback around this issue, which has been greatly refined. Now, if I put in a support ticket, I would expect it would probably be answered within a couple hours.

I have a lot of ideas in my head about where things could go with the solution. The company is very receptive to those thoughts as well as the opinions of all its customers

Our previous endpoint protection platform was very cumbersome to manage. It did not reliably apply protection and had many issues. My current organization is the fourth time that I have deployed CrowdStrike Falcon in an environment. The first time that we deployed it, we were using an inherently cloud-native protection platform, but it was unreliable. 

Swagelok was using McAfee ePO, which inherently is an on-premise solution. It is also very unreliable and cumbersome to manage. It was just missing detections, being inherently signature-based. So, it was only hitting on known signature-based malware. We lacked the EDR aspect of endpoint protection, e.g., behavioral-based analytics and preventing malicious behavior before it begins, which drastically stifles the remediation effort. McAfee's principle was always, "If you get said detection, then you need to run other tools to scan, remediate, and clean up the endpoint." Hands need to be on the endpoint taking it physically offline and off the network. Everything is drastically simplified with CrowdStrike Falcon. I can cloud sandbox the endpoint, remediate it, and interact with it at the command line level remotely, regardless of where it is, as long as it has an Internet connection. It is just amazing. 

As far as Swagelok goes, McAfee yielded a lot of false positives. The management was so cumbersome that there were only a handful of people able to resolve problems with endpoints or false detections. If you weren't connected to the inside core network, you couldn't reach the server in order to mitigate the problem. Because of the cloud-native aspect to CrowdStrike Falcon, I can pull up the console in my car on a mobile phone and mitigate an issue for someone whenever and wherever I need to do it, regardless of how I am connected, what device I am on, etc. So, the response time has drastically decreased (by five to 10 times) for remediating a critical vulnerability, a piece of malware, or undoing a false positive. This has been noticed across the company at large.

In all four instances where I deployed the single sensor in organizations of various sizes, it was very simple. Swagelok was probably the easiest deployment, since it is an organization large enough to have a deployment tool, like Microsoft SCCM. Once the package was built to deploy to endpoints, we push the "Go" button. Then, it was a matter of hours and our entire environment was protected. The deployment took less than a week.

Three people were involved in deploying the solution:

1. Being the experienced administrator, I pretty much did all the configuration: creating the correct groups, prevention policies, etc. 
2. We have an administrator of the deployment tool. I worked very closely with the package of the sensors and he executed the deployment.
3. We have another gentleman who oversees our lab environment and was very invested initially in trialing the product against all our existing applications to ensure there weren't any incompatibilities in the early deployment.

We have absolutely seen ROI, e.g., the reduction in man-hours for resolving incidents. The speed of the platform has drastically reduced time consumed, affording more time for an operator to act when resolving problems.

It is an expensive product, but I think it is well worth the investment.

The CrowdStrike Falcon Pro solution alleviates the need to quote out the product. You initiate the use of the free trial, then opting the purchase. You can manage it all on your own without engaging a sales representative. I definitely have done this in a small business environment. 

In all other instances, it was more of a formal business relationship. There was a sales representative involved who queued up the trial environment. If you initiate a trial yourself, you are basically given 14 days to trial it. Whereas, engaging a sales representative allows them to moderate the length of time that you can do the trial. Because we are a larger enterprise with a lot of politics around completing purchases and legal reviews, we have a sourcing department who vets out vendors. The process is very long and cumbersome. We had initiated a trial, in this instance, which ran for several months before we acquired it.

The fact that I have access to the products free for several weeks or months was not really a factor. What was more impressive in the trial was the way CrowdStrike approached it. When you initiate a trial, they give you a CloudFlare instance of a victim machine and an adversary machine. They then allow you the capability to deploy the sensor or pull it back from the victim machine. You can unload whatever you care to against the victim machine for testing to see how well the product works on your own. Unlike many other products in a similar space, when you evaluate the product, it gives you the feeling that you are completely in control. Also, there is a sales engineer who moderates the demonstration of the product.

The first time that I deployed CrowdStrike Falcon, I evaluated probably a dozen other products. I was very close to signing a deal with Carbon Black, simply because I hadn't yet heard of CrowdStrike Falcon. Since deploying it the first time, I would never really consider anything else. I do look at other platforms from time to time to see how they have evolved and changed, but it would be very difficult to convince me to use something else. The winning factor for CrowdStrike Falcon is just the inherent capability of the platform. In my observation, there really isn't another company who can do as much as they can.

Take advantage of the opportunity by CrowdStrike to network with other customers in a similar company size and industry to see how well the product could benefit you as a potential customer before committing.

We have a very minimalistic cloud infrastructure footprint or container footprint at this point in time. That is likely to take off in full swing in the next year or so. We have many legacy applications running on legacy operating systems, which I am working very aggressively to get out of our environment. When that starts to take flight, we will definitely have more of a need for a cloud container as well as cloud infrastructure visibility and protection, which we do not have a lot of at this point in time.

I would rate this solution as 10 out of 10.

The initial use case was for CrowdStrike to be a replacement for McAfee. We wanted to come up with something that was a lot more adaptive to emerging world threats and not just strictly signature-based. We wanted something focused a lot more on heuristic analysis and pattern analysis first, e.g., isn't just sheer signature. Additional use cases are workstation servers and as much as we can do in our OT environment.

It has allowed our security team to have more time and resources built into things that are used to run the business versus needing to babysit our antivirus platform, or any malware platform. With what we have been paying for, it allows us to be a lot more involved with how the business is being run from a security, risk, and compliance standpoint.

We have signed up for Falcon Complete, which is their completely managed service. This has done nothing but paid dividends since we have rolled it out. Slightly before I started, there was a ransomware issue. CrowdStrike did exactly what it was supposed to when we joined networks with the company that we were acquiring. So, that was helpful to us.

To the best of our knowledge, it has stopped everything that we have seen. It has allowed us to focus our efforts on other things relevant to how the overall business functions.

It helps us in the M&A environment because it is a very simple, easy tool to deploy, being pretty much all cloud-based. While we're not building our security practice around it, it is a tool that we want to make sure does integrate well, if at all possible, with any new tool that we purchase moving forward.

It is especially important to us that CrowdStrike Falcon is a cloud-native solution. We have a directive for cloud-first architecture at this point. Anything that is cloud-native, or has a cloud offering, will always get first billing over something that is on-prem. We are a small security team. Having the ability to have a service or application that is not wholly managed by us, but rather governed and used by us, is the ideal solution.

The flexibility comes from allowing us to do a mass push, if we need to. We would find always-on protection with pretty much any solution. However, the fact that it is in the cloud, that just makes it that much better.

I would like to see a little bit more in the offline scanning ability. This just comes from my background in what I have done in other positions. They only scan on demand, so I always have this fear that we sometimes maybe email out a dormant virus and can be held liable for that. That is something where I would like to see a little bit more robustness to the tool. 

U.S. Venture has been using it since the first quarter of 2019. I, however, did not start with the organization until the Summer of 2020.

It has been very stable. There have been no real issues that we have had in the deployment or use of the CrowdStrike system in general. There has been zero downtime.

For our workstations, we don't worry about the updates. However, we have a tighter grip on updates for our server environment only because there was an issue at a point with one update. Since then, we would like to keep our deployments at an N-1. So, there is more of a check built-in just to make sure that the latest and greatest doesn't actually break anything unintentionally.

The CrowdStrike sensor is always kept at N-1 for our production servers. Our test servers are always up to date.

From what we have seen, it is very scalable. We have recently acquired a company where someone had a ransomware attack when we joined networks. Within the course of just a few days, we were able to easily get CrowdStrike rolled out to about 300 machines. That also included the removal of that company's legacy anti-malware tool.

We have all our desktop engineering group and server team as admins in the system, but they only use it for specific troubleshooting in their job roles. So, if the server team needs to do something, then they can just log in and do it as well as the desktop engineering group. They can just go in and do stuff, if it is something related to computers or servers. As far as for the overall management of the system, that is left to the security team.

It is currently being used to the extent that we need it. After CrowdStrike had their user conference last Fall, they introduced a lot of new tools, specifically one around forensic that we would like to get our hands on. However, there are no real plans for doing any major increases of its toolset. I do know that there is a project that will be going on for using its mobile application on some Android tablets, but it is still very much in its infancy. So, we are not quite sure how that will roll out yet.

I have never used their standard technical support. I do everything through their unofficial Reddit support forum. Also, if there are any other major technical issues, then I work directly with our TAM. So, I have never just reached out and created a general support case. Therefore, I cannot speak to how well they respond. However, their unofficial Reddit support has been fantastic with helping me work through troubleshooting issues and a couple of queries, where I was having issues trying to get the syntax correct. They have been nothing but helpful.

I believe they have their actual support engineers on Reddit, but there is no SLA nor anything guaranteed on that Reddit page. They claim that right there in the subreddit rule. However, I have had nothing but good luck working through them. It could take a few hours to one or two days to get a response, but it has always been for things that aren't pressing. For things that are pressing, then it is a direct call or email to our technical account manager who is very responsive.

They have a great online forum for customer use cases. That has been a great crowd sourcing thing. It is unofficial. I just stumbled across it, but the subreddit for their support has been spectacular for many reasons.

Previous to CrowdStrike, our organization was using McAfee VSE with McAfee ePolicy Orchestrator (ePO). Switching from McAfee to CrowdStrike, we saw a reduction in resources being used on both the workstations and servers. We saw an increase in detections, be that good or bad. We would like to think it was a good thing, because now it is finding a lot more stuff that wasn't strictly signature-based. So, it provided almost a very lightweight SIEM-type of response. It was providing information about installed applications, account lockouts, and top console users. It was a very nice bonus to have that information in addition to just the general overall anti-malware that CrowdStrike is known for.

CrowdStrike is so much easier to use. The UI is far more intuitive. The breakout of how the policies as well as the organizational structure within the UI for how the computers are laid out is far more intuitive. It feels a lot more based around how AD kind of functions. Because I am already familiar with Active Directory, the move to using that in CrowdStrike is very seamless, at least in my mind.

The agent is far more lightweight than our previous antivirus solution. It is a lot less resource intensive. We don't have any more on-prem servers to manage for running the application, which is another benefit to being in the cloud. There are just a couple of holes punched in the firewall for communication in and out.

A lot of the switch was focused around the fact that CrowdStrike was solely a cloud-native solution as well as heuristics versus signature.

It is very simple to deploy the solution’s sensor to our endpoints. Right now, it is part of our standard build process through a SCCM. So, it gets a version, then it is obviously outdated because our desktop engineering group can only update the image so quickly. Once it is checked into the cloud, it updates, decides to download, and gets the new seamless version. It has been wonderful to have and very helpful to us.

The initial setup was done in less than two months.

The implementation strategy was done how any other mass deployment is done. You take a small set of computers, put it on one, remove the old solution, and then run that group by itself, figuring out if there are any new or existing exemptions that needed to be in play. Once it is stable, it is rolled out to a larger group, the process is repeated, and then it is moved onto the servers.

Overall, four people worked on the deployment: It would have been my predecessor, my other coworker, and two server guys to do the server environments.

Our ROI has been high compared to what we had with McAfee. We spend about two hours a month for its care and feeding, which is really low maintenance. We previously spent two to three times that amount of time managing our McAfee environment.

Pricing and licensing seem to be in line with what they offer. We are a smaller organization, so pricing is important. Obviously, we would make a business case if it is something we really needed or felt that we needed. So, the pricing is in line with what we are getting from a product standpoint.

Since moving to CrowdStrike, we have not looked at other endpoint management solutions. In fact, when we look at a new tool, we want to make sure it will play well with CrowdStrike, be it a new SIEM or anything cloud-based. 

Make sure you know what the policies do. There are a lot of good and bad things that you can do with too strict or too loose of a policy governing workstations or servers.

We have evaluated the CrowdStrike Horizon module. We are not there yet. Our environment has not changed drastically since our last review of it. So, we have not felt the need to revisit it since then.

It is important to not solely rely on one product, especially one that has a good or bad name, such as McAfee. Because there was a lot of, "Oh no, we got an antivirus. We're fine." It helps to make sure you always have an in-depth defense strategy.

I would rate it a solid nine out of 10. 

We primarily use the solution as advanced threat protection. It is used to protect all endpoints, servers, etc. 

They're very good at what they do. As far as the product is, in its current state, I don't have any complaints at all right now. They do a quarterly review with us, just so they can let us know how many viruses or how much malware they've stopped, etc. Those features are quite good. They also go through the portal step-by-step to describe whatever they improved or tightened up. They will explain everything clearly and in a way that a customer can understand.

They do also ask for feedback, which is nice. They'll ask things like "The last time we changed this, how was your experience?" or "Did you get a lot of false positives?" or "Did you get any complaints?" etc. That's pretty good. Not many companies do that.

The UI is simple and self-explanatory. Everything is easy to understand.

So far, in the past three years, they've been absolutely great. They've been more proactive than the solution we had previously was. They even introduced new products in their line and they came back and told us that they could add that product to our current solution. At first, we added them, then we decided we had sufficient resources in house to manage it ourselves and removed it. They were great about the change. 

They've caught quite a lot of viruses and malware that have been sent through improper links, which is very reassuring. 

They report any network isolation that has been done on certain endpoints if they detect a malicious file or malware on the device that couldn't be cleaned by automation. They isolate it or us. The end-user can contact the service desk and say, "Hey, I'm not able to surf the internet. I can't do anything, so can you help me?" or we're able to look at the endpoint and see "oh, your PC is infected, that's why you aren't allowed on." It's protecting us well.

Even though the users are somewhere else, even when they're not at headquarters, we are able to remediate everything before we put them on the network again. Those network isolations are great when we detect high threat malicious items. Those are valuable tools that we appreciate.

If an operating system is stopped by support by the original vendor like Microsoft, or maybe Apple, within a few weeks, CrowdStrike will also decide they no longer support it, and they kind of move on. I understand their model. However, if we still have the OS, it's hard to keep it protected. So, for example, if Microsoft decides to stop supporting or patching a solution, Crowdstrike too will stop supporting it and making updates. It's still a useable product, it's just not getting updates or patches and therefore may be vulnerable. 

The result is that we can't guarantee we're going to be able to protect that hardware or operating system. We either have to upgrade to a newer platform, which sometimes is not possible because you have a legacy application. Whatever that constraint is, sometimes we're not able to move things. We still have to rely on other products to support that. That's the only quandary I have with them. 

Basically, they don't cover legacy OS or applications. That's the only issue we're concerned about.

When a file is infected or it detects a ransomware file network, when it does remediate, it should self-heal as Sophos does. That's a good feature to have, but I don't know enough pros and cons about that to kind of recommend that because if it is a false positive, that may be a problem. If it detected a valid file and if for some reason it decides, "Oh, this looks like an infection," and maybe it's not actually infected, and if it goes in and remediates it by replacing it with an older file, that may be a problem. However, I don't know, because I've never used that feature or heard anybody say that's a problem.

I've been using the solution for about three years now.

I have two engineers that regularly watch everything. We all get alerts. We'll see if something gets isolated, or a user will tell us. We isolate the issues and work on them so nothing gets through the endpoints into the system. Within 30 minutes to an hour, an issue can be cleared.

It's therefore very stable. We're able to catch everything before it can get it. It's reliable for sure.

They're so pro-active there's very little intervention that we have to do on our end.

The solution is easily scalable. A company shouldn't have any issues with that aspect of the solution.

Technical support is great. We've never had to contact them at all. Instead, they've always been proactive and reached out to us.

Their quarterly review manager will contact us every three months. They schedule it months ahead and we actually jump on a Zoom or WebEx meeting. They actually go through the improvements, how much detections they go through, all of our features, anything new that has been added, anything they're seeing out in the world in terms of threats, and where we need to tighten up the roles.

They would improve the sensitivity level or they will decrease the sensitivity level for some false positives. For example, they might say "Hey, we detect these, but they're not really a threat because this is just a Word document that's produced in an older format. It's not something that's malicious." Then they would decrease the sensitivity in certain areas, to eliminate the issue going forward. They always ask permission before tweaking anything. They will come to us and say, "this is what we're considering doing it and why we want to do it. Is that okay?" We usually agree to that and then they go ahead and do it.

It's just a phenomenal company. If they ever stopped the way they handle their customer service, then I would probably move on to a different company. So far they've been pretty good. For the last three years, they contacted us always and told us about every aspect of the solution. I don't think I missed a quarterly meeting so far with them due to the fact that it's all been so valuable.

Originally, we had Webroot. We used to get, every so often, a slew of viruses that would get through the cracks. I don't know if Webroot's definition didn't get updated in a timely manner or if they were just delayed in something, however, whatever it was, we used to get that intrusion quite a bit. Then we would patch it and we would have to remediate everything. It wasn't ideal. 

We were looking for a product that would be more proactive than a reactive solution, and after doing a bunch of research, we decided on CrowdStrike. 

The solution's initial setup was very simple. The only thing we had an issue with is our network operation. Is a separate organization that manages it. We have a network operation that we used for 24 hour monitoring. They don't support CrowdStrike and they were not experts in it. They stood us we would have to manage it ourselves. In the beginning, we were kind of worried about it. However, after that initial stage, the simplicity of how to install it, configure it was like a breeze.

We manage the entire solution in house. For maintenance, we have me and two engineers, plus a second level of support. There are around five people altogether.

I'm not sure of the exact cost of the solution. That's a detail our finance department handles.

We did research on Cylance. We looked at Norton as well. We went through a bunch of products and we decided CrowdStrike was probably the most advanced threat protection at that time, which was three years ago. 

One of the products we were looking at is Sophos. The reason we were looking at Sophos is we were purchasing a backup and disaster recovery tool. In that tool, they had a built-in Sophos pack; they integrated Sophos in to protect the backup and replication and recovery. That way, if a backup had infections, for some reason, and they weren't picked up, and it got into our backup product, then Sophos could kick in and pick it up. It has automated remediation, meaning it reverses back the infection before infection if that makes sense.

Sophos has a self-healing technology built into it, which is an AI technology that they invented. We were looking at that because we thought that may be a better product. We were doing some homework on that and trying to figure out more about it. We're still in the process of purchasing a backup and recovery tool, so we're still doing our homework.

We're just customers. We don't have a business relationship with the company.

I'm not sure which version of the solution we're using. The last time I checked, it was version 5.6. It is up-to-date, however. I get a report every so often saying, we've updated the sensors, or current version, etc. It's an auto-update and it does that. Whenever it's missing something or it couldn't reach an endpoint, the company will send me a report of that, saying these endpoints are not updated because we couldn't detect it on the network any longer.

The only advice I would say to others considering the solution is, if they have an unsupported operating system or legacy application, to look closely at CrowdStrike to see if the solution actually makes sense for them. This is due to the fact that they're not going to be able to support it. If they have thousands of servers and 20% of them are legacy applications, they may not want to think about CrowdStrike because the solution doesn't support legacy products. Other than that, I fully recommend CrowdStrike. The advanced threat protection they have has always been great.

I'd rate the solution a solid nine out of ten.

We have several use cases including threat management, EDR, AV, and a SOC with 24x7 monitoring.

The fact that CrowdStrike is a cloud-native solution is very important. We don't have to deal with any upgrades on the appliances or console. The only thing we have to deal with is the upgrade of the agents. The SaaS model works very well for smaller companies like us.

The flexibility and always-on protection that is provided by a cloud-based solution are important to us. The cloud is everywhere. So, with the agent on the laptop, wherever the user may go, including home, office, or traveling, it's protected 24x7, all the time. That's what we require and this is what we got.

We haven't had cases where we have quarantined any material stuff yet, because we are relatively small and we don't see a lot of malware in our environment. In this regard, it has been relatively quiet.

In terms of its ability to prevent breaches, if you look at the cyber kill chain, the sooner you detect malicious activity, the better you are in responding as opposed to waiting for a data breach. I think CrowdStrike is capable of identifying malicious activity throughout the whole cyber kill chain. Step one is establishing when they have a foothold in the environment, and then detect whether they are moving laterally. The sooner they are discovered, the better we are at stopping data breaches.

CrowdStrike has definitely reduced our risk of data breaches. It reduces the risk of ransomware and it gives us comfort that someone is watching our back.

We had some end-of-life workstations that were running Windows 7 and for some reason, related to PCI compliance, CrowdStrike rejected them. This helped us in terms of maintaining our PCI compliance.

The OverWatch is the most valuable feature to me. It's a 24x7 monitoring service, and when they see anything suspicious in my environment, they will investigate. Essentially, they're an extension of my team and I like that. We're a small company and we only have a base of approximately 260 employees. As such, we cannot afford to hire skilled security people. So this makes sense for a smaller company like us.

There is a helpful feature to look into the vulnerability of the endpoint, which allows us to see which PCs have been patched and which ones have not. That helps my team to focus on those PCs that require their attention.

The deployment process is an area that needs to be improved. For some reason, CrowdStrike does not provide any help in terms of how to deploy the agent in a more efficient manner. They just don't provide the support there, which leaves their customers to figure out how to push agents out, either through GPO or through BigFix or through SCCM, and there was no support on that side. Not being able to complete the deployment in an efficient manner is one of the huge weaknesses.

It would be good if they had a feature to remove agents. We're in a transaction processing environment and if CrowdStrike is affecting a transaction processing server, we need to uninstall that agent pretty fast. Right now, the uninstall has to be done manually, which is not great. If we have a dashboard capability to uninstall agents, I think that would be great.

The dashboard seems a little bit too clunky in the sense that it's spread out in so many ways that if you don't log in on a daily basis, you're going to forget where things are. They can do a better job in organizing the dashboard.

I have been using CrowdStrike Falcon for approximately five months.

I haven't had any issues for five months since we've installed it, which is good to know. No users have complained about any CPU spikes or false positives, which we like.

If you have a way to deploy agents in a rapid manner, I think the scalability is there. As we buy and acquire companies, we have to roll out agents to those places. Right now, it's still very manually intensive and it slows down the process a lot. So, I think the scalability can be improved with a rapid deployment feature.

Our strategy right now is just to install CrowdStrike for PCs and laptops. Once we get comfortable with the technology, we can start testing the servers. It's just that we haven't finished the deployment to PCs and workstations yet.

We have approximately 260 endpoints and we're probably about 20% complete in terms of deployment.

We've raised support tickets such as the request for rapid deployment capabilities. However, we only received responses to the effect that they do not support anything like it. In that regard, the support has not been great.

That said, we don't use the support site a lot because we haven't had any issues with CrowdStrike. So, I can't say much about that.

Prior to CrowdStrike, we used Carbon Black Threat Hunter.

There is a huge difference between the two products. CrowdStrike is quiet. I think that Carbon Black Threat Hunter just locks everything that has to do with the endpoint. You generate a lot of noise, but it means nothing. Whereas CrowdStrike is more about real threats and we haven't seen much from it.

On the other hand, with Carbon Black Threat Hunter, we were able to deploy pretty fast and we could uninstall agents pretty quickly from the dashboard.

I had originally heard about CrowdStrike Falcon from my peers. A lot of CSOs that I have roundtable discussions with speak highly about it.

The sensor deployment is a manual process right now, where we have to log into every workstation, every server, and install it manually. It's very time-consuming.

It's an ongoing process across our organization.

One of our security engineers is in charge of deployment. However, we don't have someone on it full time. He works on this when he has time available, so we probably only have one-third of a person working on it.

We completed a PoC using the trial version, and it was pretty easy to do. It took us less than an hour to deploy. It was just a matter of downloading a trial agent and setting it up.

Having the trial version was important because the easier the PoC is, the better the chances are of us buying the tool.

At approximately 40% more, Falcon is probably too expensive compared to Cisco AMP and Cylance, although that is because of the OverWatch feature. If you took out the OverWatch feature then they should be about the same. There are no costs in addition to the standard licensing fee.

We evaluated other products including Cisco AMP and Cylance. Neither of these products has the Overwatch feature that CrowdStrike has. The reason why we chose CrowdStrike was that we need to have 24x7 monitoring of our endpoints. That's the main difference.

In terms of ease of use, CrowdStrike is not so great. Cisco AMP has a better, cleaner dashboard and they're more mature in the way that you navigate. It's as though they have spent time getting customers to click on features and then figured out which is the quickest way to get to what you want, whereas CrowdStrike is not there in that sense.

Cylance is even better in terms of ease of use. They dumb it down to only a small number of menus and dashboards. There are probably only five dashboards that I look at on Cylance, whereas with CrowdStrike, I have to look at many.

My advice for anybody who is considering CrowdStrike is definitely to start with a PoC, and then definitely to subscribe to OverWatch. I think that OverWatch is the main benefit to it.

The biggest lesson that I have learned from CrowdStrike is about the different threats that are out there. They have a nice dashboard with information about threats, and you can read it and learn from it.

I would rate this solution a seven out of ten.

We are using it primarily for NGAV, but we also use their EDR product and Falcon OverWatch.

Most of our internal stuff is still on-prem. We do use SaaS for vendor products, but our internal environment is still mostly on-prem.

I think everyone is trying to move away from on-prem solutions. Having the cloud-based management console makes it a lot easier to maintain. It takes a load off our hands as engineers and analysts. It helps with upgrades and patching, I don't have to worry about on-prem servers for maintenance, but also as another thing to defend against, so getting rid of that is definitely beneficial.

As a cloud-native solution, it provides us with flexibility and always-on protection. I don't have to worry about data center failures on my end. I don't have to worry about any issues in our server rooms affecting the protection of the environment as a whole. Having CrowdStrike take that responsibility is a load off our backs.

Falcon has been very successful in preventing breaches. In the beginning, there were a lot of false positives as Falcon learned our environment, but I would definitely give it a positive rating overall for protecting our environment.

The NGAV portion is the most valuable feature. The primary reason that we went with the product was their reputation. In practice, it has been a definite step up from where we were previously.

We are using Falcon Investigate, which is their EDR tool. The EDR has made it infinitely easier to investigate into more detail on end user workstations and servers. Any sort of detection where I can go back into the EDR tool and dig down deeper into the endpoint is great. This was a function that we did not have previously.

There are some aspects of the UI that could use some improvement, e.g., working in groups. I build a group, then I have to manually assign prevention policies, update policies, etc., but there is no function to copy that group. So, if I wanted to make a subgroup for troubleshooting or divide workstations into groups of laptops and desktops, then I have to manually build a brand new group. I can't just copy a build from one to another. Additionally, in order to do any work within a group, I have to first do the work on the respective prevention policy page or individual policy page, then remove the group if the group is assigned to a different prevention policy, remove the prevention policy, and then add the new one in. So, it can get a little hectic. It would be easier if I could add and remove things from the group page rather than having to go into the policy pages to do it.

I have been using it less than a year. We are relatively new customers.

My impressions of the stability are positive. I haven't had any problems since implementation with stability or availability.

Minimal maintenance is required on our side post-deployment, but it still does require maintenance. If I have to build out new groups or a troubleshooting group, e.g., tweaking policies if machines change subnets, then there is still maintenance required.

All post-implementation maintenance and administration is handled by a single security engineer.

We are a relatively small firm, but I have had no problems in my deployment plans. I could easily see this scaling upwards.

In total, we are protecting roughly 1500 endpoints.

They have been very on point and helpful. I have never had to ask them where they are. They are always following up with me trying to keep the tickets live, so that is great. I have been very impressed.

We replaced Symantec Endpoint Protection. On the one hand, we wanted a fully NGAV. Symantec was still using a hybrid model, a mix of signature-based and behavioral-based detections, so moving over into a full NGAV product was important to us. We wanted to stay up to date on the ever changing nature of malware, especially since we have been seeing more malware nowadays that can evade strictly detection-based systems. Also, Symantec support was very hard to track down or talk to. All in all, CrowdStrike has been more responsive to any questions or concerns, which is big when you are dealing with vendor solutions.

Fortunately, we have not experienced any major detections. However, testing-wise, CrowdStrike has been more effective overall.

Deployment was pretty easy. We scripted out a process in GPO, then we were able to deploy it fairly seamlessly.

We managed to deploy it to all our servers within a week or two. That was mostly due to getting clearance from server owners, not due to the CrowdStrike installation. Then, for the workstations, it was a bit longer just because of office locations and when people had their computers on. The CrowdStrike process was very smooth. It was really just the bureaucracy part that took a while.

We had to change management protocols. We put it out to dev servers and workstations in detect-only mode as we deployed CrowdStrike to endpoints that had a preexisting AV system still on them, in order to avoid any time where a system would not be protected by an antivirus system. So, we deployed CrowdStrike, then disabled the previous antivirus system and activated CrowdStrike's prevention policies, then uninstalled the previous antivirus system.

Four or five people were involved in the deployment: a security engineer, two workstation engineers, and various server owners.

It is protecting our environment, so it is worth the cost.

It has definitely minimized resources. When everything was on-prem, there was a lot more work maintaining it. One of the big value tickets: I don't have lists of hundreds of exceptions for certain applications that I have to maintain, add, delete, and move. The very nature of the product has lessened my workload considerably.

The pricing was very fair for what we got.

Different components are additional price points. We got the components that were right for us, but other organizations may require more (or less) components to suit their needs.

CrowdStrike is an industry leader. When we were looking for a replacement technology for NGAV, their name was on the top of a Google search.

We did a PoC with CrowdStrike. We deployed the PoC only to a select group of test machines, so we were able to deploy rather quickly. The PoC helped immensely in the decision-making process.

We did evaluate Cylance and Carbon Black. All the products that we investigated looked good. In the end, we went with CrowdStrike because of: 

1. The reputation of the organization in the AV community.
2. Its out-of-the-box readiness. 
3. Ease of maintenance and administration.

Take the time you need in the beginning to fully build out all the groups and prevention policies that you will need. It may take a bit longer during the initial setup, but it is worth it in the long run because it makes maintenance down the line much easier than having to build new groups or prevention policies as they come up. Definitely take the time needed in the beginning. Then, later down the road all you have to do is check some boxes, as opposed to building out brand new groups and prevention policies, which can take awhile.

In the beginning, there will be a bunch of false positives as it learns your environment. However, those are very easily handled within the UI, creating IOA or machine learning exceptions. With our previous solution, we had a couple hundred exceptions, and with CrowdStrike, we have six or so.

CrowdStrike has fulfilled its function very well. We got it specifically to serve the purpose that it is serving.

It is a solid nine out of 10.