CrowdStrike Cybersecurity Solutions

CrowdStrike SASE Solution: Comparisons, Review, Benefits, Use Cases, Pros & Cons

Author: Netify Research Team

If you have questions about CrowdStrike and how their capability is aligned to your needs, email the Netify research team.
UK: uk@netify.co.uk North America: northamerica@netify.com

(Please use the UK email for ROW - Rest of the World - questions or enquiries)

Netify Review

CrowdStrike is a good choice for businesses who require a strong endpoint protection solution. They offer managed endpoint security with constant monitoring (EDR), MDR and XDR. However, CrowdStrike is not a networking solution and therefore third party integration is required for SD WAN and SASE (although they offer SASE elements). The solution can scale from small to medium to large global enterprises, making them a versatile choice for a variety of companies - their range of previous and current clients illustrates this further. 

About CrowdStrike

CrowdStrike focus on cloud-delivered and next-generation cybersecurity services - specifically threat intelligence and response and endpoint protection. They were founded in 2011 and are currently headquartered in Texas, North America. They own a number of subsidiaries, including Humio, SecureCircle, Payload Security and Preempt Security. In 2021, they were named a leader in the Gartner Magic Quadrant for Endpoint Protection Platforms and a leader in the Forrester Wave MDR. 

CrowdStrike Products and Services:

CrowdStrike Endpoint Security:

The Falcon Platform is CrowdStrike’s endpoint protection offering. Delivered from the cloud, it can be purchased in bundles, or as individual modules. These modules can also be added to Falcon Endpoint Protection Bundles.

• Falcon Pro: A low cost bundle, Falcon Pro is designed to replace legacy AV with NGAV and integrated threat intelligence and response. 
• Falcon Enterprise: Includes unified NGAV, EDR (see, What EDR (Endpoint Detection and Response) Solution is Supported by CrowdStrike?), managed threat hunting and integrated threat intelligence.
• Falcon Premium: Full endpoint protection with threat hunting and expanded visibility.
• Falcon Complete: Endpoint protection delivered as a service and backed with a Breach Prevention Warranty up to $1M.

Additional Modules:

• Falcon Spotlight (manages system vulnerabilities)
• Falcon Mobile (mobile EDR)
• Falcon Forensics (forensic data analysis)

Stand-Alone Modules:

• Falcon Search Engine (malware search engine)
• Falcon Sandbox (automated malware analysis)

Specialized Products:

• Falcon On Govcloud (cloud-delivered endpoint security, used by the US public sector)
• Falcon for Data Centers (secures physical, virtual or cloud-based data centers) 

CrowdStrike Threat Intelligence:

Falcon X Automated Threat Intelligence augments a client’s Security Operations Center (SOC) and Incident Response teams using built-in adversary intelligence. This combines malware sandbox analysis, threat intelligence and malware search into one solution, reducing time and skills required to perform manual incident investigations. Clients can identify and investigate related threats whilst blocking similar attacks from happening again in the future. 

Threat Intelligence can also extend endpoint integration as it is build directly into the Falcon Platform, requiring no integration, administration or deployment. Workflows are streamlined as all quarantined files are automatically forwarded to Falcon X for investigation.

• Indicators of Compromise (IOCs): Visualizes relationships between IOCs and adversaries found on client’s endpoints, whilst leveraging security from the Falcon Platform. Client’s defenses can be strengthened with CrowdStrike’s real-time global IOC feed and threat hunting. Defenses with existing security solutions can also be managed using pre-built integrations and APIs. 
• Actor Profiles: Offers information about adversaries intent and capabilities, to help clients predict how to adapt to future changes. Access is provided to over 165 profiles of nation state, eCrime and hacktivist adversaries which focus on attacking a client’s business, region or industry.

There are three different product offerings for Falcon X:

• Falcon X: Built directly into the Falcon Platform for quick deployment, Falcon X is designed to automatically investigate incidents and accelerate alert triage and response. The service includes Endpoint Integration, Automated Investigations and Indicators of Compromise (IOCs).
• Falcon X Premium: Includes all of the above, as well as added threat intelligence reporting and research from CrowdStrike security experts, Intelligence Reports, Tailored Intelligence and SNORT/YARA Rules. This enables clients to cope with eCrime, nation-state and activist adversaries. 
• Falcon X Elite: Includes everything from the above two offerings, as well as Requests for Information, Assigned Intel Analyst and Priority Intelligence Requirements. This expands a client’s security team with access to intelligent analysts for help defending against adversaries targeting the organization.

CrowdStrike Identity Protection:

CrowdStrike Identity Protection is designed to protect against breaches that use compromised identities, leveraging advanced AI in a threat centric data fabric. The solution includes real-time detection and prevention, with high ROI as security products and processes are eliminated, taking pressure off client’s security teams. 

Identity Protection offers unified control of all identities, to accelerate key identity projects such as Adaptive Authentication and Conditional Access which creates improved Multifactor Authentication (MFA) coverage and user experience for all systems, including legacy systems, remote users and single sign-on (SSO). Clients also benefit from visibility into the secure Active Directory (AD) both on-premises and in the cloud. AD attack paths such as shadow administrators, shared credentials and stale accounts are identified and blocked as security is hardened. AD security hygiene is improved with continuous monitoring of authentication traffic and user behavior to catch access deviations, password compromises and credential weaknesses - offering dynamic risk scores for all users and device accounts. 

All authentication activity can be monitored easily with increased visibility in all accounts and endpoints - managed and unmanaged. This can include login type (human or service accounts), location information and source and destination (including SSL-VPN and RDP) across on-premises and cloud deployments. Identity Protection can reduce the attack surface by identifying misused service accounts, stealthy admins and anomalous user behavior in the Virtual Desktop Infrastructure (VDI). This offers protection against privileged user threats, insider threats and credential compromise from lateral movement attacks. 

The solution can integrate into existing security architectures, IT tools, IAM solutions, SOAR infrastructure and SOC run books with pre-integrations with Splunk Phantom and Palo Alto Network’s Cortex XSOAR. For compliance requirements, the solution can output logs into SIEM without the need for log ingestion - however taking in of logs from SIEM, VPN and other sources can provide additional context. Leverages pre-integrations with Okta and Ping to ensure the use of SSO infrastructure to stop indentity-based threats faster and an existing MFA solution such as Duo to challenge users only when required to avoid MFA fatigue. Integrations are also possible for critical IT security tools such as Axonius and CyberArk, offering high performance APIs. 

CrowdStrike Identity Protection comes in two offerings:

• Falcon Identity Threat Protection: Offers accurate threat detection and real-time prevention of identity-based attacks. Leverages advanced AI, a flexible policy engine and behavioral analytics to enforce risk-based conditional access. 
• Falcon Identity Threat Detection: Deep visibility for identity-based attacks and anomalies in real-time without the need for log files. Suitable for organizations requiring identity-based threat incident alerts and threat hunting with no need for analytics and automated threat-prevention. 

What XDR (Extended Detection and Response) Solution is Supported by Crowdstrike?

Falcon XDR is an extended version of EDR, offering enhanced threat correlation and improved response times against sophisticated attacks. The solution accelerates threat analysis and hunting as data is changed into cross-platform attack indicators, insights and alerts, which improves the efficiency of a client’s SOC teams. Falcon XDR will guide remediation with detailed information about infected hosts, indicators, timelines and root causes - improving response times and preventing attacks from becoming breaches. Security teams can design and implement automated response workflows for full security stack remediation, building custom detections and scheduled searches that are unique to their organization. 

Falcon XDR is deployed from a single console and is able to detect stealthy threats automatically without the need for IT staff to create and manage detection rules. Triage and investigation is sped up by prioritized alerts, detailed detection information and rich context mapped to the MITRE ATT&CK framework, with improved visibility from XDR integrations, streamlined telemetry, open data schema, parsing, mapping and ingestion. The solution incorporates CrowdStrike Endpoint Protection and offers the graph explorer to visualize each step of an attack for clear understanding. 

CrowdStrike Observability and Log Management:

CrowdStrike offer log management via their acquisition of Humio. Clients can choose from three different offerings: 

• Standard Humio: Ingests and retains streaming data. Offers real-time updates for alerts, scripts and dashboards and low latency for live tail and retained data. The solution is index-free, working with any structured or unstructured data format.
• Humio Community Edition: Capable of logging all data and answering questions in real-time for no extra cost, Humio Community Edition is free to use and cloud deployed, leveraging streaming data ingestion to achieve instant visibility across distributed systems whilst preventing and resolving incidents. The solution includes: access to Humio’s marketplace, ingestion of up to 16GB per day and live dashboards
• The Nest by Humio: Clients can connect with DevOps, ITOps and SecOps teams from around the world to enhance log management skills and overcome observability challenges. 

What EDR (Endpoint Detection and Response) Solution is Supported by CrowdStrike?

Falcon Insight is CrowdStrike’s EDR solution, which includes detection, response and forensics. The solution will automatically detect and prioritize malicious and attacker activity, allowing clients to contain and investigate compromised systems (including remote access). Security teams can use alerts, detections and incidents to build repeatable automation and map alerts to MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) framework to help clients to understand complex detections. Response times are improved as triage is automated and clients can see what needs priority attention.

As part of Falcon Insight, Falcon Fusion is designed to improve the efficiency of client’s SOC teams by orchestrating and automating complex and repetitive tasks. The solution will monitor endpoint activity, offering visibility and detailed analysis to detect suspicious activity. This allows clients to minimize time spent investigating and responding to alerts. 

How does CrowdStrike access cloud vendors?

Falcon Cloud Workload Protection offers breach protection security for containers, workloads and Kubernetes. Organizations can build, manage and secure cloud-native applications efficiently, offering visibility across the cloud environment, instance metadata and container events for efficient threat hunting and investigation. The stack is secured on any cloud, extending across all containers, workloads and Kubernetes applications with automated security designed to detect and remedy suspicious activity and zero-day attacks and risky behavior, reducing the attack surface. The solution is available for AWS, Azure and Google Cloud and includes the following features: 

• Vulnerability scanning and management
• Multi-cloud workload discovery
• Automated CI/CD pipeline security
• Container Security
• Runtime protection
• Threat graph breach prevention engine
• Single source of truth with powerful APIs
• MDR for the cloud
• Single pane of glass

What is the CrowdStrike managed, co-managed and DIY services solution?

Falcon Complete Managed Detection and Response is designed to augment a client’s security team with added expertise and continuous monitoring. Leverages the Falcon Complete team of security experts who offer experience in forensics, incident handling and incident response, SOC analysis and IT administration, with a large global footprint. The team holds CrowdStrike Certified Responder (CCFR) and CrowdStrike Certified Falcon Administrator certificates, demonstrating their expertise in the Falcon platform. Security experts will help clients to optimize their environment to combat threats whilst retaining high performance levels. The Falcon OverWatch team offers human threat detection, monitoring the client’s environment constantly whilst building and tuning a reputable playbook to ensure any threats are investigated quickly. If an intrusion is identified the team will remotely access the affected system using native Falcon capabilities to remove persistence mechanisms, clear latent artefacts and stop active processes. Further, systems will be restored to their pre-intrusion state with no need to reimage. 

CrowdStrike MDR is powered by the Falcon platform which is cloud-native, with Proprietary Threat Graph offering real-time visibility and insight into the entire environment. Falcon Complete helps clients to categorize all assets into appropriate groups for protection (on-premises, off-premises and in the cloud), ensuring the most current Falcon agent is installed and applying best practices policies to the entire environment. 

Individual components include:

• Falcon Complete Expertise: Security experts from Crowdstrike manage, monitor and respond to threats.
• Falcon Insight Endpoint Detection and Response (EDR): Offers visibility into endpoint activity
• Falcon Discover IT Hygiene: Offers visibility across assets.
• Falcon OverWatch Managed Threat Hunting: Threat hunting team constantly monitors and stops hidden, advanced attacks.

How does CrowdStrike support remote users?

CrowdStrike Falcon prevent for home use is designed to secure personal devices and home systems whilst allowing access to corporate resources. The solution does not require configuration by the end user and provides next-generation antivirus protection that does not impact performance. Administrators can manage remote users via the cloud-native falcon console (maintaining home-workers from corporate users for ease of use management) and provide a specially packaged version of CrowdStrike Falcon lightweight agent for employees to install on at home Windows systems. 

What Reporting and Management is available via the CrowdStrike Portal?

The CrowdStrike Support Portal allows clients to create and manage support cases and subscriptions whilst offering access to the Knowledge Base and Technical Alerts for important information.