What is our primary use case?
In my cybersecurity strategy, I use CrowdStrike Falcon mainly as an EDR solution. Currently, we are using it as an EDR. We are also in discussions with the CrowdStrike team about integrating a managed SOC.
In the online industry, we are using CrowdStrike Falcon, specifically in online classifieds, which you could call e-commerce.
What is most valuable?
For threat detection, the most effective feature I find in CrowdStrike Falcon is 24/7 managed monitoring, which is basically a next-gen antivirus and next-gen endpoint detection and response. In endpoint detection and response, the best part is 24/7/365 continuous monitoring of the endpoint for identifying any suspicious activity.
CrowdStrike Falcon serves as a next-gen AV, which basically does AI-based behavioral analysis to detect and act on malware or ransomware.
The automated response capabilities in CrowdStrike Falcon handle incidents based on the behavior of the activity, performing analysis in case it finds more objectionable content. If something is blocking or breaking any of your site map or something of that sort, it is a non-traditional way. If the traffic behaves suspiciously, it triggers an automated response to block it. Additionally, if it detects a file whose extension or MIME type is, say, a document, whereas it is self-replicating, that raises a suspicious activity alert. In such cases, the detection happens automatically. In case it is a zero-day, such files often get put in a sandbox automatically to extract them and see why they are identified as malware. It offers automated threat detection as well, not only automated response.
Falcon's integration capabilities with other tools enhance my security posture because it has a very lightweight agent, and having a unified console gives us complete visibility, including endpoints, servers, containers, cloud workloads, everything.
What needs improvement?
To make CrowdStrike Falcon better for the next release, I recommend that they have a model where it works agentless. In terms of everything the agent pushes to the server or to the single console, having a feature where you can have another port, such as SNMP, for your network devices or OT devices, which you can specifically monitor, would be great.
For how long have I used the solution?
I have been using CrowdStrike Falcon for more than two years now.
What was my experience with deployment of the solution?
CrowdStrike Falcon is fairly easy to set up, according to my experience and our team's experience. Since we have a heterogeneous environment, for Windows it is very straightforward and easy, but for Linux it is a bit complex since you need to automate it. If you have a bulk force, then you have to use some CMF or something similar. Overall, it is still fairly easy.
For deployment, it takes approximately a couple of minutes.
What do I think about the stability of the solution?
During these two years with CrowdStrike Falcon, I certainly faced some problems, including the known CrowdStrike outage, which was quite pinching and brought many of the Windows-related services to a halt just because of one bad configuration push from CrowdStrike tracks.
Except for the incident mentioned above, I have not seen any recent issues with stability.
What do I think about the scalability of the solution?
CrowdStrike Falcon is easy to scale for my company's needs.
How are customer service and support?
I have contacted CrowdStrike for issues, and the response was poor. That particular experience was pretty bad, with people not knowing what was happening, how to mitigate, or what to do. We were in a bad situation, but after a couple of hours, their communication started flowing fine, and things gradually started improving. For that particular instance, I would rate it less than four.
Which solution did I use previously and why did I switch?
Before working with CrowdStrike Falcon, I evaluated options such as Carbon Black and SentinelOne.
What was our ROI?
As for return on investment after implementing CrowdStrike Falcon, I would say if it is protecting my environment, that itself meets my expectations so far.
What's my experience with pricing, setup cost, and licensing?
CrowdStrike Falcon is pretty expensive.
Which other solutions did I evaluate?
I do not see a lot of advantages in CrowdStrike Falcon; however, because of one particular problem, we had to give away SentinelOne. Otherwise, all three products are quite comparable.
What other advice do I have?
For those who would like to use CrowdStrike Falcon, I recommend negotiating hard on commercial terms because it is not an easy or affordable solution. From a commercial standpoint, you should negotiate hard, but technically, it is not very difficult.
CrowdStrike Falcon is a user-friendly tool.
On a scale of one to ten, I rate CrowdStrike Falcon an eight.