Published on July 1st, 2019

CrowdStrike Falcon 4.x Product Review



Summary

CrowdStrike Falcon combines intelligence, next-generation antivirus, endpoint detection and response and managed hunting via the cloud. The company pioneered the use of attack indicators to protect against advanced persistent threats with and without malware. The 24/7 Falcon OverWatch team backs the tool’s functionality, going beyond alert triage with proactive adversary and threat hunting across all environments.

The solution focuses on stopping breaches before they occur, through advanced detection, prevention, monitoring and granular search capabilities meant to catch sophisticated threats and adversaries that might otherwise go undetected.

It is broken into two main parts: 1) a single, lightweight, intelligent sensor deployed to every endpoint, which gathers system events and takes proactive detection and prevention actions as necessary, with or without cloud connectivity; and 2) the CrowdStrike ThreatGraph, to which the sensor continuously transmits that event data for analysis.

MalQuery is CrowdStrike's database of malware, against which file hashes are cross-referenced to obtain additional information. If a piece of malware is used repeatedly by an actor, the system can assign attribution and then begin building a profile of how that adversary operates. This information is also fed into the sandbox report. Sandboxing is integrated into alerts, eliminating the need to deploy another appliance or add a separate console.

By following the comprehensive instructions provided, we found setup to be straightforward. To put the tool through its paces, we ran our lab's toolsets on Windows Server 2016, Windows Server 2012 R2 and Windows 10, all of which CrowdStrike caught. We then navigated to the activity dashboard, which showed the detections and an accurate count of the detonations we had executed. We were truly impressed with the ease of navigation between the different applications and with how interactive the dashboard is. An administrator or security analyst with little experience could navigate this product with a high degree of confidence in understanding an event. CrowdStrike impressively stopped all five test detonations.

The ThreatGraph takes the sensor data and produces a sophisticated, powerful graph of digestible and actionable information. It constantly analyzes that data to detect and establish behavioral patterns that indicate new attacks. When we clicked on one of the incidents displayed under the most recent detections, the tool populated a visual process tree of the incident. We found the process tree easy to navigate and the information in the details pane on the right side of the screen to be straightforward. It showed numerous details on execution, files, sandbox analysis and so on, helping organizations gain a clear understanding as quickly as possible without being overly technical.
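The process tree the review describes is built from the parent/child relationships in the sensor's process-start events. The following is an added illustration, not CrowdStrike code, of how such a tree and a detection's ancestry chain are reconstructed from that kind of telemetry. The event schema (`ts`, `pid`, `ppid`, `image`, `cmdline`) and the sample events are constructed for the example and are not the Falcon sensor's real format; it also shows the two edge cases an analyst hits with real data, a parent that never produced a start event and a PID that was reused after its original process exited.

```python
"""Reconstruct an endpoint process tree from process-start events.

Added example, not CrowdStrike code. The event fields and sample data are
constructed for illustration and do not reflect the Falcon sensor's schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample telemetry: a document-borne chain under explorer.exe
# (winword -> cmd -> powershell) plus a service process whose parent (pid 4)
# started before the sensor and so has no start event of its own.
SAMPLE_EVENTS = [
    {"ts": 100, "pid": 1234, "ppid": 900, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"ts": 105, "pid": 700, "ppid": 4, "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"ts": 110, "pid": 2044, "ppid": 1234, "image": "winword.exe", "cmdline": "winword.exe invoice.docm"},
    {"ts": 120, "pid": 3100, "ppid": 2044, "image": "cmd.exe", "cmdline": "cmd.exe /c powershell -nop -w hidden"},
    {"ts": 121, "pid": 5012, "ppid": 3100, "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden"},
]


@dataclass
class ProcNode:
    pid: int
    ppid: int
    image: str
    cmdline: str
    ts: int
    children: List["ProcNode"] = field(default_factory=list)


class ProcessTree:
    """Links process-start events into parent -> child trees."""

    def __init__(self, events: List[dict]) -> None:
        self.by_pid: Dict[int, ProcNode] = {}
        self.roots: List[ProcNode] = []
        # Oldest first, so when two events carry the same PID (Windows reuses
        # PIDs) the most recent process wins. Real telemetry keys on a unique
        # per-process identifier instead of the bare PID used here.
        for ev in sorted(events, key=lambda e: e["ts"]):
            self.by_pid[ev["pid"]] = ProcNode(ev["pid"], ev["ppid"], ev["image"], ev["cmdline"], ev["ts"])
        for node in self.by_pid.values():
            parent = self._parent(node)
            if parent is None:
                self.roots.append(node)
            else:
                parent.children.append(node)
        self.roots.sort(key=lambda n: n.ts)

    def _parent(self, node: ProcNode) -> Optional[ProcNode]:
        """Return the linked parent, or None if the node should be a root.

        A parent that is missing (pre-sensor process or lost event), is the
        node itself, or started after the child (its PID was reused) is not
        linked; the child becomes a root rather than corrupting the tree.
        """
        parent = self.by_pid.get(node.ppid)
        if parent is None or parent is node or parent.ts > node.ts:
            return None
        return parent

    def ancestry(self, pid: int) -> List[str]:
        """Image names from the outermost known ancestor down to `pid`."""
        chain: List[str] = []
        seen = set()
        node = self.by_pid.get(pid)
        while node is not None and node.pid not in seen:
            seen.add(node.pid)
            chain.append(node.image)
            node = self._parent(node)
        return list(reversed(chain))

    def render(self) -> List[str]:
        """Indented text rendering, one line per process, oldest first."""
        def walk(nodes: List[ProcNode], depth: int) -> List[str]:
            out: List[str] = []
            for n in sorted(nodes, key=lambda x: x.ts):
                out.append("  " * depth + f"{n.image} (pid {n.pid}): {n.cmdline}")
                out.extend(walk(n.children, depth + 1))
            return out
        return walk(self.roots, 0)


if __name__ == "__main__":
    tree = ProcessTree(SAMPLE_EVENTS)
    print("\n".join(tree.render()))
    print("ancestry of pid 5012:", " > ".join(tree.ancestry(5012)))
```

Running it prints the tree with `svchost.exe` as a second root, since its parent never produced an event, and the ancestry of the PowerShell process reads `explorer.exe > winword.exe > cmd.exe > powershell.exe`, which is exactly the lineage an analyst reads off a detection's details pane to judge whether an Office document spawning a shell is expected on that host.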

Tested by Tom Weil and Matthew Hreben
