I am currently using CrowdStrike Falcon as an EDR, which is integrated with SIEM. We also work in a real-time environment with the product. As a Falconist, I perform investigation actions on it. There are three different kinds of alerts I deal with: one based purely on IOCs, another process-oriented IOA, and those based on machine learning alerts. This is what I work on, and it is actually a good tool. It has multiple features, including real-time connection to the RTR environment, allowing direct remote host connection through CrowdStrike. I have multiple options like host search and event search, enabling me to do everything I need. It's a comprehensive package. It's a challenging tool to explore, but once accustomed to it, it is quite excellent.

Obviously, when checking in the SIEM, not all logs are available. In CrowdStrike, unlike SIEM, actions are clearly defined. For example, a regular AV like Symantec might indicate a file was quarantined or failed to quarantine, but in CrowdStrike, I can verify the action. As an incident response analyst, I can use CrowdStrike to perform actions like directly wiping a file from a host if given access. I can investigate by accessing the customer's host based on the RTR environment and utilize host search to know details for the past seven days, including logins, processes, file installations, malicious processes, and network connections. Event search also allows for detailed investigations, showing accessed files and remote installations.

In CrowdStrike, with the variety of security tools available, learning the different query languages can be challenging. I use KQL queries with Sentinel and AQL with QRadar, and CrowdStrike's query language is different as well. This requires constant learning for security analysts. Simplifying the querying process, such as using double quote queries or directly obtaining logs based on IP addresses or usernames, would be beneficial. The event search tab in CrowdStrike is complex, though the host search is more straightforward and gets details from the past week. The querying system, similar to Splunk, could be made more user-friendly.

I have been using it for the past two years.

The stability is always great. I have never seen instability in the CrowdStrike tool.

When it comes to scalability, it is entirely based on premium models according to demand. Our log retention is low, but paying more increases it. Scalability is moderate, based on the charges paid to the CrowdStrike product service team. Offering good services, like better log retention at a lower price, would be excellent.

The CrowdStrike team is very efficient; I would rate them ten out of ten. They respond quickly when it comes to providing services.

I have worked on Symantec ATP, advanced threat protection, but it is a legacy product. Many companies have moved away from Symantec, and they use legacy antivirus solutions. The integration with Symantec ATP was tough, and event or host searches were based entirely on raw logs.

The current setup is easy, but it could be more natural and make drill-down searches simpler. With advancements in AI, integration could streamline responses further, but there is still room for making the process easier.

The integration task should be done by engineers. I'm interested in the process and have learned something about integration, but we have not fully explored all integration aspects.

CrowdStrike is a great solution. It's a hands-on tool. I have not seen other EDRs like it. Compared to Carbon Black, which is much more difficult with a different UI, CrowdStrike allows direct, detailed investigation with a PID generated for each process. It offers unique abilities not seen in other EDRs. Overall product rating: nine out of ten.

It gives an overview and insights into my AD accounts. It shows if any identity, like an AD user, is compromised, has a weak password, or is logging in from an unusual system. Any anomalies.

I like the insights and detailed view of my AD structure. How protected it is, or is there any loophole or an area that needs more protection.

Another feature I like is that it gives insights into all my domain controllers and ADCs. The configuration is also really easy.

The real-time monitoring feature is good. For example, a user account is hacked. It alerts me that it's been hacked and prompts me to look into it or have the user change their password. I can then log in to my AD, change the password, or notify the user that their account has been compromised and ask them to change their password.

AI capabilities of CrowdStrike are also good.

When I use Identity Protection, I want the full stack, like going for XDR. If anything happens, like a laptop being compromised using a password, it gives me the entire attack flow. For example, the attack came from a particular user, like an IT admin. If their identity is hacked and they log into multiple systems, and those systems are affected, we can see those details and provide good support or recovery for customers and partners.

I'm concerned about the recent issue in July 2024. It involved a faulty content configuration update. What if another update causes the same problem again?

I have been using it for two years.

Stability, I would rate it as a seven out of ten. There are a few instances where our customers have complained about the digital signatures it uses. Sometimes, even if you create a policy, it still tends to block it. A few applications get flagged as malicious even though the customer trusts them. Even if you create an exception rule, it might still block it after a few weeks. Also, there's the recent issue we faced with CrowdStrike and Windows. So, based on that, I'd give it a seven out of ten.

There is room for improvement. They need to conduct more thorough R&D before releasing updates. I think they didn't do that this time, but it was just a one-time issue. However, what if it happens again? That's a concern.

Scalability-wise, I would give it a ten out of ten. It's simple because it's a SaaS solution. For example, this month, I have 50 users. Next month, I have 50 additional users. I just need to buy more licenses and add those systems to CrowdStrike. If I need to put them in certain groups with specific policies, that's easy too.

We work with all types of businesses, including small, medium, and enterprise businesses. Scalability is simple. I don't even need to install it on my laptop. One more good thing is that it offers an XDR view where I can add other components, like the email security solution Proofpoint. I can integrate it, so I'll get my emails and everything will be in a single pane of glass.

We have a Technical Account Manager (TAM). We can directly call them and raise a ticket. Initially, it was a six or even a five because we had to send an email, and it would take three to four days for them to reply. Now, with the TAM, we can get issues resolved faster.

I have experience with CrowdStrike, apart from their Cloud Security offering, which is on GCP. I've worked with CrowdStrike Identity Protection, Device Control, Device Control, EDR, XDR - basically everything except their cloud solution.

The initial setup is straightforward. I don't need to install an agent in my AD, and I can get alerts from my read-only domain controller, which is also good.

I would rate my experience with the initial setup a ten out of ten, with ten being easy and one being difficult.

It's not required to deploy on-premises. It's a SaaS solution. I just need to download the agent and install it on each of my devices, whether they're VMs or my laptop.

One more good thing is that I don't need to be in my office network for it to keep protecting me. I can take the system home, and it will still be protected.

The deployment itself takes about a day to install everything if it's user-based. But for CrowdStrike to learn what to block and what not to block in your specific environment, it will take easily about two weeks. There will be some applications that it might consider a threat because it's a next-gen AV that uses AI.

So, some applications the customer uses might be flagged. I can whitelist them or create a policy to allow them. That's also a very good feature of CrowdStrike.

So, for the initial setup takes two weeks. For it to get to know your environment and work smoothly, just to install agents and set up the dashboard, policies, and all that, it takes about one day.

It offers seamless integration with the existing security infrastructure. We haven't faced any challenges because our customers use CrowdStrike only for endpoint and server security. They haven't gone to the XDR level yet. However, many other OEMs I've spoken to, like Zerto, have said that the CrowdStrike and Zerto integration is very seamless. So, if anything happens on my server end, I'll know when it happened and what the issue is from CrowdStrike. Or, for example a ransomware attack happens, I can restore from my Zerto application.

The benefit I've seen is their backend, which powers the EDR, XDR, and NGAV. It's really good because it can detect anything due to the wide range of customers they have.

For example, one customer has a vulnerability because of a zero-day attack. All the other customers will benefit because it propagates to the cloud and analyzes if other customers are on the same version of the drivers or any other Windows patch. If they are, it will tell us that there's an issue and provide remediation steps. Many of our customers find this very helpful. It's called the CrowdStrike community.

I would rate it a seven out of ten, where one is cheap, and ten is expensive because it's a bit on the costlier side. Compared to Symantec or Trend Micro, CrowdStrike is more expensive.

Overall, I would rate the product an eight out of ten because of one recent issue that happened.

I'm concerned about the recent issue that happened. What if another update causes the same problem again? Is it really as good as it seems? Even our customers have given very good feedback, they get more insights into what's happening, what they should do, and what remediation steps to take. So, in that way, it's very good.

I would recommend it, especially if you're going for endpoint security. I'd definitely recommend CrowdStrike first because it's more mature than SentinelOne and other EDR solutions in the APAC region.

We use the solution for end-user devices.

The reporting console is phenomenal, and I can get a lot of data out of it. The reporting capabilities are much better than anything I've used before. With CrowdStrike Falcon, we can track machines much better.

One of the things that we built and used quite regularly is a remote wipe capability within CrowdStrike Falcon. The solution should have included remote wipe capability out of the box.

If we have a compromised or stolen machine, we can quarantine it within the CrowdStrike console. However, it doesn't include a feature that enables you to remotely wipe that machine via the console. We had to build that in separately.

I have been using CrowdStrike Falcon for two years.

We haven’t faced any issues with the solution’s stability.

The solution's scalability has been amazing. We started by deploying it to 30 users, and over three months, we expanded to 5,000 users with no issues.

For technical support, I open a ticket with the MSP, and they deal with it. Our MSP is excellent at resolving support tickets.

We previously used Symantec Endpoint Protection. We switched to CrowdStrike Falcon because it was a new vendor with new technology.

The solution's initial setup was very easy because we did an SCCM push for deployment.

Our MSP did a lot of the deployment work for us. The solution was deployed by a small team in three months. It took four of us to deploy the tool to 5,000 users.

The solution's pricing is great for us.

It took us about three months to adjust to the new client and switch from a file-level scanner to an AI-based CrowdStrike scanner to see where we felt the differences. CrowdStrike Falcon is deployed on the cloud in our organization. From an end-user perspective, the solution does not require any maintenance after deployment.

New users should be prepared for unexpected alerts. CrowdStrike Falcon views things very differently than many conventional antivirus tools.

Overall, I rate the solution a nine out of ten.

Our primary use case for the product is to enhance our threat intelligence capabilities. We use it to ensure comprehensive security coverage.

The solution has significantly improved our threat detection capabilities. It has helped us identify and respond to potential threats more effectively, contributing to our security posture. There have been no notable drawbacks; the solution meets our needs and complies with local regulations.

The product's most valuable features include its global reach and extensive threat data. Its wide exposure helps gather diverse threat intelligence, crucial for effective security management.

Enhancements in reporting and forensic analysis could benefit the product. CrowdStrike could publish detailed threat reports and analyses more consistently than other providers.

I have been using CrowdStrike Falcon Threat Intelligence since early 2016.

I rate the platform's stability an eight.

The platform is very scalable. It can effectively accommodate growing security needs, which is crucial for organizations with evolving threat landscapes.

Customer service and support vary based on the level of service. Premium support is excellent, but standard support can be less responsive.

We previously used a different solution. We switched to CrowdStrike due to its comprehensive threat intelligence capabilities and global reach, which we found to be more effective for our needs.

The initial setup was straightforward, with the installation taking less than two hours. However, fine-tuning alerts and configuring rules required additional time and effort.

The implementation was carried out in-house.

The product has helped us detect threats that might have gone unnoticed, contributing to overall security.

The product is expensive.

We evaluated several other options before choosing CrowdStrike. Our decision was based on the product's effectiveness and ability to meet our security requirements.

Overall, it is a robust solution that meets our security needs. However, potential users should know the cost implications and ensure the product meets their requirements.

I rate it an eight.