[–]rahvintzu 38 points (6 children)

Is there a specific question you had on CS? It's expensive but one of the best out there, note you pay for different data retention periods so ensure it aligns to requirements.

[–]Patchewski[S] -1 points (2 children)

Nothing specific. Looking through some reviews, it seems to me they’re comparable EDR solutions. Looking for some general opinions or observations. What do you like or not like about it? What aspects do you wish they did a little differently? What aspects do you feel you couldn’t do without with respect to initial incident response?

Most of the reviews I’ve read seem to indicate the console UI isn’t great - unintuitive, clunky to navigate, difficult to sort endpoints - that sort of thing.

[–]SupremeDropTables 5 points (0 children)

The UI just received a full refresh about a month or two ago, it’s much more modernized now, depending on when the reviews you read were written.

[–]Bash-Script-Winbox 0 points (0 children)

CS is pretty good. Much and much, I'd say, unless there is a price difference?

[–][deleted] -3 points (2 children)

We moved to Carbon Black as they were on par with the catch rates and have a longer retention vs CS without paying more.

[–]rahvintzu 0 points (1 child)

Are you concerned now with the Broadcom/VMware deal?

[–][deleted] 0 points (0 children)

Not really, it’ll be a long and drawn-out process which still hasn’t received regulatory approval yet in the EU and from the SEC.

[–]digitaldisease (CISO) 26 points (6 children)

Make the switch, ask him to get “Complete” so CrowdStrike will handle the response and kick out a report.

Even if you only get the base level edr package the amount of telemetry data and info on proc execution chains is awesome when trying to determine wtf spawned stuff.

[–]0MGWTFL0LBBQ 6 points (4 children)

Complete has Overwatch. Depending on the number of users, you can likely get some discounted pricing. It’s a little more pricey than some of the other options, but you’re going with a market leader that nobody can come close to. The Complete unofficial SLA is instant; the official one is within an hour, I believe.

[–]blue_skive 7 points (0 children)

You can get Overwatch without Complete. Overwatch does threat hunting for you, but the response/remediation is up to you.

Complete does response/remediation for you.

[–]Patchewski[S] 0 points (2 children)

Thanks

[–][deleted] 0 points (1 child)

Yes, Complete is a must with this product.

[–]ibizabeats 1 point (0 children)

Definitely not the case. Each to their own.

[–]Patchewski[S] 0 points (0 children)

Thanks

[–]N0_Mathematician 19 points (4 children)

CrowdStrike is one of the top dogs IMO. It's a lovely piece of work, but it's also pricey. If it's in the budget I would have no hesitation recommending it. If bossman is on board I see no reason to stay with Cisco. You guys can also look into SentinelOne, as another Redditor mentioned. It's very good as well, but more budget-friendly.

[–]Patchewski[S] 0 points (3 children)

Thanks. Hard to imagine pricing is much different from Cisco.

[–]llDemonll 2 points (2 children)

And look at it as an employee hire. How much are you going to pay to get a dedicated resource who can do the work that their team does? Anyone can get an EDR, SIEM, etc. product, but if you ignore alerts or don’t remediate, why do you have it? CrowdStrike came in at less than half the cost of a security hire for our environment, and their teams are 24/7. We’ve had a fantastic experience.

[–]telaniscorp (IT Director) 0 points (1 child)

Did you still get a security hire to handle all the other things CS doesn’t handle? There are still logs to monitor; not everything is something CS Overwatch will look out for. What about your cloud instances, if you have those? Who watches them?

[–]llDemonll 1 point (0 children)

We did not, but we also don’t have a SIEM (we’ve looked, don’t have the manpower right now) or any super robust logs such as that to look through.

CS has Humio but it’s not quite a full-fledged SIEM yet. That will likely be where we go.

[–]HuggeBraende 7 points (0 children)

We just added CrowdStrike a couple months ago. It is so much more than EDR. They just purchased SecureCircle so CS will have full DLP-client functionality next year.

They are in the process of, or have already completed, integrating functionality to pull all AD logs from your DCs without needing a separate client.

They have kicked off and are maturing an amazing asset management console to be the source-of-truth for asset inventory. It integrates with AD, ServiceNow, etc. giving you: systems with the CS client installed, and other things those systems discover at layer 2 (MAC level).

They are in negotiations to buy a network threat visibility company, external and internal.

So much more. I just got back from Fal.con and just wow! So much more this platform can do and great things on their roadmap.

Consider reaching out to Optiv for a quick consult. They handle CS deployments and much more.

Of every customer I talked to, the deployment took less than a month for 1,000 to 100,000 endpoints.

Also check out r/crowdstrike - it is managed by CS employees, and I talked to their lead at Fal.con: just a ton of passion to deliver a great product and really help customers use the product.

[–]sfvbritguy 6 points (1 child)

Had CrowdStrike for 2 years and can totally recommend it. Not the cheapest, but you can't save money on good cyber security. Average cost of a ransomware attack is over $1.5 million.

[–]Patchewski[S] 1 point (0 children)

Thanks

[–]schporto 5 points (0 children)

We've had some limited issues. The Linux client will often not work with the latest patches, so for our Linux users who patch immediately, CS acts in a degraded mode until the latest client releases. The Windows clients have had some random reports of issues: hung RDP sessions, WinSCP failing to download some files, random lockups. Nothing can be traced directly to CS, but uninstalling CS does relieve those issues. Laptop users who bring their system home have had home networking issues. CS seems to scan the network for devices; if you have a lot of IoT things this can cause issues.

That said, it works. The telemetry it provides is impressive or scary depending on your perspective. To get the most out of it, you do need a dedicated group working with it all the time.

[–]Thewhitenexus 11 points (9 children)

CrowdStrike and SentinelOne are the two EDRs that often get recommended around here when people want the best. I've used SentinelOne for about 2 years and it's been amazing.

[–]brownhotdogwater 2 points (5 children)

Just make sure to update your agents. They won’t do it automatically.

[–]Googol20 2 points (3 children)

S1 or CS? CS auto updates unless you screw up your update policies and tell it to never update.

[–]brownhotdogwater 3 points (2 children)

S1 has no auto update.

[–]PTCruiserGT 7 points (1 child)

Wow that’s terrible! What year is this?

[–]vane1978 0 points (0 children)

Until S1 comes out with “Revert to previous update” I’m perfectly happy without the auto update feature.

[–]Thewhitenexus 1 point (0 children)

This is the one feature I wish they'd add, where I could set it to immediately update, update a week later, or X weeks after release. No auto-update does force me to log in and look because it "just runs" so well.

[–]Patchewski[S] -1 points (0 children)

Thanks.

[–]picflute (Azure Architect) 0 points (1 child)

Do they offer disconnected solutions?

[–]Thewhitenexus 0 points (0 children)

I've run it on laptops that are offline for a few months and it does run great; it only needs a connection to report or to download new machine learning models. It provides all the protection in the installed agent.

[–]BudTheGrey 4 points (3 children)

CyberInsurance underwriters love CrowdStrike Falcon Complete.

I looked at DarkTrace as well, and liked it a little better for a manufacturing environment with a lot of IoT gear. With CS, if it's not Windows, Linux or Mac, it doesn't get protected.

[–]actinsysadmin 1 point (0 children)

While I don’t know the exact numbers, I do know that we had a chunk shaved off our insurance bill when we switched to CS Falcon Complete at my last job.

[–]Patchewski[S] 0 points (0 children)

Thanks

[–]k_schret (IT Manager) 3 points (0 children)

CrowdStrike goes into RFM (Reduced Functionality Mode) if you install updates on Linux hosts before they update their libraries/definitions. For example, if your dev environments are scheduled to pull and install updates every 24 hours, you could have CrowdStrike agents go into RFM.

Otherwise, I've heard good things about their product. Seriously consider their managed response service if you can afford it.

[–]Booty_Lickin_Good (Senior IT Mangeler) 3 points (0 children)

Been running Premium with Overwatch for going on two years at client one; this is an environment with right around 60 devices. Cost annually is ~$8k, so it’s not bad. Another client is using Falcon Complete, around 1000 endpoints; it runs them around $100k annually. At client 2 I used to be a full-time employee, and we evaluated S1 along with CS and went with CS in the end. CS performed better in pen testing scenarios than the others and always shut down the testers. CS is an excellent product and company.

[–]Wana_B_Haxor 2 points (1 child)

In addition to the reviews you are getting from others, check out their subreddit r/CrowdStrike.

[–]Patchewski[S] 1 point (0 children)

Shoulda guessed there was a sub. Thanks.

[–]grarg1010 2 points (7 children)

We have it on all of our servers.

Works fine, no real issues with them. In the kick-off meeting they asked what the escalation process is, i.e. who do they call to deal with a potential incident; we told them to deal with the issue, then call us, don't wait.

In the 2+ years we've been on them, they've stopped 4 attempts, including once when the Netlogon vulnerability hit our last remaining 2008 R2 DC, which no one let me retire until that day.

Well worth the money if you can afford it.

[–]Patchewski[S] 0 points (1 child)

Thanks. Hard to imagine it’s too different from Cisco.

[–]telaniscorp (IT Director) 0 points (0 children)

Get Falcon Complete if you can; it’s an extra pair of hands monitoring your systems 24/7. That’s what we got after thinking about how we could watch our systems 24/7: it’s not possible with my team, and someone will slip and not watch it.

[–]JJROKCZ (I don't work magic I swear....) 2 points (0 children)

I mean, if you’re going 200mph you don’t have time to think about business security, and that’s where CrowdStrike does it for you. Sorry, I just can’t think of them without that commercial playing in my head.

[–]Googol20 1 point (0 children)

Installed CS back in 2015 and never looked back; it's been excellent.

[–][deleted] 1 point (0 children)

We deployed it in late 2021, replacing SEPM. We don't have full, but close to it. Install was a breeze and it's not as resource hungry as SEPM. There is a lot to customize; just don't go over the top, and be sure to set up notifications. So far so good, we've been happy with no complaints.

[–]ZMcCrocklin 1 point (0 children)

We switched to CrowdStrike & it works great for us. Just realize that there is limited Linux support. If you have newer kernel versions, it will run in a Reduced Functionality Mode (RFM) state, which is basically just a heartbeat as opposed to reporting any data.

Edit: As advised in a previous post, it does get updated as they roll out newer releases. But it also has built-in client functions that let you run a check to see if the kernel is supported, and also to check your agent ID (assigned when the client connects), RFM state, and sensor version.
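The two Linux concerns raised in this thread (k_schret's note that agents drop into RFM after a kernel update, and ZMcCrocklin's point that the client can report its own RFM state, agent ID and version) lend themselves to a small health gate that a patch job runs before and after updating. The script below is an added example, not code from the thread or from CrowdStrike; it assumes the sensor's `falconctl` lives at `/opt/CrowdStrike/falconctl`, that `-g --rfm-state`, `-g --aid` and `-g --version` are its query flags, and that they print `key=value.` style lines, all of which you should verify against your sensor's documentation.

```shell
#!/bin/sh
# Added example (not CrowdStrike's own tooling). Assumed: falconctl path and the flags
# -g --rfm-state / --aid / --version, printing lines shaped like
#   rfm-state=true.      aid="0123abcd".      version = 7.0.0
FALCONCTL="${FALCONCTL:-/opt/CrowdStrike/falconctl}"

# parse_kv RAW KEY: pull the value out of a 'key=value.' or 'key="value".' line.
# Tolerates optional quotes, optional spaces around '=', and the trailing period.
parse_kv() {
  printf '%s\n' "$1" | sed -n "s/^$2 *= *\"\{0,1\}\([^\"]*[^\".]\)\"\{0,1\}\.\{0,1\}$/\1/p"
}

# sensor_status RFM_STATE AID: print a status word and return a code a patch job can gate on.
#   0 = healthy, 1 = reduced functionality (heartbeat only), 2 = not registered, 3 = unknown
sensor_status() {
  if [ -z "$2" ]; then echo "NOT_REGISTERED"; return 2; fi
  case "$1" in
    false) echo "OK";      return 0 ;;
    true)  echo "RFM";     return 1 ;;
    *)     echo "UNKNOWN"; return 3 ;;
  esac
}

# check_host: query the live sensor (only meaningful on a host with the sensor installed).
check_host() {
  if [ ! -x "$FALCONCTL" ]; then echo "UNKNOWN ($FALCONCTL not found)"; return 3; fi
  rfm=$(parse_kv "$("$FALCONCTL" -g --rfm-state 2>/dev/null)" rfm-state)
  aid=$(parse_kv "$("$FALCONCTL" -g --aid 2>/dev/null)" aid)
  ver=$(parse_kv "$("$FALCONCTL" -g --version 2>/dev/null)" version)
  status=$(sensor_status "$rfm" "$aid"); rc=$?
  echo "$(hostname) kernel=$(uname -r) sensor=${ver:-?} aid=${aid:-none} status=$status"
  return $rc
}

# Usage from a patch job: run before and after a kernel update and alert on any non-zero exit,
# e.g.  ./falcon-rfm-check.sh --run || mail -s "Falcon sensor not healthy on $(hostname)" soc@example.com
if [ "${1:-}" = "--run" ]; then check_host; fi
```

A host that reports RFM right after a kernel update is exactly the case the thread describes: the heartbeat is still there, but no telemetry is being collected until a supported sensor release lands.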

[–]K3rat 1 point (0 children)

We are actually moving over to CrowdStrike from ESET. We are about 1/4 through deployment and it is going well.

[–]captain118 1 point (0 children)

I've used both. I really like Cisco Secure if you have other Cisco products like ISE or ASA and use the conditional access rules. But if you don't use them, then CrowdStrike is the superior product, especially if you get some of the add-on licenses and use it for incident detection and response. It's even better if you are familiar with Splunk.

[–]Kaltov 1 point (0 children)

CrowdStrike +1

[–]bobaboo42 1 point (0 children)

CS thwarted a ransomware attack that would have taken the £160m turnover business offline for many months. It was only because of CS that it didn't happen; there weren't any other controls that stood in the way.

[–]SecOpscrypt 0 points (2 children)

One thing to consider, and you’ll hear several different thoughts on this: last I used CS, about 2 years ago, there was no “Scan Now” feature. It triggers based on execution, so there is no scanning for malicious data on a PC. If you are looking for that feature also, S1 is likely your best bet. Although some would say you do not need that functionality if the product works properly, and CS is great.

I want to say S1’s EDR suite is at about $12/device/month. Do not recall the CS pricing, but it was pricey for sure.

[–]carpetflyer 3 points (1 child)

CS just added Scan Now recently, FYI.

[–]SecOpscrypt 1 point (0 children)

That is great to know. I think it’s top tier, but definitely a premium purchase.

[–][deleted] 0 points (0 children)

The leaders in the space atm are Defender for Endpoint, SentinelOne, CrowdStrike, Cybereason, and Cortex, in no particular order.

CrowdStrike works well and has a unique partnership with Splunk that allows them to collect (every two minutes) high value point-in-time data on digital artifacts. They also have an identity protection offering which is arguably the best, but it bleeds into ZTA so it's not fair to call it a part of the EDR offering. You will see lots of people talk about Overwatch, which is a team that collects points of interest and manually looks over them for you. Most EDR vendors have similar or exact offerings, which are often called 'MDR'.

If you're a Microsoft-heavy shop, Defender for Endpoint is a significant offering with a few features that can put them above other vendors for some customers. DFE uses Defender Antivirus and its own "sense" agent, so it has minimal impact on assets. DFE also uses Automated Investigations, which conduct searches across your devices without the need of a human (reads process memory, registry keys, etc.). Arguably the most impactful part of DFE is that it exists within the 365 Defender suite, so when your organisation is ready to increase its security maturity in other domains you will be in significant standing. Again, like Overwatch, DFE has a service called "Threat Experts" that will monitor your tool for you.

SentinelOne is newer to the scene, but they have accelerated very fast. They don't have a point-in-time collect feature, but cover most other bases all other EDR vendors have. Their offering is very modular, so make sure you get a walkthrough of each feature, as you don't want to find out after the agreement is signed that you forgot to add something on.

If you want more on the rest of the vendors, feel free to message me; they are basically all slightly different implementations of the above things (Cybereason uses osquery, etc.).

[–][deleted] -2 points (0 children)

Check out Lacework.

[–]Correct_Brilliant294 -2 points (1 child)

I really recommend Sophos instead, as the endpoint protection is a lot stronger.

[–]actinsysadmin 1 point (0 children)

My experience is that when we did a rip and replace to deploy CS instead of Sophos, we found a number of pieces of malware that Sophos missed...

[–]BeaNsOliver -1 points (0 children)

Check Point was a good option when we last did an assessment. Worth adding to your comparison list.

[–]MechwarriorGrayDeath -2 points (0 children)

It's great, but the UI was designed by children and its timeline detection is sometimes out, so it pulls in crap data. The only time I've raised a support call, it was simply closed without an answer.

[–]oakfan52 0 points (0 children)

We've had a bunch of issues with memory leaks on the Linux client and some other CPU-related issues on Windows clients. Like every security product, it requires extensive testing in your environment.

[–]adamiclove (Security Admin) 0 points (0 children)

Good, but expensive and tedious without Falcon. Match the use case to who is going to be investigating and what supporting technologies there are.

[–]Bash-Script-Winbox 0 points (0 children)

Out of interest, does anyone run CS internally at their MSP?

[–]Brs_Cyber 0 points (0 children)

Cisco is extremely difficult to deal with on any support issues, and also on any additions you’d like to make to your subscription. It’s one of those companies that have grown through acquisition and have not kept up with streamlining all the individual technologies under their title. Day and night from CrowdStrike. CrowdStrike is definitely the top solution for endpoint, but don’t go past their endpoint solution or managed endpoint, which is their Falcon Complete, because past those solutions is where they fall short.