CrowdStrike Falcon Review

With the real-time response piece, I can connect to an endpoint as long as it's on the Internet


What is our primary use case?

The product is inherently cloud-based.

How has it helped my organization?

Knock on wood. Between our management of the platform and having subscribed to Falcon Overwatch, the managed threat hunting service, I haven't had a concern in six years. I have yet to deploy this product in an environment that has later incurred a breach. I have the utmost confidence that would be very unlikely to occur.

What is most valuable?

Every time that I have deployed it, it was more about Falcon Insight and its EDR protection. Then, the team in the company would be so pleased with the results that there was minimal resistance adding additional stack elements. Prior to their announcement of several new modules last Fall, we had acquired the entire stack. 

Each element of the stack continues to further develop their capability and empowerment of team members. For example, CrowdStrike Falcon Spotlight was an interesting tool to assess vulnerability management, but the capability of that module alone has just continued to develop in a very favorable direction. Also, the discover tool is extremely valuable. 

Probably the most valuable thing to me is the real-time response piece. The fact that I can connect to an endpoint as long as it is on the Internet, no matter where it is globally. I can remove files from the endpoint, drop files on the endpoint, stop processes, reboot it, run custom scripts, and deploy software. Pretty much no other tool can do all that.

As a cloud-native solution, it provides us with flexibility and always-on protection, which is critically important.

What needs improvement?

There is nothing existing today that I would change very much about the solution. Because of the capability of the data that they are ingesting, they have the ability to create tools leveraging that data to enhance the capability of the platform. The possibilities are endless.

For how long have I used the solution?

I have been using CrowdStrike Falcon for about five and a half years

What do I think about the stability of the solution?

There are no questions about stability. I continue to see, especially in the last six months, that CrowdStrike is making very purposeful acquisitions to tactically and strategically build upon the platform. Many companies acquire smaller companies to get a fraction of a piece of technology that tends to be an add-on or something that may compliment the core product, but CrowdStrike is making more strategic moves to acquire technology that they can directly integrate into the existing platform to make it even better and more effective.

Updates can be handled one of a number of ways. This is something that has evolved quite a bit since I initially deployed it. Initially, you simply had the option of manually upgrading sensor versions or leaving them to automatically update as soon as a new update was released. Very infrequently, there have been issues with sensor builds. Early last year, they rolled out the ability to automate the sensor revision updates, but do it in a tiered fashion. So, there was an N-1 and an N-2. So, when they release a new version, I step back my releases and deployment of the updates by one version backwards. Then, I have a few early adopters who get the latest sensor build as soon as it is deployed. Provided there are no problems, when the next release happens, the N-1 version will automatically upstep my entire environment without having to put hands on it.

This product does not require any maintenance post-deployment.

What do I think about the scalability of the solution?

We are protecting 5,500 endpoints with this solution. We do have plans to increase usage. Our environment is rather complex in that we have 6,000 core corporate associates and roughly 5,500 endpoints. Then, we have a distributor network globally comprised of about 220 wholly owned subsidiaries who are essentially their own companies, but they are only licensed to resell our products. They kind of have a mix of endpoint protection because it is largely up to them, within their entity, as what they choose to use. We are looking to further wrap our arms around them from a security perspective. We have looked at acquiring CrowdStrike's complete platform, which would be fully managed to deploy to that distributor network, which is about the same size as our corporate environment. So, it would be roughly another 6,000 users. It is a very large, globally-reaching endeavor, and working through the politics and legal aspects of how we will make that come to fruition may take some time. However, that is the plan.

How are customer service and technical support?

I would give the technical support 10 out of 10 for the past year. They have improved a lot of things in response to customer feedback. A year and a half ago or more, if you put in a support request by email, then it wasn't timely addressed. It could be a day to three days before you received a response, which was a bit frustrating. There was a lot of customer feedback around this issue, which has been greatly refined. Now, if I put in a support ticket, I would expect it would probably be answered within a couple hours.

I have a lot of ideas in my head about where things could go with the solution. The company is very receptive to those thoughts as well as the opinions of all its customers

Which solution did I use previously and why did I switch?

Our previous endpoint protection platform was very cumbersome to manage. It did not reliably apply protection and had many issues. My current organization is the fourth time that I have deployed CrowdStrike Falcon in an environment. The first time that we deployed it, we were using an inherently cloud-native protection platform, but it was unreliable. 

Swagelok was using McAfee ePO, which inherently is an on-premise solution. It is also very unreliable and cumbersome to manage. It was just missing detections, being inherently signature-based. So, it was only hitting on known signature-based malware. We lacked the EDR aspect of endpoint protection, e.g., behavioral-based analytics and preventing malicious behavior before it begins, which drastically stifles the remediation effort. McAfee's principle was always, "If you get said detection, then you need to run other tools to scan, remediate, and clean up the endpoint." Hands need to be on the endpoint taking it physically offline and off the network. Everything is drastically simplified with CrowdStrike Falcon. I can cloud sandbox the endpoint, remediate it, and interact with it at the command line level remotely, regardless of where it is, as long as it has an Internet connection. It is just amazing. 

As far as Swagelok goes, McAfee yielded a lot of false positives. The management was so cumbersome that there were only a handful of people able to resolve problems with endpoints or false detections. If you weren't connected to the inside core network, you couldn't reach the server in order to mitigate the problem. Because of the cloud-native aspect to CrowdStrike Falcon, I can pull up the console in my car on a mobile phone and mitigate an issue for someone whenever and wherever I need to do it, regardless of how I am connected, what device I am on, etc. So, the response time has drastically decreased (by five to 10 times) for remediating a critical vulnerability, a piece of malware, or undoing a false positive. This has been noticed across the company at large.

How was the initial setup?

In all four instances where I deployed the single sensor in organizations of various sizes, it was very simple. Swagelok was probably the easiest deployment, since it is an organization large enough to have a deployment tool, like Microsoft SCCM. Once the package was built to deploy to endpoints, we push the "Go" button. Then, it was a matter of hours and our entire environment was protected. The deployment took less than a week.

What about the implementation team?

Three people were involved in deploying the solution:

  1. Being the experienced administrator, I pretty much did all the configuration: creating the correct groups, prevention policies, etc. 
  2. We have an administrator of the deployment tool. I worked very closely with the package of the sensors and he executed the deployment.
  3. We have another gentleman who oversees our lab environment and was very invested initially in trialing the product against all our existing applications to ensure there weren't any incompatibilities in the early deployment.

What was our ROI?

We have absolutely seen ROI, e.g., the reduction in man-hours for resolving incidents. The speed of the platform has drastically reduced time consumed, affording more time for an operator to act when resolving problems.

What's my experience with pricing, setup cost, and licensing?

It is an expensive product, but I think it is well worth the investment.

The CrowdStrike Falcon Pro solution alleviates the need to quote out the product. You initiate the use of the free trial, then opting the purchase. You can manage it all on your own without engaging a sales representative. I definitely have done this in a small business environment. 

In all other instances, it was more of a formal business relationship. There was a sales representative involved who queued up the trial environment. If you initiate a trial yourself, you are basically given 14 days to trial it. Whereas, engaging a sales representative allows them to moderate the length of time that you can do the trial. Because we are a larger enterprise with a lot of politics around completing purchases and legal reviews, we have a sourcing department who vets out vendors. The process is very long and cumbersome. We had initiated a trial, in this instance, which ran for several months before we acquired it.

The fact that I have access to the products free for several weeks or months was not really a factor. What was more impressive in the trial was the way CrowdStrike approached it. When you initiate a trial, they give you a CloudFlare instance of a victim machine and an adversary machine. They then allow you the capability to deploy the sensor or pull it back from the victim machine. You can unload whatever you care to against the victim machine for testing to see how well the product works on your own. Unlike many other products in a similar space, when you evaluate the product, it gives you the feeling that you are completely in control. Also, there is a sales engineer who moderates the demonstration of the product.

Which other solutions did I evaluate?

The first time that I deployed CrowdStrike Falcon, I evaluated probably a dozen other products. I was very close to signing a deal with Carbon Black, simply because I hadn't yet heard of CrowdStrike Falcon. Since deploying it the first time, I would never really consider anything else. I do look at other platforms from time to time to see how they have evolved and changed, but it would be very difficult to convince me to use something else. The winning factor for CrowdStrike Falcon is just the inherent capability of the platform. In my observation, there really isn't another company who can do as much as they can.

What other advice do I have?

Take advantage of the opportunity by CrowdStrike to network with other customers in a similar company size and industry to see how well the product could benefit you as a potential customer before committing.

We have a very minimalistic cloud infrastructure footprint or container footprint at this point in time. That is likely to take off in full swing in the next year or so. We have many legacy applications running on legacy operating systems, which I am working very aggressively to get out of our environment. When that starts to take flight, we will definitely have more of a need for a cloud container as well as cloud infrastructure visibility and protection, which we do not have a lot of at this point in time.

I would rate this solution as 10 out of 10.

**Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: I'm a real user as well as a member of CrowdStrike's customer and technical advisory boards
More CrowdStrike Falcon reviews from users
...who work at a Energy/Utilities Company
...who compared it with Carbon Black CB Defense
Get Fast and Easy Protection Against All Threats

Protect your organization from all threats - not just malware - even when computers and servers aren’t connected to the internet. Start your free trial and deploy CrowdStrike Falcon within minutes to start receiving full threat protection.

Learn what your peers think about CrowdStrike Falcon. Get advice and tips from experienced pros sharing their opinions. Updated: September 2021.
534,226 professionals have used our research since 2012.
Add a Comment
ITCS user
Guest