Migrating to CrowdStrike Falcon
We have supported several clients recently as they migrated from legacy endpoint protection solutions to CrowdStrike Falcon. CrowdStrike is the market-leading Endpoint Protection platform, consistently leading in Gartner and Forrester assessments.
CrowdStrike’s technology provided a step-change in protection compared to legacy vendors, an advantage that has proven important during the COVID-19 pandemic. With the rapid increase of remote work in past years companies are facing a more exposed and varied threat landscapes. Rather than connecting through centralised office connections with centralised firewalls, proxies, intrusion detection/prevention systems, laptops are connected to various networks that are inconsistently configured and secured.
Compared to typical on-premise endpoint management consoles where you typically lose visibility of endpoint activities when off-network, CrowdStrike’s cloud-based management console allows us to monitor and respond to threats on all devices, all the time, independent of their network connection.
What is CrowdStrike Falcon? Next-Gen AV vs. Legacy AV
CrowdStrike Falcon is a cloud-delivered endpoint protection solution which unifies and simplifies cloud workload security through a single platform that enables the simple and rapid rollout of new workload protection capabilities without impacting performance, adding complexity or overhead. Falcon provides a sophisticated yet easy user experience to help businesses stop cyber breaches through harnessing the massive power of the cloud to protect workloads across all environments — including private, public and hybrid data centres and as well as on-premises.
Why choose CrowdStrike over Legacy Antivirus scanner?
CrowdStrike offers a number of benefits compared to a legacy solution, the primary improvement is CrowdStrike’s use of Next-Generation Antivirus (NGAV) that is a combination of artificial intelligence, behavioural detection, machine learning algorithms, and exploit mitigation.
CrowdStrike has shown over recent years that it does not require the hundreds of megabytes of signature and log data being sent back and forth between the console and endpoint daily, needing only 2-3% of the equivalent bandwidth, reducing network overheads.
How does CrowdStrike EDR work?
Falcon Insight continuously monitors all endpoint activity and analyses the data in real time to automatically identify threat activity, enabling it to both detect and prevent advanced threats as they happen. CrowdStrike follows all suspicious processes that get loaded into memory and investigates their actions. Once CrowdStrike see some suspicious activity that might require some investigation it will create an Incident. The Incident workflow enables a graphical view of detection flow that can quickly help you to identify all involved processes and their activities.
If the detection severity is already high or critical with CrowdSrike’s recommended policy settings, these processes will get terminated right away and the associated malicious files quarantined or deleted.
Crowdstrike can also be used for Incident Response. Administrators can isolate the machine (this will terminate any existing network connections and allow only agent connection to CrowdStrike portal). This means it will still allow CrowdStrike to launch Real time Response.
Real Time Response allows to start a remote terminal, some of the actions that can be performed but not limited to are these:
- Navigate the file system and perform many file system operations.
- Put and get files to and from the system to the CrowdStrike cloud.
- Stage commonly used programs and PowerShell scripts.
- Create supportability scripts as needed.
- List running processes and kill processes.
- Retrieve memory dumps, event logs, or any other files.
- Show network connections.
- Query, create, or modify registry keys.
Which Features does Crowdstrike Provide?
- Host intrusion prevention (HIPS) and/or exploit mitigation solutions
- Behavioural analytics
- Endpoint Detection and Response (EDR) tools
- Indicator of compromise (IOC) search tools
- Sandboxes or dynamic execution analysis
- Log analysis
- Managed Detection and Response
- Threat Intel services
- IT Hygiene too
Where to next?
To discuss introducing CrowdStrike Falcon to your estate, please reach out to the team [email protected] where you will get to speak to employees with hands on experience of migrating to Crowdstrike from a legacy endpoint protection solution.
If you’d like to deepen your knowledge on the wider Crowdstrike product stack and hear from other customers on how they utilise Crowdstrike, the annual Fal.Con conference takes place for EMEA from Oct13th-15th with over 60 sessions to choose from. You can REGISTER HERE