Security Analyst II at a healthcare company with 10,001+ employees
Real User
Speeds up the data collection for our phishing playbooks dramatically
Pros and Cons
  • "I like the dashboard nature of it. Everything is clickable, linkable, and information is easy to obtain and find. How it presents that information is probably the biggest win as far as the information correlation aspect. The presentation of it is very good."
  • "I would like them to improve the correlation of data in the search algorithms. When we run an investigation, malware, phishing, etc., I want to look at multiple endpoints at once to correlate that data to see the likenesses, e.g., how are they not alike or what systems and processes are running across those systems? I don't want to have to run the same search in their Spotlight module five, 10, 15, or 100 times to get 100 different results, copy that data out, and then correlate it on my own. In a very simple way, I want to be able to load up a comma-delimited list giving me the Spotlight data on these X amount of hosts, letting me search for it quickly. We have had to go back to CrowdStrike, and say, "Our searches are taking far too long for even one host." They did bump up the cores and that did improve performance, but it is still kind of slow to get that Spotlight data. That is probably our biggest pain point. I think that needs some help. I understand this kind of information access is probably not the easiest thing to do. It is probably a big ask depending on how their back-end is set up."

What is our primary use case?

It is currently our antivirus and EDR platform that we use to export incidents to our SIEM and automation platform, SOAR. We use Demisto for our SOAR.

The solution is fully deployed in our organization. We are primarily Windows. There are four major hospital sites with a couple thousand endpoints each. We probably have 600 remote workers due to COVID-19. I would probably say there are 7,000 VDIs inside of Citrix. Then, the rest are probably small clinical sites with no more than 50 to 80 people at each one. They make up the bulk of the rest, and probably 99 percent of that is Windows or server-based. We only have maybe 30 Macintoshes in the whole system and about as many Linuxen.

We are using Windows agent 618.

How has it helped my organization?

It talks to a lot of our other systems. It allows us to correlate data between our firewalls. This way, we can connect whether network activity is relating to an endpoint detection for faster correlation. It provides more data about the endpoint quicker than if we were to go out to the endpoint and collect that data manually. In general, I see that it speeds up our playbooks pretty dramatically, as far as our workflow.

We have what we call our phishing playbook. It is an all-in-one, where an email comes into the organization, a user reports it to us, it comes into our automation platform, and then it kicks off a whole bunch of other stuff. For the phishing playbook (which does have a malware component to it) to go out to all the individual tools, that could have taken two and a half hours for it to run the entire phishing book manually, going to all those individual pieces. Now, we can have one done in 15 minutes. The phishing playbook is a catch-all that has multiple systems in there too. As far as collecting data from many different parts, it speeds that up. In general, we have noticed time savings. 

I would give them probably about as high as I would be willing to give any organization. I would give them an eight out of 10, as far as their effectiveness, for preventing breaches. In general, we feel more secure knowing that we are not relying on multiple different technologies to provide a different kind of protection. We were using a couple other different pieces of software to do a portion of what CrowdStrike is doing for us. We are getting a more comprehensive protection, which is good.

We like the ability that if there is an issue at a third-party clinic that is affiliated with us in some way, then we can go in there quickly and install our agent, protecting them if something were to happen. For example, we had doctor's offices where there were phishing incidents, then we went in there and installed the CrowdStrike agent.

What is most valuable?

I like the herd immunity, their Falcon X version. If another organization somewhere else gets hit by a piece of malware that has not been seen before, we will get that protection in however long it takes them to analyze it and push that detection to everybody else. I find that extremely helpful.

The second most useful feature to me is the intelligence modules.

I like the dashboard nature of it. Everything is clickable, linkable, and information is easy to obtain and find. How it presents that information is probably the biggest win as far as the information correlation aspect. The presentation of it is very good.

What needs improvement?

When we first went to CrowdStrike and purchased it, a lot of my team members all had the same issue: There was too much information. Initially, when the user logged in, they were getting dumped on, like a five-gallon bucket of ice. Trying to sort through it all, you can get lost easily. Until you have really had time in the solution to really digest how to use things, it is information overload. We didn't get that from Palo Alto XDR.

I would like them to improve the correlation of data in the search algorithms. When we run an investigation, malware, phishing, etc., I want to look at multiple endpoints at once to correlate that data to see the likenesses, e.g., how are they not alike or what systems and processes are running across those systems? I don't want to have to run the same search in their Spotlight module five, 10, 15, or 100 times to get 100 different results, copy that data out, and then correlate it on my own. In a very simple way, I want to be able to load up a comma-delimited list giving me the Spotlight data on these X amount of hosts, letting me search for it quickly. We have had to go back to CrowdStrike, and say, "Our searches are taking far too long for even one host." They did bump up the cores and that did improve performance, but it is still kind of slow to get that Spotlight data. That is probably our biggest pain point. I think that needs some help. I understand this kind of information access is probably not the easiest thing to do. It is probably a big ask depending on how their back-end is set up.

Buyer's Guide
CrowdStrike Falcon
July 2025
Learn what your peers think about CrowdStrike Falcon. Get advice and tips from experienced pros sharing their opinions. Updated: July 2025.
861,524 professionals have used our research since 2012.

For how long have I used the solution?

We have been using it since about June of last year. That is around when we officially purchased it, but we had been running it as a PoC since about March or April of last year.

What do I think about the stability of the solution?

The stability has been fantastic. I have had no stability issues at all. It has never caused a problem of any sort that we have had across the organization for a PC "acting funny" kind of ticket coming in. Those have never been CrowdStrike agents.

Because this is a cloud-native solution, it provides us with flexibility and always-on protection. That is just the nature of what SaaS applications are. In a very general sense, I wasn't looking at CrowdStrike because it is a SaaS application. That has been a minor point to me. Just one of those, "Oh yeah, you're SaaS." It is almost expected nowadays with a lot of your more modern XDR platforms that it has to be always-on, 99.999 percent uptime.

As far as general maintenance, it makes it a bit easier as far as overhead. If there were servers onsite, we would have to take care of those as well as the care and feeding of them. Making it SaaS does make it easier, which provides us some extra man-hours as far as taking care of the hardware behind running it. There is that added benefit, which is nice. The configuration of the agents probably makes it a bit more automated, so that is nice as well. These are just secondary points to me. If we had to do the maintenance, I would be perfectly happy with doing it.

All our security team monitors it. There are five of us in the console daily actively using it. I am probably the only true administrator who will change policies or anything like that in there.

A couple people have access outside of the security team, but I have not seen them log in. A couple of our server admins have access where they have view rights, but they don't go in because they don't have issues. One or two people on our Citrix team have access, but they don't go in either. Also, one or two of our end users might have access.

What do I think about the scalability of the solution?

The scalability has been fast and easy. We did so many endpoints very quickly without any issues.

It is fully deployed across our organization. We can't really expand anymore unless we are adding/buying clinics.

How are customer service and support?

Now that we are a full-on customer, CrowdStrike technical support has always been spot on. It is one of the best that we have. It is way better than Microsoft and many other pieces of software out there. In my personal experience with the technical support, it is one of the best that we have had. That could be because we have an awesome TAM and great customer service manager. If I reach out to them, then they are on top of things.

Which solution did I use previously and why did I switch?

One factor behind why we chose CrowdStrike is that we were getting rid of multiple agents to go to one CrowdStrike agent. When we had Carbon Black Protection previously, they were ripping us off. It was a lot. We are paying substantially less with CrowdStrike. Carbon Black Protection is only for application whitelisting, and that is all it does. It is not AV. It is not anything else. That was just one piece of software that we were using. So, getting rid of Carbon Black Protection more than paid for CrowdStrike, and then some.

We were also previously using Microsoft SCEP.

How was the initial setup?

There was a slight decrease in lag time when we removed Carbon Black and put CrowdStrike on, but CrowdStrike moved it back up slightly. However, it was still less than the Carbon Black agent. We did see a slight performance increase with the OnBase application, which is linked to Epic.

CrowdStrike requires tuning out-of-the-box. When we first installed, we set the protections and configurations as recommended from CrowdStrike. We were getting absolutely inundated by detections and incidents. It required probably about a month or two of tuning to really dial into the number of what we would call, "expected incidents". Even now, I would say about 90 percent of what we see are probably false positives, but they are false positives that make us scratch our head, and say, "Is this really something or not?" These are not, "Oh hey, this is Windows Media Player that is getting flagged." These are legitimate false positives worth the investigation, but it takes some dialing in. 

It was exceedingly easy to deploy the solution’s sensor to our endpoints. We had zero issues. We used Microsoft SCCM. We programmed the string and all the commands, then we were off to the races. We programmed one SCCM job by GPO to do all of it. We had 14 total failures, which we found out later was not a CrowdStrike issue. It was an endpoint issue for those failures. Across 20,000-plus endpoints, 14 failures is really good. We deployed it in five days. That includes production servers, test servers, medical endpoints, etc.

The PoC deployment was only 25 endpoints. It was just downloading the agent, then manually installing it. That was a 48-megabyte install. It took two minutes, click two check boxes, enter a string, and you're off to the races. The test install was super easy too.

Our implementation strategy was probably the same as many other organizations. We did the workstations and laptops first, then we did test servers followed by the production servers. 

We had to tailor how many agents we were pushing out at a time via SCCM. The way we had built our job, it was doing a CrowdStrike install, but it was also uninstalling a couple of other pieces. It was having issues on that uninstalled portion. So, the SCCM job would fail. Then, we would get a kind of success where CrowdStrike was installed, but it had failed to uninstall the other portion. Therefore, it was a strange kind of limbo where CrowdStrike and Carbon Black did not play well together at all, like it would absolutely just fail. For example, we had a couple instances where they were both on a machine at once, so we had to tailor how many machines we were doing in a time break, e.g., every 30 minutes, we were doing 500 machines. Every 30 minutes is essentially what we did for a couple of days at a time during business hours so we could monitor it.

It was just the SCCM guy and monitoring it like a hawk. That is all we did for those five days. We just watched it. He was the one doing all the work. He programmed the job and everything. I just gave him the code and watched the CrowdStrike console. If necessary, I went into Carbon Black and manually uninstalled it from there too.

What about the implementation team?

The only help I had from CrowdStrike was to confirm this would work in Citrix. For example: 

  • Do we have the correct install language for Citrix? Because the VDI requires a couple of different switches turned on. 
  • Is SCCM going to work?  
  • Does this look right to you? 

We just basically had them bless it off, "Yeah, it says right here in the manual that this is good." We kind of followed the manual, then we had no issues. However, we just wanted to make sure about that Citrix VDI. So, we did have them actually look at that and make sure that the switches were good.

What was our ROI?

Agent overhead on the systems has been lowered slightly. We haven't had any tickets coming in, saying, "Oh no, CrowdStrike is messing up my PC. Come fix it." We had this with Carbon Black Protection. It has cut down on the number of support requests for other teams. 

I can't even talk about performance overhead, which is good. Our Citrix team hasn't noticed any extra increases in their Citrix workloads, as far as Citrix Server usage overhead, because we also deploy the CrowdStrike agent virtually. It has not slowed down any of the clinical applications, which was a huge win. If it had slowed down any of our clinical applications, especially the more time-sensitive ones, then it would have been a no-go. It would have been a red flag, "You're out the door," and it did not slow any of them down.

We saw ROI by removing Carbon Black Protection, which costs way more than CrowdStrike costs us. Right there, we already earned back and saved money by removing that solution. Turning off Carbon Black Protection and Microsoft SCEP AV were a huge amount of system overhead saved. Easily coordinating between multiple different pieces of software and gathering that information quickly was another time save. 

I am saving at least an hour or two a day by not having to go into Carbon Black Protection to figure out some sort of strange whitelisting issue.

What's my experience with pricing, setup cost, and licensing?

One part that I don't like about CrowdStrike is that you have to pay for the extra feature of Falcon X. I don't like the a la carte nature of it. I do find that feature to be one of the most useful.

The pricing and licensing are reasonable. I don't think we are getting charged more than what it is worth. It is fair, but I do not like how it is a la carte. I realize they do that so other organizations can buy and get the agent, getting it cheaper than you could otherwise. However, if you want the main core package, which has all the main features with the exception of maybe the multi-cloud protections, that can get pricier for an organization. So, you have to pick and choose what you want. I do not care for a la carte pricing.

We had contacted one of our software vendors, who put us in contact with CrowdStrike directly. We did a PoC for about 60 days. This was right at the COVID-19 kickoff. They weren't as strict on the 14 days, then you are done. They said, "Use it for as long as you like." 

Getting the free trial was super easy. As soon as they spun it up in the cloud, they said, "Here is your login information. Soon as you get your agent, here is the connection string that you will need with this agent when you have run your install." Done. 

When I got the go ahead from my director that we had officially purchased it, I was able to fully deploy to our 22,000-plus endpoints in five days. We had a full deployment in five days.

The free trial was critical. I don't think we would have gone with it if we had not been able to at least kick the tires on it some. We had to make sure that it wasn't going to interfere with our medical applications that are time sensitive.

Which other solutions did I evaluate?

The other major vendor that we were looking at besides CrowdStrike was Palo Alto XDR. CrowdStrike is a more mature product than Palo XDR, but with that goes some bureaucratic sluggishness. I personally had some issues with CrowdStrike, as far as getting support in a timely manner when I was still a trial customer. Now, as a full-on customer, I don't have any of those issues as far as slow support. They are always very on top of things. But as a test drive, it took far too long getting any support to get a user reset and logged into the platform. It took days. I was very upset about that. However, with that maturity, you have your full built-in intelligence module, which is one of their big selling points. It was fantastic having all that data.

Palo Alto XDR probably had more out-of-the-box API integrations that we use, because we use the Palo Alto XSOAR. It would have linked immediately and perfectly right out-of-the-box. Basically, with a click of a button, it would have been on. A majority of our security work comes from XSOAR. That would have been a huge win. Because of legal issues, CrowdStrike and XSOAR have an API link, but it is not terribly useful or intuitive to use without a lot of customization. Unfortunately, with a small team, nobody really has time to dig into the API and do all sorts of customization, trying to program it to get it to be just right. We have too much more operational work to do.

Other than that, the protections between the two are equal. I didn't see any decrease in that. I would just say CrowdStrike was more feature-based, and that Palo Alto's feature-base wasn't fully quite there yet. Things were a little bit more intuitive to me on the Palo Alto product than the CrowdStrike product. However, the maturity of the CrowdStrike product eventually won out.

I personally liked the Palo Alto product a little bit better than CrowdStrike because I could see where it was going. It was a difference of GUIs, essentially. With the recent updates from CrowdStrike, it has made this a little bit better.

Our CIO had a previous good experience with CrowdStrike. That was the reason why we went with CrowdStrike over XDR. Essentially, what it boiled down to, someone with a higher pay grade above me had a previous good experience.

We just signed a contract with an organization for another piece of software to do our multi-cloud protection.

We get a lot of our ideas for software that we want to take for a test drive through Magic Quadrant reports.

What other advice do I have?

It being SaaS was of no importance to me. If I wanted the solution, then had to build an on-site server for it or not, that makes no difference to me. I know for some people who have overhead, that is where it matters. Personally, it does not at our organization. I was more interested in getting the best of breed.

CrowdStrike Store is pretty interesting and always intrigues me. It typically will take you to another vendor's website for another piece of software that you would have to buy and install. So, it is one of those things like, "Oh, that is nice to know that you integrate with these other people. But, we don't have money right now to be looking at these other people's software that easily integrates but still requires their own agent to be installed on the PC." It is kind of an advertisement shop saying we work well with these other pieces of software.

Try it. Try all the features. Because if you go with a trial and don't try all the features, then you are not going to know if it's going to work for you or not. Try everything that you possibly can. I know some organizations who will "try it" and install it, but they won't do anything with it. In this case, we actually did. We actually tried to use all the features and create issues. We tried to kick the system over, and it didn't. 

Biggest lesson learnt: Rely more on our technology, trust our processes, and trust the software more. I think that is just an organization maturing from an old-school antivirus and application whitelisting/blacklisting mentality to a next-generation antivirus mentality, where you are trusting your software to operate. You are trusting your processes and playbooks to run automatically. As we matured and went with CrowdStrike, we are now relying more on our automated processes to run.

I would give it an eight out of 10. There are areas of improvement, especially with the search because it's a time burden and causes issues for our team. Other than that, everything else that we are getting has been fantastic. It is great overall.

I have been surprised by the new features coming out. When they add a new feature to an agent release, it doesn't seem pell-mell. They have a thoughtful consideration to what they are adding. The upgrade schedule is not overly burdensome nor is their path for pushing out those new features burdensome. We can keep up with them. So, they are not pushing out 20 features on one agent and none for the next 10 iterations, and then another 20. It's one or two every couple of iterations. It is trickling, which makes it easier to test things and run them through our CAB. That has been helpful.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Director of IT at a tech services company with 51-200 employees
Real User
Responsive and fast support, easy to deploy, well-tuned to ignore false positives
Pros and Cons
  • "We have a small IT Team, and this allows us to get sleep at night, knowing that someone else is taking care of any incidents that occur."
  • "It would be nice if the dashboard had some more information upfront, and looked a little better."

What is our primary use case?

We use this product for endpoint security and threat remediation.

How has it helped my organization?

The fact that this is a cloud-native solution that provides us with flexibility and always-on protection is absolutely important, especially with a good majority of our staff working remotely, now.

We've had security incidents that occurred and within a matter of just a couple of minutes, they were completely remediated and fixed and we didn't even have to think about it. We just got the report after the fact.

Falcon's ability to prevent breaches is excellent. It's affected us in that we haven't had any downtime as a result of breaches or any malware or anything like that. Ultimately, it's given us a lot of our time back. On the IT side, this is at least five to ten hours per week. On the user side, it is probably more.

What is most valuable?

The most valuable feature is threat remediation. We have a small IT Team, and this allows us to get sleep at night, knowing that someone else is taking care of any incidents that occur.

CrowdStrike takes care of all of the updates, so we don't even think about it or see it. This is great because we definitely spent a lot of time doing that kind of thing with our previous solution. Now that we haven't had to do it in four months, it's not even something we consider anymore.

We use both the endpoint and cloud workload protection and the detection and prevention it provides are excellent. It's tuned well to the fact that there can be a lot of false positives, so there's not a lot of potential issues that we're getting alerted about that aren't real. This means that when we do get alerts, we know that they're real and they're already being remediated for us.

What needs improvement?

It would be nice if the dashboard had some more information upfront, and looked a little better. Having a cooler dashboard is nice to have, although it is not as important as the functionality, which is very good.

For how long have I used the solution?

I have been using CrowdStrike Falcon for approximately four months.

What do I think about the stability of the solution?

The stability is great and we haven't had a single issue.

What do I think about the scalability of the solution?

It was originally deployed to 200 users and we haven't really grown since we started, so I can't speak to scalability. This represents 100% adoption in our organization, and there are no current plans to grow. As we hire more people, our usage will increase.

There are two people who work with it on a daily basis. There is the director of IT and a network administrator.

How are customer service and technical support?

The technical support is excellent. I've only used it a couple of times and they were extremely responsive and very fast.

Which solution did I use previously and why did I switch?

Prior to implementing CrowdStrike, we used BlackBerry Cylance. We switched for the ability to have full remediation so that we didn't have to do it ourselves. Also, this product is pretty much best-in-class for endpoint protection.

The only real difference that we have found with CrowdStrike, compared to Cylance, is that we no longer have to spend time remediating our issues. The detection and prevention capabilities are similar, although, with CrowdStrike, we have fewer false positives.

How was the initial setup?

The initial setup is extremely easy. It took me about five minutes to deploy it to my entire organization of about 200 users. The single-center process is extremely important because it's something that we were worried about, but it turned out to be a non-issue because it only took five minutes and we haven't had to think about it again.

We initially had a plan for deployment but once we found out how easy it really turned out to be, it was basically a one-step plan.

What was our ROI?

Our return on investment comes from the fact that there is less downtime for people that do get malware and other such problems. That is something that can be quantified.

What's my experience with pricing, setup cost, and licensing?

We made use of the free trial and the process for getting set up was extremely easy. We spoke to our sales rep and in our discussions and demos, they offered the free trial. We accepted, they sent me a link and I downloaded the agent. I was then able to install it and log in in less than five minutes.

Having the free trial was very important in making our decision to implement CrowdStrike because without being able to test it, it's not something that we would have chosen.

The pricing is definitely high but you get what you pay for, and it's not so high that it prices itself out of the market. That said, it's definitely one of the highest. There are no costs in addition to the standard licensing fees and the fact that it's keeping us safe, and it's proven that it works, is worth it.

Which other solutions did I evaluate?

We evaluated solutions from several vendors including Sophos, Trend Micro, McAfee, Kaspersky, and perhaps another one. A lot of these other endpoint solutions don't offer a full remediation option, and that was a big deal for us.

Also, reputation was important. We had used a couple of others in the past and there were issues where they would make an update that would negatively affect all of our computers. For example, our users could no longer access certain important websites. We haven't had that problem with CrowdStrike.

In terms of ease of use, CrowdStrike is extremely easy. Comparatively, we've had less time in the administration console than we have previously.

What other advice do I have?

My advice for anybody who is looking into implementing CrowdStrike is to go ahead and do it. There is nothing to worry about and they deliver as promised.

I would rate this solution a nine out of ten.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Mahmoud_Yassin - PeerSpot reviewer
CTSO at Cyb3r
Real User
Top 5
Provides efficient security posture and has diverse threat intelligence capabilities
Pros and Cons
  • "The platform is very scalable."
  • "Enhancements in reporting and forensic analysis could benefit the product."

What is our primary use case?

Our primary use case for the product is to enhance our threat intelligence capabilities. We use it to ensure comprehensive security coverage.

How has it helped my organization?

The solution has significantly improved our threat detection capabilities. It has helped us identify and respond to potential threats more effectively, contributing to our security posture. There have been no notable drawbacks; the solution meets our needs and complies with local regulations.

What is most valuable?

The product's most valuable features include its global reach and extensive threat data. Its wide exposure helps gather diverse threat intelligence, crucial for effective security management.

What needs improvement?

Enhancements in reporting and forensic analysis could benefit the product. CrowdStrike could publish detailed threat reports and analyses more consistently than other providers.

For how long have I used the solution?

I have been using CrowdStrike Falcon Threat Intelligence since early 2016.

What do I think about the stability of the solution?

I rate the platform's stability an eight. 

What do I think about the scalability of the solution?

The platform is very scalable. It can effectively accommodate growing security needs, which is crucial for organizations with evolving threat landscapes.

How are customer service and support?

Customer service and support vary based on the level of service. Premium support is excellent, but standard support can be less responsive.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We previously used a different solution. We switched to CrowdStrike due to its comprehensive threat intelligence capabilities and global reach, which we found to be more effective for our needs.

How was the initial setup?

The initial setup was straightforward, with the installation taking less than two hours. However, fine-tuning alerts and configuring rules required additional time and effort.

What about the implementation team?

The implementation was carried out in-house.

What was our ROI?

The product has helped us detect threats that might have gone unnoticed, contributing to overall security.

What's my experience with pricing, setup cost, and licensing?

The product is expensive. 

Which other solutions did I evaluate?

We evaluated several other options before choosing CrowdStrike. Our decision was based on the product's effectiveness and ability to meet our security requirements.

What other advice do I have?

Overall, it is a robust solution that meets our security needs. However, potential users should know the cost implications and ensure the product meets their requirements.

I rate it an eight. 

Disclosure: My company has a business relationship with this vendor other than being a customer.
PeerSpot user
Gogineni Venkatachowdary - PeerSpot reviewer
Cloud Operations Center Analyst at a pharma/biotech company with 10,001+ employees
Real User
Easy to set up with good vulnerability monitoring but the performance could be better
Pros and Cons
  • "It's very easy to set up."
  • "The performance could be better."

What is our primary use case?

The solution is for alerts. It will trigger if there is malicious traffic or some scripting attack. Any attack that is there, then it'll alert automatically.

What is most valuable?

We can protect against the worst level of attacks. We can see everything from the dashboard.

The vulnerability monitoring is great.

It's very easy to set up.

What needs improvement?

The performance could be better. It's a bit slow. When we click to launch the dashboard, it should be more responsive.

For how long have I used the solution?

I've been using the solution for the last six months. 

What do I think about the stability of the solution?

The performance could be better. It's a little bit slow. 

It's not very stable. We can't seem to support the latest version.

What do I think about the scalability of the solution?

We don't really handle the scaling. I can't speak to that aspect of the product.

We have about 300 to 400 agents running.

How are customer service and support?

Technical support is great.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We did previously use a different solution. The security team made the decision to switch. It wasn't a decision from an operations standpoint. 

How was the initial setup?

We just install the agent and whatever other notes you need to monitor.

It is straightforward to set up the solution. 

There's no deployment. We just run the agents and those will take care of the deployments. The security team will take care of the deployment part. Therefore, we just install the agents and hand over the environment to them. They will monitor everything.

What about the implementation team?

We don't need any outside help, really. Mostly they will give you the links and how you need to deploy everything. Based on that information, we'll follow that advice.

What's my experience with pricing, setup cost, and licensing?

I'm not sure of the exact cost of the solution. 

What other advice do I have?

We are on the latest update of the solution. 

There isn't really any specific knowledge required to use CrowdStrike, apart from maybe general knowledge of cyber security.

I'd rate the solution seven out of ten. If it had better performance, I would rate it higher. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Lead Engg. Information Assurance at ACPL Systems Pvt Ltd
Real User
Top 5
Simple initial setup, excellent support, and free upgrades
Pros and Cons
  • "One of the most valuable features of CrowdStrike Falcon is when there are upgrades there are no additional fees."
  • "CrowdStrike Falcon could improve by adding manual scanning or serverless scanning. It is not available at this time."

What is our primary use case?

I am using CrowdStrike Falcon to protect my endpoints from new zero-day threats.

What is most valuable?

One of the most valuable features of CrowdStrike Falcon is when there are upgrades there are no additional fees.

What needs improvement?

CrowdStrike Falcon could improve by adding manual scanning or serverless scanning. It is not available at this time.

For how long have I used the solution?

I have been using CrowdStrike Falcon for two and a half years.

What do I think about the stability of the solution?

CrowdStrike Falcon is stable.

What do I think about the scalability of the solution?

CrowdStrike Falcon is scalable enough for our needs.

We have approximately 250 people using this solution in my organization.

How are customer service and support?

We have used the technical support for investigations, but not for installation or anything else.

I rate the support of CrowdStrike Falcon a five out of five.

Which solution did I use previously and why did I switch?

I previously used McAfee, but it was not protecting against zero-day threats. We evaluated CrowdStrike Falcon and, when compared to McAfee, it was far better.

How was the initial setup?

The initial setup of CrowdStrike Falcon is easy.

What about the implementation team?

Our administrator of this solution had to configure the policy for the best detection.

What's my experience with pricing, setup cost, and licensing?

There is no license required to use this solution.

What other advice do I have?

My advice to others is this is a good solution that does not require a lot of attention. You can install it and it runs silently in the background.

I rate CrowdStrike Falcon a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Divyang Pastagiya - PeerSpot reviewer
Principal Consultant at Infosec Ventures
Real User
Light on resources, good performance, and useful administrator functions
Pros and Cons
  • "CrowdStrike Falcon's most valuable features are the lightweight agent which has absolutely zero performance issues. There is no performance deterioration on the laptop on the network. It is a signature-less antivirus and anti-malware solution, it doesn't depend on signatures which better protects the systems."
  • "The technical support could improve because I am in India and the support I receive is from the UK or Australia. It is difficult to manage the time difference. The service could be faster. However, when we do have the support they are knowledgeable."

What is most valuable?

CrowdStrike Falcon's most valuable features are the lightweight agent which has absolutely zero performance issues. There is no performance deterioration on the laptop on the network. It is a signature-less antivirus and anti-malware solution, it doesn't depend on signatures which better protects the systems.

The solution comes with many competitive modules, such as the Discover Module. It is helpful to us with regard to the application search. For example, which users are using which application, what is the application involved in, how many administrators and local users are there, and do the users have administrator privileges. It can give us a lot of information. Additionally, it can inform us if the user's password has changed. The solution is very useful for administrators and is overall easy to use and manage.

For how long have I used the solution?

I have been using CrowdStrike Falcon for seven months.

What do I think about the stability of the solution?

CrowdStrike Falcon is a highly stable solution. We have not had any performance or compatibility problems.

What do I think about the scalability of the solution?

The solution is scalable.

We have approximately 1,000 users using this solution in my organization. We plan to increase usage in the future.

How are customer service and support?

The technical support could improve because I am in India and the support I receive is from the UK or Australia. It is difficult to manage the time difference. The service could be faster. However, when we do have the support they are knowledgeable.

Which solution did I use previously and why did I switch?

We were previously using Symantec and we switched to CrowdStrike Falcon.

How was the initial setup?

The initial setup is straightforward. It took us approximately two weeks to implement.

What about the implementation team?

We have one person that does the implementation and support of CrowdStrike Falcon.

What's my experience with pricing, setup cost, and licensing?

The licensing model is straightforward. We choose the features we want and we then can download the package we want.

What other advice do I have?

I would highly recommend this solution to others.

I rate CrowdStrike Falcon a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
JavierFernandez - PeerSpot reviewer
Head of IT at Alantra
Real User
Accurate, good technical support, and reliable
Pros and Cons
  • "The most valuable feature of CrowdStrike Falcon is its accuracy."
  • "CrowdStrike Falcon could improve the logs by making them free to the API."

What is most valuable?

The most valuable feature of CrowdStrike Falcon is its accuracy.

What needs improvement?

CrowdStrike Falcon could improve the logs by making them free to the API.

For how long have I used the solution?

I have used CrowdStrike Falcon for two years.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

CrowdStrike Falcon is a scalable solution.

We have approximately 800 people using this solution in my organization.

How are customer service and support?

CrowdStrike Falcon technical support has been fine in my experience.

Which solution did I use previously and why did I switch?

I have used other solutions before CrowdStrike Falcon, such as Symantec.

Symantec does not have any advantage over CrowdStrike.

How was the initial setup?

The initial setup of CrowdStrike Falcon is easy.

What's my experience with pricing, setup cost, and licensing?

The price of CrowdStrike Falcon is reasonable.

What other advice do I have?

I rate CrowdStrike Falcon a nine out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user1424862 - PeerSpot reviewer
Cyber Security Engineer at a legal firm with 501-1,000 employees
Real User
The cloud-based management console is easy to maintain and takes a load off our hands
Pros and Cons
  • "It has definitely minimized resources. When everything was on-prem, there was a lot more work maintaining it. One of the big value tickets: I don't have lists of hundreds of exceptions for certain applications that I have to maintain, add, delete, and move. The very nature of the product has lessened my workload considerably."
  • "There are some aspects of the UI that could use some improvement, e.g., working in groups. I build a group, then I have to manually assign prevention policies, update policies, etc., but there is no function to copy that group. So, if I wanted to make a subgroup for troubleshooting or divide workstations into groups of laptops and desktops, then I have to manually build a brand new group. I can't just copy a build from one to another. Additionally, in order to do any work within a group, I have to first do the work on the respective prevention policy page or individual policy page, then remove the group if the group is assigned to a different prevention policy, remove the prevention policy, and then add the new one in. So, it can get a little hectic. It would be easier if I could add and remove things from the group page rather than having to go into the policy pages to do it."

What is our primary use case?

We are using it primarily for NGAV, but we also use their EDR product and Falcon OverWatch.

Most of our internal stuff is still on-prem. We do use SaaS for vendor products, but our internal environment is still mostly on-prem.

How has it helped my organization?

I think everyone is trying to move away from on-prem solutions. Having the cloud-based management console makes it a lot easier to maintain. It takes a load off our hands as engineers and analysts. It helps with upgrades and patching, I don't have to worry about on-prem servers for maintenance, but also as another thing to defend against, so getting rid of that is definitely beneficial.

As a cloud-native solution, it provides us with flexibility and always-on protection. I don't have to worry about data center failures on my end. I don't have to worry about any issues in our server rooms affecting the protection of the environment as a whole. Having CrowdStrike take that responsibility is a load off our backs.

Falcon has been very successful in preventing breaches. In the beginning, there were a lot of false positives as Falcon learned our environment, but I would definitely give it a positive rating overall for protecting our environment.

What is most valuable?

The NGAV portion is the most valuable feature. The primary reason that we went with the product was their reputation. In practice, it has been a definite step up from where we were previously.

We are using Falcon Investigate, which is their EDR tool. The EDR has made it infinitely easier to investigate into more detail on end user workstations and servers. Any sort of detection where I can go back into the EDR tool and dig down deeper into the endpoint is great. This was a function that we did not have previously.

What needs improvement?

There are some aspects of the UI that could use some improvement, e.g., working in groups. I build a group, then I have to manually assign prevention policies, update policies, etc., but there is no function to copy that group. So, if I wanted to make a subgroup for troubleshooting or divide workstations into groups of laptops and desktops, then I have to manually build a brand new group. I can't just copy a build from one to another. Additionally, in order to do any work within a group, I have to first do the work on the respective prevention policy page or individual policy page, then remove the group if the group is assigned to a different prevention policy, remove the prevention policy, and then add the new one in. So, it can get a little hectic. It would be easier if I could add and remove things from the group page rather than having to go into the policy pages to do it.

For how long have I used the solution?

I have been using it less than a year. We are relatively new customers.

What do I think about the stability of the solution?

My impressions of the stability are positive. I haven't had any problems since implementation with stability or availability.

Minimal maintenance is required on our side post-deployment, but it still does require maintenance. If I have to build out new groups or a troubleshooting group, e.g., tweaking policies if machines change subnets, then there is still maintenance required.

All post-implementation maintenance and administration is handled by a single security engineer.

What do I think about the scalability of the solution?

We are a relatively small firm, but I have had no problems in my deployment plans. I could easily see this scaling upwards.

In total, we are protecting roughly 1500 endpoints.

How are customer service and technical support?

They have been very on point and helpful. I have never had to ask them where they are. They are always following up with me trying to keep the tickets live, so that is great. I have been very impressed.

Which solution did I use previously and why did I switch?

We replaced Symantec Endpoint Protection. On the one hand, we wanted a fully NGAV. Symantec was still using a hybrid model, a mix of signature-based and behavioral-based detections, so moving over into a full NGAV product was important to us. We wanted to stay up to date on the ever changing nature of malware, especially since we have been seeing more malware nowadays that can evade strictly detection-based systems. Also, Symantec support was very hard to track down or talk to. All in all, CrowdStrike has been more responsive to any questions or concerns, which is big when you are dealing with vendor solutions.

Fortunately, we have not experienced any major detections. However, testing-wise, CrowdStrike has been more effective overall.

How was the initial setup?

Deployment was pretty easy. We scripted out a process in GPO, then we were able to deploy it fairly seamlessly.

We managed to deploy it to all our servers within a week or two. That was mostly due to getting clearance from server owners, not due to the CrowdStrike installation. Then, for the workstations, it was a bit longer just because of office locations and when people had their computers on. The CrowdStrike process was very smooth. It was really just the bureaucracy part that took a while.

We had to change management protocols. We put it out to dev servers and workstations in detect-only mode as we deployed CrowdStrike to endpoints that had a preexisting AV system still on them, in order to avoid any time where a system would not be protected by an antivirus system. So, we deployed CrowdStrike, then disabled the previous antivirus system and activated CrowdStrike's prevention policies, then uninstalled the previous antivirus system.

What about the implementation team?

Four or five people were involved in the deployment: a security engineer, two workstation engineers, and various server owners.

What was our ROI?

It is protecting our environment, so it is worth the cost.

It has definitely minimized resources. When everything was on-prem, there was a lot more work maintaining it. One of the big value tickets: I don't have lists of hundreds of exceptions for certain applications that I have to maintain, add, delete, and move. The very nature of the product has lessened my workload considerably.

What's my experience with pricing, setup cost, and licensing?

The pricing was very fair for what we got.

Different components are additional price points. We got the components that were right for us, but other organizations may require more (or less) components to suit their needs.

Which other solutions did I evaluate?

CrowdStrike is an industry leader. When we were looking for a replacement technology for NGAV, their name was on the top of a Google search.

We did a PoC with CrowdStrike. We deployed the PoC only to a select group of test machines, so we were able to deploy rather quickly. The PoC helped immensely in the decision-making process.

We did evaluate Cylance and Carbon Black. All the products that we investigated looked good. In the end, we went with CrowdStrike because of: 

  1. The reputation of the organization in the AV community.
  2. Its out-of-the-box readiness. 
  3. Ease of maintenance and administration.

What other advice do I have?

Take the time you need in the beginning to fully build out all the groups and prevention policies that you will need. It may take a bit longer during the initial setup, but it is worth it in the long run because it makes maintenance down the line much easier than having to build new groups or prevention policies as they come up. Definitely take the time needed in the beginning. Then, later down the road all you have to do is check some boxes, as opposed to building out brand new groups and prevention policies, which can take a while.

In the beginning, there will be a bunch of false positives as it learns your environment. However, those are very easily handled within the UI, creating IOA or machine learning exceptions. With our previous solution, we had a couple hundred exceptions, and with CrowdStrike, we have six or so.

CrowdStrike has fulfilled its function very well. We got it specifically to serve the purpose that it is serving.

It is a solid nine out of 10.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Buyer's Guide
Download our free CrowdStrike Falcon Report and get advice and tips from experienced pros sharing their opinions.
Updated: July 2025