CrowdStrike’s Falcon Host combines several functions into a very attractive package, from the perspective of both the user and the IT administrator. It is one of the easiest products to install: you start with a web-based console that operates a cloud-hosted instance of its server. From there you download agents, or sensors, for a variety of Windows, Mac and Linux endpoints. The Windows sensors come as 32- and 64-bit MSI files; once installed, they automatically connect to the server instance. There is no interface on the desktop, and nothing shows up other than an entry in the installed programs screen in Control Panel. You don’t even have to reboot your computer to start using the software’s protective features.
Falcon’s core technology is strongly behavior-based. Instead of concentrating on scanning your endpoint for an infection, it first tries to classify whether it has seen this behavior before and what it is doing to your machine. CrowdStrike updates its rules in real time from the cloud. When the sensor finds a matching behavior, it is immediately blocked. Unlike some of the other products, you don’t adjust the threat thresholds that trigger the blocking action: CrowdStrike does this in its cloud-based management tool.
The company claims that some large installations of 80,000 endpoints were completed in less than a few hours. This seems accurate, and we were up and running within minutes with our first couple of endpoints.
The main console has a very clean design: the main menu strip runs down the left side and sub-menus are spread across the top of the screen. The main menus are divided into three dashboards; a news feed about product updates and release notes; a consolidated security events feed called Actors; a summary of what has been detected across your endpoint collection; a screening tool that can be used to evaluate any hash or file using drag and drop; an investigation console; and a series of configuration settings. This layout seems very logical and keeps switching back and forth among screens to a minimum.
The settings screens are found in the Response sub-menu and have a series of on/off switches to enable various features, such as blocking particular exploit categories, detecting CryptoWall or other ransomware, or detecting Windows login bypasses. CrowdStrike has strengthened the ransomware detection in subsequent updates too, and has a demo video of this on YouTube. There is an accompanying FAQ that explains what each switch accomplishes.
The three dashboards include an executive summary of what is going on, a summary of what has been detected across your network, and a view of what has been resolved either by the product or by manual intervention. All have a nice series of graphs and charts that are actionable: if you find a particular threat, you can click on it and drill down for more information about what Falcon found and what it did with it. In many cases, if it finds something objectionable, it will take care of it quickly and automatically.