The detection screen is where you will spend most of your time. It’s where you can see who has been infected, decide what to do to remove any infection or analyze the exploit with additional tools. There is a more detailed event search screen to track down similar events. A connection to Splunk’s process chain diagram is built-in, which shows you how the exploit moved through your endpoint. There are also search screens where you can cut and paste a hash value of your exploit and drill down further.
While we were conducting our review, CrowdStrike added a new feature called network containment to Falcon. This is similar to its competitors' offerings: you can essentially turn off a PC's network connectivity, leaving only its communication with the Falcon host intact, so that any suspected activity is blocked while you perform any necessary remediation. It can whitelist particular IP addresses and work with several incident response systems.
The investigate screen has search fields for user and computer names and a time range. When you locate your particular endpoint you can view an entire history of what has happened with that particular endpoint, where it has connected across the Internet, what zip and other compressed files have been downloaded, if any removable media has been attached and other information. Entries are all hot-linked so you can drill down further and see what has caused the behavior to be flagged by Falcon.
One small limitation is that users can only be added from the same network domain.
Falcon has a lot of depth, and that is both a good and a bad thing. If you have an active network with a lot of potential infections, you might be overwhelmed with its various responses and summary screens. But it also takes care of the most common infections automatically, without any operator intervention. CrowdStrike also provides a free host data collection tool called Crowd Response. This can gather system information, describe running processes and work with YARA rules for incident responders, and it can output reports to HTML for further analysis.
CrowdStrike has a separate connector that is installed on-premises and hands over information about exploits to various SIEM tools. They currently work with IBM QRadar, HP ArcSight, RSA Security Analytics, McAfee (formerly Nitro Security), Trustwave and LogRhythm products. They also work with various other security partners, including ThreatConnect, Tripwire, Zscaler, ThreatQuotient, ThreatStream, Infoblox, RiskVision, Check Point and Centripetal Networks. These integrations are through a well-documented API.
Falcon will cost $30 per endpoint per year, with quantity discounts available.
Cybereason comes either as a SaaS-based service or as a series of Linux servers packaged as a VMware ESX-based OVA file. It has agents that support Windows, Linux and Mac endpoints that are downloaded directly from the Web-based management console. It is designed for real-time malware hunting and has a nice series of visualizations to understand what is invading your network.