I took these steps in order for them to have the ability to respond fully to the comments made by a customer. It was eight days before they returned with a brief statement on February 24, refusing to answer any of the questions asked. -Steve Ragan, Salted Hash
CrowdStrike's statement is produced in full below. On page two of this post, you'll find the interview with the source (incident response, finance) that their statement addresses.
"Without understanding who the customer is, and not understanding the role of this anonymous person, it is difficult to address any specifics of their implementation. Each customer has specific needs for their environment, which impacts how they implement and use our products.
"With a combination of Falcon Host, Falcon DNS and most importantly the data provided by Falcon Intelligence, we believe customers are in a position to dramatically reduce their exposure to a breach. We pride ourselves on providing value to our customers every day, and we continue to add new capabilities to our products as evidenced by our winter platform release, announced this week."
CrowdStrike's press release on the aforementioned product can be found here. While it wouldn't have stopped our research or reporting, Salted Hash was not aware of any pre-RSA Conference product releases from the company.
An incident response manager shares his experiences:
The image on the left is Falcon Host, the endpoint protection offering from threat intelligence vendor CrowdStrike.
The Falcon platform was launched by CrowdStrike during the 2013 RSA Conference. The image was shared with Salted Hash by a practitioner working in the finance sector - we'll call him Jason.
When asked for details, Jason said the threat actor profiles don't really relate to his organization. It's frustrating at times, he said, because the majority of the information on actors in the portal doesn't pertain to the financial threat actors he's seen. It's as if those actors are considered less important by CrowdStrike than nation-state actors.
But the adversary portal isn't a large part of his job; in fact he rarely needs to use it.
Just a typical day:
When an endpoint that's being monitored by Falcon Host trips an alert, Jason gets an email, and thus his day begins.
The email contains a login link to the Falcon Host portal, as well as the hostname of the system that triggered the alert and a severity rating. Nothing more is offered, and no matter what the severity, the notice still arrives via email, so there's no separate alert channel for high-severity events.
During a demo of Falcon Host, which Salted Hash registered for in order to verify Jason's claims, it was confirmed during the Q&A section that email alerts could be somewhat customized and delivered to individuals or groups. There was no mention of special alerts tied to an event's severity level.