Today I want to share my view in August 2024 and comment on the two leading EDR vendors in the enterprise space and explain why I think one is better than the other.
This post is motivated by a few things:
Firstly, let me summarise my understanding of the outage which prompted such widespread hysteria and further supported my suspicions of carelessness.
The incident, lasting several hours, affected the availability of key features in the Falcon platform, including threat detection and response capabilities.
CrowdStrike attributed the outage to a technical issue within its Falcon agent which led to widespread service degradation.
Honestly, this description above is very light: they messed up by not making sure the kernel actually started when they released new sensor definitions.
I would argue that CrowdStrike heavily targets the enterprise Windows market, so for them not to have this as part of their automated testing just highlights carelessness.
When we look at the EDR space it's very populated, but it's also lacking really strong viable options.
Overall there are many players; however, I would argue that many just don't really cut the grade for enterprise-level security.
If I had to produce a short list of EDRs to consider, I would suggest the following:
Beyond these five I would not spend much time on the others.
Many people will think this is unfair or wrong or unjust.
But this is based on my experience of selecting technology for over a decade, and it's not just about what detects the best, it's also about
There are many things to consider, and often I think long and hard on these types of decisions.
I am also biased a bit, as I have the most professional experience with western/USA-type security setups, so that's also something to consider.
Anyway, it's my article and it's my view :) so I will continue; it's just good for you to know those things.
In general what I have liked is
In general what I think is lacking is
I could list more, but in general it's not that great to use on a daily basis, and then you have the negative situation of such a large global outage, which clearly should have been mitigated with automated testing.
It was obvious we should consider switching.
Now, to preface: we were lucky that our renewal was up around the time of the outage, but there is no smoke without fire. I had quite disappointed feelings towards them and felt something was off or not solid.
With the global outage, unsurprising based on my experience, I feel they need to up their game to return to their leading EDR reputation of the early 2020s.
So during early 2024 I started to think maybe we should switch, and the outage in Q2 pretty much finalised my decision. Of course I don't make decisions in a vacuum, and you need to have stakeholder agreement.
So even though I was quite convinced, I hoped to achieve buy-in on a switch.
Looking forward from Q2 2024 onwards into 2025 and beyond, I think there will be many who reconsider the relevance of CrowdStrike as a top EDR, especially when the reputational cost of the outage has been very high. Overall the solution is certainly not as comprehensive as I first believed, which will likely become more commonly shared unless it improves.
My biggest concern would be the Falcon sensor for mobile, and any Network Admin or IT Executive really should double-click into this part, as you might be surprised to learn how little protection mobiles actually have with the CrowdStrike mobile sensor.
If you want to know where to start digging, look into the Per App VPN settings; then you will understand how you only have network traffic filtering, and with a BYOD device you can't even get that.
It certainly left me with more questions than answers around SMS zero-days and the like :)
Also, if you don't VPN all your client phone traffic you have more holes to fill, and I am not sure what you want to do about those? I just accepted we couldn't achieve our goals with their mobile offering in 2024.
From my perspective, our primary switching provider looked to be SentinelOne.
I looked into others, but in general they also had their pros and cons, and I had procured Trend Micro before and I didn't want to relive that experience.
At the time I purchased, they were very USA-focused, so maybe it has improved, but it wasn't worth the effort compared to the others.
So I would argue SentinelOne is the primary competitor to CrowdStrike, and I am sure they have seen a nice uptick in customer acquisition since the global outage, which will likely continue throughout 2024.
There are a few reasons why I would say it's worth a switch:
Overall, because of these reasons above, it fits better with my preference to split-tunnel and have the option to support BYOD-type mobile devices.
I understand this is not the policy of every organisation, and that enforcing VPN on all traffic is perhaps your preference, but to me being limited to that one configuration is not a scalable solution.
I prefer to have options and to deploy technology as needed that allows for a mix of convenience for users without compromising significantly on security.
So to me, having options for solutions is part of the reason for opting for a change.
I am satisfied right now, as we can still achieve our defence-in-depth objectives whilst also allowing for the choice between BYOD phones and corporately owned, locked-down phones.
Since the outage in July, CrowdStrike has reinforced its commitment to ensuring robust and reliable cybersecurity services.
The company is focusing on strengthening its cloud infrastructure, enhancing monitoring and response systems, and implementing preventative measures to avoid future disruptions.
These actions are expected and should be good steps forward to mitigate future issues. I am still skeptical it's enough, as there are rumours of a data leak also coming out of CrowdStrike, although it's not confirmed yet.
Moving forward, CrowdStrike needs to rebuild customer trust by prioritising transparency, reliability, and continuous improvement in its service offerings.
This outage has prompted the company to invest more in innovation and resilience, which will ensure it remains a leading force in the ever-evolving cybersecurity landscape, but it still needs to address the significant challenges of BYOD and mobile, along with its customer experience in general.
I would also expect it to struggle a bit economically. I have some sources close to them, and I know they laid off quite a few good engineers in the past year, so it's a bit of a challenging time for them, and it will be interesting to see if they can really maintain the dominant reputation they have enjoyed for the past decade or so.
So right now I haven't concluded on what I like and dislike about this platform; however, I will revisit this article periodically to update my views on SentinelOne.
As cybersecurity technology and company performances evolve, it's crucial to provide the most accurate and current insights.
SentinelOne's features, reliability, and overall value proposition will be monitored, especially in comparison to CrowdStrike, and I feel that EDR has become a commodity with low switching costs due to MDM deployments and SASE-type network infrastructure.
So you can trust that these updates will ensure that the comparison remains relevant and beneficial for those seeking the best cybersecurity solutions.
Stay tuned for future revisions that reflect the latest developments and my ongoing experiences with both platforms, probably a few months down the line, maybe one for Q4 2024.
Thanks
Oliver
Also, as a bonus, I am including this image to give some context on how the EDRs are currently performing.
© 2021 OliverDolan.com | All rights reserved