CrowdStrike Falcon Platform Achieves 100% Ransomware Prevention with Zero False Positives, Wins AAA Enterprise Advanced Security Award from SE Labs

  • The CrowdStrike Falcon® platform achieved 100% protection accuracy and 100% legitimacy accuracy with zero false positives, winning SE Labs’ first-ever endpoint detection and response (EDR) ransomware detection and protection test
  • The Falcon platform detected and blocked 100% of ransomware files during testing, which involved both direct attacks with 270 ransomware variations and deep attack tactics, with 10 sophisticated attacks mimicking observed tactics of cybercriminals
  • The industry-leading Falcon platform is the world’s most tested next-gen security platform and continues to dominate the endpoint security market

The CrowdStrike Falcon platform delivered 100% ransomware detection and protection with zero false positives in winning the AAA Enterprise Advanced Security (Ransomware) Award in the first-ever SE Labs EDR ransomware evaluation. 

SE Labs AAA Enterprise Advanced Security (Ransomware) Award

This new ransomware-focused testing by SE Labs — the leading independent computer security testing organization — validates that the Falcon platform stands alone in protecting organizations of all sizes from ransomware and sophisticated breaches by using a defense-in-depth approach, applying advanced artificial intelligence (AI) to the vast telemetry of the CrowdStrike Security Cloud to power detections and provide real-time mitigation. 

CrowdStrike remains committed to public testing transparency and tests more than any other next-gen security platform in the world. The Falcon platform was named the Best Endpoint Detection and Response product for a second consecutive year in SE Labs’ 2021 Annual Report, delivered 100% detection in SE Labs’ Q4 2021 Enterprise Advanced Security (EDR) test, achieved 100% prevention in the fourth round of the MITRE Engenuity ATT&CK Enterprise Evaluations and won a fifth consecutive Approved Mac Security award from AV-Comparatives in 2022 by demonstrating 100% malware prevention. Gartner, Forrester and IDC have all recognized CrowdStrike as a leader in modern endpoint security.


In a report announcing the methodology and results of its extensive testing, SE Labs noted:

“CrowdStrike Falcon performed exceptionally well, providing complete detection and protection coverage against all direct ransomware attacks. It also provided thorough insight into the full network breaches that concluded with ransomware deployments. There were no false positive results. An excellent result in an extremely challenging test.”

The Falcon platform attained an AAA rating with test scores including 100% protection against ransomware and zero false positives. Here’s how SE Labs put the Falcon platform to the test and what the results mean for organizations that face the threat of ransomware every day.

Testing Falcon Platform Effectiveness Against Ransomware Attacks in Real-World Scenarios

Few cyberattacks strike fear in the hearts of organizations to the degree of ransomware. The prospect of data leaks, extortion, encrypted data, loss of business, negative headlines and the demand to pay ransom to even begin recovery is terrifying. Effective protection against ransomware is a critical part of stopping breaches and improving business resiliency. 

As organizations evaluate competing security solutions, third-party, independent testing that runs in configurations they can use, and that accounts for false positives, is an important part of the validation process. Organizations must be confident in their chosen security solution’s ability to stop sophisticated real-world ransomware attacks. Vendors that claim effectiveness but avoid testing should be viewed accordingly. 

The SE Labs test focused on realism, attacking systems using the same configurations, tools and methodologies observed in the wild, the most effective approach for delivering real-world results. Test networks represented what typical companies, government agencies, financial institutions and infrastructure services use — including systems configured as servers and workstations, and printers, email and web-based file-sharing services — and were repeatedly subjected to the two primary methods of ransomware attack: deep attack and direct attack.

  • Deep attack: Two testing teams simulated 10 sophisticated attacks from the ground up, mimicking the observed tactics of cybercriminals. They started with stolen credentials (or a similar method) to gain access to their target, then stealthily moved laterally through systems and the network. They used scripting tools such as PowerShell and Windows Command Shell, or User Account Control exploits, to expand their access privileges while avoiding detection. After completely compromising the test network, testers deployed the ransomware payload. Ten different ransomware payloads were used in these test cases, comprising both known ransomware variants and modified versions.
  • Direct attack: Testers replicated scenarios such as an email social engineering attack (i.e., phishing) to send ransomware directly to target systems. SE Labs used a wide distribution of known ransomware including Conti, DarkSide, Dharma, Maze and REvil, in addition to modified variations.

Figure 1. SE Labs protection details for Falcon platform scoring throughout the ransomware direct attacks evaluation. Copyright: SE Labs

Testing the Falcon Platform Against Previously Unknown Ransomware 

A security solution’s ability to protect against previously unknown ransomware is an important part of both deep attack and direct attack testing. SE Labs employed known ransomware that has been used in the wild, then modified the files so that they look different while retaining their behavior and functionality in the absence of security software.

Being able to detect and block known ransomware is obviously important. And if a security solution can also proactively detect unknown variants, it is far more effective than products that merely react to known threats. 

According to SE Labs:

“CrowdStrike Falcon performed exceptionally well at protecting against known and new variants of ransomware, as well as tracking network attacks that concluded with ransomware payloads.” 

Between known ransomware and the new variations created by SE Labs, 270 different ransomware samples were used in the testing. The ransomware samples were selected from nine prevalent ransomware families; 10 different ransomware payloads were selected from each family, resulting in 90 original ransomware files and 180 variations that were used by the SE Labs testers.

CrowdStrike: The Industry’s Technology Leader

This AAA rating in Enterprise Advanced Security (Ransomware) is recognition of the Falcon platform’s industry leadership in the automated detection and blocking of ransomware — in addition to its proven effectiveness against the full spectrum of cybersecurity threats.

The Falcon platform scored a perfect 100% protection accuracy rating, having detected and blocked every ransomware attack, including the unknown variants. The Falcon platform also achieved a 100% accuracy rating in identifying legitimate applications and websites, and in deep attack testing it detected all 10 attacks, exposing the ransomware in every case and offering thorough insight into the threat chains used in testing.

Overall, the Falcon platform received a total accuracy rating of 99%, which indicates it is extremely effective in protecting from subtle attacks and accurately identifying non-malicious objects such as web addresses and applications. As testing was performed in real-world configurations, accuracy means the evaluation also tested for false positives — and the Falcon platform generated absolutely none. 

Because SE Labs’ testing reflected real-world configurations, CrowdStrike’s extremely high scores translate immediately to real-world use cases. High accuracy means no inconvenience for users attempting to use legitimate websites or apps; it means no downtime resulting from the investigation of false positives; it means security operations center (SOC) analysts can spend more time addressing real detections in particular and less time operating security solutions in general — all of which serve to lower organizations’ TCO and minimize security-related business interruptions.

In short, CrowdStrike Falcon platform solutions provide instant value to both organizations and the SOC analysts protecting them.  

The full SE Labs report, including details on how the Falcon platform was tested, is available here.

See for yourself how the industry-leading CrowdStrike Falcon platform protects against modern threats like ransomware. Start a 15-day free trial today.
