CrowdStrike Falcon® Detects 100% of Attacks in New SE Labs EDR Test, Winning Highest Rating

  • The CrowdStrike Falcon® platform achieves 100% attacks detected in new Advanced Security Test (EDR) from SE Labs
  • This SE Labs test demonstrated that CrowdStrike’s Zero Trust module, Falcon Identity Threat Protection, is a highly effective component in securing your environment against real-world attacks 
  • SE Labs is one of the most prestigious independent third-party testing institutions
  • Falcon wins AAA award with 100% Legitimate Accuracy rating and a 99% Total Accuracy rating
  • CrowdStrike remains committed to its mission to stop breaches and to participate in independent tests, offering transparency into our automated detection and prevention capabilities

CrowdStrike Falcon® received a new AAA award from independent testing organization SE Labs, achieving a 100% Attacks Detected rating in the latest SE Labs Advanced Security Test, part of the endpoint detection and response (EDR) testing category. These test results speak to CrowdStrike’s commitment to transparency and Falcon’s comprehensive insight into detecting relevant elements of attack throughout sophisticated adversary attack chains.

The Falcon platform achieved a 99% Total Accuracy Rating in detecting and protecting systems from sophisticated targeted attacks and 100% Legitimate Accuracy in correctly identifying legitimate applications, files and other objects such as URLs. CrowdStrike Falcon® also recently received the prestigious “Best Endpoint Detection and Response” 2021 award from SE Labs for the second consecutive year. These prestigious awards emphasize Falcon’s outstanding automated detection and prevention capabilities in keeping customers safe from sophisticated adversary attack chains. 

CrowdStrike remains committed to our mission to stop breaches, and regularly participating in independent third-party evaluations enables us to build better and more relevant capabilities to detect and protect customers from sophisticated attacks.

SE Labs Advanced Security Test: The Full Accuracy Story

Realistic testing of advanced security solutions involves more than just simulating complex attack chains used by sophisticated adversaries and assessing detection capabilities. It also requires testing for false positives on whether detections during each stage of the attack chain are accurate and indicative of malicious behavior. Failure to test for incorrect detections or false positives transforms the test into a log decoration competition where security vendors are awarded for how many alerts they trigger and how they describe those alerts, rather than rewarding them for the accuracy of those alerts.

In the latest SE Labs Advanced Security Test, evaluation was done with preventions disabled in the product so testing can progress, similar to MITRE ATT&CK® evaluations. With preventions enabled, each kill chain would be stopped almost immediately, and no measurement of later kill chain stages would be possible. Using the MITRE ATT&CK framework to decorate threat chains performed by four adversary groups (Dragonfly & Dragonfly 2.0, APT34, FIN7 & Carbanak, and APT29) across 16 different APT-style attacks, the evaluation examines how security solutions detect and track all elements of a sophisticated attack chain.

An essential part of the evaluation involves assessing how security solutions handle legitimate applications, testing for false positives or the accuracy of those detection alerts. False positives on legitimate applications, files and legitimate objects such as URLs can cause massive disruptions to organizations, especially when automated remediation procedures are triggered. 

“CrowdStrike Falcon® continued its tradition of excellent performance in this Advanced Security Test, demonstrating complete insights into relevant elements of an attack, detecting and providing visibility across multiple attack stages,” said Simon Edwards, CEO of SE Labs. “Additionally, the Falcon platform had zero false positives, equally important in the dynamic attack environment we are experiencing that has security teams stretched to capacity. With a 100% Legitimate Accuracy rating and 100% Detection Accuracy, CrowdStrike Falcon® achieves top-notch results for detecting sophisticated attacks while minimizing alert fatigue.”

Testing scenarios results revealed that Falcon offers complete insights into relevant elements of an attack, detecting and providing visibility across multiple attack stages. Falcon achieved outstanding detection scores from detecting the initial stages of an attack — such as delivery and execution — to relevant attacker actions, such as privilege escalation and lateral movement.

Validating Zero Trust in the Falcon Platform

This is the first public test to leverage CrowdStrike’s new Zero Trust module, Falcon Identity Threat Protection. The module uses the power of the CrowdStrike Security Cloud, and integrates with domain controllers and multifactor authentication (MFA) providers to identify threats that use identities in malicious ways. 

In the eCrime ecosystem, access brokers sell identity credentials stolen from various organizations (both corporations and government entities), either on criminal forums or through private channels. According to the CrowdStrike 2021 Global Threat Report, one of the top techniques used by eCrime adversaries is to use stolen credentials with RDP (Remote Desktop Protocol) or WMI (Windows Management Instrumentation), some of the most prevalent lateral movement techniques for gaining access across the infrastructure. 

By buying stolen credentials, eCriminals eliminate the need to spend time identifying targets and gaining access, allowing more attacks, quicker deployments and higher potential for monetization — malicious benefits that are especially appealing for big game hunting actors or aspiring ransomware operators. When defenders invalidate an account or immediately force MFA, that stops lateral movement or privilege escalation.

In the recent SE Labs testing, privilege escalation with valid accounts was part of the threat chains performed by the four adversary groups. CrowdStrike Falcon® immediately blocked all attempts at using stolen credentials across all four threat chains, underscoring the power of Zero Trust. Throughout the recent SE Labs test, Falcon displayed repeated MFA prompts for compromised accounts attempting lateral movement. 

With CrowdStrike Zero Trust, organizations can detect when an identity is abused and then stop adversaries’ reconnaissance, lateral movement and persistence within their networks without interrupting business operations. Falcon Identity Threat Protection is an invaluable addition to any Falcon deployment.  

Commitment to Testing and Track Record of Success

CrowdStrike Falcon® recently won the SE Labs “Best Endpoint Detection & Response” 2021 award, winning it for the second time since SE Labs introduced it in 2020. To date, Falcon has won 12 consecutive AAA ratings in Enterprise Endpoint Protection reports from SE Labs since March 2018. Further, CrowdStrike was named a strategic leader in AV-Comparatives Endpoint Protection and Response tests by AV-Comparatives and a leader in the Gartner Magic Quadrant for Endpoint Protection Platforms (EPP), reflecting a long track record for outstanding results and commitment to testing transparency, and we continue to remain fully committed to supporting independent third-party efforts.

Additional Resources

Related Content