SANS Institute Reviews CrowdStrike Falcon Endpoint Protection

SANS Blog Images

SANS Institute analysts have published a review of the CrowdStrike Falcon® platform, offering valuable third-party insight into Falcon capabilities to protect organizations from today’s most dangerous cyber threats.

Citing its own 2016 “State of Endpoint Security” survey, the SANS review begins with the premise that many of today’s endpoint security tools and practices provide inadequate defense against attacks such as ransomware, or stealthy “fileless” exploits that leverage legitimate system tools. The SANS report argues that what’s needed are prevention and detection tools that go beyond signature-based technology to predict an attacker’s movements and block them before damage occurs. This is the baseline against which they evaluated the CrowdStrike Falcon next-generation endpoint protection platform.

Their evaluation involved subjecting Falcon to a series of increasingly complex attack scenarios that included ransomware, phishing, browser exploits, credential theft, privilege escalation, and others. To conduct the evaluation, the SANS review environment included two elements: installing the lightweight Falcon agent and employing a cloud-based test bed that would be used to conduct and observe the attack scenarios.

Here is a summary of Falcon’s performance in several key test attack scenarios:


Detecting and Blocking Phishing and Browser Exploits: This test involved setting up an exploit using Metasploit, and sending a phishing email with a link back to the attacker’s virtual machine. The email was then opened and the link clicked, triggering the exploit. When they checked the Falcon console, the SANS evaluators observed that the exploit was immediately detected and blocked, starting from the point it was launched in Outlook. Falcon also provided the complete context of the threat with actionable intelligence, enabling immediate mitigation.

Detecting and Blocking PowerShell Attacks: There has been an increase in exploits that leverage standard Windows processes to bypass security, with PowerShell exploits emerging as a prevalent tool attackers use. Because PowerShell is a trusted application capable of many complex processes, traditional security solutions have trouble differentiating between malicious and normal PowerShell actions. Administrators allow it to execute since it is certainly not malware, although it can be used for malicious purposes. To test Falcon against a PowerShell attack, SANS ran a credential theft scenario, a type of attack designed to escalate an attacker’s access by using credentials with elevated privileges, giving the adversary administrative control. The attack used Metasploit to compromise a Windows 10 environment. Falcon not only detected the PowerShell execution immediately, it also detected and blocked the follow-up command used for dumping credentials.

Detecting and Blocking Ransomware Attacks and Quarantining Malware: This test involved executing a known strain of the Locky ransomware on a Windows host. When testers executed the malware,  a “high severity” event appeared in the console — the file was immediately marked as malicious, blocked and quarantined for further investigation. (It should be noted that although this testing was conducted before the massive WannaCry ransomware attack struck globally, Falcon also blocks WannaCry. Watch a demo  to see first-hand how Falcon stops WannaCry, or test drive the Falcon platform for yourself.)

The following CrowdStrike Falcon features were also reviewed in the report:


Deployment and Console: SANS reviewers were able to install the Falcon sensor, an extremely lightweight agent of less than 20MB, in less than 20 seconds on a Windows 10 machine. They also found the console simple to navigate, giving them an overview of detection events and activity with easy drill-down capabilities.

Falcon OverWatch Managed Threat Hunting: According to the report, this service has “real experts proactively look at what is occurring in your environment and sending detailed alerts to your team when unusual activity happens in the network.”  The reports explains that because many organizations are struggling to find and retain the right talent for detection and response, or the fact that they may be operationally overburdened, “This service could help significantly reduce the amount of time attackers are in the environment.”

Dashboards and Reporting: The report details the wide array of data available via the CrowdStrike Falcon Executive Summary Dashboard, including numerous “Top 10” breakdown charts of the most severe events and concerns. The SANS report also points out Falcon’s ease of integration with SIEM systems and other in-house tools and platforms.

In summary, the SANS evaluation found that the “CrowdStrike platform offers powerful prevention capabilities, as well as in-depth forensic and monitoring controls, along with live threat hunting services, that reduce the strain on security and response teams attempting to keep up with the fast pace at which threats change.”

Download the complete report: A New Era in Endpoint Protection: a SANS Product Review of CrowdStrike Falcon Endpoint Protection,” or contact us to learn more about the CrowdStrike Falcon platform. To get full access to CrowdStrike’s next-gen antivirus solution for 15 days visit the Falcon Prevent free trial page.

CrowdStrike Falcon Free Trial

Try CrowdStrike Free for 15 Days Get Started with A Free Trial