Crowdstrike was one of the first companies doing EDR, and have a first mover advantage they have held onto. Lots of other companies offer good solutions now, but crowdstrike is still considered the gold standard, and they have worked hard to become the “default” for their market segment.
Also thanks to ebpf it’s now very easy to implement EDR without a full blown rootkit in Linux and anyone on the bleeding edge is moving away from this kind of solution
What CrowdStrike is actually selling, is someone who actually looks at the system logs and who pushes a button when something pops up. Roughly.
There are better solutions on the market. Unfortunately CrowdStrike has the more aggressive sales team.
For those wondering, I’m referring to *nix based solutions like SElinux, appArmor, iptables, nftables, cgroups, …
But you need to monitor your logs if you want to take appropriate action.
The problem with SELinux/nftables/cgroups is that they don’t come with a centralised log aggregator, and they don’t do much blocking beyond the defaults for 99% of deployments. Also, SELinux is a massive pain to set up (even compared to AppArmor), and setting it up correctly is even worse.
CrowdStrike does a lot of what SELinux does but it’s easier to configure, works on every operating system, and comes with tools to roll out configuration across an organisation. There’s nothing close to that in the open source world. Even if you set up something yourself, you’ll need to continuously tweak your setup not to get in the way of employees and to prevent alert fatigue from all of the false positives.
I think a preconfigured solution like Security Onion combined with tons of group policy and Ansible can form an open source alternative, but that only monitors, whereas CrowdStrike also blocks. To block behaviour, you’ll need to write code for most platforms, and that’s just as likely to take down your org as an auto update from CrowdStrike.
The problem with SELinux/nftables/cgroups is that they don’t come with a centralised log aggregator, and they don’t do much blocking beyond the defaults for 99% of deployments.
You must not have heard of ®syslog.
Also, SELinux is a massive pain to set up (even compared to AppArmor), and setting it up correctly is even worse.
I beg to differ, I find SELinux easy to setup. But your mileage may vary, depending on one’s experience.
CrowdStrike does a lot of what SELinux does but it’s easier to configure, works on every operating system, and comes with tools to roll out configuration across an organisation. There’s nothing close to that in the open source world. Even if you set up something yourself, you’ll need to continuously tweak your setup not to get in the way of employees and to prevent alert fatigue from all of the false positives.
Apparently, recent events show it doesn’t work on every OS… 😜
When talking about ease of use… Configuration is configuration. If you do not take the time to learn how to use your product, the product you know will always be better than the one you don’t. I’ve used Crowdstrike. I’ve battled them to get their kernel modules signing certificate to be signed by RedHat. I’ve battled them to have the possibility to have the auto update disabled. So no, I am not impressed by the quality of their product.
I’ll bet any day a vanilla RHEL with the correct security related software and the latest updates outperforms and outclasses Crowdstrike.
I think a preconfigured solution like Security Onion combined with tons of group policy and Ansible can form an open source alternative, but that only monitors, whereas CrowdStrike also blocks. To block behaviour, you’ll need to write code for most platforms, and that’s just as likely to take down your org as an auto update from CrowdStrike.
I can’t speak of MS products, as I have not managed them for 20 years, but all of this is not needed on a decent Linux distro.
rsyslog and many other frameworks only work for programs that also output to rsyslog. For programs that do log to rsyslog, structured logging support is rarely available. There’s a reason tools like LogBeat exist; rsyslog is but one log aggregation tool.
SELinux is easy for trivial setups, but its tooling is clunky (and who the hell uses a binary format to store permissions anyway?). I much prefer AppArmor myself.
I don’t think CrowdStrike’s target audience is Linux shops. I get the feeling they have Linux support because some of their customers asked about it, and maybe it’ll work on some loosely configured end user systems, but enterprise Linux doesn’t seem to be their focus.
What do you use for live threat protection on Linux? If there’s a way to avoid these closed source trash fires I’ll gladly take it, but the best I’ve come across has been ClamAV and that’s not that great.
Or in other words, everyone else is complete shit.
No, but yes.
Crowdstrike was one of the first companies doing EDR, and have a first mover advantage they have held onto. Lots of other companies offer good solutions now, but crowdstrike is still considered the gold standard, and they have worked hard to become the “default” for their market segment.
Also thanks to ebpf it’s now very easy to implement EDR without a full blown rootkit in Linux and anyone on the bleeding edge is moving away from this kind of solution
What CrowdStrike is actually selling, is someone who actually looks at the system logs and who pushes a button when something pops up. Roughly.
There are better solutions on the market. Unfortunately CrowdStrike has the more aggressive sales team.
For those wondering, I’m referring to *nix based solutions like SElinux, appArmor, iptables, nftables, cgroups, … But you need to monitor your logs if you want to take appropriate action.
The problem with SELinux/nftables/cgroups is that they don’t come with a centralised log aggregator, and they don’t do much blocking beyond the defaults for 99% of deployments. Also, SELinux is a massive pain to set up (even compared to AppArmor), and setting it up correctly is even worse.
CrowdStrike does a lot of what SELinux does but it’s easier to configure, works on every operating system, and comes with tools to roll out configuration across an organisation. There’s nothing close to that in the open source world. Even if you set up something yourself, you’ll need to continuously tweak your setup not to get in the way of employees and to prevent alert fatigue from all of the false positives.
I think a preconfigured solution like Security Onion combined with tons of group policy and Ansible can form an open source alternative, but that only monitors, whereas CrowdStrike also blocks. To block behaviour, you’ll need to write code for most platforms, and that’s just as likely to take down your org as an auto update from CrowdStrike.
You must not have heard of ®syslog.
I beg to differ, I find SELinux easy to setup. But your mileage may vary, depending on one’s experience.
When talking about ease of use… Configuration is configuration. If you do not take the time to learn how to use your product, the product you know will always be better than the one you don’t. I’ve used Crowdstrike. I’ve battled them to get their kernel modules signing certificate to be signed by RedHat. I’ve battled them to have the possibility to have the auto update disabled. So no, I am not impressed by the quality of their product. I’ll bet any day a vanilla RHEL with the correct security related software and the latest updates outperforms and outclasses Crowdstrike.
rsyslog and many other frameworks only work for programs that also output to rsyslog. For programs that do log to rsyslog, structured logging support is rarely available. There’s a reason tools like LogBeat exist; rsyslog is but one log aggregation tool.
SELinux is easy for trivial setups, but its tooling is clunky (and who the hell uses a binary format to store permissions anyway?). I much prefer AppArmor myself.
I don’t think CrowdStrike’s target audience is Linux shops. I get the feeling they have Linux support because some of their customers asked about it, and maybe it’ll work on some loosely configured end user systems, but enterprise Linux doesn’t seem to be their focus.
What do you use for live threat protection on Linux? If there’s a way to avoid these closed source trash fires I’ll gladly take it, but the best I’ve come across has been ClamAV and that’s not that great.
No, it’s not a binary thing. There are other EDR products but they are the largest.
Crowdstrike marketed to c-suites better than the others.