CrowdStrike updated its Falcon security platform on Feb. 13, repackaging capabilities and providing organizations with new features that can replace and extend beyond legacy antivirus (AV) technologies. “What we have with the Falcon platform now is the ability to do AV replacement [and] EDR [endpoint detection and response] and provide integrated security intelligence, all from a single agent,” CrowdStrike co-founder and CTO Dmitri Alperovitch told eWEEK.
The Falcon platform combines an endpoint agent with CrowdStrike’s cloud service, providing advanced analytics and dashboard capabilities. The realigned platform now includes the Falcon Prevent AV replacement module, Falcon Insight Endpoint Detection and Response, Falcon Discover for application usage inventory, Falcon Intelligence for malware analysis and Falcon OverWatch for managed threat hunting.
The Falcon Prevent module is CrowdStrike’s AV replacement technology. It is being improved with machine learning capabilities that can help to protect endpoints even when they aren’t connected to the cloud.
“We have had machine learning in our cloud for a number of years, but now we’re putting it on the endpoint sensor,” Alperovitch said. “It provides offline protection for customers that need AV replacement.”
Prior to the new update, CrowdStrike had included its AV replacement technology as part of the Falcon Host module. Alperovitch explained that CrowdStrike is now making AV replacement with Falcon Prevent its own module, separate from the EDR capabilities.
“AV is all about detecting and blocking threats,” he said. “EDR is about threat detection, but it’s also about reporting everything that takes place, allowing organizations to hunt for threats from the data and then take sophisticated response actions.”
Falcon Discover is a new module in CrowdStrike’s platform that provides application discovery and usage visibility. Since the Falcon sensors are already collecting detailed information on all processes running across an organization, CrowdStrike is able to understand application usage, according to Alperovitch. The application usage information can be used for software licensing purposes as well as to help identify potentially unmanaged assets.
“One of the things Falcon can do is probe a network and see what other systems are running that do not have a Falcon sensor and are therefore unprotected,” he said. “That can help organizations find rogue devices.”
Falcon Discover also has the ability to monitor privileged accounts, tracking administrative accounts cross an organization. The system can report on how often the privileged accounts are used and where, as well as how often passwords are updated. Alperovitch sees Falcon Discover helping organizations meet compliance requirements.
One of the things that Falcon does not directly provide is data loss prevention (DLP) technology. While Falcon doesn’t perform the traditional DLP role of scanning data, looking for sensitive information, Alperovitch said it does provide insight into application and file usage by users.
“One of the main use cases for DLP is trying to track and prevent a user from trying to exfiltrate data from a company via a USB key or a cloud service,” Alperovitch said. “We’re tracking all filesystem and network activity so while we don’t necessarily know what’s in a document, we can provide organizations with visibility into everything that is happening.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.