• remotelove@lemmy.ca
    link
    fedilink
    arrow-up
    211
    arrow-down
    1
    ·
    4 months ago

    It’s one of the better EDR (Endpoint Detection and Response) tools on the market. For enterprises, they are able to suck down tons of system activities and provide alerting for security teams.

    For detection, when I say “tons of data”, I mean it. Any background logs related to network activity, filesystem activity, command line info, service info, service actions and much more for every endpoint in an organization.

    The response component can block execution of apps or completely isolate an endpoint if it is compromised, only allowing access by security staff.

    Because Crowdstrike can (kind of) handle that much data and still be able to run rule checks while also providing SOC services makes them a common choice for enterprises.

    The problem is that EDR tools need to run at the kernel level (or at a very high permission level) to be able to read that type data and also block it. This increases the risk of catastrophic problems if specific drivers are blocked by another kind of anti-malware service.

    When you look at how EDR tools function, there is little difference between them and well written malware.

    Crowdstrike became a choice recently for many companies that got fucked over by Broadcom buying VMWare. VMWare owned another tool, Carbon Black, which became subject to the fuckery of Broadcom so more companies scrambled to Crowdstrike recently.

    I hope that was enough of a summary.

      • Dran@lemmy.world
        link
        fedilink
        arrow-up
        30
        ·
        4 months ago

        Endpoint is any PC/laptop/sign/POS/etc. It’s a catchall term for anything that isn’t a server. it basically refers to any machine that might be logged into and used by a non-IT user.

    • wizardbeard@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      4
      ·
      4 months ago

      Don’t forget the Superbowl ad and a ton of money put into marketing. It’s not surprising that it attaracted the attention of executives looking for something to tick an audit checkbox.

    • JustinA
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      4 months ago

      It’s a design flaw in windows to require a kernel driver for these kinds of tools.

      Similar tools in Linux like tcpdump and Falco only require cap_net_raw and/or ebpf. These tools are not able to cause a kernel panic, and they don’t have full access to the kernel.

      • remotelove@lemmy.ca
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        4 months ago

        It goes beyond Windows in this case. All the EDR tools I have worked with generally require kernel extensions for macOS and also Linux. Carbon Black and Apple never played nice together and it always took a week or so for Carbon Black to get an update after Apple did a kernel change. (Apple wouldn’t pre-release a kernel map for third-party vendors, I think.)

        Tcpdump and Falco in your example are detection/read-only. Response tools like CrowdStrike or Carbon Black are also response tools that need to block actions across the entire system.

        I am not sure about CrowdStrike’s functionality in this regard, but I used Cabon Black’s response shell quite a bit which gives a responder ring 0 without needing root credentials.

        There is still a case to be made about security tools not needing kernel drivers I believe. I am not smart enough to do that though.