
CS is an EDR (Endpoint Detection & Response) and it connects to other parts like XDR (Extended Detection and Response) and MDM (Mobile Device Management). They differ from the typical antivirus in how they detect threats. The AV usually checks against known threats, while EDR detects endpoint behavior anomalies. For example, if your browser spawns a shell, it will be marked and the process quarantined. Of course, they do share a lot of common domains like real-time protection, cloud analysis, etc., and some AVs have most of the EDR capabilities, and some EDRs have most of the AV capabilities. This is briefly described.
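As an added illustration (not code from the thread or from any EDR vendor) of the behaviour rule the comment describes, the following toy detector flags a browser process that is the direct parent of a shell. The event fields, process names and sample telemetry are all constructed assumptions.

```python
"""Added example: a behaviour rule of the kind an EDR applies, flagging a
browser process that spawns a shell. Event fields and samples are constructed."""
from dataclasses import dataclass

# Process-creation events as a sensor might record them (constructed shape).
@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable name, lower-case, e.g. "chrome.exe"
    cmdline: str

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "safari"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "zsh"}

def browser_spawned_shell(events):
    """Return (browser_event, shell_event) pairs where a browser is the
    direct parent of a shell. A signature AV has nothing to match here, since
    both binaries are legitimate; only the parent/child relationship is odd."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image not in SHELLS:
            continue
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.image in BROWSERS:
            hits.append((parent, e))
    return hits

# Constructed sample telemetry: one normal shell launch, one suspicious one.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "chrome.exe", "chrome.exe --type=browser"),
    ProcEvent(201, 200, "chrome.exe", "chrome.exe --type=renderer"),
    ProcEvent(300, 100, "cmd.exe", "cmd.exe"),          # shell from explorer: normal
    ProcEvent(301, 201, "powershell.exe", "powershell.exe"),  # shell from browser: flag
]

if __name__ == "__main__":
    for parent, child in browser_spawned_shell(SAMPLE_EVENTS):
        print(f"ALERT: pid {child.pid} ({child.image}) spawned by "
              f"pid {parent.pid} ({parent.image})")
```

A real sensor would quarantine or suspend the flagged child rather than print, and would apply many such rules; this shows only the parent/child check.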



We're running something similar (not CS) where I work.

It seems to me that these tools create lots of problems (slows down the machine significantly in particular, gets things wrong and quarantines processes/machines when it shouldn't, injects itself into processes so changes behaviour, etc.).

The main question I have is: does anyone have an actual instance of such tools detecting something useful? No one in the office was able to show one.


I contracted for a company that gave me a company-issued MacBook with CrowdStrike. It logged my execve() or something, because I did a curl from rustup | sh, and this alerted an admin who then contacted me to ask if this was legitimate behaviour.


Worked for a fairly largish org (~40k employees), and one of the "security" gurus roped me into a conversation because he found a batch file in my Teams shared files. The contents:

set JAVA_HOME="what_ever_path"

and asked me to explain this egregious hacking attempt.


My company had a mandatory requirement of installing it. If you look into it, it logs and spies on everything you do: every DNS request, every website, every application, etc.

Now my M3 Ultra MacBook work computer that they gave is a 4000 USD Teams/email machine, since I prefer to work on computers without spyware.


I understand your preference. I have two questions:

1) Do you think that an organization should have no protections in place?

2) Why not just work from the machine they provided you, and do everything else on a personal machine?


> 1) Do you think that an organization should have no protections in place?

Do you think CrowdStrike offers protection?


I assume from your rhetorical question that you don't. I personally don't know enough about it to say whether it does or not, but I will make what I believe is a reasonable assumption and say that, all else being equal, yes, a fleet of machines with an EDR sensor installed is more "protected" than a fleet without.

If you have a point to make, why not just say what you are trying to say; it will be more effective discourse. I am genuinely curious.


The key to tools like CrowdStrike is not so much protection but being able to trace an attack through the infrastructure. They can see that your credentials were compromised on your machine, and which systems you then connected to (or that bad process did), so they can trace the attack and make sure they get it all cleaned up.


My favorite work story is from 10 years ago. We had an internal IRC server for the devs. I'd written an IRC bot to do some basic functions. It was running on my desktop.

I get a call from IT on my work phone. My co-workers hear my end of the conversation:

"No, it's not a bot net. It's just one bot. Yeah, I wrote it and it talks IRC."

Thankfully they left me alone.


You also forgot the part that it is a tool to spy on everything the employees do if it is installed on their computers.



