crowdstrike 24/7

Campus IT purchased last summer a cyber-security suite, “Falcon Enterprise”, from Crowdstrike (yes, that Crowdstrike). Crowdstrike is an American publicly traded company, and for now pretty successful – meaning that its products are accepted by customers and their IT personnel.

As I found the FAQ provided by the campus a bit lacking, I collected below a few points worth noting. (The prospectus, a.k.a. “white paper” on Falcon Enterprise can be found here.)

  • Falcon Enterprise is a big, distributed solution. The computers of faculty and staff and the campus servers with Falcon installed will run “sensors” – essentially, programs doing deep inspection of what is stored in memory, what processes are running and what traffic goes through ports. The sensors would, of course, have full access to the filesystem – and justly so: to catch a virus, one needs to look inside a file, not only at the file header. This is not very dissimilar to traditional anti-virus software, which looks for fingerprints (from a regularly updated database) of malice in the files on the computer or server.
  • What is different in the Crowdstrike solution is that these data are constantly sent back to the Crowdstrike servers, to be run through their proprietary system. The advantage of this is, of course, that an outbreak of mass infection on a network can be detected faster; and the culprits can (sometimes) be explicitly identified, which (again, sometimes) facilitates remedial actions.
  • The data Crowdstrike collects on end users’ – ours – laptops and desktops are stored at Crowdstrike servers for a few weeks. These data are nowhere close to comprehensive, of course. But we don’t know exactly what is sent up to the mothership. (Given Crowdstrike’s claim that their software is AI driven, that is, learning on the fly about emerging threats, they don’t explicitly control what is sent and stored either.)
  • Nonetheless, humans aren’t fully out of the loop: the white paper promises a dedicated team that will be monitoring our data 24/7 as they flow into their system. Campus IT personnel will also have – tightly regulated and bound by various legal constraints – visibility into our computers.
  • Overall campus costs are about $300K for setup and about $500K/year to operate. This, however, assumes that the install base is around 48K computers, which brings into focus the big question:
  • Who will be forced to install it on their computers? Right now the IT FAQ says that only campus-owned machines will need to get Falcon installed. We have about 5.5K faculty (tenure/tenure-track, specialized and visiting) and about 8K staff members, which of course includes facilities management etc. Do we really have about 4 networked computing units per person?

In summary: Crowdstrike’s Falcon Enterprise is a cutting-edge IT-security solution, an appropriate answer to the modern era’s unprecedented cyber-threats. Correspondingly, it is unprecedentedly intrusive, to a degree similar to tools run by financial or military organizations.
