How does Linux it self or some other software on Linux address what Crowd Strike is doing for Windows?
E: thanks for the answers :)
CrowdStrike’s Falcon Sensor agent can be and is installed on bare metal, VMs and inside Kubernetes clusters. All running Linux.
is there a use case … on Linux
It’s already installed on Linux, in massive companies all around the globe. Leadership sure thinks so.
Like it or not, most cyber insurance policies require all endpoints and hosts be secured with industry approved edr solution. Crowdstrike is a very popular multi platform player in that space. 🤷♂️
If someone starts transferring a bunch of files to an external drive, heuristics will detect that and alert. Source: I worked at crowdstrike six years ago.
How does Linux it self or some other software on Linux address what Crowd Strike is doing for Windows?
Well, it usually drops to a black screen and kernel panics, but lately there’s been a bit of a push for parity with windows.
The Linux BSOD is quite funny. But reading from Crowd Strike’s website the Falcon product is supposed to monitor for breaches(?), so I was curious about what analogs exist in Linux or how the OS it self takes on that role.
Crowdstrike exists for Linux too. In fact, it apparently crashed RHEL and Debian a few months back. That didn’t get so much attention.
Falcon seems to be a cross between an antivirus and an intrusion detection system (IDS). There are many antiviruses on Linux, but only one FOSS AV is popular - ClamAV. As for IDS, snort is an example.
But in the true sense, Falcon is much more than just an AV and IDS. It’s a way to detect breaches and report it back to CrowdStrike’s threat detection and analysis teams. I don’t think there exists a proper alternative even in the commercial sector.
deleted by creator
Is there a use case for CrowdStrike on any platform? No, there isn’t. Anything that messes with the kernel at that level should be considered a security threat on the basis of potential service disruption / threat to business continuity. Do you really want to run a closed source piece of malware as a kernel module?
They completely fuck over their customers in the business continuity aspect, they become the problem and I bet that most companies would never suffer any catastrophic failure this bad if they didn’t run their software at all. No hacker would be able to take down so many systems so fast and so hard.
As if taking down the systems is the biggest cybersecurity threat a company might have.
EDR is a massive security risk, so no.
If youre forced to install it, put it on a VM and don’t let it escape to your real machine. They can exfiltrate all your data and install malware as root.