CrowdStrike and Cylance are two innovators in the field of cybersecurity. Both produce next-generation anti-virus systems and Endpoint Protection and Response (EDR) packages. If you are in the market for endpoint protection, you will be hard-pressed to pick between these two systems.
Before venturing further into a comparison between these two systems, it has to be noted that Cylance is no longer an independent company and its brand is gradually being phased out. The business was bought by BlackBerry Limited in 2019 and although the Cylance name is still detailed on some pages of BlackBerry’s website, the replacement of “Cylance” with “BlackBerry” is becoming apparent. For example, you will see mention of CylancePROTECT and CylanceOPTICS on the BlackBerry website, but the solutions brief for those two systems refer to BlackBerry Protect and BlackBerry Optics.
The CrowdStrike and Cylance brands both produce many different packages and BlackBerry expands on the Cylance suite with even more platforms and services. The systems that the two brands offer in direct competition are CrowdStrike Falcon Prevent vs CylancePROTECT and CrowdStrike Falcon Insight vs CylanceOPTICS. So it is these two rivalries that we will examine in this comparison.
About CrowdStrike
CrowdStrike was originally a consultancy offering expertise to discover and remediate malware and hacker attacks. The business started operations in 2011 and, although the company added its own cybersecurity tools in 2013, it still maintains a consultancy division. The presence of both a library of automated security systems and a team of experts also enables the company to offer managed services.
The first tool that CrowdStrike created was Falcon Prevent. This is a next-generation anti-virus and it is still the key product of the Falcon suite. This is an on-device module and it is available for Windows, macOS, and Linux.
The activities of the company’s consultancy gained it a huge marketing advantage when the team was hired to investigate and remediate the Sony Pictures hack in 2015. That was a security break of global significance and got the CrowdStrike name broadcast on news programs around the clock and around the world. The consultancy also worked on the Democratic Party email hacks, which occurred in 2015 and 2016.
The brand recognition that the consultancy’s activities had a positive effect on the sales of CrowdStrike tools, enabling the business to expand rapidly. The company added to its list of modules in its cloud-based Falcon suite and also created new tools through acquisition. CrowdStrike is now expanding its services in the fields of Zero Trust Architecture (ZTA) and cloud resource protection.
CrowdStrike Holdings, Inc. floated on NASDAQ in 2019 and reported revenue of $1.45 billion for 2021. The business’s share price currently gives CrowdStrike a value of $45.86 billion. The company moved its headquarters from Sunnyvale, California to Austin, Texas in December 2021 and it currently has 3,394 employees.
About Cylance
Cylance, Inc. was set up in 2012 and drew a lot of attention because of the fame of one of its founders, Stuart McClure. After creating the renowned cybersecurity company, Foundstone in 2004, McClure gathered a following in the industry as a thinker and a key analyst of hacking methods. He sold the consultancy to McAfee in 2004, accepting the role of Chief Technology Ofer to the parent company.
Despite being a board member of one of the leading anti-virus providers, McClure frequently mused in public about the inadequacy of AVs, dubbing them retroactive tools that will only trigger once a device is already infected.
Cylance was McClure’s attempt to solidify his thought on proactive cybersecurity products into real-world solutions. The company’s first product, CylancePROTECT was released in 2014. This uses AI systems but not behavioral analytics, which is the core of the CrowdStrike system. Instead, the service scans all files as they arrive on the device, looking for several attributes that would signify malware.
Cylance easily attracted investors, thanks to its reputation of McClure and the company’s ability to deliver on its vision. Cylance expanded its list of products to six by February 2019, when the business was acquired by BlackBerry Limited.
BlackBerry has preserved Cylance’s suite of tools as a separate division but it is slowly deprecating the Cylance brand in favor of its own.
CrowdStrike Falcon Prevent vs CylancePROTECT: Head-to-head
Both CrowdStrike Falcon Prevent and CylancePROTECT install on endpoints. Both are available for Windows, macOS, and Linux and Cylance offers CylancePROTECT Mobile for Android and iOS.
The traditional anti-virus system maintains a database of signatures. These are usually hash signatures of malware files that have been encountered by the research labs of the providers. This means that the virus needs to be in circulation and noticed by a specific research lab before any of the clients of an anti-virus system get any protection. This is the proactive nature of AV that McClure criticized and vowed to stop.
CrowdStrike and Cylance took a different approach and both used Artificial Intelligence but in different ways.
CrowdStrike Falcon Prevent AI processes
Rather than using a signature-based detection system, Falcon Prevent uses an anomaly-based system. This strategy removes the need to constantly update a signature database and it enables the tool to detect any malicious activity, including intruder actions and insider threats. This mechanism also removes the need for an instance of the AV system to wait for an update before it can spot a new virus.
Anomaly detection establishes a record of normal activity and then looks for deviations from that standard. This technique looks at the activities of each user. As each installation is responsible for one device, it only has that one entity to profile. The strategy is called User and Entity Behavior Analytics (UEBA) and this is one of the identifying characteristics of a next-generation cybersecurity system.
The process in Falcon Prevent that establishes a pattern of regular behavior uses a machine learning technique, which is a discipline of artificial intelligence. Over time, the Falcon Prevent system can adjust that record of standard behavior. This tweaking reduces the occurrence of false-positive reporting and makes alerts for suspicious activities more credible.
CylancePROTECT AI processes
McClure eschewed the UEBA route that many other cybersecurity system providers took. He defined an approach for Cylance PROTECT that was neither signature-based nor anomaly-based. In truth, a Cylance method is a form of a signature-based system because it looks for patterns in any incoming file.
The reason that Cylance can claim that its system isn’t signature-based is that it doesn’t check files against a database of hash signatures. Instead, the Cylance team has defined a list of attributes that all malware will have – each piece of malware does not need to have all of the indicators. A quick scan for signs of these attributes is enough for the tool to decide whether or not a newly arrived file is malicious. The company claims that this check can be performed in 50 milliseconds.
The Cylance system has the advantage over traditional signature-based AVs in that its indicators are universal and the system can detect a brand new virus that has never been encountered anywhere else. The company declares that the characteristics that they defined will catch all new viruses even when a hacker comes up with a completely new approach to infection because there will always be the same fundamental goals of any piece of malware.
Cylance can detect fileless malware as well as file-based systems. However, unlike Falcon Prevent, it won’t catch malicious user activity. Cylance has a separate module for user behavior tracking, which is called CylancePERSONA.
The CylancePROTECT system uses AI for triage that speeds up detection. IT can order its attribute tests to filter out the largest number of viruses with the first scan. In many ways, the CylancePROTECT system can be compared to a vulnerability scanner – except that it operates its tests on arriving files rather than system resources.
CrowdStrike Falcon Prevent vs CylancePROTECT: The verdict
Both CrowdStrike Falcon Prevent and CylancePROTECT can block zero-day malware attacks, which makes either of them a good choice. The Cylance system is quicker to spot malware than CrowdStrike’s tool. However, CrowdStrike’s system can spot malicious user activity. By focusing its detection effort on malware, the Cylance system is less capable than the CrowdStrike package. You would need to buy a second package from Cylance to get the user activity tracking that is built into CrowdStrike Falcon Prevent.
CylancePROTECT and CrowdStrike Falcon Prevent are both on-device systems and each form the base package for all of the other services offered by its provider. All of the other tools by both of these companies are cloud-based and communicate with the on-site package, using it as an agent.
CrowdStrike Falcon Prevent and CylancePROTECT are more than just device agents for other software. They can provide extensive protection and will continue to work effectively even when the devices that they support are disconnected from the network. Both CrowdStrike and Cylance have created defense systems that do not rely on updates from elsewhere.
Between these two systems, CrowdStrike Falcon Prevent is the most comprehensive because it offers threat detection and not just malware spotting. However, the CylancePROTECT system is available for mobile devices as well as desktops, which makes that tool more appealing, especially for businesses that allow BYOD on their networks.
You can test CrowdStrike Falcon Prevent with a 15-day free trial. Assess CylancePROTECT with a demo.
CrowdStrike Falcon Insight vs CylanceOPTICS: Head-to-head
CrowdStrike Falcon Insight and CylanceOPTICS are both cloud-based endpoint detection and response (EDR) systems. The two packages are remarkably similar. Each relies on communication with their on-device counterpart to gather activity data and each sends back remediation advice for implementation.
These two systems are threat aggregation services that provide a private local threat intelligence network. A report of a threat from one endpoint is quickly communicated to all other local agents on the network.
CrowdStrike Falcon Insight methodology
Although it is billed as an EDR, CrowdStrike Falcon Insight can be better defined if it is looked upon as a SIEM. The tool collects activity data sent to it by Falcon Prevent instances and then searches through those records for indicators of compromise.
As it is based on the CrowdStrike servers, Falcon Insight software gets updated immediately and threat intelligence sharing between clients of the CrowdStrike service is easy to implement simply by sharing the threat identifications produced by each client node. CrowdStrike offers a global threat intelligence feed as a paid extra. This is called CrowdStrike Falcon X and includes IoC data from external sources.
As all of the source data for Falcon Insight threat detection comes from instances of Falcon Prevent, this tool doesn’t need to worry about converting different log data formats in a consolidation step. However, CrowdStrike offers an extended detection and response system, called Falcon XDR, which adds in the gathering of log data from third-party tools. The Falcon XDR system can also communicate with those third-party systems to implement threat remediation.
CylanceOPTICS methodology
CylanceOPTICS is almost identical to CrowdStrike Falcon Insight in that it coordinates between endpoint-resident CylancePROTECT instances. Cylance claims that its CylanceOPTICS threat detection process runs on each endpoint, while also stating that this is a cloud-based approach.
Reading through this description, it seems that extra threat-detection capabilities are added to the CylancePROTECT instances and then communicated as a local threat intelligence network via the Cylance cloud platform, which hosts the main CylanceOPTICS server.
CrowdStrike Falcon Insight vs CylanceOPTICS: The verdict
The claim by Cylance that its EDR performs most of its threat hunting on the device makes this a more secure option than the CrowdStrike system. Many hacker systems deploy defense packages that include isolating the target device from the network to block the defenses offered by cloud-based cybersecurity tools. So, the continuity offered by CylanceOPTICS is a good idea.
CrowdStrike Falcon Insight is effectively disabled if the device is disconnected from the network. In that scenario, the local Falcon Prevent instance will continue to protect the endpoint.
Although CrowdStrike offers a free trial of Falcon Prevent, there isn’t a similar offer for the Falcon Insight system. However, you can get a live demo. BlackBerry offers a demo of the CylanceOPTICS system.
