CrowdStrike vs FireEye

CrowdStrike offers a cloud-based platform of cybersecurity tools, called Falcon. The services offered on the Falcon platform can be combined. They range from an EDR for the protection of all the endpoints on a site and also cloud protection systems. CrowdStrike also offers an XDR, which coordinates the system protection offered by other cybersecurity tools. Those systems with which the XDR interacts include other CrowdStrike products and third-party tools.

FireEye developed a cloud platform of cybersecurity systems, called Helix. Recently, FireEye merged with McAfee Enterprise and the combined business is called Trellix. The FireEye Helix collection is now called the Trellix platform. The Trellix system is marketed as an XDR. It interacts with other Trellix products, such as endpoint-resident systems and third-party cybersecurity packages.

The Trellix platform and the CrowdStrike Falcon XDR system are very similar. Both rely on the presence of other cybersecurity tools, so they require extra purchases to be effective. We are going to compare these two systems to get a context in which to assess the new Trellix platform.

About CrowdStrike

Crowdstrike AI-native cybersecurity platform website

CrowdStrike started up in 2011 as a cybersecurity consultancy. The company expanded its services by creating its own cybersecurity packages, which the business began to market in 2013. The company also offers managed services, a business model that benefits from both the consultancy and cybersecurity tools divisions of the company.

The first product offered by CrowdStrike was CrowdStrike Falcon Prevent, which is an on-device next-generation anti-virus system. The tool is available for Windows, macOS, and Linux. All of the other Falcon products are delivered from the cloud on a SaaS model. These cloud-based units require the presence of Falcon Prevent on all of the endpoints of the business because as well as implementing anti-virus services, Falcon Prevent acts as an agent for all of the other Falcon systems.

CrowdStrike has experienced rapid growth and the company has been able to expand the list of modules that it offers from its cloud platform, Falcon. The company has managed to keep up with developments in cybersecurity by adding a vulnerability manager and cloud security systems that include zero-trust access products to offer a different approach to system security.

CrowdStrike’s rapid growth is due to the publicity attracted by the high-profile attacks that the consultancy arm works on. The business has been able to shorten the development time for new products by acquiring specialized startups that offer innovative solutions to new security challenges.

CrowdStrike Holdings, Inc. has been listed on NASDAQ since 2019. The company reported revenue of $1.45 billion for 2021, although it did not make a profit in that year. By May 2022, the company had a market capitalization value of $45.86 billion. CrowdStrike has 3,394 employees and moved its headquarters from Sunnyvale, California to Austin, Texas in December 2021.

About FireEye and Trellix

Trellix Platform

The history of FireEye is more complicated than that of CrowdStrike. The business started up in 2004 but it didn’t produce its first product until 2010. The company then expanded rapidly from its US base, excelling in capturing market share in the Middle East and the Far East.

The founder of the company, Ashar Aziz, stepped down as CEO in 2012 on the appointment of David DeWalt to run the company. DeWalt had previously been the CEO of McAfee and his role was to bring the company into a position in which it could go public.

The company was research-led, which created a great deal of expense, preventing FireEye from chalking up a profit for most of its existence. In December 2013, the company went public, raising capital despite the lack of profit.

Investment from shareholders enabled the business to take over Mandiant in December 2013 for $1 billion; this company had previously been in a partnership agreement with FireEye. Mandiant excelled at cyberattack research, threat intelligence, and threat response. The company expanded through a series of acquisitions and Kevin Mandia, the founder of Mandiant took over as CEO in 2016.

FireEye’s first product was a sandboxing appliance. This piece of hardware trialed new software and opened files in a virtual environment to prevent malware from getting into operating systems or onto the network. The company then expanded through its many acquisitions to offer threat intelligence and malware protection systems. The company ported its software range to the cloud, creating its SaaS platform, called Helix.

In June 2021, CEO Kevin Mandia got his old company back. He split FireEye into two companies, selling off the Helix platform and its cybersecurity products to the Symphony Technology Group for $1.2 billion. What remained of FireEye was the research, consultancy, and threat intelligence services that were built around the original Mandiant. As a final step in his circular journey, Mandia renamed FireEye to revive the Mandiant name. Thus, FireEye is no more.

The Symphony Technology Group (STG) is a private tech investor and, a few months before acquiring FireEye, it bought McAfee Enterprise for $4 billion. STG merged the two businesses to launch Trellix in January 2022. Trellix is a privately held company, while Mandiant is a public company, listed on NASDAQ. However, Mandiant’s newfound independence will be short-lived – in March 2022, Google announced that it would be buying Mandiant for $5.4 billion and integrating it into its Google Cloud division.

What is an XDR?

XDR is a modification of the abbreviation EDR, which stands for endpoint detection and response. The term was coined in 2018 by Nir Zuk, founder, and CEO of Palo Alto Networks. The interpretation of the abbreviation is that it stands for extended detection and response. However, Zuk states that “X” represents “anything.”

You can read more about XDR in my guide, What is XDR? However, if you don’t have time to read that report, you just need to know that XDR is a SaaS-based coordinator of data from other tools and it mines that information for threat hunting and then sends back remediation instructions.

One requirement to meet the definition of XDR is that it is “vendor specific”. This implies that all of the tools that the coordinator communicates with should be produced by the same supplier. This attribute has become severely weakened since the term was defined because many XDR systems now implement security orchestration, automation, and response (SOAR). Although on the flattest definition of SOAR, this data and activity sharing concept could be restricted to the products of one vendor, in reality, it is implemented as a method to communicate with third-party tools.

The benefit of XDR and its use of SOAR is that it can be expanded. If the XDR producer adds a new product to its fleet, it can easily build a widget to include its cooperation in the XDR service. Similarly, as it is cloud-based, the software of the package is easy to amend. The supplier doesn’t have to prod all of its customers into downloading and installing an update file – they just run the update on their own servers.

SOAR is often expressed in sales copy as “integrations”. Many of the major XDR producers have a long list of integrations that allow their products to interact with partner systems produced by other companies. CrowdStrike Falcon XDR and the Trellix platform both have integrations to third-party tools, which disqualify them as XDRs if the original “vendor-specific” requirement is adhered to.

Similarly, the “SaaS-based” requirement can be stretched. No cloud-based cybersecurity system is exclusively operated on cloud servers. At least some elements have to be performed on the protected platform – data collection, for example.

CrowdStrike Falcon XDR Vs Trellix platform: Head-to-Head

CrowdStrike Falcon XDR operates on endpoints through the Falcon Prevent next-generation AV. The service also interacts with Falcon Firewall Management to identify incoming traffic on each endpoint, which implies visibility over network activity. The supervision of network security is a blind spot in the Falcon suite. Cloud assets are monitored through connections to Falcon Cloud Workload Protection and Container Security.

The gaps in the vision of Falcon systems are filled in by SOAR, which can gather data from third-party tools. The SOAR system in Falcon XDR is referred to as integrations and it connects through to the products of specific vendors rather than a universal linking method. The providers that are on the list of integrations are called the CrowdXDR Alliance.

CrowdStrike also produces an EDR, called Falcon Insight. This mainly works in tandem with Falcon Prevent. The addition of SOAR creates the Falcon XDR product. Below is an illustration of CrowdStrike’s vision for its XDR System.

XDR Architecture

While Falcon Insight operates a lot like a SIEM, CrowdStrike makes a point of stating that its XDR service isn’t a SIEM, so there are fundamental processing strategy differences between the two systems as well as the different pools of source data. Falcon XDR doesn’t aggregate data. Instead, it can be described as blowing away the chaff. It doesn’t store activity data, it scans the data as it passes through and only starts collecting information if it spots an Indicator of Compromise (IoC).

An IoC triggers a new mode in data processing, which causes the threat-hunting module to start. This collects specific data that relates to the device and user account that were involved in the initial IoC. If the next event in the predicted chain does not appear, the threat hunter drops its collection and returns to a wait state. If the next step is seen, the system raises a warning-level notification and continues to watch those specific entities.

The Falcon suite includes a threat intelligence service called Falcon X. A subscription to this package plugs into the XDR and improves its threat-hunting capabilities. With Falcon X, the XDR knows specific patterns of activity to look for because the Falcon X system prioritizes those attack vectors that have been recorded as prevalent across the world at that time.

The Trellix XDR strategy is depicted below.

Trellix XDR strategy

Although the shapes of the two illustrations from CrowdStrike and Trellix are different, the effect is the same. With Trellix’s diagram, we see a central XDR unit interfacing with a range of surrounding cybersecurity products. These offer cloud, endpoint, and infrastructure security monitoring to protect users and data. The collaboration point on the diagram represents SOAR.

The endpoint protection service in the Trellix system is provided by McAfee Endpoint Security. This is a standalone product that will operate as an AV even when the device it protects is disconnected from the network.

Cloud security is provided by the Trellix Cloud Security Service Edge package. This includes a secure Web gateway, a cloud access security broker (CASB), and zero trust access to fence applications. This is a little different from the CrowdStrike protection approach because it doesn’t include a cloud workload protection system.

Like CrowdStrike, Trellix is weak on network security. Instead, the structure of the Trellix protection system relies on endpoint security on-site and zero-trust network access protection for applications,

The SOAR system in Trellix is called Trellix Partnerships. This is part of the Trellix system that hasn’t yet been merged because the integrations list is segmented into McAfee Partners and FireEye Partners. However, this strategy makes up for the lack of network security in the Trellix bundle.

CrowdStrike Falcon XDR vs Trellix platform: The verdict

CrowdStrike and Trellix focus on endpoints in their XDR strategies, which leaves networks overlooked. Both offer strong endpoint security and new systems to protect cloud assets. However, the connections between sites and devices are less protected. For cloud assets, CrowdStrike protects the platforms that host applications, while Trellix guards access to individual applications.

Both CrowdStrike and Trellix make up for the gaps in their security suites by deploying SOAR to appropriate the power of third-party cybersecurity packages.

The best way to assess these two systems is to try them. However, neither CrowdStrike nor Trellix makes that task easy because neither provides a free trial of their XDR systems. Trellix doesn’t have a demo system either. You can assess CrowdStrike Falcon XDR by accessing a demo and you could try the 15-day free trial of Falcon Prevent.