- The CrowdStrike Falcon® platform achieved 100% attack detection with zero false positives in the Q2 2023 SE Labs Enterprise Advanced Security (EAS) test, earning the AAA award for its perfect performance in the rigorous evaluation.
- SE Labs analysts’ intelligence-led testing employed the real-world tactics, techniques and procedures (TTPs) of four advanced threat groups, using four different threat series with full attack chains for each (16 attacks in total) in an attempt to evade detection by leading endpoint detection and response (EDR) products.
- This latest performance underscores our mission to stop breaches and shows our continued commitment to participating in independent testing, which provides transparency into the Falcon platform’s industry-leading automated detection and prevention capabilities.
The CrowdStrike Falcon® platform recently earned the SE Labs AAA award by delivering 100% attack detection with zero false positives in the Q2 2023 SE Labs Enterprise Advanced Security (EAS) test. The platform achieved perfect scores across every evaluation category.
This year’s evaluation presented a unique challenge to testing participants. SE Labs tested solutions to a full kill chain attack, from initial contact through reconnaissance, data exfiltration and lateral action. However, in order to capture each security product’s full insight into every stage of an attack, SE Labs analysts deliberately shut down each product’s preventive capabilities, giving the attackers an unhindered ability to run their full kill chain.
With the Falcon platform’s advanced protection in place, attackers will fail to break out and advance anywhere near to the stage of actually breaching a system. But the goal of the evaluation was to test detection capabilities. Shutting down prevention allows the detection test to evaluate the degree of total insight a product has into every stage of an attack — not only detection of the threat or attack but also associated activity including privilege escalation, actions and lateral movement.
Points were awarded based on detection accuracy through every stage of each attack. The security products were also awarded points based on their ability to correctly classify user interactions with legitimate applications and URLs, and false positives were penalized during testing because they negatively impact users.
SE Labs Q2 2023 EAS Detection Test Was Realistic and Demanding — and the Falcon Platform Crushed It
As part of the testing scenario, SE Labs emulated the real-world, observed tactics, techniques and procedures (TTPs) of four known, formidable adversary groups: Russia-nexus Turla (known as VENOMOUS BEAR in CrowdStrike adversary naming), China-nexus Ke3chang (VIXEN PANDA), China-nexus Threat Group-3390 (EMISSARY PANDA) and North Korea-nexus Kimsuky (VELVET CHOLLIMA). For each of these adversary groups, the testers ran four attack scenarios, for a total of 16 different attacks.
SE Labs describes the importance of this approach, which it says comprises the widest range of threats of any currently available public test:
“This test exposed market-leading endpoint security products to a diverse set of exploits, fileless attacks and malware, comprising the widest range of threats in any currently available public test. All of these attack types have been witnessed in real-world attacks over the previous few years. They are representative of a real and present threat to business networks the world over … It is important to note that while the test used the same types of attacks, new files were used. This exercised the tested product’s abilities to detect certain approaches to attacking systems rather than simply detecting malicious files that have become well-known over the previous few years. The results are an indicator of potential future performance rather than just a compliance check that the product can detect old attacks.”
Source: Q2 2023 SE Labs Enterprise Advanced Security EDR Detection report
CrowdStrike Falcon performed flawlessly during each of the attack stages across the four different adversaries:
- Delivery: 100% detection
- Execution: 100% detection
- Action: 100% detection
- Escalation: 100% detection
- Post-Escalation Action: 100% detection
- Lateral Movement: 100% detection
- Lateral Action: 100% detection
The Falcon platform had zero misses, for a 100% detection score during testing. This means the platform was fully aware of every stage of every attack, providing 360-degree visibility across the entire attack surface. It was able to report exactly what was happening, and if preventions hadn’t been disabled as part of the testing process, the Falcon platform would have taken action to block the attack from progressing.
In addition, with the same configuration, Falcon also scored a 100% Legitimate Accuracy rating, meaning analysts were not wasting time and resources chasing false positives. This is a big win for Falcon customers. The global shortage of cybersecurity professionals shows no signs of abating, and the digital skills gap continues to widen, making these highly trained security experts’ time extremely valuable. Any time spent investigating false positives is time that SOC analysts are not spending to prevent a costly breach. Falcon’s perfect performance and lack of false positives means fewer SOC analysts are required to effectively operate a company’s security stack.
More Than an Award: The Falcon Platform Delivers 100% Detection Accuracy to Customers
During the SE Labs EAS testing, points were awarded based on detection accuracy through every stage of each attack and on each product’s ability to correctly classify user interactions with legitimate applications and URLs, while false positives were penalized. This scoring reflects the real-life cost-benefit analysis of deploying a security solution — one that can see all aspects of an attack and stop it. However, it’s also important that the solution does not disrupt the business or waste valuable SOC analyst time with false positives.
With 100% detection accuracy (perfect detection with zero false positives), the Falcon platform won the AAA Award for the SE Labs April/May 2023 EAS test. However, the important message is more than just a headline about the award itself.
This performance is another example of CrowdStrike proving through independent, third-party testing that the Falcon platform is a leader at stopping sophisticated adversaries in their tracks, while offering a low total cost of ownership. Moreover, this independent testing was performed by SE Labs using the same version of Falcon used by CrowdStrike customers. There were no unrealistic configurations, vendor optimizations or special capabilities in play. The Falcon platform enables customers to deploy our agent to thousands of endpoints in minutes, rapidly activating the same industry-leading protection used in this evaluation in their environments.
CrowdStrike’s Commitment to Independent Testing
The SE Labs Q2 2023 EAS test is an example of the importance of participating in impartial, third-party testing. Evaluations by organizations like SE Labs are an invaluable resource, enabling security professionals to gauge the real-life performance of different security solutions under realistic, real-world attack scenarios. Independent testing also helps to drive innovation and product improvement and leads to a stronger cybersecurity industry in general. The benefits of these initiatives are why CrowdStrike remains firmly committed to industry research and independent testing.
The Falcon platform’s performance in public tests is also a showcase for the effectiveness of our advanced technology. It demonstrates just how effective machine learning, artificial intelligence, cloud-native architecture and CrowdStrike’s vast network of telemetry are at preventing breaches. It proves that CrowdStrike is a cybersecurity industry leader for a reason.