Dr. Max Transforms Security Operations and Cuts Costs by 30% with CrowdStrike
Dr. Max, one of Central Europe’s largest pharmacy and healthcare retailers, needed to reduce complexity and gain control over security across a large, distributed environment. With tens of thousands of endpoints, users, and cloud workloads to protect, the team lacked a unified way to detect and respond to threats efficiently.
By consolidating on the CrowdStrike Falcon® platform, Dr. Max reduced security incidents, gained full visibility across its environment, and cut critical cloud risk exposure by 90% over 18 months. The organization unified security across endpoint, identity, cloud, and SIEM, enabling its security team to operate with greater speed and confidence.
Eliminating Tool Sprawl and Simplifying Operations
Before deploying CrowdStrike, Dr. Max relied on five separate security tools, each with its own agent, console, and integrations. This created unnecessary complexity and slowed the security team down.
“Before CrowdStrike, our team was spending more time troubleshooting the tools than focusing on actual security incidents,” explained Daniel Ghetu, Group Head of Security at Dr. Max.
This complexity introduced friction across the business. Technical issues caused by the security tools themselves averaged roughly 10 incidents per month, while large updates created network congestion and disruption.
By consolidating on the Falcon platform, Dr. Max eliminated all five tools and reduced security licensing costs by more than 30%. The team now operates from a single console.
“Our team now operates from a single pane of glass, which has dramatically reduced the burden of managing disparate tooling and vendor relationships,” Ghetu said.
Operational improvements followed quickly. Tool-related issues dropped to zero, and network congestion tied to security updates was eliminated. Agent lifecycle management also became significantly more efficient.
“With the Falcon platform, agent updates are now managed directly through CrowdStrike, eliminating the dependency on the workspace team entirely and freeing up significant time across both teams,” he said.
Gaining Visibility and Reducing Security Incidents
The transition to the Falcon platform also transformed endpoint visibility. Dr. Max deployed CrowdStrike Falcon® Insight XDR across 23,000 endpoints in just three days, achieving full coverage across its environment.
“Before deploying the Falcon platform, we were essentially blind, handling 4-5 security tickets a month … not because our environment was clean, but because we simply couldn’t see what was happening,” Ghetu said. “Once we rolled out CrowdStrike, that number jumped to around 80-100 per month. That wasn’t a sign that things got worse; it was the first time we had real visibility into our environment.”
With that visibility, the team focused on reducing risk across its environment.
“Over 18 months, we used that visibility to actually harden our posture across patching, USB controls, and identity protection remediations,” he said. “Today we’re down to 15-20 tickets a month, and the difference is that these are real, actionable incidents. The volume dropped because the attack surface really shrank, not because we learned to ignore alerts.”
At the same time, operational performance improved. Patching cycles dropped from 3-4 weeks to a single day, and mean time to detect and respond improved from days to minutes.
Securing Cloud and Container Environments at Scale
Dr. Max operates a large e-commerce environment with more than 1.9 million containers and over 2,400 nodes active in a seven-day period. Securing this environment at scale required real-time visibility and the ability to act quickly across thousands of workloads.
“Before deployment, we lacked the visibility needed to manage risk across a cloud environment of this size effectively,” Ghetu said.
After deploying CrowdStrike Falcon® Cloud Security, which provides unified visibility and real-time protection across cloud workloads and containers, the team quickly identified previously unknown risks and active threats, including misconfigurations, attack paths, hardcoded secrets, and vulnerable containers.
“These weren’t confirmations of suspected problems; they were new findings that would have remained hidden without CrowdStrike,” he said.
At the outset, Falcon Cloud Security identified roughly a dozen critical indicators of misconfiguration (IOMs) affecting thousands of resources. Over the next 18 months, Dr. Max reduced critical IOM exposure by approximately 90%.
“Being able to identify and remediate these risks across hundreds of thousands of containers, in an environment directly tied to live e-shop revenue, has had a meaningful and direct impact on both our security posture and business continuity,” Ghetu said.
Today, cloud threats are detected and investigated within seconds, enabling the team to respond quickly before they escalate or impact business operations. Security teams can investigate malicious activity, understand affected resources, and remediate risks before they disrupt uptime across Dr. Max’s e-commerce environment.
Accelerating Investigations and Modernizing the SOC
Dr. Max works with an external SOC provider, and CrowdStrike Falcon® Next-Gen SIEM serves as the foundation for detection and investigation. Consolidating security telemetry into the unified Falcon platform eliminated the need to switch between tools and manually correlate data.
“The switch to Falcon Next-Gen SIEM has fundamentally changed how our SOC operates day-to-day,” Ghetu said.
With centralized visibility and AI-assisted correlation integrated into workflows, analysts can move faster and focus on higher-value work.
“Analysts can now surface the right context and reach conclusions in a fraction of the time previously required,” he said.
Investigation time has been reduced by approximately 90%, and response times have improved by 40-60%. With the technology layer no longer a constraint, the team is now focused on optimizing processes.
Elevating Identity as a Critical Security Layer
Identity has become an increasingly important focus for Dr. Max as attackers target credentials and access paths.
Deploying CrowdStrike Falcon® Next-Gen Identity Security, which detects identity-based attacks and exposes attack paths in real time, gave the team visibility into identity-related risks, including Kerberoasting vulnerabilities, privilege escalation paths, and misuse of service accounts. These insights helped the team prioritize and reduce identity-based risk across the environment.
“Identity security moved meaningfully up the priority chain. This is increasingly where attacks land first in Dr. Max,” Ghetu explained.
Identity insights also helped uncover operational issues. By flagging anomalous authentication activity, the team identified underlying technical problems affecting business-critical applications.
With unified visibility and protection across endpoint, identity, cloud, and SIEM, Dr. Max has built a security program that can detect, prioritize, and respond to threats in real time. The organization now operates with the speed and control required to protect a large, distributed healthcare retailer.