News of the Week (September 19-23)

1. CrowdStrike (CRWD) -- Annual Investor Event

The CrowdStrike team was adamant about not sharing any financial data during the week. The event was solely about product announcements and progress. Disappointing, but there was still a lot of necessary information coming from this for investors to absorb.

a. Notes from Founder/CEO George Kurtz:

On Competition:

“We test more than anyone else. We are the technology leader in the space. Our technology is better than the other companies that are out there. The testing results provide that… we continue to take share from next generation and incumbents alike.”

Client retention rate continues to set new records. This implies gross retention over 98.2%.

On Tech Differentiators Highlighted:

  • Falcon can “always stream the right amount and type” of telemetry back to the cloud. By contrast, competing products require a detection to trigger the data transfer, which then happens in batch mode and needs manual authorization. That is slower, more cumbersome and less efficient, while CrowdStrike’s platform continuously streams the needed telemetry to the right place.
  • Most competitors also share data in a purely “collect and forward” manner, with no automated evaluation and contextualization step like the one CrowdStrike performs via its Threat Graph and Asset Graph. The result is data inundation and noisy false positives that distract already scarce security teams. As an aside, CrowdStrike’s Falcon Complete managed offering takes this headache entirely out of the hands of a client’s internal security team.
  • The Falcon agent’s footprint and data requirement are far smaller than most competitors’, which is part of what makes contextualization at that scale possible.
  • The Falcon platform installs without a reboot. No competitor can claim the same, which is a real onboarding advantage. Kurtz joked about how averse legacy financial institutions are to allowing any kind of reboot; perhaps that’s why CrowdStrike dominates that sector.
  • The Threat Graph captures the most events in the industry “by far and away, period.” With the filtering and contextualization discussed above, it can do so without sacrificing performance or driving up false positives, while STILL ingesting non-security data sources. Humio and its very impressive data compression are a key cog enabling this formula.

On Recent Industry Developments:

  • The Falcon Platform observed a 170% rise in critical vulnerabilities YoY.
  • 71% of these were exploited without any malware at all: the attacker relies on stolen credentials and tooling already present on the system. Traditional signature-based anti-virus (and some of the fresh takes on it) is blind to that kind of activity, which is partially why CrowdStrike’s share gains from legacy vendors have been so notable.

George’s Chat with Salesforce CIO Juan Perez:

“What CrowdStrike does for UPS (Perez’s former company) and Salesforce is incredibly important. The solutions that CrowdStrike brings to the table are critical and make me feel more comfortable managing security posture… CrowdStrike is best in class for supporting a number of enterprise cyber activities. It’s vital to work with best in class in that domain.” -- Perez

Some Case Studies:

  • A financial institution with 600,000 endpoints went with CrowdStrike. It budgeted for 2 years of on-boarding time as it had been conditioned to expect. CrowdStrike on-boarded in 50 days.
  • CrowdStrike reached an endpoint on-boarding speed of 25,000 per hour while deploying on AWS.
  • CrowdStrike’s 4,700 business value assessments this year showed a 170% average client return on investment (ROI). The same report claimed investigations 77% faster, identity hygiene tasks 84% faster, and 70% lower effort to deploy and maintain versus the competition.
  • One large retailer saved millions by going with CrowdStrike and consolidating its 9 security agents onto the Falcon Platform. These anecdotal data points are very important. Why? CrowdStrike’s cost per endpoint is more expensive than most. It gets away with that by agent consolidation and better efficacy/automation serving as a powerful enough force multiplier to justify the higher price.
  • Per Forrester, Falcon LogScale (formerly Humio) generates a potential 210% ROI for customers.

b. Notes from CrowdStrike Chief Sales Officer Jim Seidel’s Chat with Customers & Partners:

On Falcon Complete:

“We added Falcon Complete as a buffer in the challenge to find and retain talent. Having a guaranteed eye on what’s going on with managed endpoints allows us to be more flexible and work on other things in our environment. It’s hugely important for us.” -- Brad Jones, VP of Information Security and CISO at Seagate

With 1.2 million unfilled jobs in security, this is key.

On Security’s Durability:

“Cyber security is the most survivable part of the budget from our vantage point. There have been cuts made to other categories, but no evidence of security budget degradation here.” -- Leo Makhlin, SVP of Worldwide Technology

“August was the hottest month in our history in terms of renewal and net new. September hasn’t disappointed thus far… the market is roaring especially for value add services like [CrowdStrike’s].” -- Optiv CEO Kevin Lynch

c. Product News

Humio is Now “Falcon LogScale:”

CrowdStrike renamed its log management acquisition (Humio) to Falcon LogScale. Beyond the rename, it also added long-term (multi-year) data retention, which the offering had lacked. It is also leveraging its threat hunting team to offer a “Managed Falcon LogScale” product for teams that want to offload more of their log management and observability duties.

There are 5 areas of observability:

  1. Event Monitoring (“is it running?”)
  2. Metrics/Performance Monitoring (“is it working?”)
  3. Availability Monitoring
  4. Business Insight (“is the business growing?”)
  5. Metrics Monitoring (improvement/optimization)

CrowdStrike is fixated on categories 1 and 2, which it sees as the vital bases it must own before expanding to the other three (which it intends to do). It will be interesting to see how big this segment can get against well-entrenched, formidable competitors like Datadog. This is not a greenfield opportunity, yet the company is objectively finding real success already.

On XDR:

As a reminder, XDR means Extended Detection and Response. It builds on Endpoint Detection and Response (EDR) by infusing other, non-endpoint data sources into the Falcon platform to expand threat detection to other parts of the software ecosystem. Three things are vital for XDR:

  1. A great EDR product, which CrowdStrike’s rapid share gains point to.
  2. A long roster of high quality 3rd party data partners to augment that EDR base and feed relevant telemetry.
     • This week, it announced Cisco, ForgeRock, Fortinet, competitor Palo Alto Networks and Microsoft’s (another competitor) Azure cloud program as the latest members of its XDR alliance (basically a massive data sharing entity).
  3. The ability to effectively use all of this data, which the Falcon Platform paired with Humio’s data compression enables.

I want to reiterate that one of the tech advantages listed above is particularly pertinent here. Contextualizing and evaluating data, rather than simply collecting and forwarding it, is close to a prerequisite for a strong XDR initiative. When you are ingesting data from every corner of the environment (identity providers, firewalls, cloud logs and endpoints), it MUST be correlated and ranked if it is to be of any value. This capability paves the way for CrowdStrike to win in XDR.
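To make the “collect and forward” vs. “contextualize” distinction concrete, here is an added Python example (mine, not CrowdStrike code and not from the event) that runs two pipelines over a handful of constructed events from three sources: an endpoint sensor, an identity provider and a firewall. The first pipeline forwards every event as its own alert. The second groups events per host within a time window, weights each weak signal, and multiplies by the number of distinct sources that agree, so that cross-source corroboration is what drives escalation. The event schema, weights and threshold are all assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str    # which sensor produced it: "edr" (endpoint), "idp" (identity), "fw" (network)
    host: str
    user: str
    kind: str      # normalized signal name, assumed here
    detail: str


T0 = datetime(2022, 9, 20, 9, 0)

# Constructed sample telemetry for illustration only; not real data from any vendor.
EVENTS = [
    Event(T0 + timedelta(minutes=1), "idp", "ws-17", "alice", "anomalous_login",  "login from new country"),
    Event(T0 + timedelta(minutes=4), "edr", "ws-17", "alice", "suspicious_child", "winword.exe -> powershell.exe -enc ..."),
    Event(T0 + timedelta(minutes=6), "fw",  "ws-17", "alice", "rare_egress",      "tcp/443 to never-seen domain"),
    Event(T0 + timedelta(minutes=2), "edr", "ws-22", "bob",   "suspicious_child", "explorer.exe -> powershell.exe (admin script)"),
    Event(T0 + timedelta(minutes=3), "idp", "ws-09", "carol", "failed_login",     "1 bad password"),
    Event(T0 + timedelta(minutes=5), "fw",  "ws-05", "dave",  "rare_egress",      "tcp/443 to new CDN host"),
]

# Per-signal weight (assumed). Each signal is weak on its own; none clears the
# escalation threshold by itself.
WEIGHTS = {"anomalous_login": 2, "suspicious_child": 3, "rare_egress": 2, "failed_login": 1}


def collect_and_forward(events):
    """Baseline pipeline: every event becomes its own alert, with no enrichment."""
    return [f"{e.source}:{e.host}:{e.kind}" for e in events]


def rank_incidents(events, window=timedelta(minutes=30), threshold=8):
    """Correlate events per host within a time window and score them.

    score = (sum of signal weights) * (number of distinct sources), so a single
    noisy sensor cannot escalate on its own but agreement across sources can.
    """
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_host[e.host].append(e)

    incidents = []
    for host, evs in by_host.items():
        first = evs[0].ts
        # Keep only events within `window` of the first one seen on this host
        cluster = [e for e in evs if e.ts - first <= window]
        sources = {e.source for e in cluster}
        score = sum(WEIGHTS.get(e.kind, 0) for e in cluster) * len(sources)
        incidents.append({
            "host": host,
            "score": score,
            "sources": sorted(sources),
            "kinds": [e.kind for e in cluster],
            "escalate": score >= threshold,
        })
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


if __name__ == "__main__":
    print(len(collect_and_forward(EVENTS)), "raw alerts from collect-and-forward")
    for inc in rank_incidents(EVENTS):
        print(inc)
```

On this input the forwarding pipeline hands the analyst six alerts, four of which are lone weak signals. The correlating pipeline escalates only ws-17, where identity, endpoint and network telemetry all agree, and ranks the rest below threshold without discarding them. The weights and the per-host grouping key are deliberately simple; a production graph would also join on user, process lineage and asset criticality.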

“Data without insight and context is meaningless. That’s why we commit to providing customers with the needed context to see threats faster.” -- CrowdStrike CTO Michael Sentonas

To further underscore CrowdStrike’s commitment to XDR, it renamed its Falcon Insight EDR module to Falcon Insight XDR. According to Kurtz, this “unlocks XDR for all EDR customers,” importantly without any interruption to the existing EDR functionality that customers have come to know and love.

As part of this announcement, CrowdStrike and network security vendor Zscaler announced a Zero Trust Integration to expedite detections even further.


On a New Partner Business Growth Initiative:

CrowdStrike launched the CrowdStrike Powered Service Provider Program (CPSP). This is similar to a brand ambassador or affiliate marketing endeavor. The program will help its service providers (selling partners) “unlock broader value add bundles and enhance profitability.” As part of the launch, these partners will now be able to choose individual Falcon modules to offer customers in an a la carte manner, or offer the entire platform at a materially discounted rate. With this new program comes an “Elite Tier” of invite only partners like Deloitte with larger selling incentives and integration opportunities.

New Cloud Native Application Protection Platform (CNAPP) Capabilities:

CrowdStrike integrated its Asset Graph into Falcon Horizon and its other cloud security modules, giving a single, simplified view of a company’s entire cloud estate. On top of that view, CrowdStrike will offer Cloud Infrastructure Entitlement Management (CIEM): a consolidated view of which human and machine identities are entitled to access and use what across cloud accounts, so that over-privileged identities can be found and trimmed before an attacker abuses them. This is no longer just an endpoint company… far from it.

Existing cloud competition “generally lacks identity and access controls and uses manual methods to ensure a least privilege approach,” according to Chief Product Officer Amol Kulkarni. CrowdStrike’s offering automates least privilege and comes with a one-click remediation feature that “stands out amongst new offerings,” according to IDC VP Frank Dickson. IDC is an independent research firm that has to be careful about showing bias toward a single company, so that was a big statement.
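What an automated least-privilege check of this kind actually does, as an added Python example that is mine and not Falcon Horizon’s code: take an identity’s granted IAM policy, expand its wildcard actions against a catalog of known action names, compare that against the actions the identity was actually observed invoking in CloudTrail-style logs, and emit both a report of unused (and unused-but-sensitive) entitlements and a tightened policy that keeps only what was used. The policy, the usage log and the action catalog are all constructed; the catalog is a small hand-picked subset standing in for the full service catalog a real CIEM tool would carry, and the “sensitive” set is my own choice.

```python
import fnmatch
import json

# Hand-picked subset of IAM action names, used to expand wildcards. Assumption:
# a real tool would load the full per-service action catalog instead.
ACTION_CATALOG = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:PutBucketPolicy", "s3:DeleteBucket",
    "iam:CreateUser", "iam:AttachUserPolicy", "iam:PassRole",
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
]

# Actions that grant, escalate or destroy; an unused grant here is worth flagging first.
SENSITIVE = {
    "iam:CreateUser", "iam:AttachUserPolicy", "iam:PassRole",
    "s3:PutBucketPolicy", "s3:DeleteBucket", "ec2:TerminateInstances",
}

# Constructed policy, attached to a hypothetical CI role. Real IAM JSON shape.
GRANTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::build-artifacts/*"},
        {"Effect": "Allow", "Action": ["ec2:Describe*", "iam:PassRole"], "Resource": "*"},
    ],
}

# Constructed 30-day usage, keeping only the two CloudTrail fields this check needs.
USAGE_LOG = [
    {"eventSource": "s3.amazonaws.com",  "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com",  "eventName": "PutObject"},
    {"eventSource": "s3.amazonaws.com",  "eventName": "GetObject"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]


def _actions(statement):
    """IAM allows Action to be a string or a list; normalize to a list."""
    a = statement["Action"]
    return a if isinstance(a, list) else [a]


def expand(patterns, catalog=ACTION_CATALOG):
    """Expand IAM action patterns ("s3:*", "ec2:Describe*") into concrete actions."""
    out = set()
    for p in patterns:
        out.update(a for a in catalog if fnmatch.fnmatchcase(a, p))
    return out


def used_actions(log):
    """Map CloudTrail eventSource/eventName pairs to "service:Action" names."""
    return {f"{r['eventSource'].split('.')[0]}:{r['eventName']}" for r in log}


def entitlement_report(policy, log):
    """Granted vs. used entitlements for one identity."""
    granted, wildcards = set(), []
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        wildcards += [a for a in _actions(st) if "*" in a]
        granted |= expand(_actions(st))
    used = used_actions(log)
    unused = granted - used
    return {
        "granted": sorted(granted),
        "used": sorted(used),
        "unused": sorted(unused),
        "unused_sensitive": sorted(unused & SENSITIVE),
        "wildcards": wildcards,
    }


def least_privilege_policy(policy, log):
    """Rewrite each Allow statement down to the concrete actions actually observed,
    preserving its Resource scope; statements with nothing used are dropped."""
    used = used_actions(log)
    stmts = []
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        keep = sorted(expand(_actions(st)) & used)
        if keep:
            stmts.append({"Effect": "Allow", "Action": keep, "Resource": st["Resource"]})
    return {"Version": policy["Version"], "Statement": stmts}


if __name__ == "__main__":
    print(json.dumps(entitlement_report(GRANTED_POLICY, USAGE_LOG), indent=2))
    print(json.dumps(least_privilege_policy(GRANTED_POLICY, USAGE_LOG), indent=2))
```

The caveat a practitioner will want before trusting any one-click remediation built on this logic: usage-based tightening only sees what ran inside the observation window, so a legitimate quarterly job or break-glass action that did not fire in those 30 days gets removed along with the genuinely dead grants. The report’s `unused_sensitive` list is the part to act on immediately; the generated policy should go through review, or be applied with a longer window, rather than straight to production.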