Flavors of Security - CrowdStrike

This is part of the Flavors of Security series, in particular Part 2’s investment focus on what drives the hypergrowth stories within the cybersecurity space. If you need to learn the security terms & product abbreviations, you can look up the terms in that first post.

CrowdStrike (CRWD) - Endpoint Protection (Device)

Platform: Falcon Platform
Ecosystem: CrowdStrike Store
Partners: Technology Partners

Flavors of Security:

  • Current: EPP/EDR, MDR
  • Next wave: ?

Massive Tailwinds:

  • Mobile workforce
  • Growth of mobile devices and BYOD policies
  • IoT devices
  • ML/AI-driven Security

Differentiators:

  • Cloud-based -- no appliance or infrastructure needed. Infinite scale, unlimited capacity.
  • Platform w/ incremental add-ons, and a partner ecosystem accessed through an app store.
  • Strong adoption of ML/AI internally, labeling themselves as "AI Powered". Heavy focus on "crowdsourcing" of threat detection, which means they run their ML/AI driven threat detection over the entirety of their customer base.
  • Ease of install and use. Multiple layers of product & engagement levels available. Ancillary services like DF/IR available as needed.

Platform capabilities:

  • Protection: EPP, MDR, Sandbox, NGAV
  • Prevention: EDR, UEBA, NTA, IDS
  • Response: DF/IR

Products:

Endpoint Security

IT Admin Tools

Threat Intelligence

  • Falcon X (Threat Intel) - ML/AI features in order to identify & block Indicators of Compromise (threatening actions & behaviors)
  • Falcon Search Engine - searchable database of malware
  • Falcon Sandbox for malware analysis

Other Environments

  • Falcon on GovCloud - FedRAMP approved cloud offering
  • Falcon for Data Centers - bring Falcon platform on-premise

Subscription Levels:

  • Falcon Pro - base level with Prevent (EPP) and X (ML/AI)
  • Falcon Enterprise - ... plus Insight (EDR), Device Control, Overwatch (MDR)
  • Falcon Premium - ... plus Discover (network & usage tracking for admins)
  • Falcon Complete - all-in-one package with a dedicated team of MDR experts called "Complete Team" available 24x7x365; an EPPaaS for those who don't want to manage devices themselves

Services:

Partners:

Partner program is called CrowdStrike Elevate.

  • Falcon Connect API = enables partner integration
  • Falcon Orchestrator = open-source tool built on Connect API to automate workflows and SOAR integrations into actions for DF/IR, forensics, monitoring and alerts
  • Falcon Streaming API = enables SIEM integration

Partners:

Categories: SIEM, SOAR, Analytics, Network Security, Threat Platforms

Magic Quadrants:

EPP - from Gartner EPP report, 2019

Competitors:

  • EPP - Symantec, Sophos, Trend Micro, Microsoft, Kaspersky, Blackberry/Cylance, VMWare/Carbon Black, Elastic/Endgame, McAfee, Cisco, Palo Alto, Fortinet, FireEye
  • EDR - VMWare/Carbon Black, Cisco, Check Point, Blackberry/Cylance, Microsoft, McAfee, Sophos, Elastic/Endgame
  • MDR - FireEye, Rapid7, Cisco

Gartner customer reviews:

Thoughts:

For detailed background, see my CrowdStrike Deep Dive, May 2019.

CrowdStrike hit the market with a bang, IPOing to a massive valuation right out of the gate, then rose quickly. The share price definitely got ahead of itself, which is why I only owned a nibble from the IPO. But those heady times have ended, as over the last 2 months it has been halved from its top, as the SaaS bloodbath took a big toll and as political winds are swirling around it again.

As a reminder, EPP is the endpoint protection (device), and EDR is the continual monitoring of those endpoints, typically with NTA (network) and UEBA (user behavior) analysis to detect threats. Being cloud-based is the massive trend in EPP, as that allows maximum visibility across devices (whether they are located on-premise, in the cloud or mobile); Gartner predicts that cloud EPP will grow from 20% of new deals to 95% by 2025.

Crowdstrike is very hands-on. It starts with their installed agent, whose simplicity gets high marks in reviews. But this isn't set-and-forget -- their services are very proactive. You don't use their wide array of services piecemeal; you buy a certain subscription level (Pro, Enterprise, Premium, Complete), each of which encircles a widening pool of ancillary services and engagement levels. For the most turnkey package, a customer can sign up for Falcon Complete, which provides it all as a complete "EPPaaS" service that they will manage for you. As an example of how proactive their services can get, you can get Falcon Overwatch as a network traffic analysis service over the entirety of your endpoints. At the Enterprise pricing tier, you get the standard level of Overwatch, which gives you a limited MDR service with email alerts. At the Premium pricing tier, you get a full MDR service, with escalated notices, access to a response analyst, and quarterly briefings.

Unlike Zscaler, their marketing is crystal clear about what services engage at what pricing tier, and links to detailed pages per feature. Their pricing is clear, and is per-endpoint. It's very easy to get started using their service, and you can try it for free for 15 days to evaluate it. After I signed up, a sales rep contacted me and was very engaged.

As another reminder, DF/IR means forensics and response consulting services. Outside of their SaaS platform, you can engage their DF/IR services at any time for researching and handling a breach, or investigating your current security posture.

CEO on Q220 Earnings Q&A: "If you look at network data, I think the value of endpoint data is much higher than network data. Network data you've got to sift through, you've got to look at flows and at a high level. You have to understand what's happening with encrypted traffic and a lot of the attacks - it's very difficult to piece together what happened just with network flows. And that's why customers are demanding visibility on the endpoint. With our system, they can tell them that the process exactly what is happening across a fleet of hundreds or thousands of computers, which you would never be able to do with network products and network data. So again, network data can be valuable in certain areas, but we believe there is an exponential difference in the value of endpoint data."

Fast forward a month, however, and Crowdstrike has subsequently partnered with Zscaler -- so they are providing the endpoint protection of the device itself, and letting Zscaler protect the traffic. Their threat detection systems will integrate together. Sounds like a potent one-two punch.

On a different angle, the CEO mentioned on the last earnings call that AWS is contributing a heavy influx of new endpoints. It seems AWS has put a focus on Crowdstrike as their recommended provider for Endpoint Detection on their AWS Marketplace "Solution" pages.

Going forward, it is difficult for me to envision other ancillary angles from here. So I am not sure what will drive growth here beyond EPP. We'll have to watch and see if Crowdstrike is a one-trick pony that we can ride until the hypergrowth soon stops, or if they will have other waves of revenue from future ancillary services (like Okta and Zscaler are doing quite adeptly). The Zscaler partnership is a good sign that they will not pursue security over the network traffic, only the device itself.

But, oh my... there are a LOT of endpoints out there... and growing.

Gartner just put out a new report comparing EPP platforms across different customer profiles. CrowdStrike did very well in their ratings, being in the top 3 for every profile: the clear winner for cutting-edge companies (Type A), second place for stay-current ones (Type B), and third place for cost-conscious ones.

Strengths:

  • A leader in Endpoint Protection Magic Quadrant. Their ML/AI driven cloud-based platform seems clearly above the rest. Forrester just made them "Top Ranked".
  • Fully managed service with Incident Response and MDR. The notoriety from their investigations of high profile breaches has led to new customers.
  • Lots of competitors that are trying to buy their way into this market. Competition is even getting bought out by VMWare, Blackberry, and Elastic. Crowdstrike has the benefit of being SOLELY focused on endpoint security.
  • Customer growth is INSANE. +24% customers in ONE QUARTER. Companies are flocking to Crowdstrike's solution. Easy to get started; the simplicity of their installed endpoint agent gets very high marks from customers.
  • Heavy CARTA focus. The entire premise of their platform is using ML/AI to detect patterns on endpoints across the entirety of their customer base, and using behavior-based analysis to detect malicious activity (instead of being signature-based).
  • Has a very rich partner connectivity platform called Falcon Connect. Very strong on partner integration, with a wide set of APIs to integrate various aspects - in particular orchestration, monitoring & alerting. Not that many partners yet, but the new partnership with Zscaler shows that they are focused on being a part of a more complete solution.
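To make the EPP/EDR reminder above and the "behavior-based instead of signature-based" point concrete, here is an added illustration (my own constructed example, not CrowdStrike code and not how Falcon actually works): a hash blocklist catches only the sample it already knows, while a behavior rule (an Office application spawning an executable that is rare across the whole fleet) also catches a recompiled variant the blocklist has never seen. All hosts, process names and hashes are made up.

```python
import hashlib


def sha(label: str) -> str:
    """Stand-in for a file hash; derived from a label so the sample stays readable."""
    return hashlib.sha256(label.encode()).hexdigest()


# Signature list: only the first dropper build has ever been catalogued.
KNOWN_BAD = {sha("dropper-build-1")}

# Constructed process-start telemetry from five endpoints (all values made up).
# ws-02 runs a recompiled dropper under a new name, so its hash is unknown.
EVENTS = [
    {"host": "ws-01", "parent": "winword.exe", "proc": "dropper.exe", "hash": sha("dropper-build-1")},
    {"host": "ws-02", "parent": "winword.exe", "proc": "updater.exe", "hash": sha("dropper-build-2")},
    {"host": "ws-03", "parent": "explorer.exe", "proc": "chrome.exe", "hash": sha("chrome")},
    {"host": "ws-04", "parent": "explorer.exe", "proc": "chrome.exe", "hash": sha("chrome")},
    {"host": "ws-05", "parent": "explorer.exe", "proc": "chrome.exe", "hash": sha("chrome")},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def signature_hits(events):
    """Signature-style check: flag only files whose hash is already blocklisted."""
    return [e["host"] for e in events if e["hash"] in KNOWN_BAD]


def behaviour_hits(events, rare_threshold=1):
    """Behavior-style check: flag an Office app spawning a binary that is rare
    fleet-wide. Fleet prevalence is the 'crowd' signal: a hash seen on many
    hosts is probably benign software, one seen on a single host is not."""
    hosts_per_hash = {}
    for e in events:
        hosts_per_hash.setdefault(e["hash"], set()).add(e["host"])
    hits = []
    for e in events:
        office_child = e["parent"] in OFFICE_APPS
        rare = len(hosts_per_hash[e["hash"]]) <= rare_threshold
        if office_child and rare:
            hits.append(e["host"])
    return hits


if __name__ == "__main__":
    print("signature:", signature_hits(EVENTS))   # only ws-01
    print("behaviour:", behaviour_hits(EVENTS))   # ws-01 and ws-02
```

The blocklist needs a new entry for every rebuild, whereas the parent-child-plus-prevalence rule needs none; chrome.exe is not flagged because it is common across the fleet and not launched by an Office app.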

Concerns:

  • EPP is nowhere near as embedded a service as Okta or Zscaler, and can typically be swapped out easily for a competing solution. The hypergrowth and high $NER point to it being sticky, even after factoring in the competitiveness of the EPP market. However, it makes me keep a more critical eye on them than on Okta and Zscaler, which are way more deeply embedded in IT workflows.
  • Not ideal for non-internet connected devices. But that is pretty much the only down-side to being cloud-based.
  • I don't see what is going to power their next wave of growth, but it seems of little consequence... EPP/EDR is the hottest topic in cybersecurity (see all the acquisitions in this space), and they are at the top with ~100% sub rev growth. The current wave is going very strong.
  • AWS and Google are cloud partners, but not Azure. Falcon supports Azure endpoints, but Microsoft isn't a partner like the other 2. Perhaps it is due to Microsoft being an EPP competitor (though only on Windows systems).

-muji