While CrowdStrike remains as focused as ever on its flagship endpoint protection offering, solutions in the Falcon platform for identity security and XDR are addressing major security challenges for customers far beyond the endpoint itself, CrowdStrike chief product and engineering officer Amol Kulkarni said in an interview.
Along with launching extended detection and response (XDR) – as well as identity security that leverages zero trust principles – CrowdStrike has also brought an emphasis over the past year on workload security, including container security, Kulkarni told VentureBeat.
In terms of zero trust, CrowdStrike believes it has developed a solution that enables zero trust to actually be deployed at scale in the enterprise – an extremely difficult thing to accomplish, he said.
In the past, “only the likes of Google, who did the BeyondCorp initiative, was able to actually implement zero trust at scale,” Kulkarni said. “Our differentiator is that frictionless ability to implement all of that – so that you can actually deploy it at scale, in production.”
Kulkarni, who previously spent seven years at Microsoft, joined CrowdStrike in 2014. At the time, the company was generating less than $10 million in annual recurring revenue (ARR), he said. CrowdStrike is now at $1.73 billion in ARR, as of January 31. “It’s been quite a ride,” Kulkarni said.
What follows is an edited portion of the interview with Kulkarni.
VentureBeat: For anyone who doesn’t already know a lot about CrowdStrike Falcon, what are the main things you’d want people to know about the platform?
Amol Kulkarni: In terms of the Falcon platform – and the approach that we’ve taken to building security and then building the overall platform – the core focus is on three main things. The first is building it as a cloud-native platform, where we are doing cloud-delivered security. We were the first ones to do that back in 2011. And we’ve stuck with that. We do not have an on-premise option for customers.
Second is, it’s all driven through what we call the security cloud. This is similar to Salesforce, who built the customer relationship cloud / sales cloud, and Workday, who built the HR cloud. Or ServiceNow, building the workflow – and now the IT – cloud. What we’ve done is built a comprehensive security cloud. So this is a distributed data fabric that is collecting telemetry from all of the workloads that we protect, and collecting trillions of data points, and correlating them within this data fabric.
And then the third one, which I think is also super critical – but honestly doesn’t get highlighted as much – is we believe that the security has to be implemented and decisions have to be taken very close to the workload, very close to the edge – or at the edge. That is important in order to prevent attacks. And that’s what we do with our intelligent sensor, which is the agent that runs on the workloads that we protect. That sensor is actually doing event processing – complex event processing – in real-time and taking decisions in real-time, assisted by the cloud. But if there are disconnects with the cloud, and so on, it’s autonomous [from the cloud] to be able to continue protecting the workload.
VentureBeat: So your agent covers both endpoints and workloads?
AK: We of course started with endpoint security – laptops, desktops. But even from the beginning, we included servers and desktops and other things in that endpoint security realm. We built the system for any compute environment. What that meant is we were able to extend it to run on public cloud instances or your private cloud instances, virtual machines, very easily. In recent times, we’ve extended it to do additional security on mobile devices and IoT devices. So [we’ve been] essentially expanding the types of hosts or devices or compute environments that we can run and we can protect – that’s what we call workload security.
But there are two other [elements] which are very crucial. One is identity security. A lot of attacks are actually originating [with] or leveraging users and user accounts, to penetrate an environment and then laterally move across the environment. So identity security is that second leg of the story, in addition to workload security / runtime security. We’ve [developed that] organically as well as through an acquisition – of Preempt Security – that we did a couple of years back.
And then the third one, which we believe is also critical, is data security. And that’s work we are doing now. We recently acquired a company called SecureCircle, and that brings in some of the core technologies to do prevention for data security. We’re doing a lot of the work to build the telemetry around data movement tracking, which goes into the security cloud, that will power a variety of different data security products going forward.
VentureBeat: From a product perspective, what would you point as the biggest moves that CrowdStrike has made over the past year?
AK: So one of the key parts that drives our platform is the omnipresence of intelligence. We think in terms of the “OODA loop,” which I’m sure you’ve heard about. Observe, orient, decide and act. As part of that, we do a lot of security observability through our agent. We collect trillions of data points. But then you have to orient that data. Just putting a bunch of data in and throwing it to the user is not very helpful. You won’t get actionable insights out of it. So we do orientation through the lens of what is malicious and what is not, through the lens of AI, through the lens of behavioral analytics. But we also do orientation through intelligence. Our threat intelligence is industry-leading. We use that threat intelligence to figure out which attacker, or which actor group is trying to attack, what techniques and tactics they’re using, which industries they are focused on, and so on. That helps with that correlation in the security cloud. To help the customer see what is important for them, what is the most critical that they need to address? So in the last year, we worked on [our] intelligence graph, which stores and connects all of the threat intelligence that we have – and cross-connecting that intelligence to the customer’s environment, to the other graph that we already had, called the threat graph. So that to me, from a platform perspective, that was a big one.
Another key thing that we did last year was to develop a number of products in cloud security. So leveraging the core platform, and expanding it to focus on cloud security. So we shipped a [Falcon] Discover module that lets customers understand their cloud environment very easily at a glance. Because that’s the first step – what is running in the cloud? Most people don’t even know. Then we added a posture management piece – CSPM module – that focuses on, are you configured correctly in the cloud? And if not, it alerts you to the misconfigurations that you then go and remedy. So [we’ve done] a lot of work on cloud security.
Then we’ve continued to add the runtime security pieces with container security, which is a very fast-growing workload. More and more, customers are using containers, deploying their services in containers. And so natively supporting container security, as well as host security, with very low overhead, without complexity, has been a key initiative for last year.
Then the big one also was integrating the identity solution, that we acquired from Preempt Security, into the core platform. So we shipped a couple of products on identity security. They were very timely with the SolarWinds attacks, and all of the attacks that are leveraging identity as an entry point. We’ve been very pleased with how we’ve been able to detect and prevent and help protect our customers against those attacks.
VentureBeat: Since identity security is a newer area for CrowdStrike, what sort of momentum do you believe you’ve achieved so far in that area?
AK: Last year was definitely a marquee year for getting the word out, and there’s now a lot of recognition [in the market]. First and foremost, the initial part was really emphasizing the need for identity security. That was not as much of a known threat vector, and the industry was not as aware of the need for a solution there. But as Active Directory-based attacks continue to grow, and as we see more and more zero days for Exchange and Active Directory, it’s become very critical. And so, we feel great about the understanding now that the industry has around identity security, as well as thinking of us as a real leader in that space, who has the best detection technology – but also has a unique conditional access prevention technology, which is very frictionless.
VentureBeat: Those elements you just mentioned – the detection and conditional access – those are the big differentiators for your identity security solution?
AK: For the detection – as customers’ workloads really proliferate across various different hosting environments, you tend to have a lot more directories, a lot more identity solutions. So what you need is an identity threat detection solution that understands various different identity stores or directories, and understands threats on that. So that’s the identity threat detection piece. We will look at a variety of directories – Active Directory on-premise, as well as Azure Active Directory in the cloud, Okta, Ping, a bunch of directories – so that we can provide a holistic view for identities. Know all users, know all service accounts and what they’re doing – that’s the detection piece. And that looks at things like Golden SAML attacks and all of the Kerberos-related attacks that are common with token reuse. Then the second part is the prevention piece – that’s the conditional access module. Or the zero trust module, as we call it – which allows you to layer in dynamic conditional access without any friction, without having to modify the underlying services.
VentureBeat: And how differentiated is that?
AK: That’s very unique. We believe they are the only ones who have that capability, in that frictionless way – where you can add that capability by simply deploying an agent on the Active Directory domain controller. You don’t have to do anything else. There is no additional server to be deployed. There are no network topologies to be done, no certificates to be shared, and so on. And it can basically intercept any access request, and overlay conditional access dynamic policy on top of it. So let’s say you’re accessing Salesforce, and you’re accessing from your laptop – that’s fine. That’s normal behavior, it will go through fine. But then suddenly, your account is used from some other location, which is anomalous – then that will get blocked. Or it is used from a device which is not secure, which is not configured correctly. So the device posture is taken into account to implement zero trust in addition to the user posture. And we combine device posture and user posture to make a decision dynamically.
VentureBeat: Which part of that is particularly unique and differentiated?
AK: The main thing I would say is unique and differentiated is the fact that it is seamless to the user. Zero trust obviously has been there for a long time – like two decades. But any real solution at scale really has not been possible for a long time – because any such solution required integrating multiple different products together, stitching them together and building a very complex solution. Only the likes of Google, who did the BeyondCorp initiative, was able to actually implement zero trust at scale. Our differentiator is that frictionless ability to implement all of that – so that you can actually deploy it at scale, in production, everywhere you go.
VentureBeat: Maybe you could give an example of how this is frictionless – what is the friction that others have that you don’t have?
AK: To implement zero trust – if you look at some of the white papers that some of the large companies have published, they ask you to take and license three or four different products. Then they require customers to do custom development to stitch those together. That means that they have to log into multiple consoles, troubleshoot things. Even after doing that, it’s not giving you full coverage. So it’s a very complex solution. For us, it’s simply the case of using our agent [as] customers are already doing, running that on the Active Directory domain controller and configuring a policy in the cloud console – saying these are the elements that you use to determine the conditional access. And that just happens. Then it integrates with any multifactor authentication provider that you have. We support numerous ones. So any one that you are using, whether it’s a cloud-based or on-prem one, you basically get seamless conditional access, without really having to do any additional coding or stitching together.
VentureBeat: I know Microsoft has been heavily promoting a zero trust approach – would you contend that their solution for zero trust is one of these approaches that brings more friction?
AK: Very much so. Their white paper is like 30+ pages long, and the number of products you have to use – just looking at the diagram that they have is so complex. I cannot imagine people actually implementing it. And honestly, that’s the reason why people have not been able to until now.
VentureBeat: But it’s not just Microsoft – it’s others as well?
AK: Zero trust is a very overused term. Everyone, small and big, claims they have a zero trust solution. There are different aspects to zero trust. But the core part of taking the device posture and the user posture, and making a dynamic access decision, is the core – and that’s what we believe we do in a very seamless way, unlike anyone else.
VentureBeat: When it comes to your XDR offering, do you consider this to be an “open” XDR?
AK: We absolutely consider it an open XDR. That’s the reason we started the [CrowdXDR] Alliance. Open XDR is something some people have been bandying about, without really having any meat to it. Like, what does it mean? And when we defined the Falcon XDR [module], when we defined [CrowdXDR] Alliance, one thing we said is, we are building that so that we create a common schema for XDR – a common data schema, a shared data schema, that is crucial to reduce the friction for all of the partners, anyone playing in that ecosystem, to be able to make sense of the data, to correlate that data. To me that’s a big differentiator with that openness associated with the XDR schema as being the key part of the approach that we’re taking.
Then of course, related to that is what we define as XDR – because XDR is, again, very overused right now. The way we’ve clearly defined it is to say, the X in XDR is extending from EDR. That’s the first and foremost. You have to start from a very robust EDR, and extend it to other areas, like email security and cloud security, and so on, to get a holistic view. So that’s the first one. And out of that, you should be able to get new detections. The D is really saying, find new alerts, which would not be possible with a single product. And finally, the R is about responding to anything – any of the detections across the entire security stack. Not just one product, but across all the different domains.
VentureBeat: How much do you think security is shifting to XDR? And how important is XDR to CrowdStrike’s future – do you see yourselves being known as an XDR company in the future?
AK: I think the challenge in the industry is that the security stack, or the technology stack, within enterprises continues to grow in complexity. Because anyone adopting a new technology, nothing gets obsolete in the enterprise – unlike consumer, where new technologies come in, or technologies get obsolete. We have customers who have mainframes and they are on the cutting edge of cloud, using containers. So that’s the breadth that they have. And with that, you need a solution that really reduces the complexity for the end user. So we believe XDR has a lot of potential in that regard, to be able to solve for that integrated view across the entire security stack, and provide cross-correlation across the best of breed platforms. We’ve explicitly kept XDR as a layer on top. So customers can – and most of our customers do – use the core EDR products, the core identity security products. But then they can also leverage XDR to extend beyond the first-party products to support the third-party partners.
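The conditional-access decision Kulkarni describes above (device posture and user posture combined against a policy, with an anomalous location or an insecure device blocked and a hand-off to whatever MFA provider is configured) can be made concrete with a small policy evaluator. The following Python is an added illustration of that general idea, not CrowdStrike's code and not a description of how Falcon implements policy; the rule names, the sensitive-resource list, the account posture and the sample requests are all constructed for the example.

```python
"""Toy conditional-access evaluator: user posture + device posture -> decision.

Added illustration only; all policy values and sample data are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Callable, FrozenSet, List, Tuple


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP_MFA = "step_up_mfa"   # hand the request to the configured MFA provider
    BLOCK = "block"


@dataclass(frozen=True)
class DevicePosture:
    managed: bool     # an agent is present and reporting for this device
    compliant: bool   # the device meets the configured security baseline


@dataclass(frozen=True)
class UserPosture:
    usual_locations: FrozenSet[str]                 # where this account normally signs in from
    risk_flags: FrozenSet[str] = frozenset()        # flags raised by identity threat detection


@dataclass(frozen=True)
class AccessRequest:
    user: str
    location: str
    resource: str
    device: DevicePosture


Condition = Callable[[AccessRequest, UserPosture], bool]
Rule = Tuple[str, Condition, Decision]

# Constructed: resources that always require a step-up challenge even from a healthy device.
SENSITIVE_RESOURCES = frozenset({"finance-db"})

# Ordered policy, evaluated first-match. Hard denies come before step-up rules so a
# non-compliant device is never offered an MFA challenge it could pass.
POLICY: List[Rule] = [
    ("device unmanaged or non-compliant",
     lambda r, u: not (r.device.managed and r.device.compliant), Decision.BLOCK),
    ("account flagged by identity threat detection",
     lambda r, u: bool(u.risk_flags), Decision.BLOCK),
    ("sign-in from a location not previously seen for this account",
     lambda r, u: r.location not in u.usual_locations, Decision.BLOCK),
    ("access to a sensitive resource",
     lambda r, u: r.resource in SENSITIVE_RESOURCES, Decision.STEP_UP_MFA),
]


def evaluate(req: AccessRequest, posture: UserPosture) -> Tuple[Decision, str]:
    """Return the decision and the name of the rule that produced it (for audit logging)."""
    for name, condition, outcome in POLICY:
        if condition(req, posture):
            return outcome, name
    return Decision.ALLOW, "default allow"


# Constructed sample: one account's known posture and four requests against it.
ALICE = UserPosture(usual_locations=frozenset({"office-sfo"}))
GOOD_DEVICE = DevicePosture(managed=True, compliant=True)
BAD_DEVICE = DevicePosture(managed=True, compliant=False)

SAMPLE_REQUESTS = [
    AccessRequest("alice", "office-sfo", "crm", GOOD_DEVICE),         # normal behaviour
    AccessRequest("alice", "unknown-region", "crm", GOOD_DEVICE),     # anomalous location
    AccessRequest("alice", "office-sfo", "crm", BAD_DEVICE),          # insecure device
    AccessRequest("alice", "office-sfo", "finance-db", GOOD_DEVICE),  # sensitive resource
]


def run_samples() -> List[Tuple[str, str]]:
    """Evaluate every sample request; returns (decision value, matched rule) per request."""
    return [(decision.value, why) for decision, why in (evaluate(r, ALICE) for r in SAMPLE_REQUESTS)]


if __name__ == "__main__":
    for req, (decision, why) in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{req.user}@{req.location} -> {req.resource}: {decision} ({why})")
```

Returning the matched rule name alongside the decision is the detail a defender wants: every block or step-up then carries a reason that can be written to the audit log and reviewed, and reordering `POLICY` is the only change needed to alter which condition wins when several apply.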