The continuance of large numbers of security vulnerabilities in Microsoft software and architectural weaknesses in some of its systems, such as the Active Directory identity service, should be troubling to any customer, CrowdStrike co-founder and CEO George Kurtz told Protocol.
"Customers are asking the question, 'Do I really want to put all my eggs in one basket, with a company that has a long history of not creating secure software?'" Kurtz said in a recent interview.
"Some will. Some are going to do it," he said. "But there are a lot of companies that are saying, 'This can be a real risk to the company, using both Microsoft for security as well as applications, cloud, and everything else.'"
Kurtz, of course, is far from unbiased, given the fierce competition between his company's Falcon endpoint detection and response product and Microsoft's EDR, Defender. IDC figures have shown CrowdStrike in the lead on endpoint security market share, with 12.6% of the market in 2021, compared to 11.2% for Microsoft. However, CrowdStrike's growth of 68% in the market last year was surpassed by Microsoft's growth of nearly 82%, according to the IDC figures.
Speaking with Protocol, Kurtz discussed Microsoft's strategy of bundling Defender into its higher-tier Office 365 productivity suite, known as E5, as well as Microsoft's efforts to keep vulnerabilities out of its software. He also spoke about upcoming product categories that CrowdStrike plans to add as new modules on the company’s platform and the company's acquisition strategy.
This interview has been lightly edited for clarity and brevity.
Is it safe to assume that external attack surface management is going to be your next module?
It is. We're really excited about that. [Reposify is] a really cool company out of Israel, great technology. What they're focused on is really automating the understanding of internet-exposed infrastructure or cloud infrastructure, where things might be misconfigured or exposed — which is a huge problem.
Can you give any sense on what modules you might look at adding after that?
We really can't comment on the future [modules]. But I think if you look at the areas that we've been focused on, I'll maybe start there.
Obviously, people know us for endpoint and for cloud workload protection and visibility. We got into the identity space with Preempt — that's not an Okta competitor, it's more identity threat detection and prevention. And then we did an acquisition of SecureCircle in the data space because we do think that [data loss prevention] is a market that can be disrupted. It's kind of like the legacy [antivirus] market: [There are] not a lot of people happy with it, [it] doesn't work so great.
So it's really about putting those together and filling out more capabilities in each one of those three buckets. Obviously, we've got great capabilities, but there's always more that we can do, there's always additional companies out there [that could fit as] a module.
Do you think you would potentially do a larger acquisition at some point?
I think we evaluate deals as they come in, on a case-by-case basis. But our focus really has been smaller deals, good teams, and good technology.
In terms of the competitive landscape, I get the impression that Microsoft's E5 bundling of Defender can be pretty tempting for some customers. What are you doing to win EDR customers in light of that strategy by Microsoft?
Well I think you’ve got to start at the top, which is: There's really a crisis in trust with Microsoft for a lot of [customers]. I mean, every Tuesday is another zero-day Tuesday. So do you want your security architecture to be built by the same people who have more CVEs to their name than anyone else in the industry? Many don't.
The simple answer is, don't put all the eggs in one basket. And they want dedicated technology that is more advanced than signature-based AV. Defender, in part, is a signature-based AV product, with some other things bolted on top of it. So it starts there.
We've had many enterprise customers that looked at Microsoft, and when they looked at it, they're like, "We need five or six different consoles." They've come back and said, "We need many, many more people to run the Microsoft suite that we can't hire, and it would cost us more money than having the E5 license already in use." [CrowdStrike offers] immediate time to value, a better outcome, and lower costs. And that's what wins deals.
So the cost savings from E5 licensing is not the full story, then?
Who's going to run it? Who's going to administer it? How many consoles are you going to have? How much people-power does it take to actually run? Just do the math. Our customers have done the math, and we help them as well. We are significantly cheaper to operationalize than Microsoft. And we're going to have a better outcome.
What makes CrowdStrike so much less people-intensive?
Because we've got one console. We've got a single-agent architecture. Because of the architecture and the modular format, all built in the cloud, it doesn't require [as many people]. If you have a whole mishmash of different technologies that you bought and put together with five consoles, it's going to take a lot more effort to manage and operationalize it. We're built in the cloud. Microsoft started [as an] AV product. [CrowdStrike] is just a different architecture that is easier to use and requires less users to use it.
On at least one occasion in the past, a Microsoft executive suggested that security vendors shouldn't criticize each other because they should be working together on behalf of customers. What do you think about that idea?
Everyone wants to make sure customers are protected. But I think they should start with creating secure software. And when you look at some of these vulnerabilities, and some of the patches that have to be re-patched, and you look at just architecturally some of the decisions they've made, like with Active Directory, it's terrible. How is it that Microsoft technology is one of the only technologies that you can actually steal a password and reuse it without ever cracking it? It's just that the architecture is bad, and they have a lot of legacy decisions that still haunt customers today. That's Microsoft's fault.
Is there anything that you'd give Microsoft credit for in terms of security, or that you think was a good move on security by them?
They've done some decent acquisitions, for sure. And they've hired some good people there. But you can't just market your way out of it. You can't blame other people. And you've got to look inside and start fixing some of your own issues.