Q&A: Crowdstrike CEO On The Evolving Endpoint Security Market And The Need For Security Integration

Kurtz On The Record

Crowdstrike has been one of the largest companies pioneering the next-generation endpoint security market, adding capabilities around prevention, threat hunting, forensics, and more to its endpoint detection and response platform. In a recent interview with CRN, CEO George Kurtz said he sees the market for next-generation endpoint security starting to mature, clashing head-on with legacy endpoint security vendors that are looking to evolve their market approach. The result, he said, is new entrants into the market, an upcoming wave of consolidation, and increased competition. With all the noise and confusion in the market, Kurtz said there is a particular opportunity for security solution providers to help customers develop integrated, best-of-breed solutions. Take a look at what he had to say.

Where does the endpoint security market stand right now?

It's certainly maturing. There's a lot of market awareness that the existing technologies are not working. When you look at the big guys – McAfee, Symantec, and Trend Micro – it's really analogous to what happened in the firewall space with Palo Alto Networks … The issue is the incumbent players can't make the transition architecturally to the cloud. Everyone I speak to wants a cloud model because that's where they're going … The challenge you have with the incumbent, legacy players is that their architecture … can't morph into what customers want, which is the ability to provide protection and visibility harmonized across both their internal systems and their cloud environment. If you can't do that, you won't be able to solve that problem … What we see out there is the legacy guys trying to sell the suites and add some features, as opposed to really being able to move to a native cloud architecture that has the flexibility, the scale and the speed to be able to deal with the enterprise environment of today. That's a big change, and that's why I think you see guys like us [at Crowdstrike] being very successful.

How is the market for next-generation endpoint security technologies evolving?

In terms of the next-gen folks in our competitive stack, we still see a lot of feature companies. Those features will be subsumed into the larger players. An example of that is machine learning and artificial intelligence. That's a feature – that's an algorithm. I can get any computer science second-year kid to come up with that algorithm, but it's how you build the platform out and what you do with it [that matters] … What do customers want? They don't want five agents. They want to get rid of them. They want one agent, and they want functionality across the platform. I think there's been a maturation and a realization that for the fifth time that the big guys have now claimed they will add a new feature and solve the world's problems, and that they're not going to get there. There's a lot of discontent with the incumbent players. I've never seen an industry where you have so many large players that enterprise customers want to move off of … There's a lot more skepticism.

If you're a legacy endpoint security vendor, can you overcome the skepticism around antivirus?

I think they would have to buy someone. But, fundamentally you would have to have the ability to change your architecture. I was at a big player [at McAfee as worldwide CTO and EVP] and I know what they can do and what they can't do … It's really the classic innovator's dilemma. You have smart people at all these companies, but you have to stop production and spend like three years and a lot of money to build a native cloud architecture … I wasn't in a position at McAfee to be able to do that because you can't stop the planes and trains – you have legacy customers. That is the challenge that most of the big guys run into. How do they get out of that? They have to acquire the technology to be able to get out of that trap and be able to make it work. But, just acquiring it and having another agent … that's not what customers want and the challenge big companies have. They don't have the architecture … You can't just buy stuff and slam it together … It's very difficult for some of the older guys, and even some of the newer guys, to just transform into a true native cloud architecture.

What do you think of network security companies who are now looking to make the move to endpoint security? Do they have an advantage?

It's going to be interesting … The difficulty that you find is that the DNA in a company is different. When you think about the DNA in Cisco or Palo Alto Networks – it is network ... Can they get there? I'm assuming they can get there … The technologies may be there, but the organizational structure isn't always there to make those successful.

You don't just flip a switch and say now we're endpoint guys. The reality, though, is when you think about a breach it's not a network breach. It's an endpoint or a server breach – that's where all the data is. The network is just like a highway where the bad guys drive to get to the house or the business to go rob it. I think that's why you've seen such a resurgence in the endpoint market … These are things that you really have to spend a lot of time building out and it's not just a blip to move into the endpoint space and be competitive. That's why a lot of the networking companies want to partner with us because we do provide that level of visibility through APIs to get that.

Where will the balance settle between network and endpoint security investments?

I think it will settle somewhere in the middle. When people look at an architecture, you have security reasons and you have compliance reasons. Firewall isn't going away. Network access and control is not going away. Compliance is not going away. When you think about all of those, I think what customers want is less complexity, less cost, they want to focus on their business, and they want vendors and manufacturers to just work together. I think that's been the challenge. If you look in our space, there aren't really great standards. Everyone makes their own stuff up. You have to be able to communicate and work with other partners, and that's really what customers are demanding. They are pushing us towards that. So, where do things settle? Probably somewhere in the middle.

Do you expect to see a lot of consolidation in the endpoint space?

I do. I think there's so many vendors out there and there's only so many [that can succeed]. There's a lot of niche players and there's a lot of players that only solve one piece of [the problem]. What we constantly hear from CIOs is they are looking for real estate and cost reduction in the system tray… Take back our endpoints. Make endpoints great again!... That's what people want. They're tired of a bad user experience. They're tired of signatures not working. They're tired of 15-minute boot times. They want it to work and they want it to not be in their way.

When you sell into a company, do they replace the things they've already bought or is it layered on top?

We're doing a lot of AV replacement of the big guys: McAfee, Symantec, etc. We're replacing them … We talk about nine different technologies that we consolidate … We're looking at being able to replace prevention technology as well as detection, as well as forensic and incident response technology across the gamut. That's been very well received. There's a lot of players that maybe just focus on response, or forensics, or advanced threat. We're even replacing some of the advanced threat guys like FireEye on the network side … I think across the board, when we look at what we can replace, it's a pretty compelling value proposition to get stuff off the endpoint, to create a communications architecture with those endpoints whether they're on or off the network, and to then provide a suite of applications that run on top of that and can solve specific use cases, whether it's next-gen AV or visibility or EDR or threat hunting or any of the other things we offer.

I feel like everyone in endpoint is moving to offer a full platform – where are you in that process?

We feel like we're already there. We have spent five years building out the platform and getting it right. We see a lot of our competitors not having that. They might just have the AV piece, but they're really light in detection and response … It gets back to the architecture: to be able to handle 30 billion discrete events a day and growing, you have to be able to have the right architecture. That's where a lot of companies fall down: they say they have a cloud architecture or they say they have these capabilities, but they just have a bunch of boxes in Amazon, and it's not really a native cloud. When we looked across the spectrum of the competitors in our space, today we're the only one to have a single agent, native cloud, next-gen AV, EDR, and managed threat hunting in one platform. No one else has that. There are pieces of it, but no one has that single agent native cloud.

Who are you most worried about in the endpoint market as a competitor?

I mean, there's a lot of players out there … There's a huge TAM and opportunity for the legacy players to be able to replace their renewals. That's their biggest opportunity. There's a lot of noise and competitors that are out there and everyone will get their fair share, but there are a couple of big elephants that are there that have huge renewal bases. People are migrating towards implementing a next-generation technology that actually works … It's the [biggest challenge] and the biggest opportunity for us.

How important is integration in the security industry today?

I think it's really important when you look at Crowdstrike and what we have built, and you know all the history that we're all McAfee guys – the McAfee mafia. When I started the company everything to me looked simple – McAfee, Symantec, Trend Micro. We wanted to look more like Salesforce and build a true cloud platform. When you think about what that means, it really focuses on an API-driven strategy and an ecosystem … If you really want to be a true cloud platform that is one-stop shop for endpoint, you have to have a rich ecosystem and you have to have rich APIs. That's one of the things we have spent a lot of time on. If you talk to our customers, they will tell you it's a very robust API architecture and it allows us to be able to integrate into the overall security fabric that they have … In today's environment, we realize that we're one piece of the security ecosystem. They have made purchases in the network space … We're one piece of the puzzle. We think we're an important piece, but we want to be able to work with that entire ecosystem. Customers don't want to get locked into [one vendor].

There seems to be a debate in security between best of breed and platform security. Which do you see customers demanding?

I guess I have to ask you – if I had a leaky lifeboat, would you want to buy it? They want the best of breed and they want them to work together via APIs. They realize that security is so complex … We are really good at what we do and I think customers understand that you have to specialize. It's like you don't go to your general practitioner and say you need a brain operation. You have to go to a specialized person – it's really the same way in security. What we see in the large vendors is that they are trying to play general practitioner. That is not working for customers. If it was working, you wouldn't have companies like Crowdstrike. As customers move their environments to the cloud ... they want to be able to embrace specific technologies. The suite that locks someone in is not really something that customers want. It's what the big guys want to sell. They really want the best of breed and they want to be able to mix and match at the higher end enterprise level.

How do you balance being integrated with others in the security industry, and being competitive?

There's always a little bit of "co-opetition," but we focus our efforts and our ecosystem in areas that we know we don't play in and we know we won't play in. If you think about network enforcement, gateways, firewalls, identity – those are not things that we're going to do but they're part of the overall security ecosystem. We're happy to have great partners in those areas.

What's the role of resellers in a more integrated security ecosystem?

What I've found is security is very local. There is an expertise that local resellers have and they have relationships on the local areas, not just in the US but around the globe. It's important for us to understand some of the local nuances in some of those geographies. That's first and foremost. What the reseller community wants to do is provide additional value-add. They understand the other parts of the ecosystem, who plays well together, and how to solve security problems. We look to partner with folks that are providing a more consultative-type sales approach, as opposed to pushing a box and marking it up. We think there's a lot of value add that resellers can bring and there's a lot of money that can be made by them to assemble the best of breed technologies into an integrated solution… At the end of the day, the customer is going to get the best solution.

What other areas of security are interesting to you right now, other than the endpoint security market?

I think the orchestration space is interesting because it adds the automated component to what people are looking for. They don't just want to know they have a problem; they want to be able to automate and have the systems take care of themselves. I think that's an up and coming area that has a lot of promise … It's one thing to tie it together from a visibility perspective, and it's another to tie together with the automation. You even see that with some of the Splunk Adaptive Security. They're a big partner with us, we have a lot of integrations with them, and we have a lot of joint customers that use our technologies together. The ability to take action and automate is, I think, a recurring theme that we're seeing.