Strike First, Strike Hard: How George Kurtz Has Built CrowdStrike Into A Cybersecurity Powerhouse
CrowdStrike CEO George Kurtz is fired up as his elite endpoint protection platform continues to win over customers, and he’s pulling no punches when it comes to taking on his rivals.
BlackLake Security was about to initiate a three-year CrowdStrike subscription renewal for an oil-and-gas customer when it received shocking news: The customer had been wooed by lower pricing and was switching to Microsoft.
But BlackLake founder and CEO Mark Jones knew the customer didn’t fully understand how much functionality and performance it would be giving up if it made the change, so he convinced the customer, which Jones declined to name, to take a call with BlackLake and CrowdStrike to let them lay out all the ways CrowdStrike’s technology beats Microsoft’s.
CrowdStrike’s engineer didn’t even make it halfway through the presentation before the customer changed its mind and decided to renew, Jones said.
“Microsoft will come in and give you a price that makes you go, ‘Wow, is CrowdStrike really that much better?’ Well, yeah, it actually is,” Jones told CRN. “You get what you pay for.”
With wins like that under his belt, it’s no wonder CrowdStrike co-founder, President and CEO George Kurtz is confident in the company’s technology, pulling no punches whether he’s fighting off hackers with his company’s elite endpoint protection platform or taking on rivals like Microsoft and SentinelOne by calling out where he says they fall short.
“When you look at our success, we’ve got the financial success and the performance, but that starts with having the best technology and the best platform, not just the best AV [anti-virus] product,” said Kurtz, who’s ranked as the ninth most influential leader on CRN’s 2021 Top 100 Executives list.
CrowdStrike’s technology earns kudos from industry analysts as well. The Sunnyvale, Calif.-based company’s Falcon platform beat out 11 competitors to take the crown as Forrester’s top endpoint security SaaS product this year. And in Gartner’s 2021 Magic Quadrant for Endpoint Protection Platforms, CrowdStrike, along with Microsoft, earned the highest ratings by a significant margin.
Kurtz’s confidence also comes in part from CrowdStrike’s ability to outlast many of its early foes. A slew of startups, including CrowdStrike, emerged in the 2000s and early 2010s to take on weaknesses in Symantec’s and McAfee’s anti-virus products with a modern approach that’s predictive, signature-less and goes beyond prevention. But most of those challengers cashed in their chips in 2019, with Carbon Black, Cylance and Endgame getting bought by VMware, BlackBerry and Elastic, respectively, for a combined $3.7 billion.
“They didn’t build a platform. They were one-trick ponies that built a slightly better AV product than the legacy players that were out there,” Kurtz told CRN in an exclusive interview in July. “But for me, it was all about, ‘Let’s build the platform the right way. And let’s have investors that understand this is a long play.’ We saw the big play of being the Salesforce of security.”
Elastic told CRN that Endgame’s product combined anti-virus with endpoint detection and response. BlackBerry and VMware Carbon Black did not respond to a request for comment.
CrowdStrike went public in June 2019 at a then-industry record $6.6 billion valuation. It was the fastest-growing public company in all of cybersecurity in 2020, with sales surging 82 percent to $874.4 million. And the customer wins keep on rolling in this year, with revenue expected to jump 56 percent to $1.36 billion. Seventy-five percent of its sales come through the channel.
CrowdStrike substantially increased its market share in 2020 to become the world’s second-largest corporate endpoint security vendor, capturing 9.2 percent of the $8.2 billion market. That trails only Trend Micro, according to research firm IDC. And as of press time, CrowdStrike is worth $59.43 billion, making it the most highly valued pure-play vendor in all of cybersecurity.
‘A Crisis In Trust Around Microsoft Technologies’
CrowdStrike has become one of Microsoft’s most vocal security critics, with Kurtz blasting “systemic weaknesses in the Windows authentication architecture” for exacerbating the impact of the SolarWinds hack during written and oral testimony before the U.S. Senate in February. Shortcomings in how Microsoft authenticates credentials have been replicated in the cloud, furthering customer pain, he said.
“In other technologies, you can’t necessarily just steal passwords and use those encrypted passwords to authenticate to something,” Kurtz told CRN. “But in the Microsoft world, you literally can steal an encrypted password, without even decrypting it, and pass that hash to another Microsoft system and access the system as if you knew what the password was.”
Kurtz is far from the only CrowdStrike employee criticizing Microsoft, with Vice President of Public Sector James Yeager putting the company on notice in late June after the Russian foreign intelligence service breached a Microsoft support agent’s machine and used the account information it obtained to launch highly targeted attacks against customers.
“[Microsoft] continues to get exposed as a company [that] is completely incapable of providing the most basic level of protection for themselves and their customers,” Yeager wrote on LinkedIn. “If you cannot secure your own infrastructure, then why should anyone trust you to secure their critical infrastructure and data?”
Frank Shaw, Microsoft’s head of communications, fired back at Yeager, saying it’s irresponsible to suggest that any company or person is immune to attacks in today’s threat landscape. “It’s unfortunate to see some vendors attempt to further their position via innuendo and inaccurate accusations rather than seeking ways to contribute collaboratively,” Shaw wrote in a LinkedIn response to Yeager’s post.
The company declined to respond to Kurtz’s specific allegations, telling CRN only, “Microsoft is the world’s largest cybersecurity provider, securing customers from the chip to the cloud, backed by more than 3,500 defenders at Microsoft and the more than 8 trillion security signals we process every day.”
But from Kurtz’s perspective, companies that use Microsoft security products to safeguard Microsoft technology are exposing themselves to “systemic risk” and would benefit from having products and authentication standards in place that weren’t built by just one company.
“We’re seeing a crisis in trust around Microsoft technologies,” Kurtz said. “Companies are taking a second look, saying, ‘Do I really want my security to be from the same vendor that is providing my operating system?’ Looking at the history of vulnerabilities that are out there and how they’ve been exploited, they’re basically saying, ‘Maybe we should reduce the risk by going with another vendor.’”
Microsoft’s biggest competitors in the endpoint, email, identity and cloud security spaces -- CrowdStrike, Proofpoint, Okta and Netskope, respectively -- came together in June 2020 to form the Spectra Alliance, which is focused on securing remote work at scale and establishing a zero trust security posture. Kurtz said Spectra Alliance customers benefit from the breadth of capabilities and dedicated security focus.
“If you look at CrowdStrike, every day all we do is think about security,” Kurtz said. “If you look at Microsoft, they’re thinking about their cloud and office productivity and gaming systems. It isn’t their sole focus. Security is a very broad landscape. There’s not one security company that does everything. It’s just very complicated and broad. And I think having a dedicated focus … goes a long way.”
Kurtz said CrowdStrike customers also benefit from new features being pushed out via an agent rather than requiring an update of the entire operating system, as Microsoft does, which adds some latency.
“Ours is a full platform approach that covers multiple operating systems with great capability. When you look at our Mac [platform], when you look at our Linux [platform], our technology is far superior to Microsoft,” Kurtz said. “It’s not a bolt-on to an operating system. When you look at Microsoft’s technology, it is based on a 2004 acquisition they did. It still uses signatures. And it’s covering a small slice of the overall ecosystem.”
Both the Spectra Alliance and Microsoft have capitalized on growing demand for advanced security capabilities, with customers opting for a best-of-breed approach that includes CrowdStrike when they have the expertise internally to tie together security products from different vendors, according to a security solution provider executive, who asked not to be named. The solution provider works with both CrowdStrike and Microsoft.
But where Microsoft Defender for Endpoint tends to be most popular is with enterprises that value simplicity and have already adopted other elements of the company’s security stack, according to the executive, who said his company is seeing Microsoft “more and more.”
“If you’re already a Microsoft shop, sometimes people say, ‘I might as well just extend my current architecture and use Microsoft. I’m already Microsoft-heavy,’” the executive said. “It is a solution that works. It may not be best-of-breed, but it doesn’t necessarily require extra effort to create that integration.”
A Laser Focus On SentinelOne
If Microsoft is CrowdStrike’s top endpoint security competitor today, the company’s biggest emerging rival in the endpoint security market is without a doubt SentinelOne. SentinelOne burst into the public market at the end of June with the biggest cybersecurity initial public offering of all time, raising $1.2 billion on a record-breaking $10 billion valuation, smashing CrowdStrike’s IPO valuation from two years ago.
CrowdStrike has been laser-focused on SentinelOne, with Kurtz citing four customers during the company’s three most recent earnings calls that have switched from SentinelOne to CrowdStrike due to what he said were efficacy, scalability, performance, interoperability and outage issues experienced with SentinelOne. Kurtz said SentinelOne suffers from being built as an anti-virus product with no compression algorithm to work at scale.
“When you try to retrofit these AV products on-premises, you get into a big scalability issue trying to move data at scale and not impact performance and not impact margins,” Kurtz said. “Developers and users were having so many problems with system resources and slowdowns and false positives that companies were forced to turn things off, which is why they moved in the direction of CrowdStrike.”
SentinelOne COO Nicholas Warner fired back, saying his company was born in the cloud and pioneered a revolutionary approach to unifying endpoint protection, detection and response through behavioral AI technology. The company’s platform is highly rated for system performance by third parties like Gartner and doesn’t rely on humans writing signatures or monitoring activities in a console, Warner said in a statement.
“It’s telling to see the amount of time a worried vendor spends talking about a fast-rising competitor,” he said. “We thank them for raising SentinelOne’s awareness and validating our market traction. The reality we see in the market is that enterprises are still being breached too often, including CrowdStrike’s own customers.” Warner pointed to research that indicates CrowdStrike Falcon was installed on some endpoints compromised during the SolarWinds hack last year. (CrowdStrike said, “No existing CrowdStrike Falcon customer with default recommended settings was breached.”)
Ninety-six percent of SentinelOne’s sales went through the channel in the fiscal year ended Jan. 31, 2021.
Kurtz also lambastes SentinelOne for “buying growth” in an effort to impress investors. SentinelOne’s loss of $117.6 million in its most recent fiscal year actually exceeded the $93.1 million of revenue it generated over the same period. CrowdStrike in fiscal 2021 recorded a smaller loss of $92.6 million with 9X the revenue when compared to SentinelOne.
“You can only buy growth for so long, and you can see that show up in their margins,” Kurtz said. “The gross margins actually went down from 58 percent [in SentinelOne’s quarter ended April 30, 2020] to 53 percent [in the quarter ended April 30, 2021]. That’s not a good trend. At some point, you’ve got to reverse the losses and start generating cash.” CrowdStrike’s gross margin held steady at 74 percent over the same period, according to Securities and Exchange Commission filings.
SentinelOne has gone after CrowdStrike’s customers aggressively with a “win-at-all-costs” mentality and has been willing to discount steeply to acquire new business, according to a cybersecurity services executive who works with both companies and asked not to be identified.
“With the IPO and all the noise out there, SentinelOne is sort of the new bar that just opened up,” the executive said. “A lot of people are walking in there and having a drink. The product does what it says it will do. SentinelOne definitely doesn’t have the portfolio that a CrowdStrike has today, but will it over time? I think we’ll have to see.”
Embracing AWS Marketplace
Kurtz’s sharp criticisms of Microsoft come as CrowdStrike has embraced top Azure rival Amazon Web Services. CrowdStrike’s annual recurring revenue generated through the AWS Marketplace grew by 650 percent to “well over” $50 million in the fiscal year ended Jan. 31, while transaction volume during that time grew by more than 300 percent, Kurtz said during an April investor briefing.
“It’s been a really good relationship. I’d put [CrowdStrike] at the very top in terms of our partners,” said Chris Grusz, director of business development for AWS Marketplace. “They’re providing that feedback and working with us side by side. It’s a very nice experience for our joint customers. They’ve done all the work to really make it as easy as possible for our customers to buy their solution via AWS Marketplace.”
CrowdStrike has been a design partner, launch partner and leading adopter of AWS Marketplace’s channel partner private offer (CPPO) feature, which allows solution providers to put CrowdStrike subscriptions directly on a customer’s AWS bill through feeds into downstream reporting systems and integrations with governance tools, dramatically shortening the time needed to close deals, Grusz said.
Deals transacted by CrowdStrike through the AWS Marketplace close almost 50 percent faster since payment terms don’t need to be set or negotiated separately for each customer, and the CrowdStrike subscription appears directly on the bill as soon as the customer hits “accept,” according to Grusz.
“Companies like SHI and Optiv and WWT are actually offering CrowdStrike to their customers based on the AWS Marketplace,” said Matthew Polly, CrowdStrike’s vice president of worldwide alliances, channels and business development. “[CPPO] really streamlines the procurement process. You don’t need wet signatures or even a DocuSign. It’s a click-through process.”
CrowdStrike’s AWS investments span the entire organization from integrating the company’s CRM system into the AWS customer portal to coordinating and collaborating on field sales efforts for joint customers, Grusz said. CrowdStrike and AWS have done co-sell and demand generation campaigns together since 2018, and work has begun on the 2022 campaign.
“We’ve got a pretty strong muscle built up with them on how we do demand gen, and it’s been a big contributor to their success through AWS Marketplace,” Grusz said.
‘You’ve Got To Feed The Channel First’
“As a partner-first company, we’re always striving to get more revenue through the channel and more channel pull,” Kurtz said. “We spent a lot of time building the channel and creating opportunities. You’ve got to feed the channel first, and then it rewards you. And I think we’ve done a really good job of that.”
One example is its partnership with Optiv, where CrowdStrike has long been one of the 400 vendors appearing on the solution provider’s line card. But in recent months, the relationship between the two cybersecurity heavyweights has transformed.
Instead of viewing CrowdStrike’s industry-leading incident response practice as a competitive threat, Optiv, No. 25 on the 2021 CRN Solution Provider 500, started seeing it as a business opportunity. As a result, the industry’s most valuable vendor and its largest pure-play solution provider began delivering a joint offering that combines CrowdStrike’s incident response muscle with Optiv’s remediation expertise.
“What gives me great joy is it’s two really good companies joining together on a very critical mission to help our clients in a moment of distress,” Optiv CEO Kevin Lynch told CRN.
The unique arrangement allows Denver-based Optiv to ride CrowdStrike’s incident response coattails and get brought into new accounts, with CrowdStrike spearheading the initial triage work to identify, isolate and remove the adversary from the victim’s environment. Once the adversary has been thwarted, Optiv takes the lead on the post-incident cleanup, restoring data, rebuilding systems and fixing infrastructure flaws.
“We have moved to that ecosystem status where we’re doing more together and we’re thinking about the things that we can do together,” Lynch said. “We’re not just looking at what they have today and taking it to market.”
CrowdStrike has sought to provide the channel with more service delivery opportunities and began building out managed services partnerships two years ago. Today, Polly said the company has more than 300 MSPs wrapping their own services around CrowdStrike’s technology. Strengthening its managed services muscle helped CrowdStrike penetrate some of the world’s largest enterprise accounts as well as gain market share among customers with fewer than 5,000 employees.
“We’re focused on making sure that partners have a profitable way to engage with CrowdStrike across a variety of different vectors,” Polly said. “We built that technology and built [an MSP] program to start with, and we’ve steadily been adding those partners.”
For systems integrator EY, CrowdStrike is the primary endpoint security technology it uses in its managed services offering, which marries CrowdStrike’s Falcon platform and incident response services with EY’s risk assessments and security consulting services to minimize the potential impact from ransomware, said EY Global CTO Nicola Morini Bianzino. Both CrowdStrike and EY bring the other into opportunities that are a good fit.
“They’re really strong in the incident response, we’re strong on the front end, and their technology really underpins both,” Bianzino told CRN. “There was no real overlap or conflict between our two services organizations.”
EY has seen the strongest interest in CrowdStrike’s technology from very large organizations in the consumer goods, telecom and utility verticals since those industries are very sensitive to potential security risks. The two companies first partnered in October to better identify, prevent and respond to cyberthreats and expanded the relationship in May to combat ransomware and accelerate zero trust.
“EY is one of the largest services companies on the planet, and they’re all in on CrowdStrike. Because we’ve got the best technology out there, they’re leveraging our technology to empower their digital transformation services,” Kurtz said. “We’re having conversations at the highest level of the company -- board level, at the CXO level.”
Further downmarket, managed detection and response company eSentire has seen huge demand for CrowdStrike Falcon among customers with at least 500 employees in the manufacturing, legal and health-care spaces, said Chief Channel Officer Bob Layton. Since late 2019, eSentire customers purchasing an expert-level bundle have been able to choose between Carbon Black, Microsoft Defender or CrowdStrike’s Prevent NGAV and Insight EDR offerings.
“The customer base and the customer requests for CrowdStrike are very robust,” Layton told CRN. “As CrowdStrike’s voice in the market becomes louder and louder, we’re starting to see more people come to us with Falcon licensing.”
CrowdStrike has made its platform more MSP-friendly by investing heavily in multitenancy, allowing partners to manage multiple customers from a single parent console and apply different settings based on what each customer purchased, Polly said. The company has also given MSPs a self-service portal where they can easily spin up, install and start to manage CrowdStrike agents on customer endpoints.
CrowdStrike also has adopted a business model where MSPs can be invoiced monthly on a per-customer basis to better align what partners owe with the money MSPs are collecting from their customers, Polly said. And for customers who want to have CrowdStrike manage its own technology, the company is tapping partners like CDW to bring its Falcon Complete managed detection and response offering downmarket.
Looking ahead, Kurtz said partners would be well-served by adding CrowdStrike’s Falcon Cloud Workload Protection to their portfolio since most customers don’t have any technology in place today that safeguards cloud workloads. The proliferation of such workloads is incredible, with CrowdStrike protecting 1.2 billion ephemeral containers each day, he said, noting that number is only expected to grow.
“It’s not like you show up on a cloud workload and you’re replacing McAfee and Symantec,” Kurtz said. “There’s just nothing there. I think it is really an underprotected area, and I think it’s an under-represented TAM [total addressable market].”
After six years teaming with CrowdStrike and seeing significant growth, elite partner Consortium Networks and its founder Larry Pfeifer have a unique perspective into the vendor’s trajectory. Following its IPO success, CrowdStrike hasn’t rested on its laurels and instead has continued to act boldly, he said, pointing to its move to acquire two companies and roll out a whole new model for threat intelligence.
“I don’t think their CEO has ever taken their foot off the gas pedal. I think he’s been relentless,” Pfeifer said. “They’re not afraid of breaking what they got to make it better. I can’t think of another company that’s done that.”