CrowdStrike CEO George Kurtz Takes Big Swings At Microsoft, SentinelOne

CrowdStrike CEO George Kurtz pulls no punches on why he believes his company has the edge over rivals Microsoft and SentinelOne.

CrowdStrike CEO George Kurtz has never been afraid of calling things as he sees them, especially when it comes to two of his top foes: Microsoft and SentinelOne.

CrowdStrike and Microsoft are recognized by research firm Gartner as having the best endpoint protection platforms, but Kurtz said Microsoft suffers from a lack of focus on security and architectural issues with how it goes about authenticating credentials.

SentinelOne, meanwhile, just completed the biggest cybersecurity IPO of all time, but Kurtz said the endpoint security upstart is “buying growth” and struggles to have its technology perform at scale. SentinelOne responded to Kurtz’s allegations in detail while Microsoft declined to directly engage with Kurtz’s claims.

Here’s why Kurtz thinks CrowdStrike has the edge over its biggest rivals.

You said the architectural design of Microsoft’s authentication process poses a risk. How much of a risk?

I think it poses a big risk. We talked about Active Directory attacks and credential theft. It started back in 1999 when the original first edition was written, and now, these systemic weaknesses in credentials and authentication from a directory structure perspective have been replicated into the Microsoft Cloud and their directory services. You’ve seen things like Golden SAML, which we talked about. You have Golden Ticket attacks, which are mostly on-prem, and now you have Golden SAML attacks, which multiplies the exposure across cloud environments and different customers. So it’s certainly an issue that needs to be highlighted and addressed.

Should Microsoft have acted sooner to address the Golden SAML vulnerability? If so, how?

I think it [Golden SAML] should have been addressed, and that’s for them to figure out how to fix their architecture. If you just look at the basic credentials in Microsoft System, and then you look at just about any incident response case that we’ve ever investigated that involved Microsoft technologies, I can’t think of one that didn’t have credential theft. Not one. That’s a massive vector that if you can compromise one system within five minutes, you can compromise an entire domain, which routinely happens. Fixing their architectural challenges around credentials and Active Directory, that’s a Microsoft question, but it certainly needs to be addressed.

Do you see similar issues with credential theft from other vendors or is it unique to Microsoft?

It’s less so [an issue with other vendors]. In other technologies, you can’t necessarily just steal passwords and use those encrypted passwords to authenticate to something. So if you stole a Unix password, you can’t just take it and pass the hash to log into another system. It just doesn’t work that way. But in the Microsoft world, you literally can steal an encrypted password, without even decrypting it, and pass that hash to another Microsoft system and access the system as if you knew what the password was.

What might a more community-driven approach to authentication look like?

You’ve got a systemic risk with a monoculture with Microsoft with their Active Directory plus their own operating system. There are various open standards out there in terms of authentication, and leveraging a standard that wasn’t built by just one company I think could be beneficial to the community.

Do you see increasing concern around the risk associated with a Microsoft monoculture?

We’ve seen a crisis in trust around Microsoft technologies. Their operating system obviously is ubiquitous. Companies are taking a second look saying, ‘Well, do I really want my security to be from the same vendor that is providing my operating system?’ Looking at the history of vulnerabilities that are out there and how they’ve been exploited, they’re basically saying like, ‘Maybe we should reduce the risk by going with another vendor that isn’t necessarily the ones that have to patch our operating system.’ And we’ve seen that from multiple big companies that are out there.

Why do you think a best-of-breed approach where customers use CrowdStrike for endpoint, Proofpoint for email and Okta for identity security is superior to standardizing on Microsoft?

I think it’s a best-of-platform approach. Years ago, you would have best-of-suite, you’d have best-of-breed. And today, in my opinion, it’s best-of-platform. So you’ve got a platform like CrowdStrike and Okta and Zscaler, and organizations want to be able to plug those APIs together and just have everything work. If you look at CrowdStrike, every day all we do is think about security. If you look at Microsoft, they’re thinking about their cloud and office productivity and gaming systems. It isn’t their sole focus. Security is a very broad landscape. There’s not one security company that does everything; it’s just very complicated and broad. And I think having a dedicated focus where every day, every CrowdStriker is getting up and thinking about how we protect our customers and stop breaches goes a long way.

How do you think customers benefit from working with a pure-play security company like CrowdStrike versus a broader technology company like Microsoft?

I think it’s about focus and speed. If you look at Microsoft technology, a lot of times you’ll have to wait for an OS update to get new features out of your EDR. That doesn’t happen with CrowdStrike. We’ll just update our agent and add new features or update our cloud or what have you. So we’re not depending on the operating system updates. That adds a lot of latency in terms of those features. I think that’s a pretty good example.

Why doesn’t CrowdStrike feel Office 365 is consistent with a secure IT architecture?

I think it’s the cloud element, when you think about the directory services that you have to have for that architecture. You’re taking an antiquated authentication system and now you’re just applying it to the cloud. So that’s our challenge. We don’t use Office 365.

Why do you believe CrowdStrike’s approach to endpoint protection is superior to Microsoft’s?

It’s a full platform approach that covers with great capability multiple operating systems. And again, it gets back to that focus. When you look at our Mac [platform], when you look at our Linux [platform], our technology is far superior to Microsoft. When you look at the platform and the modules—19 modules covering vulnerability management, our services like managed detection and response, our integrated threat intelligence—it’s a full platform like Salesforce that’s dedicated to security. It’s not a bolt-on to an operating system. And it isn’t based on a legacy product. When you look at Microsoft’s technology, it is based on a 2004 acquisition they did. It still uses signatures. And it’s covering a small slice of the overall ecosystem when you think about its focus on the Windows world.

Why do you think that SentinelOne got such a high valuation at IPO?

I certainly think the market timing is pretty good to IPO at the moment. Multiples are up. I think there’s a pretty big tailwind from an IPO perspective.

What does the valuation that SentinelOne got say more broadly about the endpoint security market?

[Endpoint security] is a big market, and there are lots of opportunities for companies that are out there. It’s a big TAM [total addressable market], big market. When you look at the threat landscape, there are lots of continued threats out there. And I think that bodes well for anyone in the endpoint security market.

Do you feel it’s sustainable for SentinelOne to be losing as much money as it is today?

You can only buy growth for so long, and you can see that show up in their margins. The gross margins actually went down from 58 percent [in SentinelOne’s quarter ended April 30, 2020] to 53 percent [in the quarter ended April 30, 2021]. That’s not a good trend. Buying growth [only works for] so long. I think we’ve seen this story before with FireEye when it first became public. And at some point, you’ve got to reverse the losses and start generating cash.

What have you heard the experience is like for customers when they attempt to deploy SentinelOne?

It was built as an AV product, not a full EDR, not a platform. There’s no compression algorithm for the experience of working at the scale we work on in the cloud. And when you look at how we built the technology, the fact that we don’t have to reboot systems, the fact that they do. The fact that it impacts and uses so much of their system resources. We started with the agent collecting data, and then we added prevention, as opposed to starting with an on-prem product—which they did—that was AV-focused. When you look at a true platform versus an AV on-prem, when you try to retrofit these AV products on-premise, just like Cylance, you get into a big scalability issue trying to move data at scale and not impact performance and not impact margins. What we found is that developers and users were having so many problems with system resources and slowdown and false positives that companies were forced to turn things off, which is why they moved in the direction of CrowdStrike.

What have you been able to do with the Humio acquisition compared with what SentinelOne gained from its Scalyr acquisition?

The Humio technology is fantastic, and that’s the technology that SentinelOne actually wanted [SentinelOne disputes this]. We were fortunate that we’ve got the right company, and those folks wanted to join us, so Humio became part of the CrowdStrike family. And SentinelOne had to choose something other than No. 1 in the market to buy. So, from my perspective on the Humio side, its index-free ingestion makes it incredibly scalable. The performance is unbelievable in terms of your ability to search across unstructured data. Its compression algorithms—we can actually search in compression—really reduces costs. And it runs in a hybrid mode, so you don’t necessarily have to have all the data in one spot under the cloud. You can distribute the data to different places. We think that’s a real advantage in terms of flexibility. Customers love it. We’ve got some really big deals done, which I called out at the last earnings call. We continue to build that out, and we’re as excited as ever about that acquisition.