In an exclusive interview with CSO Online during his India visit, Andrew Littleproud, Vice President, APJ, CrowdStrike, talks about the company’s differentiated approach to endpoint protection versus that of the traditional security vendors. Andrew has a track record of building successful organizations such as McAfee and Blue Coat. "CrowdStrike is by far the most exciting vehicle I have embarked upon, as our cloud-based technology has turned the endpoint industry on its head," he says.
The security landscape is getting murkier, more dangerous and darker, with sophisticated hacks like ransomware-as-a-service relentlessly hampering businesses while old techniques like phishing still work. Are hackers one up in the game in 2018?
It’s actually down to the individual target customers; it depends on the country and on the individual organization’s approach towards security. That will dictate whether the bad guys are one step ahead. Organizations which are more cognizant of what adversary groups look like and how their techniques and tradecraft are evolving are one step ahead of the adversary groups. We have seen self-propagating ransomware, destructive attacks et cetera, as they continue to evolve. It is incumbent on customers to put a security architecture in place to meet the yet-to-be-defined threats, and that’s what keeps customers one step ahead of hackers.
What giant threats do CIOs and CISOs face because the perimeter is broken, data is everywhere, and endpoints are exploding in their IT infra? Is it difficult for them to protect everything?
It is about how they are viewing their medium- to long-term strategy to put a solution or architecture in place to meet that change in a dynamic industry. Things like the ‘blurred perimeter’ and ‘data everywhere’ have evolved so that companies can be more effective by using security to enable those things to occur, and be first to take competitive advantage. Companies looking to secure and lock down their environment in a way that does not allow tech shifts are effectively hamstringing their own company’s ability to become competitive.
CIOs and CISOs need an agile strategy to lay a foundation that meets a threat landscape that has changed in the last five years. Some of the traditional security vendors have done great work over the past two decades. But I think organizations relying on old or outdated technologies may suffer the consequences if they don’t lay down that agile security environment.
The 2018 GSISS survey by IDG and PwC highlighted that 40% of respondents didn’t have a security strategy in place. What are the roadblocks to this casual approach?
It’s a straight question, but it needs quite a complex reply, as it depends on the country and the industry type. Regulation and legislation drive a lot of organizations to remove those roadblocks. Organizations can be dependent on the perception of their size and whether they will be targeted. This leads to a trade-off between risk appetite and savings from a potential investment perspective.
Organizations need to continue to be educated. CrowdStrike is a big believer in customers understanding the threat landscape and threat intelligence. Customers should also understand the various tradecraft techniques used by adversaries targeting their industry. Unfortunately, most people don’t have enough cyber education. There is government legislation across industries like finance, healthcare, etc., but I think that governments have to put in harsher penalties to ensure that organizations protect their customers’ information.
CrowdStrike’s vision is to stop breaches, which is the case with most security companies. Why should organizations buy into your story on cloud-delivered endpoint protection and the fairly new concept of EDR?
Cloud-delivered endpoint protection and EDR are elements of our story, but the CrowdStrike story is much broader. Customers need to take advice from multiple sources. CrowdStrike’s most recent analyst whitepapers and industry reports mention those elements of a new-age endpoint protection strategy, such as managed threat hunting and improved visibility, that can lead to more robust security.
Littleproud’s bucket list for CISOs and CIOs
1. Patch vulnerabilities effectively and more often.
2. Be open-minded about embracing next-gen architecture.
3. Don’t just add a shiny security product for every new attack.
4. Do not allow the adversary to stay in your environment.
5. Conduct compromise assessments on your own or via a third party.
Organizations will buy into CrowdStrike notwithstanding those elements we spoke about, as it lies at both the macro level and the specific security level. Today’s security architectures should be integrated and connected, with real-time sharing of information to garner threat intelligence. CrowdStrike’s cloud-based model drives down operational cost while driving up operational efficiency, to stay agile against the security threat landscape and yet-to-be-defined threats.
Our approach is to protect customers not just from traditional malware attacks but also from non-malware attacks. Over 40% of companies, as per third-party reports, are compromised by non-malware attacks (fileless, zero-day, ransomware, insider threats), and that takes a different approach than the traditional ‘let’s try to block everything on the perimeter’.
CrowdStrike has built its architecture from the ground up on that premise and, in fact, turned the endpoint industry on its head. That’s where we have arrived today, compared to twenty years of the traditional approach of security vendors.
What is the GTM of CrowdStrike? Is it building your own customer base from scratch, or integrating your solutions with other security vendors’ technologies at the customer end?
It’s a combination of both. In our early days we purely complemented the customer’s approach towards security. As we have evolved to deliver more capabilities, companies have a choice: either complement their existing infra with CrowdStrike, all the way through to replacing certain on-premise technologies by turning on another module in the cloud with CrowdStrike. They themselves are buying into the story to reduce complexity, drive down operational cost and the fact that they don’t need as many on-premise staff managing the environment.
We work in a way that complements the existing environment, and we can actually replace parts of it with more effective solutions. The other way we can bring value to existing environments is through a published series of APIs, as we provide integration from our cloud into on-prem products like SIEM, firewall or IPS devices.
CrowdStrike solutions are all cloud-based, and all the heavy lifting is done in the cloud. We connect customers to our cloud through a single lightweight sensor (20 to 25 MB) on each device. The philosophy is to collect the telemetry once, and then the heavy processing is done in the cloud. Through different functional modules you then get the capability delivered at the endpoint. Collect one time and use many times. We work with AWS and we are one of their largest customers globally. In fact, AWS has also put our solution in their cloud marketplace.
How much of the security pie do you cover for a typical enterprise customer? Symantec, as an example, could cater to 80% of that pie.
It depends on what the customers consider a complete security architecture. We don’t do network security; we are focused around the endpoint platform. We can actually reduce the requirements for other technologies that might be adjacent to the endpoint. For example, we released capabilities around sandboxing and our malware query tool, which allows us to take elements of a malicious file through a reverse repository where we can identify where that malicious code is based or used in other attacks. We continue to release modules almost every quarter, and as we do, our pie chart (at the customer end) gets larger.
“Our customers talk about the quickest ‘time to value’ deployment from a security vendor compared with the past, because the sensors get deployed, telemetry starts collecting and functional modules are operational.”
Andrew Littleproud, Vice President, APJ, CrowdStrike
We are redefining what the endpoint actually is. Customers are starting to build their strategy around the CrowdStrike platform and architecture. Once they see the value in a use case, its effectiveness, and how easy the solution is to manage and use, they approach us to turn on another module. The same solution we enable on the cloud can take 3 to 6 months if customers opt for on-premise mode. They subscribe to whatever functional modules they need, for the number of users their business requires.
Advanced endpoint protection, next-gen firewall and actionable intelligence sound more like marketing terms, because breaches continue to hamper businesses. Do CIOs and CISOs get influenced by this sexy or shiny jargon?
You can call it whatever you want, but at the end of the day the customers have a problem. Our mantra is to stop breaches. We have seen companies spend a lot of money on security over the years, and if they get breached, it’s not because of somebody else’s security solution but because they haven’t necessarily had an architectural approach. Falcon is the main suite of products and offerings from CrowdStrike, and it includes Falcon Prevent, which is next-gen antivirus.
However, I do think that vendors marginalize each other’s messaging by using the same jargon too quickly. They hear the new terms at a roadshow or tradeshow and that gets plonked into their pitch. I feel for the customers, as they keep hearing the same thing from different vendors. The difference is that when we speak to customers, we can immediately prove it by implementing our technology within hours. We can give them a trial area to play in, and we can create a POC to test their use cases and take them to production.
We have a financial institution as a customer where 60,000 nodes were deployed within a few hours. Think about the time it would take to deploy the same on-premise.
Who’s your man Friday, or the chief influencer, at the customer end? Do you have competition in the domain you work in, or are you all alone?
We cover multiple stakeholders at the customer end, as we present our story at board level and to the CMO, CEO, CFO and LOB, besides CIOs and CISOs. We have a number of advisory councils bringing together different C-level execs. For us, influence comes from CIOs, chief risk officers and CISOs, and from speaking to business units to understand the challenges to be solved. Then we talk with people in the business or with other people in the IT team, like the desktop group or server group.
From a competition perspective, there are elements of what we do that other companies do, and vice versa. In terms of our approach and the architecture we defined from 2011 onwards, we have created something unique. Our customers will talk about the quickest ‘time to value’ from a security technology vendor compared with what they deployed in the past. That’s because the sensors get deployed, telemetry starts collecting and functional modules are operational.
What would be your dos and don’ts for CISOs and CSOs as they build their security posture in the digital world? What are a few things they are doing wrong?
CSOs and CIOs should continue to patch vulnerabilities effectively, because most recent ransomware attacks exploited unpatched systems. Organizations need to be open-minded about embracing the next-generation or future architecture.
Littleproud’s key priorities at CrowdStrike in APJ
1. Continue branding activities and educate the market.
2. Do customer acquisitions and create customer value.
3. Build a great organization for people to work in.
4. Imbibe a DNA of customer-facing responsiveness.
Companies have for too long felt safe adding more products, and vendors have created this situation wherein, for every new threat or attack type, a new shiny token is added and the customers are left to handle the complexity thereafter.
Make sure that you don’t allow the adversary to stay in your environment. Most companies do not realize that the adversary is living inside their environment, having entered through different techniques. They basically live off the land, using the company’s own tools, and remain unsuspected. As per our report, on average adversaries can stay undetected in the environment for 86 days. Companies should definitely not assume that just because they haven’t been impacted they haven’t been breached. It is a bit adjacent to letting the adversary stay inside your infra.
They should do more compromise assessments, on their own or via third parties, to identify whether they are in a state of compromise.
Lastly, do you still see organizations viewing cloud and security as chalk and cheese across APAC?
Companies are getting comfortable with cloud, but it depends on which country and which vertical we talk about. Companies embracing cloud for a number of different business requirements have to make sure they have a security architecture in place. They can’t be chalk and cheese; they have to come together, because security is an enabler for companies to use the cloud. Given that they have used cloud, different industries and different countries are more or less comfortable with adopting our technology on that basis.
Largely, people are moving to wholesale acceptance and adoption rather than moving away from wholesale adoption. The future will be a combination of on-prem and cloud technologies, and that is why we have created APIs to integrate with on-premise products.
CrowdStrike as a company is at different stages in different geographies across APJ. We are going through a process of branding and educating the market. Once established, we look at customer acquisitions. We do a business value analysis prior to a sale and a business value realization 12 months after the sale, thus creating customer value. As we grow at a rapid pace, we want to imbibe the right culture, with the same DNA of customer-facing responsiveness, in our team and build a great workplace.