Business Continuity Management / Disaster Recovery , CrowdStrike Outage Updates , Governance & Risk Management
ISMG Editors: CrowdStrike Competitors Analyze Outage, Impact
Also: UN Convention Against Cybercrime Efforts; Serving SMBs' Cybersecurity Needs Mathew J. Schwartz (euroinfosec) • August 30, 2024In the latest weekly update, Information Security Media Group editors detailed how CrowdStrike's competitors have been using its recent outage to highlight how their technology and business approaches differ; why security vendors are rushing to serve the unique cybersecurity needs of small and midsize organizations; and the status of the United Nations' efforts to develop a treaty designed to combat cybercrime.
See Also: Critical Condition: How Qilin Ransomware Endangers Healthcare
The panelists - Mathew Schwartz, executive editor, DataBreachToday and Europe; Tom Field, senior vice president, editorial; Michael Novinson, managing editor, ISMG business; and Chris Riotta, managing editor, GovInfoSecurity, discussed:
- What the CEOs of Palo Alto Networks and SentinelOne have separately been saying - both on a business and technical front - about last month's global IT outage triggered by a faulty CrowdStrike update;
- How fresh cybersecurity solutions are being developed for the specific needs of small and midsize organizations, as detailed by Alberto Yépez, co-founder and managing director at Forgepoint Capital, in a recent interview;
- Why a coalition of technology organizations is urging United Nations members to reject a draft United Nations cybercrime treaty.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Aug. 16 edition on the hacking of the U.S. election and the Aug. 23 edition on how the supply chain attack on SolarWinds is redefining cybersecurity disclosure obligations, especially for CISOs.
Transcript
This transcript has been edited and refined for clarity.
Mathew Schwartz: Hello and welcome to the ISMG Editors' Panel, where we round up the latest cybersecurity news and trends. I'm Mathew Schwartz, your guest host for this week's episode, and it's my pleasure to welcome my ISMG colleagues to the studio here. Tom Field, senior vice president of editorial; Michael Novinson, managing editor for ISMG business; and Chris Riotta, managing editor for GovInfoSecurity. Gentlemen, great to have you here.
Tom Field: Good to be here.
Schwartz: Now, to do the opening of our proceedings here, I'm going to go first to Michael. Michael, you have been listening in on a number of cybersecurity firms' earnings calls, and these earnings calls have been referencing a very small outage the world may have heard of that had to do recently with CrowdStrike. And CrowdStrike's competitors have highlighted how they're different - technically and as a business. What have you been hearing? Is it surprising you?
Michael Novinson: Thank you for the opportunity Mat. We've gotten to hear from two pretty high-profile CEOs. So far, we've heard from Nikesh Arora, the chairman and CEO of Palo Alto Networks, as well as just this week, we heard from Tomer Weingarten, the co-founder and CEO at SentinelOne. So, Nikesh had a little bit to say about the outage. Tomer had a lot to say. There are two different perspectives here. One talks about the architecture and the technology and how approaches differ from a development software update perspective, and the other is the business opportunity that results from the outage and customers re-evaluating opportunities. So, starting with Palo Alto Networks. Nikesh highlighted how both companies talked about how their testing process is completely different. So for Palo, they've been using a 1%-3% cohort before rolling out updates. They do them in a phased manner. And these are all the things that CrowdStrike is planning to do going forward but hasn't been doing to date. And then, from a business opportunity standpoint, they catch that into specifically in the XDR market, which is a market where CrowdStrike was first since they were born. As an endpoint detection response vendor, Palo has expanded their presence in this market more recently and has made some endpoint security acquisitions roll out its XSIAM offering in September of 2022 and then is taking over the IBM QRadar business, transitioning those cloud-based customers over to XSIAM. So, as CrowdStrike was there first, they have a bit of an incumbency advantage. Nikesh was talking about how the customers are evaluating XDR opportunities. The company is not the number one player in the market, but this is exciting. It's no longer a slam dunk for some of the other folks in that space. So, that's what he had to say. Tomer had a lot more to say. He was getting into, from a technology standpoint, specifically, how they rely on their use of AI due to which there is less integration into the kernel. I'm going to give you a couple of quotes as I'm talking about this to give you a sense of the flavor. So, starts with this quote - "The scaling disruption caused by this incident is a stark reminder of the risk posed by vendor concentration. This was an avoidable incident that was born out of disregard for software deployment best practices. This failure will not be quickly dismissed." So, as you can see now that we're a month out, people were being gentle the first couple of days. Didn't want to be seen as ambulance tracing, but people are certainly a lot more aggressive this year or at this point in terms of the rhetoric. So, from a technology standpoint, what Tomer was talking about is that SentinelOne requires fewer updates that they've been for the past 5-7 years moving away from being embedded in the kernel. They're not at all with Mac or with Linux, and it's limited from a Windows perspective. They've embedded AI models into the endpoint agent, and even when they download updates into SentinelOne, they live in a different part of the system, which is beneficial for stability. In terms of customer takeover, what they're talking about is that there's been several conversations with some very high-profile customers, some who've already committed to switching, some who are exploring switching, but the sales cycle and endpoint security is typically a 9-12 month sales cycle. So, while there are a couple of folks who are looking to leap right away, that's the exception rather than the rule. This is something that's going to play out over multiple quarters. There weren't any financials given. There are no projections in terms of uplifts in the coming quarters, specifically from this CrowdStrike outage. The conversation was more at an anecdotal level. Also what Tomer was talking about, in terms of what people are asking investors about takeout programs, is that they're not doing anything from a go-to-market standpoint and they're not doing discounting or teaser rates, but they have invested a lot into literature and collateral that's highlighting the differences in architecture between how CrowdStrike is architected and how SentinelOne is architected. They're trying to aggressively get those out into the market. And I'll leave you with one quote here, which is "I think these are very nuanced elements of how these products work that have not been in the spotlight nor were they clear to customers. And I think what happened, obviously put this front and center." So certainly, from the standpoint of folks such as SentinelOne, which is quite a bit smaller than CrowdStrike, they're not going to let this issue go to rest anytime soon.
Schwartz: Having smaller competitors decry vendor concentration is interesting. You also mentioned that the security tools don't run in the kernel for Linux or Mac. But, I don't think any others do either, and that is one of the challenges with Windows. Microsoft has promised to unveil what it plans to do that's different. It's getting some pressure from Germany in particular, saying, why does security software still need to hook into the kernel? What can you do about it that doesn't stifle competition will be the subtext there. Still, a very dominant issue it seems today.
Field: From your perspective Michael, and I'm putting you on the spot here a bit, but CrowdStrike survived this, and I ask that because I'm of the mind that there are very few organizations that have been taken down because they suffered a security incident, very few! Target is emblematic of one that survived, even though it's talked about to this day. But, I have also heard opinions from people in the business. Someone told me last week, they gave CrowdStrike two years after this. I'm curious what your opinion is.
Novinson: To the grand scheme of things, they're going to be fine. If you look at the market cap, their valuation is down about 25%-30%. That's been holding fairly steady for the past few weeks or so. That's certainly significant. It's about $30 billion. I don't have that in my pockets, but you still have to remember even with that valuation hit, CrowdStrike is still the second-most valuable pure-play cybersecurity company in the world, behind only Palo Alto Networks. SentinelOne, who would be the most direct competitor, is a fraction of that. So, CrowdStrike is at about $55 billion valuation. SentinelOne is at $7 billion. So, the biggest competitor to CrowdStrike, and there's IDC, just to put out there in terms of endpoint security market share data, is Microsoft. Microsoft is not only bigger than CrowdStrike at this point in endpoint security but they are also growing faster. Certainly, folks would argue that people are choosing Microsoft over CrowdStrike. It's not a security-driven decision, given all of these security issues that Microsoft has customers, particularly in the mid-market and below, that are cost-conscious and have these E5 licenses and bundling, which is hard for a pure play security vendor to do since they don't have an OS that they're also selling. It certainly takes some wind out of their sails and they will grow more slowly, but I don't think, barring a repeat of this, that something like this will happen again. To address Mat's point about the kernel, I was on a call with financial investors, and they're not going to get hypertechnical. This wasn't a call with CISOs. But, the big points that Tomer was making, because obviously, CrowdStrike is committing to doing less in the kernel and to doing phased updates, is that we're not starting now with the new deployment process, and we have a 5-7-year head start because we've been requiring less updates that we've been embedding AI into the endpoint agent that updates live in a different part of the system, away from the kernel. And these are things we've been doing for several years, rather than just starting now to figure out how to do that. So his point was, from a security standpoint, that CrowdStrike has a head start here rather than SentinelOne. What's interesting in terms of that is where CrowdStrike's bread and butter is coming from, but historically that has been from large enterprises. That's where they were born from. That's where their tagline has been - We Stop Breaches, and that's where they played. And certainly, both SentinelOne and Microsoft typically played down the market. SentinelOne had a very strong network of managed security service providers and partners, and they worked a lot with these professional service automation vendors to reach customers, and CrowdStrike tried to move down the market, but what's interesting now is that there are the large enterprises, and those are the ones who are probably most security conscious but also can be most flexible from a pricing standpoint. So, they're considering other things and are taking a deep look at the architecture and saying, "Yes, SentinelOne's architecture is more secure than CrowdStrike's. There is some opportunity for taking away customers." But it's going to be gradual. And Tomer was saying to have some numbers behind these anecdotes and looking 9-12 months into the future.
Schwartz: Fascinating stuff. Thank you Michael for sharing the latest on CrowdStrike and the impact, or fallout, depending on how you view it. So, we've been focusing on a company that works with some of the biggest organizations in the world. Tom, you recently had a conversation with Alberto Yépez, our friend who's the co-founder and managing director at Forgepoint Capital, talking about security isn't one size fits all. He was talking about the unique cybersecurity needs of small- and mid-sized businesses. What were you hearing?
Field: You couldn't have given a better transition talking about the upmarket and the downmarket, and that was part of the conversation I had. We met at Black Hat a few weeks back and talked about the state of the cybersecurity marketplace and investment. We also talked about how to not talk about AI and the real use cases. We talked about the securities and technologies that he's bullish on today, and we spent a good deal of our conversation talking about the unique cybersecurity needs of the small- to mid-sized market. We talk about this marketplace like it's a minority, but the reality is that 98% of businesses are considered small- to mid-size, and they're a part of the larger enterprise supply chains. So, when you talk about their security deficits, their security needs and organizations that are trying to meet those needs now, it's a significant conversation. So, I was pleased to have this discussion with Alberto, and I want to share with you an excerpt of what he shared with me in that conversation.
Alberto Yépez: SMB are largely underserved. So, I agree with you 100%. It's the backbone of our economy. In the U.S., we talk about an SMB market, where it tends to be the larger companies, and smaller countries are SMB businesses. So, we're seeing more innovation. We're beginning to see more delivery as a service, as you know transformation could only be possible because of the cloud capability in the service delivery platform. So, it is only going to become more and more important. We've been very fortunate to be part of the journeys of teams such as Huntress as a company. They exclusively focus on working with the SMB saying, "We want to give in the best quality cybersecurity defenses as the largest companies in the Fortune 500." So, I would say, largely underserved. We see more investment. We need even more. It's not enough. More importantly, smaller organizations don't have the skill set, and are more willing to invest now, because it's being delivered as a service, and therefore, they don't have to make all the other investments in infrastructure and knowledge and keep talent. Not only attract and retain talent, but now they're getting partners that are helping them with that key component of their life as a company.
Field: We've heard bits and pieces these three years. Phil Reitinger and his organization have focused on small- to mid-sized organizations for some time. We spoke earlier this year with Dawn Cappelli with the OT-CERT. And OT certainly is considered a small- to mid-sized organization, particularly community utility infrastructure. I've seen lots of pieces of this coming together now, and the timing is terrific, because the organization might be smaller but the needs are just as great, if not greater.
Schwartz: I am hearing a lot of discussion lately as well about the ability of small- and mid-sized firms to access technologies they might not have been thought about. Microsoft is one example of things that people often default into. But as Alberto was saying, working with cloud delivery. I'm also hearing about managed security service providers, and there are more of them now targeting the small- and mid-sized market and making a compelling business case for why you might want to work with them.
Field: You're exactly right in the threat landscape we all face every day. It's a compelling argument to start looking at the next options. So, the timing is terrific to have more conversations about this.
Novinson: I'll add one quick thing on this, which is we are seeing kind of a new generation of SMB-focused vendors, certainly one portfolio company of Forgepoint's, Huntress, which has done a lot for the SMB market, focusing on, as they say, serving the 99%. Certainly, ThreatLocker as well, who took the allowlisting technology and brought it down the market. From a provider standpoint, many of the companies that are serving the SMB in the mid-market have been around for decades. Sophos, WatchGuard, Sonicwall and Bitdefender certainly have legacy technology to bet around. But, we're seeing some new companies get scale, unicorn valuations and significant nine-figure ARR focused on the SMB in the mid-market, which is certainly a promising sign for organizations in that space.
Field: Agree. Won't be the last time we have this conversation Mat.
Schwartz: I would be surprised if it was. Considering all of the discussion about getting the right defenses in place, hopefully, those defenses are working correctly. That is all in the service of improving your defensive posture. And speaking of helping us with defense, the United Nations has been working on a convention against cybercrime. Chris, you have been following these events closely. What's the latest on the UN's effort and why is there some opposition to what's been going on lately?
Chris Riotta: Yeah, it's a fascinating story. It seems on its surface like this would be a highly popular initiative by the United Nations and Western countries, but there's been a lot of controversy and a lot of growing concerns around some of the specifics. But, before we dig into those, it's important that we take a quick step back and see how we got here in the first place. So, the process for this Cybercrime Convention first began in 2017 when Russia, of all member states, first proposed the idea of creating a UN cybercrime treaty. So, the move was met with significant skepticism, especially from Western nations, including the United States, which opposed starting negotiations under the UN's auspices at the time. The concern was, and it still resonates today, that the convention led by Russia might not prioritize the protection of global digital security, internet freedoms and the privacy rights that we all rely on today and know of when it comes to The World Wide Web. So, fast forward to December 2019, the UN General Assembly voted unexpectedly to establish an intergovernmental committee tasked with drafting the treaty. The decision was significant because it sort of set into motion the process that many experts feared would kind of sideline the interests of democratic nations in favor of a more authoritarian approach to cybercrime. The concern at the time again was that the language in the treaty would fail to adequately safeguard many of the freedoms and rights that are central to the open Internet. So, as the treaty took shape, there was a coalition of technology organizations represented by the Cybersecurity Tech Accord, and they began to raise some significant alarms. They warned that the treaty, as drafted, could facilitate cybercrime rather than prevent it. This is because the treaty would allow for the sharing of personal information between nations with little to no oversight or transparency. It also lacks clear thresholds for criminal intent, which puts security researchers, journalists and even whistleblowers at risk of prosecution in many countries that could choose to abuse the treaty's provisions. We could foresee this happening in Russia or something of the sort. The convention requires all member states to criminalize unauthorized access to information and communications technology systems. And while this sounds reasonable on its surface, the devil is in the details. Critics argue that the treaty's broad and vague language could be exploited by authoritarian regimes to crack down on legitimate activities under the guise of combating cybercrime. Now, the UN General Assembly is preparing to vote on the finalized draft, which could come into effect in a few months, sometime this fall. The Cybersecurity Tech Accord, which is led by a delegation, is joining a growing number of organizations, including Human Rights Watch, the Electronic Frontier Foundation and major technology firms like Cisco, which are all pushing member states to either reject the convention in its current form or make significant amendments to the final draft. They argue that the treaty is too flawed to adopt and that it could create significant challenges for cybersecurity professionals and ethical hackers who play a crucial role in maintaining the safety and security of our digital world. I spoke to Nick Ashton-Hart this week, who leads the Cybersecurity Tech Accord and the delegation to the United Nations, and he told me, "The best option now is for a majority of the UN's member states to decide not to adopt the convention at all." So, the UN processes do allow members to submit amendments after the finalization of a draft, but each of those proposals would be subject to debate and require approval by a majority vote to be included in the final version of the text. So, it's pretty complex. As is, Ashton-Hart said that members such as the U.S. will be limited to supporting implementation through capacity building and technical assistance. My whole story on this has been published across ISMG's verticals and on web info security. So, you can check those out if you want to dig into it a little bit more.
Schwartz: A fascinating story. As you say, it seems like it should have been a slam dunk, and now it seems like a lot of people are waiting for it to go away unfortunately.
Riotta: Yes. If implemented as is, the convention could undermine global cybersecurity efforts by discouraging very activities such as ethical hacking and security research that are so crucial for identifying and mitigating cyberthreats. So, it could create this chilling effect that a lot of the experts that I've spoken to say that would make professionals a lot less willing to engage in necessary cybersecurity work due to the fear of legal repercussions.
Schwartz: There's so much nuance when it comes to attempting to legislate procybersecurity and anti-cybercrime sorts of initiatives. Thank you very much Chris. That was fascinating. Thanks everyone for your analysis of the latest and greatest cybersecurity news. Thank you so much for being here.
Field: Thanks for having us.
Novinson: Thank you Mat.
Field: Wherever you are, see you soon.
Schwartz: That's right. Back to your regularly scheduled host, very soon with Anna Delaney. Until then, I'm Mathew Schwartz with ISMG. Thanks for joining us.