Crowdstrike User Experience

The comment below was left by an SA user, “Steampowered”, on a recent Crowdstrike article on competitive advantage (link: https://seekingalpha.com/article/4316486-exploring-crowdstri…) and was a well-articulated user experience vignette.

I know there are forms of etiquette for not doing a wholesale copy/paste of external articles, but given this was a comment, I felt it okay to carry over to the board.

Thanks,
Eric

“It interests me to see the way most people attempt to value what Crowdstrike is doing based only on the company’s financials. I am a user of the product, so I will say a few words on that. I am the IT Director at a small company, and we use Crowdstrike to prevent malware and breaches.

Most people in finance are familiar with the concept of “black box” trading models where people invest in a hedge fund without knowing exactly how the fund managers make their decisions for trading. Investing in endpoint protection (a fancy word for anti-virus) is a similar endeavor for an IT professional. The scope of IT security is so broad, and the mechanics of endpoint protection are so technical, that IT professionals must shop for endpoint protection without understanding the details of how it works. This causes many endpoint protection companies to go whole-hog into marketing to sell their product.

Crowdstrike takes a different approach and goes light on the marketing. Instead Crowdstrike invests the majority of their attention and resources into making a great product. They are gambling that having the best product will make them the best company in the long run.

George Kurtz, the CEO of Crowdstrike, was previously the Chief Technology Officer at McAfee. He decided to leave McAfee after riding on an airline seated next to someone who was frustrated at how McAfee’s anti-virus slowed down his computer dramatically while still missing some important threats. George Kurtz envisioned a better way to go about endpoint protection, but the change required a totally different approach. So he would need to start a new company.

At the time McAfee primarily searched for threats by looking at digital signatures (or hashes) of known files which act as payloads for malware. This approach works less and less because malware evolved to change the file slightly and evade detection. This has to do with a hash algorithm’s sensitivity to initial conditions (a close match is a non-match).

Crowdstrike’s software attempts to monitor computers and networks for behavior which matches the behavior of malware. Crowdstrike’s software operates like a world-wide network, monitoring hundreds of thousands (or millions?) of computers simultaneously for this suspected behavior. If Crowdstrike confirms a detection on one computer or one network, then Crowdstrike searches for this same behavior everywhere else in the world – instantly. So being a Crowdstrike customer allows you to benefit from this network effect. Obviously no human or group of humans can monitor hundreds of thousands, or millions, of computers and networks simultaneously though.
So Crowdstrike wrote software which does this.
But the process is not 100% automated. Crowdstrike’s software is actively managed by a team of (very smart) humans who man 24 hour shifts in a Security Operations Center (SOC). Most small-to-medium size companies cannot afford to implement a Security Operations Center. Even when a company has the financial resources for a SOC, most companies don’t know how to manage a SOC. And hiring SOC employees is nearly impossible because of the labor shortage of IT security professionals. Crowdstrike bundles this highly sought-after SOC service with their software and brands the SOC service as “Falcon Overwatch”. The Falcon Overwatch service was another invention of Crowdstrike, because nobody else was offering this when it came out (to my knowledge).

So how well does it do in real life? After being a customer for almost 2 years, I am completely impressed. Not only is the end-user software interface one of the best-designed web interfaces I have ever used. The Falcon software itself (what they call their anti-virus) seems to detect malware much earlier than anything else.

During this past fall one of our vendors had a computer become infected with malware, and that vendor’s computer sent spam emails containing links to spread the malware. One of our low-level billing employees received one of these malware-laden emails, and she clicked on the link. Crowdstrike software immediately identified the code as malware and notified me, the IT Director, while I was working in a different US state. The billing employee continued to do her work on the computer while the Crowdstrike software triaged and contained the malware until I had time to respond.

The email containing the malware link was very clever, because the email was crafted with formatting to appear like the billing emails we receive from that vendor all the time. Except the link at the bottom of the email did not contain a legitimate invoice. Instead the link attempted to install malware. I inspected the malware which was blocked from running on her computer. The malware had an encrypted payload which decrypted itself from a remote IP address before attempting to install itself. The main function had the variable name “venom”. The malware creators named their function “venom”!
I called the vendor to let them know one of their computers was sending malware to all of their customers, but they were completely unaware. The girls answering the front desk transferred my call, and I could hear occasional giggling in the background while I waited. The administrators could not reach their IT staff, and nobody knew what to do. So I left my contact info.

2 hours later I attempted to inspect the malware, but Windows no longer allowed me to view the contents of the file. Windows finally identified the file as malware, and Windows decided to “protect me” from viewing the file. I opened G-Suite Gmail which hosts our email and attempted to obtain the file from the link where the malware originated. But Google also identified the link as a malware delivery link and would no longer allow me to download the file. But this was two hours after the attack! Way too late.

This experience blew my mind. Crowdstrike identified the malware instantly, while Microsoft and Google took 2 hours to figure out the malware. Google and Microsoft have way more money than Crowdstrike, but Crowdstrike is apparently way better at detecting malware (at least in this case).

I sleep easier knowing Crowdstrike is protecting our network. Not only would I be at risk of losing my job if our company became infected with ransomware. I would also feel embarrassed and feel terrible if our company were ever to be held hostage to a ransomware attacker. Crowdstrike is the best solution for us, and I suspect Crowdstrike is the best solution for most companies with employees who work on computers (most of the office-bound workforce).”

27 Likes

Eric,
Thank you so much for reposting that comment. It was an extraordinary experience just reading it.
Best,
Saul

5 Likes

A bit more from the same author.

I think economy of scale and network effects are on the side of Crowdstrike. The new model for endpoint protection (which was pioneered by Crowdstrike) is heavily dependent upon having tens or hundreds of thousands of endpoints enrolled in the system. New startups might try to copy Crowdstrike, but Crowdstrike is already benefiting from a massive network. At this point Crowdstrike is moving on to capture the larger customers, such as Fortune 500 companies, who are unwilling to bet their company’s security on a startup.

I will admit I don’t read the company’s financial reports. But I do purchase many different IT products in my role at my job. I have a sense when a company is being wasteful or stagnating. I don’t get that impression at all with Crowdstrike. Instead I feel like they are continuing to innovate.
Maybe Crowdstrike was unknown to you before Trump. But people who do IT for a living know about it.
Back in 2015 Google invested $100 million in Crowdstrike, and Google is perhaps in the best position to evaluate the best antivirus solution on the market. Many of Google’s employees use Windows and Macs, which are both vulnerable to malware. Especially Windows. Google needs antivirus for its thousands of employees (well, those thousands not using Linux anyway). Google wanted an ownership interest in the company which protects its employees from becoming entry points into its systems.

I use Crowdstrike at the company where I work as IT director, and the product is transformative. All I know is they have the best endpoint security solution on the market. Gartner agrees. New Orleans just declared a State of Emergency due to malware attacks this week. IT security is such a problem in my industry, and Crowdstrike has the best solution.
One innovation of Crowdstrike was to charge more than other competitors. People are used to paying $50 per year per computer. But preventing a penetration (preventing a hack) is much more valuable than that. Atlanta paid many millions to unscrew its networks after their ransomware attack last year. Baltimore also suffered many millions in losses. Crowdstrike charges around $150 to $230 per computer per year, which is really expensive! But they plow that revenue into making the best product on the market. There is a reason banks love Crowdstrike - they can’t afford to be hacked.
So Crowdstrike has the best product, they charge the most, and their customers are growing at a fast clip, all in one of the fastest growing industries there is - IT security.
They are 5 to 7 years ahead of everybody else, and everyone is copying their innovations. The reason the FBI went to Crowdstrike is because they are the best. Having Crowdstrike protect our network gives me job security and reduces my stress.

46 Likes

Thank you so much, Eric, for posting this “testimonial”. I am not a technology person, but a business/marketing person. I struggle mightily with much of the technology-oriented information presented on Saul’s excellent board.

But this anecdotal experience brought home the value of CRWD to me. Business success is ultimately about delivering benefits… in a way that is quantifiable, and understandable, and relevant… to a skeptical audience. If an investor like me can truly understand those benefits, then the financials become that much more valuable in proving (or not) the case for the investment.

m

1 Like

I know there are forms of etiquette for not doing a wholesale copy/paste of external articles, but given this was a comment, I felt it okay to carry over to the board.

Post the link!

https://seekingalpha.com/article/4316486-exploring-crowdstri…

SA provides it!

https://softwaretimes.com/pics/sa-comment-link.png

Denny Schlesinger

8 Likes

Wow, talk about a glowing testimonial!

The author should send it over to Crowdstrike itself, who should post it on their own testimonials page :)

I really wish Crowd would make a consumer version of their products! I’d be a customer.

Best,
Matt

11 Likes

Crowdstrike has the best product, they charge the most, and their customers are growing at a fast clip, all in one of the fastest growing industries there is - Sounds like another one of our companies - Alteryx

3 Likes

Crowdstrike takes a different approach and goes light on the marketing. Instead Crowdstrike invests the majority of their attention and resources into making a great product. They are gambling that having the best product will make them the best company in the long run.

I really like CRWD (it’s my second largest of my positions which are ordered by conviction and my perceived risk-reward). I tend to think that this review is authentic (even though the author did not identify the company for which he/she works) and even if it wasn’t authentic, I’m sure there are hundreds of reference customers on which Crowdstrike can draw.

However, the above comment in this review is not really accurate. While I believe Crowdstrike has the best product and invests heavily in new products and existing product improvement (R&D), Crowdstrike invests a huge amount in sales and marketing. I’ve often heard their commercials on the radio. They should invest a lot in sales and marketing. Here are some of the facts:

For Q3 2020 (last reported quarter):
R&D spend: $36.0M
S&M spend: $68.7M

For the first 9 months of FY2020:
R&D spend: $91.5M
S&M spend: $190.8M

So there you have the real numbers: Crowdstrike’s approach includes investing a ton of money into sales and marketing… about 2x of their investment into R&D.

Chris

39 Likes

Chris, this IT person may look at it in relation to other endpoint providers. Symantec spent $1.5 billion on S&M in their FY ended Mar 2019, and $913 million on R&D. Which brings me to the point about ESTC. How could ESTC’s Endgame acquisition ever come close to that?

3 Likes

The difference between Symantec and Crowdstrike, however, is that every dollar spent on their R&D (and any resources for that matter) goes to this new generation cloud native EPP architecture. Symantec is still trying to band-aid legacy systems because they do not want to take the profit hit.

This is like Tesla devoting all resources to the new EV technology while Ford is still working on camshaft designs at the same time in addition to EV.

7 Likes

Which brings me to the point about ESTC. How could ESTC’s Endgame acquisition ever come close to that?

Yep. I agree which is one of the main reasons I sold my remaining ESTC yesterday.

2 Likes

Which brings me to the point about ESTC. How could ESTC’s Endgame acquisition ever come close to that?

It won’t. But I don’t think EPP is a winner take all. CRWD is the clear leader and should do very well. But there will be companies that will not want to pay up $200/end point. Companies will be fine with a platform that is #1 in search, #2 in xx etc. ESTC is trying to be a platform for all - infrastructure, SIEM, security, logging. Its pricing approach is indeed revolutionary. Competing with DDOG in all segments. Market clearly believes that ESTC’s 60% growth won’t last. Else why would it have a P/S of 16, even SMAR which is growing slowly and has similar margins has a P/S of 24. If (that is a big if) ESTC reports that federal contracts came through this Q and its billings numbers go up (remember that was their holdback last Q and the reason why the stock price tanked IMO) then the stock should see a quick rebound. If the federal contracts do not come through is the stock price sufficiently derisked? I believe it is. But interesting conundrum for ESTC longs nevertheless.

Long ESTC, CRWD, SMAR.

13 Likes

Good read on how Crowdstrike works.
At the end of 2019, our company was infected by ransomware and paralysed for 1 week. After this event, apparently under the advice of the parent company, the IT team decided to install Crowdstrike protection. The parent company specializes in acquiring hybrid IT companies. So they know what product is best and they chose Crowdstrike!

6 Likes