This below comment was left by a SA user “Steampowered” on a recent Crowdstrike article on competitive advantage (link: https://seekingalpha.com/article/4316486-exploring-crowdstri…) and was a well-articulated user experience vignette.
I know there are forms of etiquette for not doing a wholesale copy/paste of external articles, but given this was a comment, I felt it okay to carry over to the board.
“It interests me to see the way most people attempt to value what Crowdstrike is doing based only the company’s financials. I am a user of the product, so I will say a few words on that. I am the IT Director at a small company, and we use Crowdstrike to prevent malware and breaches.
Most people in finance are familiar with the concept of “black box” trading models where people invest in a hedge fund without knowing exactly how the fund managers make their decisions for trading. Investing in endpoint protection (a fancy word for anti-virus) is a similar endeavor for an IT professional. The scope of IT security is so broad, and the mechanics of endpoint protection are so technical, that IT professionals must shop for endpoint protection without understanding the details of how it works. This causes many endpoint protection companies to go whole-hog into marketing to sell their product.
Crowdstrike takes a different approach and goes light on the marketing. Instead Crowdstrike invests the majority of their attention and resources into making a great product. They are gambling that having the best product will make them the best company in the long run.
George Kurtz, the CEO of Crowdstrike, was previously the Chief Technology Officer at McAfee. He decided to leave McAfee after riding on an airline seated next to someone who was frustrated at how McAfee’s anti-virus slowed down his computer dramatically while still missing some important threats. George Kurtz envisioned a better way to go about endpoint protection, but the change required a totally different approach. So he would need to start a new company.
At the time McAfee primarily searched for threats by looking at digital signatures (or hashes) of known files which act as payloads for malware. This approach works less and less because malware evolved to change the file slightly and evade detection. This has to do with a hash algorithm’s sensitivity to initial conditions (a close match is a non-match).
Crowdstrike’s software attempts to monitor computers and networks for behavior which matches the behavior of malware. Crowdstrike’s software operates like a world-wide network, monitoring hundreds of thousands (or millions?) of computers simultaneously for this suspected behavior. If Crowdstrike confirms a detection on one computer or one network, then Crowdstrke searches for this same behavior everywhere else in the world – instantly. So being a Crowdstrke customer allows you to benefit from this network effect. Obviously no human or group of humans can monitor hundreds of thousands, or millions, of computers and networks simultaneously though.
So Crowdstrike wrote software which does this.
But the process is not 100% automated. Crowdstrike’s software is actively managed by a team of (very smart) humans who man 24 hour shifts in a Security Operations Center (SOC). Most small-to-medium size companies cannot afford to implement a Security Operations Center. Even when a company has the financial resources for a SOC, most companies don’t know how to manage a SOC. And hiring SOC employees is nearly impossible because of the labor shortage of IT security professionals. Crowdstrike bundles this highly sought-after SOC service with their software and brands the SOC service as “Falcon Overwatch”. The Falcon Overwatch service was another invention of Crowdstrike, because nobody else was offering this when it came out (to my knowledge).
So how well does it do in real life? After being a customer for almost 2 years, I am completely impressed. Not only is the end-user software interface one of the best-designed web interfaces I have ever used. The Falcon software itself (what they call their anti-virus) seems to detect malware much earlier than anything else.
During this past fall one of our vendors had a computer become infected with malware, and that vendor’s computer sent spam emails containing links to spread the malware. One of our low-level billing employees received one of these malware-laden emails, and she clicked on the link. Crowdstrke software immediately identified the code as malware and notified me, the IT Director, while I was working in a different US state. The billing employee continued to do her work on the computer while the Crowdstrike software triaged and contained the malware until I had time to respond.
The email containing the malware link was very clever, because the email was crafted with formatting to appear like the billing emails we receive from that vendor all the time. Except the link at the bottom of the email did not contain a legitimate invoice. Instead the link attempted to install malware. I inspected the malware which was blocked from running on her computer. The malware had an encrypted payload which decrypted itself from a remote IP address before attempting to install itself. The main function had the variable name “venom”. The malware creators named their function “venom”!
I called the vendor to let them know one of their computers was sending malware to all of their customers, but they were completely unaware. The girls answering the front desk transferred my call, and I could hear occasional giggling in the background while I waited. The administrators could not reach their IT staff, and nobody knew what to do. So I left my contact info.
2 hours later I attempted to inspect the malware, but windows no longer allowed me to view the contents of the file. Windows finally identified the file as malware, and Windows decided to “protect me” from viewing the file. I opened G-Suite Gmail which hosts our email and attempted to obtain the file from the link where the malware originated. But Google also identified the link as a malware delivery link and would no longer allow me to download the file. But this was two hours after the attack! Way too late.
This experience blew my mind. Crowdstrike identified the malware instantly, while Microsoft and Google took 2 hours to figure out the malware. Google and Microsoft have way more money than Crowdstrke, but Crowdstrike is apparently way better at detecting malware (at least in this case).
I sleep easier knowing Crowdstrike is protecting our network. Not only would I be at risk of losing my job if our company became infected with ransomware. I would also feel embarrassed and feel terrible if our company were ever to be held hostage to a ransomware attacker. Crowdstrike is the best solution for us, and I suspect Crowdstrike is the best solution for most companies with employees who work on computers (most of the office-bound workforce).”