CrowdStrike went out and acquired a security company called Preempt. Based on this article, https://www.crowdstrike.com/blog/crowdstrike-advances-zero-t…, it appears that customers were asking CRWD to beef up their zero trust credentials, so CRWD went out and did something about it. I spent some more time digging into Preempt and came away pretty excited from a technology standpoint.
First, a very basic primer on what CRWD does. CRWD has a multipronged approach to endpoint security that is broken down into the agent that is installed on each endpoint (for simplicity's sake, you can think of this as a computer) and their central database that they use to crowdsource threat information. I don’t want to get too into the weeds, but I think it is important to understand at a basic level what they do so as to understand why Preempt is so cool.
CRWD’s main product monitors your endpoint (computer) for malicious activity. It is just looking for things that appear out of the ordinary. Some antivirus programs do this by looking for virus signatures (the digital fingerprints of the virus); others look for more indirect markers like suspicious activity, maybe a certain file growing too large as it gobbles up data. CrowdStrike has amplified this (so have a few other companies) with their AI-powered central database, so if suspicious activity is found somewhere, then everyone that has CrowdStrike across the world will now look for that activity.
They also have a firewall which prevents stuff getting into the endpoint or out of it. Their firewall has some nice features that we don’t really need to get into, other than that some of it is based on users or applications. More on why this matters later.
They also have a product called IT hygiene. This is a service that companies can use to make sure applications are all updated, correct versions etc, how often they are used, what things certain users typically use.
They have a bunch of other services that are great but not totally germane to this conversation.
Lots of what CRWD does (they do much more than this, but this generalization is useful) is look at historic norms, and if something deviates from that norm then it flags the activity as suspicious.
Now we are leaving CRWD for a second and talking about identity management. Most/all companies have some sort of identity service. People’s identity is tied into permissions or credentials, which are rules that inform what they can access, such as files, applications, and networks. From an end user standpoint this model is nice because people just have to prove their identity and then they can use all their applications and access their files and networks. From a security standpoint this is nice because it allows for the zero trust model. The old model of security was basically a locked front door. If you had a key to the front door, you had access to everything in the house. The zero trust model means you need a new key (credential) for each and every single thing you access or do in the house. You have to prove you can open the fridge, show your credentials to turn on the TV, change the channel, etc.
Preempt is really interesting because they go into an organization and get the identities and credentials information from the IDaaS (identity as a service) provider (OKTA, PING, MSFT and many others). Preempt then uses that information to build security profiles so they can see if an entity is accessing something unexpected or if the entity somehow has permissions it shouldn’t. They can look at security hygiene in a very robust way and spot insider attacks in real time. With the information, Preempt can tell if an account is too high risk because it has access to too many things. All in all, it is a very cool product that appears to make managing identity and permissions much more holistic, as well as providing real-time threat analysis.
The combination of Preempt and CRWD is going to be really powerful because CRWD is looking for patterns, whereas Preempt has knowledge of exactly what the rules/permissions are, if those permissions are appropriate, and if credentials are being used in an appropriate way. Preempt will allow CRWD to have a much greater understanding of what should be happening as well as allow CRWD to give companies much greater insight into their security hygiene. This will make the security products that CRWD already has much more powerful. IT hygiene will be much more useful to companies, the firewall product will have a much greater understanding of what should be happening, and the activity monitor now doesn’t just have to look at historical norms but has an understanding of what is actually allowed.
Preempt has a blurb that 80% of breaches involve credentials…I haven’t seen numbers from a neutral third party, but that number certainly lines up with what I have heard from people who work in the industry. Makes a lot of sense for CRWD to strengthen their offering with much more robust knowledge of identity. Apple recently fixed a bunch of security vulnerabilities, as discussed in this article: https://arstechnica.com/information-technology/2020/10/white…. Some of the vulnerabilities were bugs that allowed accounts to escalate their privileges; others were accounts that were too privileged (too much access to too much information). Apple had no idea that they had those vulnerabilities. Preempt would have notified them the second an account started doing something it wasn’t supposed to, and it would have flagged the account that was too privileged as part of their security hygiene report.
One of the concerns I had when discussing the merger with other board members was that the focus on identity would increase the friction for installing CRWD. One of the things that I really liked about this investment was how easy it is for a company to adopt CRWD’s products. Identity and permissions/credentials are hard, but the beauty of Preempt is they are going into an environment where all that is already set up. Preempt only takes ONE HOUR to install and start getting useful information from it (some of the vulnerabilities in the Apple case study would likely have been exposed in that hour). This is a match made in heaven from a technology standpoint as well as sales.
I can’t imagine that Preempt has much revenue. If you figure many of the security companies are going for 30x revenue, that would put them only at 3ish million of revenue. I have a hard time imagining they had that little revenue though. The interwebs thinks they have somewhere between 7 million and 49 million of revenue. My guess is much closer to 7 million. Maybe Preempt had run into some bumps in the road, so CRWD got a company that had good technology but was having business issues so they needed to sell. Preempt had raised 17 million dollars back in 2018, and a total of 27.5 million dollars since 2014. Back in February they said they were growing ARR 140%, which doesn’t seem all that impressive to me from such a small base.
All in all, I think this is a very strong acquisition. Remains to be seen how they integrate it from a business standpoint.
I glossed over a lot of the technical stuff, inferred stuff from marketing material and generally made some guesses. I’m fairly sure the overall gist is correct but I’m sure there are some minor errors. I welcome any feedback, corrections, or thoughts.
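
The post's argument about combining the two products contrasts a monitor that only knows historical norms with one that also knows what each account is actually permitted to do. The sketch below is an added illustration of that contrast, not part of the original post and not CrowdStrike's or Preempt's code; the account names, resources and the `max_unused` threshold are all constructed assumptions.

```python
# Constructed sample data; account and resource names are hypothetical.
ENTITLEMENTS = {   # what the identity provider says each account may access
    "alice":  {"crm", "wiki"},
    "bob":    {"wiki", "payroll", "crm", "build", "hr-db", "prod-db"},
    "svc-ci": {"build"},
}
BASELINE = {       # what each account has historically accessed
    "alice":  {"crm", "wiki", "payroll"},   # payroll permission was later revoked
    "bob":    {"wiki"},
    "svc-ci": {"build"},
}
EVENTS = [("alice", "payroll"), ("bob", "crm"),
          ("svc-ci", "prod-db"), ("alice", "wiki")]

def baseline_only(account, resource):
    """Pattern-based verdict: anything not seen before is suspicious."""
    return "normal" if resource in BASELINE.get(account, set()) else "anomalous"

def identity_aware(account, resource):
    """Verdict that also knows what the account is permitted to do."""
    allowed = resource in ENTITLEMENTS.get(account, set())
    seen = resource in BASELINE.get(account, set())
    if not allowed:
        return "violation"   # outside granted permissions, whatever history says
    return "normal" if seen else "new-but-permitted"

def compare(events):
    """Pair both verdicts for each (account, resource) access event."""
    return [(a, r, baseline_only(a, r), identity_aware(a, r)) for a, r in events]

def overprivileged(max_unused=3):
    """Accounts holding more than max_unused entitlements they have never used."""
    return sorted(a for a, granted in ENTITLEMENTS.items()
                  if len(granted - BASELINE.get(a, set())) > max_unused)

if __name__ == "__main__":
    for row in compare(EVENTS):
        print(row)
    print("over-privileged:", overprivileged())
```

The first event is the interesting one: history alone calls it normal because the account used that resource before, while the permission-aware check flags it because the grant no longer exists.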