See the forest from the trees

Yay - another industry review has come out for Endpoint security capabilities. I like diving into these reports, as it covers one area of cybersecurity that I don’t have much view into - the competitive landscape and how these products compare. It is always a very interesting read on the competitive state of Endpoint Protection cybersecurity.

If you don’t remember what EDR is vs EPP … here are the blurbs from my Flavors of Security writeup.

  • Endpoint Protection Platform (EPP) = Service deployed on all endpoints for the monitoring and detection of malicious activity. EPP is about protecting the device itself, not the traffic to and from it. That includes NGAV, to help prevent malware and virus attacks, and may include device mgmt and endpoint detection (EDR) capabilities. Remember, endpoint includes any system on a company’s network – each and every server, storage device, workstation, desktop, printer, laptop, mobile device, IoT device, camera, POS systems, etc.

  • Endpoint Detection & Response (EDR) = Continuous monitoring of endpoint usage to analyze, investigate and respond to advanced threats and broader attacks across many endpoints. Likely integrated with Endpoint Protection (EPP) features. Likely utilizes NTA and UEBA ML/AI algorithms.

Shorter version: EPP is the on-device software app protecting the device, and EDR is the monitoring & management over all those devices, and finding common attack patterns across them. Most of these companies in this space cover both sides of Endpoint Protection, but this report is just about EDR platforms in particular.

Let’s dig in…

Forrester Wave report: Enterprise Detection & Response (EDR), Q1 2020…

TLDR: Crowdstrike is the top leader and is highest on “Strongest Strategy”. CarbonBlack is falling behind [not a surprise, did anyone think VMWare was going to kickstart growth again?]. Elastic Security gets some misguided comments. McAfee, Cylance and Palo Alto are a joke at this point.

As a reminder, Crowdstrike is top leader in prior Forrester’s EPP report too (in a much more crowded market):

Forrester Wave: Endpoint Security Suites, Q319…

Interesting tidbit in the report’s key takeaways, which, you may find, is Crowdstrike’s biggest strength:

Security Analytics Is The Key Differentiator:

As the enterprise detection and response (EDR) space continues to evolve, security analytics will dictate which providers will lead the pack. Vendors that can differentiate with superior security analytics position themselves to successfully deliver detection, triage, and response capabilities to their customers.


Their overall thoughts:
CrowdStrike continues to lead on strategy and execution. It should come as no surprise that CrowdStrike Falcon is seldom purchased as a standalone product, since the company’s adjacent services, such as threat hunting and cyber intelligence, are often the benchmark other client references use when describing capabilities they wish were available in their selected products. CrowdStrike has accomplished this by building service offerings designed to collect and enrich threat intelligence and feeding it back into their product and OverWatch service to ensure they’re detecting even the most bleeding-edge attacks.

While clients rave about the detection capabilities CrowdStrike offers, it’s not uncommon to hear from references and prospective customers that the macOS and Linux capabilities aren’t quite on par. This is likely a state-of-the-market issue, as when clients leave, it’s because something else was comparable and cheaper, as opposed to hearing the product has fallen behind competitors. **Customers buy an EDR solution for its detection capabilities, and there simply are no other vendors in the space that have an intelligence organization of CrowdStrike’s scale to enable the development and services to deliver that capability.** Enterprises looking for strong detection capabilities, backed by threat intelligence and services, should consider CrowdStrike.

Clearly Forrester considers them #1 in the market, and having the best security analytical capabilities, the most important feature overall in their eyes. This is exactly what I was raving about in my Flavors of Security writeup for Crowdstrike – their cloud-native approach changed the entire strategy for analytics over cybersecurity, by “crowdsourcing” the detection of threats over ALL customers’ data at once, spotting trends and isolating coordinated attacks.

My take on their scores:

  • 3rd in “Current Offering”. I don’t worry about that. It was mostly due to lower scores in “Supported Systems” (some have had issues on Mac and Linux systems) & in the rather nebulous “Extended Capabilities” – which we can see in their numbers isn’t costing them any momentum in execution. Top competitor Microsoft in 2nd place is barely higher, but Crowdstrike wins overall on strategy; 1st was small upstart Cybereason but they found their strategy lacking (and complained a bit about their UI, saying it was better for non-technical mgrs).

  • One “Current Offering” score that I want to see Crowdstrike get better at was “Response capabilities”, where they only scored 3.0. Many competitors (Bitdefender, Cybereason, and Microsoft) all got 5.0s. So their 3.0 score stands out as quite low for a company that has such a wealth of knowledge and talent in their extensive on-demand Incident Response services a customer can engage. Automation of response handling seems like the sticking point, so is an area they need to improve. (Something they can likely solve by improving API capabilities and building more integrations with response tools.)

  • Highest in “Strategy” scoring. Officially they tied with SentinelOne, but the only low score for them was in “Planned Enhancements”, so they feel they aren’t signaling their upcoming features enough. One might say it might not be a negative if they are keeping their cards close to their chest in a highly competitive market… so I completely discount that and consider Crowdstrike the clear #1 in strategy & innovation.

  • Highest in “Market Presence” along w/ Microsoft. Yeah - we knew that. One does not grow customers 116% YoY and revenue 89% YoY on pipe dreams. Customers likely ramping up heavily from here, too, in the “everyone is remote” world we live in currently.

All in all - extremely impressive showing by Crowdstrike - and even more impressive that they are now TOP LEADER on both of the latest EPP and EDR reports from Forrester. Forrester is not alone in ranking them #1 – Gartner EPP Magic Quadrant had Crowdstrike and Microsoft as top leaders back in Aug 2019 too.…


Their overall thoughts:

Elastic is poised to disrupt this market if their commercial model doesn’t kill them. The acquisition of Endgame by Elastic was exciting from a technology perspective due to the combination of an EDR with a security analytics platform. Unfortunately, by shifting its licensing to the much-maligned consumption model common in the enterprise SIM space, Elastic is creating downward pressure on adoption instead of encouraging people to broadly deploy its EDR solution. Endpoint products are long-term investments due to the difficulty of ripping and replacing them. This licensing model makes it difficult for enterprise buyers to buy into this licensing model and have a predictable budget.

Elastic is what happens when you get a bunch of hackers in a room together: You get good vision, what gets built is really interesting, but the total package feels less like a single product and more like a collection of really cool proof of concepts. Clients are extremely positive about the solution’s detection capabilities, with configurability of what’s being collected a frequently cited benefit. Elastic has a good solution for enterprises looking for mature endpoint capabilities with a strong vision for the future, if you can stomach the consumption model.

I DO NOT AGREE WITH THAT FIRST ENTIRE PARAGRAPH AT ALL. I do not understand their negative take on Elastic’s pricing model. If you recall my Flavors of Security writeup on them, I found the pricing for Elastic Security to be a huge selling point for using it. Compared to per-device pricing of every other EPP/EDR provider, it could provide HUGE cost savings for companies which maintain their own infrastructure and have a high number of devices to maintain – and even more so if they were already using Elastic Stack or Cloud for monitoring or SIEM.

I think Forrester has bungled up their thought process here a bit, and has their views on pricing completely backwards. They are really hung up on consumption in particular, like it is a bad thing.

Their first mistake is that they are intermingling Elastic Cloud costs (consumption-based) vs the costs for using Endpoint Security in particular (requires you use Elastic Cloud, or have an “Enterprise” license for self-hosted clusters). Elastic Cloud is the part with consumption based charges, not the Endpoint Security portion of that. And if you were maintaining your own Elastic Stack cluster, your licensing pricing is PER NODE of Elastic Stack nodes used in the cluster, not consumption based – which amounts to a fixed price for the entire cluster.

They are conflating the fact that Elastic Cloud likely drives a lot of Elastic Security deployments, translating into “it’s the same thing” (by ignoring all the Enterprise license customers) so ipso-facto wham-bam, Endpoint Security is priced on consumption. Nope.

And, problem two – even after conflating them as the same thing… they are getting really hung up on consumption. With a base overhead to maintain Elastic plus the consumption-based pricing, Elastic will be a really attractive option in many scenarios. Consumption-based pricing is going to eventually beat out per-device pricing SOMEWHERE on the cost-curve as the number of devices managed grows. For a smaller pool of devices, the overhead of maintaining Elastic will not be worth it (if you were not already using Elastic). But let’s jump to the other extreme - what about hundreds of thousands of devices being managed? Per-device costs would be astronomical at $16-19 per device for Crowdstrike’s upper packages. Elastic’s “overhead+consumption” price would absolutely be significantly less.

At some point the cost-curve has to cross between these pricing models. But, alas, price isn’t the only factor. As I have said many a time, I still see the big problem with Elastic’s EDR solution being that their stack keeps the customer as their own island of data. They certainly have strong analytic capabilities within Elastic Stack - but THE DATA being analyzed will never be as good as the “crowdsourced” cloud providers like Crowdstrike that are analyzing over EVERY customer at once instead of just ONE. But, sure, at some point, the cost-savings has to make “good enough analytics” enough for the especially cost-conscious customers that don’t want to pay $16-19 per device, especially since Elastic’s solution at a high number of devices could easily make that under a dollar.

For all their bluster on the pricing model, their later point about it seeming like a group of products rather than a cohesive whole stings a bit. You cannot ignore the fact this was bolted on by acquiring a flailing EPP provider. However, they paired it with the extremely high-value use case of Elastic Stack as a SIEM tool for security & network monitoring, so this platform does have value. Ultimately, I think they can compete a LOT on price, especially for larger device pools and DIY tech companies. But know that it will always have inferior analytics due to being an “island” (running on a much smaller data set than the crowdsourced one, only looking over a single company’s network of devices, not the ‘big picture’ across the globe).

long CRWD


Nice write up on the report Muji.

First, wow Crowdstrike is really dominant in the market.

I also took umbrage at their analysis of the Elastic business model including how they were misreading consumption model vs resource based pricing. Consumption model is how Splunk worked with charging based on GB transferred into the system compared to resource based pricing with Elastic where you can transfer in as much data (like from 1,000s of endpoints) as you like until you fill your allotted resource up. You then have to transfer to storage or remove old data or add another node. So I think they are misrepresenting the business model quite substantially actually.

But I do find their first sentence quite interesting. Elastic is poised to disrupt this market if their commercial model doesn’t kill them.

You don’t see that kind of statement very often. So if they are mostly wrong on the second half of the statement, that could be very positive for Elastic.



At some point the cost-curve has to cross between these pricing models. But, alas, price isn’t the only factor. As I have said many a time, I still see the big problem with Elastic’s EDR solution being that their stack keeps the customer as their own island of data. They certainly have a strong analytic capabilities within Elastic Stack - but THE DATA being analyzed will never be as good as the “crowdsourced” cloud providers like Crowdstrike that are analyzing over EVERY customer at once instead of just ONE. But, sure, at some point, the cost-savings has to make “good enough analytics” enough for the especially cost-conscious customers that don’t want to pay $16-19 per device, especially since Elastic’s solution at high number of devices could easily make that under a dollar.


On this board at least, CRWD is a preferred investment. ESTC has had a significant number of detractors.
With reference to the quoted paragraph, my question is: does this support making an investment in ESTC, or does it make more sense to add to CRWD?

DrAJ long CRWD (12)

Elastic Security (Endgame) is not really an “island” with no crowd sourcing. Elastic continuously (they are one of the fastest iterating software companies out there) pushes out hundreds of machine learning anomaly detection capabilities to the platform.

The crowd sourcing used for the development of the machine learning algorithms is crowd sourced from the MITRE ATT&CK knowledge base. I don’t know enough to go into the weeds on it but here’s what that is.

MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world — by bringing communities together to develop more effective cybersecurity. ATT&CK is open and available to any person or organization for use at no charge.

Virtually every cyber security process that occurs contributes to the knowledge base and the experts release a framework for the experts to fight threats as they pop up. I’m not sure how fast this crowd sourcing is.

I’m not suggesting that Crowd doesn’t have an advantage in the way their system works. And Crowd uses/contributes to MITRE ATT&CK as well, but it’s a little too far to call Elastic’s system as putting its customers on an “island”.



Great thread and comments from muji and darth.

Lost amid the constant Zoom posts

Elastic continues to plug away:…
With Elastic, Ingram Micro’s ecommerce conversion rate improved by 50%, relevance of search went up by 35%, and null search results went down by 30%.…
Google Cloud PoY for data management


long ESTC



Elastic Security (Endgame) is not really an “island” with no crowd sourcing. Elastic continuously (they are one of the fastest iterating software companies out there) pushes out hundreds of machine learning anomaly detection capabilities to the platform.

I don’t think you quite understand what I mean by “island”.

This is not in reference to Elastic’s algorithms, nor the complete lack of it being able to leverage crowdsourced knowledge about how to apply those algorithms for attack detection. Yes, MITRE ATT&CK is a crowdsourced knowledge base – everyone in the cybersecurity business benefits from it. Elastic can continually improve its algorithms in subsequent releases of its software (which typically come out about once a month) as the best practices for identifying and responding to attacks continues to adapt.

What I am referring to by island is the island of data that those algorithms sit over.

Crowdstrike has a global view over all of its customers at once. Coordinated attacks that are striking numerous customers can be detected. An attack spotted on one customer can then be identified and stopped across all customers. They refer to this as the Falcon platform having “crowdsourced data”. The entirety of their customer data can be searched by its algorithms.

Elastic Stack can only view the data within its cluster. Its algorithms can only analyze the data coming in from Endpoint Security that is being stored within it, from only that customer’s devices. This is the “island” – an individual customer can analyze only what it can directly observe from its own endpoints. They gain NO benefit from the others using Endpoint Security that may be seeing the same suspicious events. It cannot analyze any other customer of Elastic, only their own device data. If one customer identifies a threat, no other customers get that same knowledge (until it gets into ATT&CK). Beyond that, the platform cannot adapt its algorithms in real-time like a cloud provider can, either – it needs to be updated in the next release of Elastic Stack.

These are very, very different security postures. Crowdstrike clearly wins here as ultimately being more secure, just by the very nature of having crowdsourced data over its entire customer base. Every customer is contributing to the security communally. Being cloud-based, it can be a lot more nimble in sharing insights across all customers at once, as its algorithms are able to see every action across its entire network of customers, and can globally take action across all customers at once.

As an example of a threat detection scenario: Crowdstrike starts seeing specific attacks on particular versions of Android phones, all of which happen to be on a particular cellular network. It could be affecting 80k devices across 500 different customers. If they spot and identify it, it goes into a global blacklist and every one of those 500 customers immediately benefits and begins to block that attack.

Elastic on the other hand would only spot this on an individual customer’s particular devices. The customer would see something going on only on the 500 devices that are theirs. Because of that, they may not have the same picture or analytical outcomes that Crowdstrike would have, as it is looking at only <1% of the data that Crowdstrike would have in its global view. The data being analyzed is ONLY THEIRS (an “island”). The analysis results are ONLY THEIRS (an “island”).

Of course, Elastic can eventually learn to identify this particular attack in subsequent releases as it improves its algorithms, once it gets identified and is available in MITRE ATT&CK or another cyber knowledge base. And the next release of the Elastic Stack software over the next month or two could then help every customer with that same attack.

To be clear – this shortcoming of Elastic’s is SOLELY for the Endpoint Security product. In every other aspect of their platform (APM, logging, monitoring), having the customer being their own island is NOT a shortcoming. It is just with its cybersecurity product, where the communal knowledge AND the communal data ultimately makes its competitors more nimble.

It’s not all bad for Elastic. While Endpoint Security keeps the customer their own island … it can exploit a different benefit. It can have analytics over endpoint data from Endpoint Security, but could also be including any other observed data it is collecting as well (network traffic, SIEM, ARM, log data) as a factor in its analysis. That perhaps gives Elastic users a better ‘big picture’ over their entire network of infrastructure, beyond just devices.

But, as far as device security goes, Crowdstrike will always be more nimble, and ultimately, better at protecting.

long CRWD
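Muji’s island-vs-crowdsourced scenario above, as an added example that is not from this thread or from either vendor’s software: a toy correlation over constructed endpoint events, where each “island” tenant counts only the devices it can see and the “crowd” view counts across every tenant before pushing the result to all of them (tenant names, event fields and thresholds are all assumptions).

```python
"""Added example (not from the original thread): per-tenant ("island")
correlation versus cross-tenant ("crowd") correlation over the same
constructed endpoint telemetry.  All names and thresholds are made up."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    tenant: str     # customer whose endpoint produced the event
    device: str     # endpoint identifier within that tenant
    platform: str   # e.g. "android-9" (constructed label)
    carrier: str    # cellular network the device is on (constructed label)
    indicator: str  # suspicious artefact observed, or "benign"


def make_sample_events(tenants, hit_devices_per_tenant):
    """Constructed telemetry: in every tenant a few devices on the same
    platform/carrier report the same indicator, plus one benign device."""
    events = []
    for t in tenants:
        for i in range(hit_devices_per_tenant):
            events.append(Event(t, f"{t}-dev{i}", "android-9", "carrier-x", "ioc-A"))
        events.append(Event(t, f"{t}-dev-ok", "android-9", "carrier-x", "benign"))
    return events


def campaign_key(e):
    """Group events by what looks like one campaign: same indicator on the
    same platform and carrier (the pattern in the scenario above)."""
    return (e.indicator, e.platform, e.carrier)


def island_detect(events, threshold):
    """Each tenant correlates only its own data: a campaign is flagged for a
    tenant only when at least `threshold` of *its* devices report it.
    Returns {tenant: set(flagged campaign keys)}."""
    per_tenant = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e.indicator != "benign":
            per_tenant[e.tenant][campaign_key(e)].add(e.device)
    return {t: {k for k, devs in keys.items() if len(devs) >= threshold}
            for t, keys in per_tenant.items()}


def crowd_detect(events, threshold):
    """A provider with global visibility counts affected devices across all
    tenants, then every tenant receives the same blocklist immediately.
    Returns {tenant: set(flagged campaign keys)}."""
    devices_by_key = defaultdict(set)
    for e in events:
        if e.indicator != "benign":
            devices_by_key[campaign_key(e)].add((e.tenant, e.device))
    global_block = {k for k, d in devices_by_key.items() if len(d) >= threshold}
    return {t: set(global_block) for t in {e.tenant for e in events}}


if __name__ == "__main__":
    sample = make_sample_events(["acme", "globex", "initech", "umbrella", "hooli"], 3)
    print("island:", island_detect(sample, threshold=10))  # nothing flagged
    print("crowd: ", crowd_detect(sample, threshold=10))   # ioc-A flagged for all
```

With five tenants each seeing three affected devices, no island ever reaches a threshold of ten, while the crowd view counts fifteen devices and blocks the campaign for every tenant at once.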


CRWD’s knowledge base and ML modules will offer a bird’s-eye view of the latest new attacks, minute by minute. To get this level of detection fidelity, you are going to pay for it. All Global 2000 finance, health, and military customers have a Cadillac detection service from somebody and probably more than one vendor’s fig leaf over their you know what. They are going to pay for whatever it takes to whomever. ESTC Cloud will not likely do well in this market segment unless it is packaged and augmented by a major security vendor.

When you drop down below these advanced security mature customers, you start to run into real budgets. These budget constrained customers are going to buy what is good enough for what they can afford. And their eyes will glass over at the technical efficacy details of each security vendor’s offerings. A full service like CRWD will be competitive if the price is right. But this is also where the opportunity is for ESTC.

Running an Elastic Cloud SIEM must be very affordable especially for data store. The Endgame endpoint EPP will provide endpoint protection and provide a heavy data feed to the Elastic SIEM for hunting and analysis. Consumption pricing for Elastic needs to be competitive. For example I know security customers that love Splunk to receive their endpoint logs and events from free tools such as BRO. But the Splunk data consumption charges are so high, customers may only be able to keep a couple weeks of data before they slough it off. This data is very valuable to identify new events and behaviors against expected historical data. You really need to keep a year’s worth of data.

A last comment about the bird’s-eye view of the latest attacks. There are better public feeds besides Mitre (which is very slow to identify new attacks); you can get free and paid-for feeds from many established vendors that are very up to date and accurate for such things as network traffic drive-bys, email phishing, endpoint malware, etc. Of course this requires an investment from the company to maintain and harvest these feeds. University and foreign companies with cheap labor and limited budgets will jump in this direction and ESTC should do well. Many already have ELK deployments.

still do not like CRWD
may get back into ESTC at some point…keeping some powder dry right now.