“When we think about Humio, it’s not just about stopping breaches, right? It’s about having companies run better, their IT systems performing better, having better customer interactions, because customers are delighted by the performance of the systems.” — George Kurtz, CEO & Co-Founder, CrowdStrike
The Falcon Platform + Humio: The future of XDR
Q: As part of the announcement that was recently made, the community also learned that they can see sample CrowdStrike, Falcon Data Replicator data (FDR data) and that FDR data can be ported into Humio. Can you tell us a bit more about the value that that will bring to customers?
A: Well, it’s really about data, you know, and data gravity, right? We have a tremendous amount of data that we generate from Falcon. Our EDR technology probably has the most event data of any technology and industry by far, by order of magnitude. And that information is incredibly valuable. You know, some of it we obviously use for current detections and figuring out what’s happening. Some of it may just be off-the-shelf information that you want to store, like the performance of, you know, the end points, or if things are running out of this space or, you know, a year from today, someone may want to say, “What was George’s IP address and what was his machine name?” Well that may have changed five times in a year, where the machine’s IP address was changed almost on a daily basis. So having all that information, being able to go back in Falcon Data Replicator and never throw it away, I think is going to be really impactful and just create tremendous interest in our customer base to store logs, query it and archive all that information.
Q: So let’s talk a bit more about the news on XDR. So the industry has responded favorably to the news of Falcon XDR and we know Humio is a foundational architecture to this distinct module that is extending CrowdStrike’s industry-leading EDR capabilities. But can you tell us a bit more about Humio’s role in Falcon XDR and the benefits it brings to customers?
A: Well, it starts with the best EDR in the industry, which is a Falcon. The second piece, then, is how do you extend that core EDR capability out to XDR and you have to be able to plug it into other relevant technologies, firewalls, and gateways, and cloud APIs. Humio gives us the ability to take unstructured data that isn’t part of our Threat Graph™, right? Our Threat Graph, our agent creates data. It then goes into our Threat Graph. It’s all organized appropriately. So we know it’s very clean data and it’s organized well in the Threat Graph. But when we pull in data from other sources, it becomes really difficult to rationalize all that because everybody has a different view of data. So Humio allows us to do that and really combine unstructured and structured data to get an advanced threat detection outcome, as well as to decorate the attack narrative of what happened across attack before the end point ever sees the attack, right before the end point. We happened to be the last person standing to prevent these, but you know, it went through a gateway. It went through email; it went over the network, and you want that level of visibility to not only identify advanced threats, but also to tell the story about what happened.
In cybersecurity, it’s all about speed
Q: You’ve also discussed ransomware quite a bit recently. I’d love if we could talk a bit about how Humio plays in this space. Customers are often surprised by Humio’s speed of ingestion and ability to query data in real time, which, particularly for security teams, are seen as critical given the rise of malicious cyber activity, like ransomware targeting all verticals and sectors. Share with us, please, what you’re hearing from customers around this.
A: When you look at ransomware today, it’s really about big game hunting. It’s no longer about getting an email that has a bad attachment and you get infected. And that’s a one-off. What we’re seeing is with big game hunting, these e-crime groups are targeting specific industries, specific companies. Once they’re getting in, they look a lot like nation state actors. They are getting into an organization, a lot of times using the existing tools like Microsoft’s own distribution tools to actually plant the malware across the entire fleet of endpoints and servers and then activating it. So obviously, CrowdStrike plays a valuable role. Falcon technology and end point technology play a valuable role to identify and detect and prevent against that. But there’s a lot of other telltale signs and signals that are out there that can be used.
So, you know, someone gets through a firewall or someone connects to a remote desktop, there’s nothing to prevent that. That’s a legitimate activity. It’s not until they start going through the process of exploiting systems and moving laterally and things of that nature that you begin to see it. So by combining the signals together, you know, with XDR or with Humio as a standalone product, it gives you greater ability to understand these attacks very early on in the kill chain before they hopefully ever hit the end point. Because a lot of times they will; they will kind of exploit things, you know, maybe outside the firewall or an RDP session that’s left open. If you can look at these early on before the activity even takes place and look for these anomalies, that can be super helpful.
Q: It sounds like speed is really the only currency that organizations have in these situations.
A: Speed is a critical element. And we talk about breakout time and how long it takes to exploit these machines. And it’s probably about an hour and thirty this year versus four hours last year. So somebody gets on a machine, you don’t have a lot of time to be able to identify and prevent that. And again, I think we do a great job with our ransomware prevention and detection on the end point itself, but you want to have full visibility across other systems that are not just standpoints.
Using Humio to break down silos
Q: We see some customers struggling with silos between DevOps, ITOps, and SecOps. And some organizations have adopted a DevSecOps or SecDevOps focus. What new requirements or technologies could help customers break down these silos and reach their goals?
A: I think Humio plays a key role in being able to really unite the Ops team with SecOps or DevSecOps. So you have the operations team; you’ve got obviously DevSecOps; you’ve got developers that are operating things. Then you’ve got security, which is real-time security, as well as part of the whole process. And if you can have a technology that actually meets the needs of, of all these various groups that are out there, that’s a winning proposition, right? So it’s not just, hey, another security tool that the security folks want us to implement. That’s slow and cumbersome and gets in our way, but, you know, they would view it as a tool that can make them more productive, right? How’s the performance of the system? What’s the availability of the system and what’s the user experience and how do you combine that with security? That’s a critical element. You know, you can’t have robust systems without them being secure. So if you can solve a need of all these various groups, we think that’s a home run.
Switching solutions is worth the effort
Q: Log management isn’t new, and there are a lot of enterprises that use traditional tools. Understandably enterprise IT managers have legitimate concerns around the thought of adopting another log management solution. How do you encourage them to replace or augment their existing solution with one that provides the two most powerful elements that allow enterprises to log everything and an unlimited plan with scalable performance capable of supporting the largest and most challenging log collection environments?
A: Well, certainly the prospect of ripping out or replacing log management can be daunting, even with all the benefits that Humio has. But there are a lot of customers that have replaced traditional log management platforms. A lot of the players that are out there with Humio, and as the applications begin exploding and you’re connecting to the cloud, what we found is that, a more modern architecture, a cloud-based architecture that can deal with the data volumes is super important. And the other piece that we’ve seen is we’ve been able to run side by side, if you will, with other technologies and actually take the load off other technologies that have become really expensive to ingest or a lot more cost-effective there. And then, you know, over time, we can replace those technologies.
We certainly can do it day one, but it’s a bit of a hybrid approach. The other piece is the language that Humio uses is actually really familiar to folks that are using it. So the cut-over is pretty quick. Once you get the queries cut over, if you will, and kind of rewritten, it doesn’t take a whole bunch of effort. So you know, there’s various ways to do it, but we’ve had a lot of big companies who had well-established architectures in those areas being able to cut over and not look back.
Celebrating a decade & looking ahead
Q: We just celebrated CrowdStike’s ten-year anniversary. First of all, congratulations to you and all of CrowdStrike. Secondly, if you could go back in time to the fall of 2011, what advice would you give yourself?
A: I would say it’s going to be a great journey, and you know, it’s not about the destination; it’s really about the journey, enjoy it. And I would also just reinforce: Stay the course. We talked a little bit about conviction and cloud-first, and the challenges that we’ve seen with these models of companies starting, many of our competitors starting with on-prem, trying to stick it in the cloud and calling a cloud not really cloud-native architectures and, you know, having the discipline to be able to do that. So yeah. I think, you know, we’ve been able to do that, which is good. I’d probably just reinforce it and make sure that you enjoy the journey as you get through these various stages of growing a company from 25 slides to IPO, selling it, or rapidly acquiring new customers and then going out and acquiring great companies like Humio and great people that come along with it.
Q: I often find that great companies are built on great customer-led stories and great stories are completely transparent and honest with the addition of Preempt Humio and now SecureCircle and the recent large announcements of Falcon XDR the XDR Alliance. How is CrowdStrike’s story evolving?
A: It’s evolving in a way that’s very similar, I guess, to some of these original slides, right? It’s really about the platform and demonstrating to people that this is not a point product. This is not just about, you know, a better AB product. That’s one of 21 things that we do today. It’s really about a foundational platform that has the ability to consolidate lots of technologies, drive down costs, reduce complexity and get better outcomes, which is stopping breaches. But beyond that, when we think about Humio, it’s not just about stopping breaches, right? It’s about having companies run better, their IT systems performing better, having better customer interactions, because customers are delighted by the performance of the systems. So when we look at where we are today, it really is that end point and workload company that, certainly its core is at security, but being able to expand out into adjacencies that are related and make sense but go beyond security. And that’s, I think, what we’ve done with some of these acquisitions, including Humio.
Q: We really appreciate everything you’ve shared. To finish up, what is one question you wish I’d asked and how would you have answered?
A: I’ll give you the fun one, which is, we know racing as part of CrowdStrike. Why is that? What does all that mean? It’s a couple of things. One, it’s part of CrowdStrike. Many have probably seen us. If they’ve watched Formula One or Netflix, we’re big sponsors there and we’re pretty active in the US as well. And I think it’s been a great platform for us to gather like-minded customers together to spend some time talking about security in the industry and also understanding that, to your original comment, speed is critical for security. Speed is critical in racing as well. And if you could combine great technology like Formula One and CrowdStrike and speed together, that’s a winning proposition and the details matter, right? If you take care of the details, the little stuff takes care of the big stuff. And that’s just part of our DNA. I think it’s [speed] has served us really well.
- Listen to the full interview in episode 55 of The Hoot podcast
- Read about maximizing the value of your Falcon Data Replicator (FDR) data with Humio
- Try Humio’s log management solution at no cost and with ongoing access
- Connect with peers in log management & observability at The Nest
- Request a demo of Humio’s streaming log management solution
Customers, Conviction, Speed: A Conversation With George Kurtz, CEO and Co-Founder at CrowdStrike is written by Cinthia Portugal for www.crowdstrike.com