Interview: George Kurtz, CrowdStrike

Written by

This year marks six years since Intel acquired security vendor McAfee, putting the IT giant into the security space and creating the brand Intel Security.

The CTO of McAfee at the time was George Kurtz, who left a year later to pursue his own venture, CrowdStrike. That company is now five years old and recently opened its first office in the EMEA region after strong growth in the region with the addition of customers, deployments and staff in the region.

I first saw Kurtz presenting in the capacity of Crowdstrike at the 2013 RSA Conference in San Francisco, where the message was on proactive defence and “looking at ways and methods to make it harder for the adversary and be more hostile in the network.”

Since then, the company has pivoted to what he described as "next-generation endpoint technology", which Kurtz said was about focusing on disrupting the whole endpoint market in the way that Palo Alto Networks did with the firewall space. “That was the original premise for how I got the funding to start the company,” he said. “Given my time at McAfee, I had a pretty good understanding of what worked and did not work.”

The CrowdStrike cloud-based Falcon platform is intended to move endpoint into 2016, from what Kurtz deemed to be 1985’s signature base. “Really we are the first and only guys to deliver everything from the cloud to the endpoint, it runs locally as a small agent and no hardware device, and when you break down the areas of focus there is only three key areas: first is next-generation anti-virus where we combine multiple elements from the cloud to identify not only known malware, but also unknown malware and identify activity that does not rely on malware.

“What I mean by that is attackers have moved from using malware to using stolen credentials and I call it 'the FireEye effect', as a lot of the adversaries have moved to a strategy of minimizing malware and sandboxing technologies have become less and less effective.

“We also do endpoint detection and response (EDR), and then a managed hunting piece which is people looking for breach indicators.”

The term “next-generation” is used a lot, and comes with no real determination on what the old generation was, or what is new to make it “next-generation”. Kurtz said they see the determination as the cloud aspect, as the impact is limited upon the machine, including the indicators, exploit mitigation technology, and behavioral technology – in particular what the indicators of attack are.

“Reputation-based is flawed as you have to ‘age’ the reputation as one day it is good and the next it is bad,” he said. “If you look at a sequence of events, we do it with our Threat Graph which tracks every process that has ever executed on that system and puts it into a massive graph format. We can look at what happens before an event takes place. The new school is you can track it over time with the cloud model, as you know what happened before – we are looking at the process and extent of that process and also have contextual awareness on how that process got started.”

Kurtz called Threat Graph “the brains of the operation” as it holds the data, and put together with the endpoint technology it works.

So is this another nail in the coffin of signature-based endpoint protection? Kurtz said that someone somewhere is using signature-based systems as some element sits somewhere, but the rise of next-generation is being fuelled by people trying to do it on the network, and it fails.

The other area that the company has focused on is visibility for the endpoint, where it can roll back and get an answer on a question about a threat. “Some of the other solutions that we compete with, you have to know what to ask and when to ask it, ours drives itself as it has the DVR and if it has something there and is gone, there are systems that you never know but with our technology you know what is there.”

Discussing the concept of machine hunting, Kurtz made the bold claim that “we stop breaches”. “Even if you stopped 100% of the malware which is impossible, you would not necessarily stop the breach,” he said. “We cover the full range of protection, detection and response for malware-related attacks with the end goal of allowing organizations to stop the breach.”

Is that easy to do? He said that if you lose an encrypted device, you don’t worry. If it is lost and accessed, then it could be contained by CrowdStrike, but he claimed that breaches mostly happen because of someone getting in and laterally moving about.

“It is looking across the whole kill chain with enough visibility and how fast our technology works, you do minimise the chance of a mega-breach,” he said. Kurtz claimed that it is able to stop around 200 breaches a week, with blocking and looking for breach indicators, and machine learning and Falcon Overwatch analyst team looking for anomalous activity.

I concluded by asking Kurtz about his views on network security, and advancements being satisfactory to the point where endpoint needed the focus? He said at McAfee there was the IPS and he saw the limitations with attackers simply encrypting traffic and bypassing it, and now it is about keeping up with sandboxing.

“I saw this and realised that all of the activity is on the endpoint, and the breach happens at the endpoint so why not provide protection, visibility and response which is where everything is broken into,” he said.

Kurtz said he believed that CrowdStrike were there at the right place and time, and last year raised $100M in funding in Google, and that is why endpoint is the right space.

What’s hot on Infosecurity Magazine?