CrowdStrike CEO George Kurtz has Microsoft squarely in his sights – Protocol


Alan Dickson

In an interview with Protocol, Kurtz said that while “everyone wants to make sure customers are protected,” Microsoft should place a higher priority on “creating secure software.”
George Kurtz, CEO of CrowdStrike, spoke with Protocol about secure software.
The continuance of large numbers of security vulnerabilities in Microsoft software and architectural weaknesses in some of its systems, such as the Active Directory identity service, should be troubling to any customer, CrowdStrike co-founder and CEO George Kurtz told Protocol.
“Customers are asking the question, ‘Do I really want to put all my eggs in one basket, with a company that has a long history of not creating secure software?’” Kurtz said in a recent interview.
“Some will. Some are going to do it,” he said. “But there are a lot of companies that are saying, ‘This can be a real risk to the company, using both Microsoft for security as well as applications, cloud, and everything else.’”
Kurtz, of course, is far from unbiased, given the fierce competition between his company’s Falcon endpoint detection and response product and Microsoft’s EDR, Defender. IDC figures have shown CrowdStrike in the lead on endpoint security market share, with 12.6% of the market in 2021, compared to 11.2% for Microsoft. However, CrowdStrike’s growth of 68% in the market last year was surpassed by Microsoft’s growth of nearly 82%, according to the IDC figures.

Speaking with Protocol, Kurtz discussed Microsoft’s strategy of bundling Defender into its higher-tier Office 365 productivity suite, known as E5, as well as Microsoft’s efforts to keep vulnerabilities out of its software. He also spoke about upcoming product categories that CrowdStrike plans to add as new modules on the company’s platform and the company’s acquisition strategy.
This interview has been lightly edited for clarity and brevity.
Is it safe to assume that external attack surface management is going to be your next module?
It is. We’re really excited about that. [Reposify is] a really cool company out of Israel, great technology. What they’re focused on is really automating the understanding of internet-exposed infrastructure or cloud infrastructure, where things might be misconfigured or exposed — which is a huge problem.
Can you give any sense on what modules you might look at adding after that?
We really can’t comment on the future [modules]. But I think if you look at the areas that we’ve been focused on, I’ll maybe start there.
Obviously, people know us for endpoint and for cloud workload protection and visibility. We got into the identity space with Preempt — that’s not an Okta competitor, it’s more identity threat detection and prevention. And then we did an acquisition of SecureCircle in the data space because we do think that [data loss prevention] is a market that can be disrupted. It’s kind of like the legacy [antivirus] market: [There are] not a lot of people happy with it, [it] doesn’t work so great.
So it’s really about putting those together and filling out more capabilities in each one of those three buckets. Obviously, we’ve got great capabilities, but there’s always more than we can do, there’s always additional companies out there [that could fit as] a module.
Do you think you would potentially do a larger acquisition at some point?

I think we evaluate deals as they come in, on a case-by-case basis. But our focus really has been smaller deals, good teams, and good technology.
In terms of the competitive landscape, I get the impression that Microsoft’s E5 bundling of Defender can be pretty tempting for some customers. What are you doing to win EDR customers in light of that strategy by Microsoft?
Well I think you’ve got to start at the top, which is: There’s really a crisis in trust with Microsoft for a lot of [customers]. I mean, every Tuesday is another zero-day Tuesday. So do you want your security architecture to be built by the same people who have more CVEs to their name than anyone else in the industry? Many don’t.
The simple answer is, don’t put all the eggs in one basket. And they want dedicated technology that is more advanced than signature-based AV. Defender, in part, is a signature-based AV product, with some other things bolted on top of it. So it starts there.
We’ve had many enterprise customers that looked at Microsoft, and when they looked at it, they’re like, “We need five or six different consoles.” They’ve come back and said, “We need many, many more people to run the Microsoft suite that we can’t hire, and it would cost us more money than having the E5 license already in use.” [CrowdStrike offers] immediate time to value, a better outcome, and lower costs. And that’s what wins deals.
So the cost savings from E5 licensing is not the full story, then?
Who’s going to run it? Who’s going to administer it? How many consoles are you going to have? How much people-power does it take to actually run? Just do the math. Our customers have done the math, and we help them as well. We are significantly cheaper to operationalize than Microsoft. And we’re going to have a better outcome.
What makes CrowdStrike so much less people-intensive?
Because we’ve got one console. We’ve got a single-agent architecture. Because of the architecture and the modular format, all built in the cloud, it doesn’t require [as many people]. If you have a whole mishmash of different technologies that you bought and put together with five consoles, it’s going to take a lot more effort to manage and operationalize it. We’re built in the cloud. Microsoft started [as an] AV product. [CrowdStrike] is just a different architecture that is easier to use and requires less users to use it.

On at least one occasion in the past, a Microsoft executive suggested that security vendors shouldn’t criticize each other because they should be working together on behalf of customers. What do you think about that idea?
Everyone wants to make sure customers are protected. But I think they should start with creating secure software. And when you look at some of these vulnerabilities, and some of the patches that have to be re-patched, and you look at just architecturally some of the decisions they’ve made, like with Active Directory, it’s terrible. How is it that Microsoft technology is one of the only technologies that you can actually steal a password and reuse it without ever cracking it? It’s just that the architecture is bad, and they have a lot of legacy decisions that still haunt customers today. That’s Microsoft’s fault.
Is there anything that you’d give Microsoft credit for in terms of security, or that you think was a good move on security by them?
They’ve done some decent acquisitions, for sure. And they’ve hired some good people there. But you can’t just market your way out of it. You can’t blame other people. And you’ve got to look inside and start fixing some of your own issues.
Kyle Alspach ( @KyleAlspach) is a senior reporter at Protocol, focused on cybersecurity. He has covered the tech industry since 2010 for outlets including VentureBeat, CRN and the Boston Globe. He lives in Portland, Oregon, and can be reached at kalspach@protocol.com.
The Biden administration rolled out new, wide-ranging export controls on the chips and equipment U.S. companies are able to sell to China.
Max A. Cherney is a senior reporter at Protocol covering the semiconductor industry. He has worked for Barron’s magazine as a Technology Reporter, and its sister site MarketWatch. He is based in San Francisco.
The U.S. unveiled a set of new regulations Friday that aim to choke off China’s access to advanced chips, the tools necessary to manufacture years-old designs, and the service and support mechanisms needed to keep chip fabrication systems running smoothly.
On a briefing call with reporters Thursday, administration officials said the goal is to block the People’s Liberation Army and China’s domestic surveillance apparatus from gaining access to advanced computing capabilities that require the use of advanced semiconductors. The chips, tools, and software are helping China’s military, including aiding the development of weapons of mass destruction, according to the officials, who asked to remain anonymous to discuss the administration’s policies freely.
The new rules are comprehensive, and cover a range of advanced semiconductor technology, from chips produced by the likes of AMD and Nvidia to the expensive, complex equipment needed to make those chips. Much of the highest-quality chip manufacturing equipment is made by three U.S. companies: KLA, Applied Materials, and Lam Research, and cutting off China’s access to their tools has the potential to damage the country’s ambitions to become a chipmaking powerhouse.

“I think the whole policy of the administration can be justified by the fact that if you sell an AI chip to any entity in China for cloud server activities and that’s the alleged end use, it can also be used elsewhere and there’s no way around that problem,” said Mathieu Duchâtel, director of the Asia Program at the Institut Montaigne. Years ago, China adopted a civil-military fusion doctrine that effectively enables the transfer of just about any tech in China to military uses.
The Biden administration’s new controls on chip exports represent a significant shift in U.S. policy related to China. For decades, the U.S. has attempted to keep China two generations of tech behind, typically by denying China access to the tools necessary to make advanced chips, or other technology, themselves. Now, the goal looks to be to cripple China’s ability to produce chips with technology that is nearly a decade old, several generations behind the state-of-the-art capabilities.
“Basically they’re changing the policy we’ve been pursuing for the last 25 years and they are going to overtly try to degrade China’s military capabilities,” William Reinsch, senior adviser and Scholl Chair in International Business at the Center for Strategic and International Studies, told Protocol earlier this week.
“I think what you will hear is companies saying this is going to make it much more difficult for us to sell to China, and that’s going to affect our revenue, and it’s going to affect our future investments negatively, and make us less competitive. Maybe we’ll have a debate about that,” Reinsch said.
The new restrictions on chip exports set to go into effect Oct. 21 are:

Semiconductor manufacturing equipment rules that will go into effect Friday include:
The Commerce Department is also enacting several additional measures:
Officials said that the Commerce Department had made a significant effort to minimize the damage to U.S. companies, and that the policy was carefully tailored. The chip industry has 60 days to submit written comments about the new regulations, and officials said they would adjust the measures if it was appropriate based on the feedback.
The export restrictions are unilateral, and administration officials acknowledge that they will become less effective over time if other countries do not follow suit and enact similar controls.
To most corners of the chip industry, Friday’s tightened export controls were largely anticipated. For months, chip company executives in Washington, D.C., have briefed and lobbied administration officials in order to protect their businesses but also — in some cases — to use the export controls to damage or gain an advantage over rivals.
In recent months, semiconductor equipment makers such as Applied Materials, Lam Research, and KLA began to disclose that they had received notification letters from the Commerce Department over the summer. Those letters blocked the sale of tools capable of making chips with FinFETs, and prevented Nvidia and AMD from selling advanced AI chips to Chinese customers, among other measures.
The White House previewed new details about its approach last month in a speech by National Security adviser Jake Sullivan.
“We previously maintained a ‘sliding scale’ approach that said we need to stay only a couple of generations ahead,” Sullivan said. “That is not the strategic environment we are in today. Given the foundational nature of certain technologies, such as advanced logic and memory chips, we must maintain as large of a lead as possible.”
Experts say robust intellectual property protection is essential to ensure the long-term R&D required to innovate and maintain America’s technology leadership.
Every great tech product that you rely on each day, from the smartphone in your pocket to your music streaming service and navigational system in the car, shares one important thing: part of its innovative design is protected by intellectual property (IP) laws.
From 5G to artificial intelligence, IP protection offers a powerful incentive for researchers to create ground-breaking products, and governmental leaders say its protection is an essential part of maintaining US technology leadership. To quote Secretary of Commerce Gina Raimondo: “intellectual property protection is vital for American innovation and entrepreneurship.”
Patents are the primary means of protecting IP — trademarks, copyrights, and trade secrets offer additional IP protection — and represent a rule-of-law guarantee akin to a deed’s role in protecting land ownership. The founders of the United States wrote patent protection into the Constitution to “promote the progress of science and the useful arts.” Abraham Lincoln revered patents for adding “the fuel of interest to the fire of genius.”

In today’s knowledge-based economy, IP rights play a foundational role. “Core R&D is the first step in getting good products into people’s hands,” said John Smee, senior VP of engineering and global head of wireless research at Qualcomm. “Everything from smartphones to the Internet of Things, automotive and industrial innovation begins as a breakthrough within our research labs.” At Qualcomm, Smee said, strong IP laws help the company confidently conduct cutting-edge 5G and 6G wireless research that will make its way into products ranging from everyday consumer goods to the factory floor.
Semiconductor companies, in particular, are fiercely protective of their IP because it’s their primary competitive advantage. Chip companies go to extraordinary lengths to protect their IP by maintaining black boxes only accessible to one person per fab, choosing highly secure operating locations, and keeping R&D teams separate from fab operations teams.
On the legal side, America’s Semiconductor Chip Protection Act of 1984 bestows legal protection of chip topography and design layout IP while the EU’s Legal Protection of Topographies of Semiconductor Products of 1986 protects IC design. These regulations “have encouraged firms to continue to innovate,” according to the findings of Qualcomm’s and Accenture’s report, Harnessing the power of the semiconductor value chain. Having a high-quality patent portfolio also helps companies build out their ecosystem, should they choose to license, through advising, training, support for launches, assistance in expanding to new markets, and much more.
Licensing democratizes innovation and invention — it makes the cutting-edge IP developed by one firm accessible to a broad range of others. As such, it allows other companies to skip the R&D step and jump right into building on the innovator’s foundation. This lowers the barrier to entry for upstart companies while providing a steady return on investments for the companies who have the resources to dedicate to heavy R&D.

An outsize economic impact
IP protection also has an outsized impact on the US economy and helps create good higher-paying jobs. A report from The United States Patent and Trademark Office (USPTO) found that in 2019 industries that intensively use IP protection account for over 41% of U.S. gross domestic product (or about $7.8 trillion) and employ one-third of the total workforce — that’s 47.2 million jobs. In 2019, the average weekly earnings of $1,517 for workers across all IP-intensive industries was 60% higher than weekly earnings for workers in other industries.

Workers in IP-intensive industries were more likely to earn higher wages as well as participate in employer-sponsored health insurance and retirement plans, the USPTO report found.
But patent laws are often subject to much debate — one person’s idea of protection is another’s view of monopoly. That’s where organizations like LeadershIP come into play. The group brings together experts on IP and innovation to debate issues at the intersection of research, policy, and industry.
In addition, several efforts are underway to help inventors get their ideas into the marketplace. The Inventors Patent Academy (TIPA), for instance, is an online learning platform aimed at guiding inventors through the benefits of patenting and the process of obtaining a patent. TIPA has designed its program to make patenting more accessible and understandable for groups historically underrepresented in the patent-heavy science and engineering fields, including women, people of color, people who identify as LGBTQIA, lower-income communities, and people with disabilities.
Closing these gaps would promote U.S. job creation, entrepreneurial activity, economic growth, and global leadership in innovation. Estimates suggest that increasing participation by underrepresented groups in invention and patenting would quadruple the number of American inventors and increase the annual U.S. gross domestic product by nearly $1 trillion.
If we want our nation’s rich history of innovation to continue, experts say, we must create an IP protection ecosystem that helps ensure that tech innovation will thrive.
“With the protection of patents,” Smee said, “there is no limit to where our creativity can take us.”

The company, which grew from $1 billion in annual recurring revenue to $2 billion in just 18 months, is expanding deeper within the cybersecurity market and into the wider IT space as well.
CrowdStrike is finding massive traction in areas outside its core endpoint security products, setting up the company to become a major player in other key security segments such as identity protection as well as in IT categories beyond cybersecurity.
Already one of the biggest names in cybersecurity for the past decade, CrowdStrike now aspires to become a more important player in areas within the wider IT landscape such as data observability and IT operations, CrowdStrike co-founder and CEO George Kurtz told Protocol in a recent interview.
“I would say down the road, we will be known for more than just security. And we’re starting to see that today,” Kurtz said.
CrowdStrike brings plenty of credibility from its work in cybersecurity to its effort to penetrate the broader IT space, according to equity research analysts who spoke with Protocol. The company recently disclosed surpassing $2 billion in annual recurring revenue, just 18 months after reaching $1 billion. And even with CrowdStrike’s scale, it’s continued to generate revenue growth in the vicinity of 60% year-over-year in recent quarters.

In a highly fragmented market like cybersecurity, this type of traction for a vendor is unique, said Joshua Tilton, senior vice president for equity research at Wolfe Research. “They’re sustaining [rapid] growth and profitability, which is very rare in this space.”
At the root of CrowdStrike’s surge in adoption is its cloud-native software platform, which allows security teams to easily introduce new capabilities without needing to install another piece of software on user devices or operate an additional product with a separate interface. Instead, CrowdStrike provides a single interface for all of its services and requires just one software agent to be installed on end-user devices.
As a result, CrowdStrike can tell existing customers who are considering a new capability, “‘You already have our agent — turn it on, try it out,’” Kurtz said. “‘And if you like it, keep it on.’ It’s that easy.”
For years, Kurtz has touted the potential for CrowdStrike to serve as the “Salesforce of security” thanks to this cloud-based platform strategy. But at a time when cybersecurity teams are looking to consolidate on fewer vendors and are short on the staff needed to operate tools, CrowdStrike’s approach is increasingly resonating with customers, analysts told Protocol.
The company has now expanded well beyond endpoint detection and response, a category it pioneered to improve detection of malicious activity and attacks (such as ransomware and other malware) on devices such as PCs. Along with endpoint protection, CrowdStrike now offers security across cloud workloads, identity credentials, and security and IT operations.
The cloud-native platform concept is still early on for cybersecurity, but if CrowdStrike’s momentum continues, it’s poised to potentially become the first “fully integrated, software-based platform” in the security industry, Tilton said. That’s in contrast to other platform security vendors that are hampered by architectures that predated the cloud, or that rely on hardware for some of their functionality.
“CrowdStrike’s DNA is that they’ve come as a cloud-native company with a focus on security from day one,” said Shaul Eyal, managing director at Cowen. “It does provide them with an edge.”

Even with CrowdStrike’s advantages, there are no guarantees it will maintain a leading position in a market as large and competitive as endpoint security. There, the company faces a fierce challenge from Microsoft and its Defender product. It’s a topic on which Kurtz is as outspoken as ever.
With regard to Microsoft, “if you are coming out with zero-day vulnerabilities on a weekly basis, which are being exploited, that doesn’t build trust with customers,” Kurtz said.
“I’m not saying they’re not going to win deals. Because they’re Microsoft, sure, they’re going to win some deals,” he said. “But we do see deals boomerang back our way when someone has an issue. Many of the breaches that we actually respond to [are for customers with] Microsoft endpoint technologies in use.”
Even so, Microsoft brings plenty of advantages of its own in terms of its security approach, analysts told Protocol. Much of the business world counts itself as part of the Microsoft customer base already, and the company has seen major success in bundling its Defender security product into its higher-tier Office 365 productivity suite, known as E5. As of Microsoft’s quarter that ended June 30, seats in Office 365 E5 climbed 60% year-over-year, the company reported.
And for every CISO who thinks it doesn’t make sense to trust Microsoft on security due to vulnerabilities in its software products, there is another CISO who thinks Microsoft’s ubiquity in IT is exactly why the tech giant is worth leveraging for security, Tilton said.
Beyond the successful bundling strategy, Microsoft has overall done “an exceptional job of elevating security within their product portfolio,” said Gregg Moskowitz, managing director and senior enterprise software analyst at Mizuho Securities USA.
Still, “we do typically hear that Microsoft has limitations when it comes to what an enterprise’s requirements are across some of these cybersecurity areas,” including on endpoint, Moskowitz said. At the same time, “we do believe Microsoft’s going to get a lot stronger over time,” he said.
IDC figures have shown CrowdStrike in the lead on endpoint security market share, with 12.6% of the market in 2021, compared to 11.2% for Microsoft. CrowdStrike’s growth of 68% in the market last year, however, was surpassed by Microsoft’s growth of nearly 82%, according to the IDC figures.

Still, Kurtz argued that CrowdStrike has a leg up in endpoint security for plenty of reasons beyond not carrying the security baggage of Microsoft’s vulnerability issues.
The chief advantage goes back to CrowdStrike’s single-agent architecture, which he said requires fewer staff to operate and has a lower impact on user devices. That translates to better performance and less use of memory because the product does not rely on analyzing digital patterns, known as signatures, for signs of an attack.
All of these factors need to be considered when doing the math around how much it will cost to implement an endpoint security product into an operation, Kurtz said. Based on that math, “we are significantly cheaper to operationalize than Microsoft,” he said.
CrowdStrike has particularly stood out with customers when it comes to the lower performance impact from its Falcon product line, said John Aplin, an executive security adviser at IT services provider World Wide Technology.
The company recently worked with one of the largest U.S. banks to select a new endpoint security product, and the choice came down to CrowdStrike or Microsoft Defender, he said. While the bank was initially tempted to utilize its E5 licensing and go with Defender, Aplin said, extensive testing revealed Falcon’s comparatively lighter-weight impact on devices, prompting the customer to pick CrowdStrike.
Performance impact is not a trivial thing when customers are often running 40 to 70 different security tools, he said. So while being able to provide reliable security is obviously important, the “operational effectiveness” in areas such as performance impact on devices is “where CrowdStrike always wins,” he said.
The reputation for trustworthy security that CrowdStrike has built since its founding in 2011 shouldn’t be minimized as a factor either, according to Wolfe Research’s Tilton.

By and large, CISOs make purchasing decisions “based on the amount of minutes of sleep at night” they expect to get from a product, he said. CrowdStrike’s “first-mover” advantage in endpoint detection and response is a huge one, and its brand awareness is virtually unmatched in security, probably on par only with that of Palo Alto Networks, Tilton said.
While some smaller challengers, chiefly SentinelOne, have made headway in the endpoint security space, they have an uphill battle, he said. In endpoint security, “the CISO has to have a good reason to not buy CrowdStrike.”
In categories outside of endpoint security, CrowdStrike doesn’t yet enjoy the same stature. But in some areas, such as identity security, it’s on track to get there quickly.
Misuse of credentials has emerged as the biggest source of breaches by far as workers have moved outside of the protections of the office firewall, according to Verizon. While CrowdStrike isn’t trying to compete with identity management vendors such as Okta or Ping Identity, the company does believe it’s found a sweet spot in helping customers to counter identity-based threats, Kurtz said.
Following its fall 2020 acquisition of identity security vendor Preempt Security, CrowdStrike has added identity protection and detection capabilities to its platform, and customer adoption has been “like a rocket ship,” Kurtz said. During CrowdStrike’s fiscal second quarter, ended July 31, customer subscriptions to the company’s identity protection module doubled from the previous quarter.
That’s a “stunning level of adoption from customers,” Mizuho’s Moskowitz said. Given that CrowdStrike paid $96 million for Preempt, “that’s clearly one of the best small to midsize acquisitions that we’ve seen in software in recent years,” he said.
CrowdStrike refers to its various add-on security capabilities as modules, and currently has 22 in total, up from 11 in late 2019. A forthcoming module based on the company’s planned acquisition of startup Reposify will be aimed at spotting exposed internet assets for customers, bringing CrowdStrike into the very buzzy market for “external attack surface management.”
Besides identity protection, the company’s other fastest-growing module at the moment is data observability, based on its early 2021 acquisition of Humio, which was recently rebranded to Falcon LogScale. And while highly applicable to security, observability focuses on tracking and assessing many types of IT data. Observability enables customers to “do things that are not just security-related,” Kurtz said, such as deploying software patches and taking other actions to improve IT hygiene.

George Kurtz, CEO of CrowdStrike. Photo: Michael Short/Bloomberg via Getty Images
In total, CrowdStrike reported that it was generating $2.14 billion in annual recurring revenue as of its latest quarter, with its “emerging products” category contributing $219 million. ARR for those emerging products — which include identity protection and observability, but not more-established areas for CrowdStrike, such as workload protection — surged 129% from the same period a year before.
Looking ahead, “we’ll continue to solve problems that are outside of core endpoint protection and workload protection, but are related, in the IT world,” Kurtz said.
Even within cybersecurity itself, CrowdStrike’s emphasis on observability “shows that the industry is starting to recognize that cybersecurity is a data problem,” said Deepak Jeevankumar, a managing director at Dell Technologies Capital, who had led an investment by the firm into Humio.
CrowdStrike has no ambitions to get into areas such as network or email security, Kurtz noted. But if a certain business challenge involves collecting and evaluating data from endpoints or workloads, whether that’s IT or security data, “we can do that,” he said.
Application security is another future area of interest, Kurtz said. Given the criticality of many business applications, “understanding their security, who’s using them, how they’re being used — that’s important for organizations of many sizes to have that level of visibility and protection.”
Within security, CrowdStrike is also notably embracing an approach that’s come to be known as extended detection and response, or XDR, for correlating data feeds from a variety of different security tools. CrowdStrike’s XDR approach taps into data both from its own products and from third-party tools, including vendors in its CrowdXDR Alliance that have technical integrations with CrowdStrike.

While XDR is no doubt an industry buzzword, it’s the most effective way yet to put the pieces together and understand how a cyberattack occurred, Kurtz said. “Before XDR, we were sort of blind to how [an attacker] got to the endpoint,” he said. “Now we’re able to tell the whole story.”
CrowdStrike offers a number of managed security services as well, which the vendor was quick to recognize as an important option amid the cybersecurity talent shortage, according to Peter Firstbrook, vice president and analyst at Gartner.
“CrowdStrike actually perfected this,” Firstbrook said. “They ran into this roadblock early. Customers said, ‘Look, this [technology] is really cool. But we don’t have anybody that can manage it.’”
Ultimately, CrowdStrike is well positioned at a time when CISOs are fed up with going to dozens of different vendors to meet their security needs, Cowen’s Eyal said. The current refrain from CISOs is, “‘We want to deal with the Costco or the Walmart, the big supermarket, for all of our security needs,'” he said. In that respect, “the platform approach is absolutely going to be benefiting [vendors] like CrowdStrike.”
Over the years, Kurtz said he hasn’t backed away from comparing CrowdStrike with Salesforce for a good reason: It’s a meaningful comparison, which has only gotten more so as time has gone on.
“I’ve said this since I started the company, that we wanted to be that ‘Salesforce of security’ — to have a true cloud platform that would allow customers to do more things with a single-agent architecture,” he said. “We haven’t really deviated from that.”
Kyle Alspach (@KyleAlspach) is a senior reporter at Protocol, focused on cybersecurity. He has covered the tech industry since 2010 for outlets including VentureBeat, CRN and the Boston Globe. He lives in Portland, Oregon, and can be reached at kalspach@protocol.com.
Kalshi has big-name backing for its plan to offer futures contracts tied to election results. Will that win over a long-skeptical regulator?
Whether Kalshi’s election contracts could be considered gaming or whether they serve a true risk-hedging purpose is one of the top questions the CFTC is weighing in its review.
Crypto isn’t the only emerging issue on the CFTC’s plate. The futures regulator is also weighing a fintech sector that has similarly tricky political implications: election bets.
The Commodity Futures Trading Commission has set Oct. 28 as a date by which it hopes to decide whether the New York-based startup Kalshi can offer a form of wagering up to $25,000 on which party will control the House of Representatives and Senate after the midterms. PredictIt, another online market for election trading, has also sued the regulator over its decision to cancel a no-action letter.
The recently closed public comment period on Kalshi’s proposal brought letters from a range of big names in tech, finance, and academia, debating how so-called prediction markets could affect elections, for better or worse.
Gambling on elections in the U.S. is generally outlawed — though it wasn’t always that way and is allowed in other countries, including the U.K. Kalshi describes its proposal not as Las Vegas-style gambling but as a prediction market where users buy and sell contracts on events based on their perceived probability.

Kalshi in late 2020 registered with the CFTC as a designated contract market, describing itself as the first regulated events-focused futures market. On its service, users can trade contracts on everything from the size of the Fed’s next rate hike to the high temperature in Chicago to the next Moon landing. Contracts pay out $1 if the underlying event occurs as predicted and are priced to correlate with that perceived likelihood, so a 40 cent price could be read as a 40% chance.
A few months after getting the nod from regulators, the company raised $30 million from a list of investors that included Sequoia Capital, Charles Schwab (the chairman of the financial services company), and Henry Kravis of KKR. The mix of Silicon Valley money and traditional finance speaks to Kalshi’s broad ambitions.
“We want to build an ecosystem that can rival the New York Stock Exchange or CME down the line,” CEO and co-founder Tarek Mansour told Protocol.
That ecosystem has not included election-focused markets to this point. But in July, Kalshi asked for permission to change that and launch two events contracts on the outcome of this fall’s midterms. Such contracts, Mansour said, can help people hedge against election risk and paint a more accurate picture of the race.
The CFTC has in the past denied similar applications, ruling that election prediction markets are gaming and do not serve the public interest. It has also taken action against international companies that allow Americans access to election trading. It has only allowed election contract trading on a smaller scale through limited approvals for PredictIt and Iowa Electronic Markets, which are both affiliated with universities.
Kalshi has a mix of tech industry heavyweights and academics backing its regulatory proposal.
Former top Obama economic adviser and Harvard professor Jason Furman wrote in to note that the White House regularly used prediction markets to understand the potential real-world impact of decisions.

“Elections are not games, and the outcome of political control of Congress has enormous public interest ramifications,” Furman said. “Election-focused prediction markets combine the economic significance of a powerful risk reduction tool for small businesses with the social significance of a powerful forecasting tool for researchers and policymakers.”
Dustin Moskovitz, the Facebook and Asana co-founder, wrote that the $25,000 bets allowed by Kalshi would be too small to have any influence over the “multi-billion dollar affairs” that are U.S. elections. (He’s been a major Democratic donor himself.) But the prediction market could, in his view, help people better understand elections.
“Rather than listen to pundits with a less-than-ideal track record and perceived partisan biases, the broader public can be informed by the unbiased market,” he wrote.
But many of the same concerns remain a decade after the last proposal, from Nadex, was declined by the CFTC in 2012.
“When we think about what happened in 2020, do we really want another excuse for the American people to question the integrity of our elections?” former CFTC Commissioner Jill Sommers told POLITICO.
Dennis Kelleher, chief executive of the nonprofit Better Markets, said in an interview that the important role of commodity markets is “getting lost in the discussion” of the proposal. He wrote out a detailed argument against the proposal in a letter to the CFTC.
“The futures markets were not established as a new type of casino but to facilitate the provision of essential goods to Americans by enabling commercial entities to manage the price risk associated with their productive commercial activities,” Kelleher wrote.
Whether Kalshi’s election contracts could be considered gaming or whether they serve a true risk-hedging purpose is one of the top questions the CFTC said it is weighing in its review.
Mansour started his career on Wall Street and said he saw there how institutional investors were able to structure trades that essentially hedged against election risks to their business, such as for Brexit. There are speculators in every market, but Mansour argued that the differing risks Americans face with each election gives prediction markets a different value and purpose than gaming.

“When you roll a dice or do a roulette spin, you are creating a risk that doesn’t need to be there,” Mansour said. “In financial markets like grain futures or insurance or election markets, that risk is already there.”
As the CFTC reviews the proposal, it is facing a lawsuit over its decision to revoke the no-action letter that another operator, PredictIt, has used to offer political event contracts in the U.S. since 2014. The CFTC in August ordered PredictIt, which is run by a university in New Zealand, to wind down by February. A group of academics, users, and the market’s technology provider have filed for a preliminary injunction against that decision, seeking to allow the exchange to continue through 2024.
The CFTC’s next moves will be closely watched. Kalshi is not the only firm building an events-contract marketplace. Polymarket, for instance, offers blockchain-based event-contracts trading, but only to users outside the U.S. The firm was ordered to close to Americans following a CFTC fine earlier this year.
One of its contracts asks whether the CFTC will approve Kalshi’s proposal. So far, its users are leaning toward no.
Update: The description of the CFTC deadline has been clarified.
The conviction of Uber’s former chief security officer, Joe Sullivan, seems likely to change some minds in the debate over proposed cyber incident reporting regulations.
Executives and boards will now be “a whole lot less likely to cover things up,” said one information security veteran.
If nothing else, the guilty verdict delivered Wednesday in a case involving Uber’s former security head will have this effect on how breaches are handled in the future: Executives and boards, according to information security veteran Michael Hamilton, will be “a whole lot less likely to cover things up.”
Following the conviction of former Uber chief security officer Joe Sullivan, “we likely will get better voluntary reporting” of cyber incidents, said Hamilton, formerly the chief information security officer of the City of Seattle, and currently the founder and CISO at cybersecurity vendor Critical Insight.
The 2016 Uber breach involved the theft of data on 57 million Uber users as well as 600,000 driver’s license numbers. Prosecutors say Sullivan took a number of steps to hide the incident from regulators, including paying the attacker $100,000 under the auspices of Uber’s bug bounty program to keep quiet about the incident. Sullivan was convicted by a federal jury of “obstruction of proceedings” of the FTC, which was investigating Uber at the time, and of failure to report a felony.

Reducing the incentives for cover-ups is not a bad thing, of course. But the fact that a CSO may be sent to prison in the wake of a breach, regardless of the circumstances, has sent shockwaves through the world of information security professionals.
“This case has set a terrible precedent that creates confusion around who should take liability for decisions during an incident response event,” said Sounil Yu, CISO at cybersecurity vendor JupiterOne.
In essence, it reinforces the unfair but long-running practice of blaming the CISO when things go wrong on security, when oftentimes it’s a result of lack of investment by the very same people doling out the blame.
The verdict’s effect on top executives, however, may still end up being the same: It’s clear now that execs can be punished with something as severe as a prison sentence for how they respond to a breach.
“I think this is a shot over the bow of getting executives to wake up and realize [regulators] are serious about this,” Hamilton said.
The DOJ news release announcing Sullivan’s conviction says as much: “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users,” U.S. Attorney Stephanie Hinds said in the release.
But again, it’s not just any executive who is being held personally liable for the handling of this breach.
Certainly, Sullivan had a choice about whether to cover up a massive breach. But when a breach occurs, many people in the security community believe that it no longer makes sense — given the intensification of cyberthreats — for the responsibility to fall totally on the shoulders of the CISO. Especially not if potential jail time is now on the table.
Debates over cyber incident reporting have already been a major feature of 2022 for the security community and, more broadly, the private sector as a whole. A number of federal proposals that would mandate reporting of major cyberattacks have been brought forward this year, most prominently, a proposed SEC rule for publicly traded companies and a Congress-led initiative, now in the hands of CISA, to require incident reporting by critical infrastructure providers.

The SEC proposal has been widely criticized by industry, while the critical infrastructure proposal, which still has a lot of specifics to be ironed out, has received less debate so far. What the two proposals have in common is that they would normalize reporting of major cyberattacks to a greater degree than we’ve had so far.
Part of the problem in the Uber breach response was that Sullivan and the other individuals involved thought they had a choice in the matter: They believed they could choose to not report it, and that if they were sneaky enough, then they wouldn’t get caught.
The current cyber incident reporting proposals from the federal regulators — especially the proposed SEC rules, which would make incident disclosures public — would seem aimed at wiping out this mentality that no doubt still persists at many companies.
The other thing these regulations might remove, in theory, is the idea that all of the responsibility and liability for a breach is on the CISO.
“National breach notification requirements could allay some of these concerns,” said Rick Holland, CISO and vice president of strategy at cybersecurity vendor Digital Shadows. “However, CISOs could still be at risk for perceptions around the security program that led to the breach itself.”
Still, if cyber incident reporting becomes mandatory, every organization covered by the rules will know exactly what is on the line if they fail to report an incident, and that the consequences will affect the whole organization.
“It’s a formal, legal way of saying, ‘This isn’t all on the CISO,'” said Padraic O’Reilly, co-founder and chief product officer at cybersecurity vendor CyberSaint. The regulations make clear that a company’s board and C-suite “can’t isolate itself from this aspect of running the business,” O’Reilly said.