Q: Gartner recently categorized CrowdStrike as a Visionary in its 2017 Magic Quadrant for Endpoint Protection. Why does that matter for enterprises? What is it about CrowdStrike's technology that you believe sets it apart from the competition?
Mike Sentonas: We were thrilled to announce that Gartner named CrowdStrike a Visionary in the 2017 Magic Quadrant for Endpoint Protection Platforms. This was our first time in the Magic Quadrant and being positioned in the Visionary quadrant greatly matters to forward thinking organizations. Visionaries align with Gartner's view of how a market will evolve and recognizes companies that invest in leading-edge features that will be significant in the next-generation of products and give buyers early access to improved security and management.
This year's Magic Quadrant was interesting [because] 23 endpoint protection vendors were evaluated for their "Ability to Execute" as well as their "Completeness of Vision." Out of the 23 vendors evaluated, seven were new entrants which suggest a shift in the endpoint protection market, that is, a shift away from the "old guard" companies that have dominated this category for so many years.
Specific to CrowdStrike, out of the new entrants, we were positioned furthest to the right for our Completeness of Vision, CrowdStrike's Falcon is the first cloud-native endpoint protection solution that unifies next-generation AV, endpoint detection and response, and managed hunting all delivered via a single lightweight agent. Customers benefit from robust threat prevention leveraging artificial intelligence (AI) and machine learning (ML), advanced detection, response and activity recording, as well as forensics capabilities — all through a highly intuitive management console. We are also the only tested next-generation endpoint protection solution recognized as capable of fully replacing legacy AV — and a growing number of our customers are doing just that.
Q: Threat actors are increasingly choosing not to use any malware at all in their attacks and are instead leveraging trusted tools and processes to compromise enterprise systems and networks. What does the trend mean from an endpoint protection standpoint?
Sentonas: More and more we continue to see attacks relying less on malware and more on other techniques giving the attacker a clear advantage with existing security tools that are simply not designed to detect these sorts of attacks. Adversaries are increasingly "living off the land" to bypass traditional security controls and move beyond malware to compromise organizations.
Malware-less intrusions are where attackers with (stolen) credentials are using common tools such as PowerShell and Windows Management Instrumentation to carry out their attacks. This means you can pretty much do whatever you want on the system and not bother using malware. Another challenge when attackers are using legitimate tools, means they can easily cover their tracks given they are not leaving typical malware artifacts behind and it is easy for them to manipulate logs. This becomes very hard for security teams to understand how the attacker entered the network and what they did. You could say security defenders are typically not good at detecting what they can't see.
This challenge means you need to think beyond malware, you need to look at security from the viewpoint of the attacker and detect the techniques that do not leverage malware. This means you need the ability to proactively hunt for these techniques and then take action.
Q: What do you want attendees at Black Hat Asia to know about your recent expansion in the Asia Pacific region?
Sentonas: CrowdStrike established a presence in Asia Pacific last year with the opening of our regional headquarters in Sydney. We could not be more excited after experiencing significant momentum across the region. This incredible demand is driven by adoption of CrowdStrike's endpoint protection platform, Falcon, along with our intelligence offerings and proactive and incident response services. We will continue to grow and expand the business in Asia, focusing this year in regions and countries such as Singapore, India, the Philippines and Hong Kong.
Q: How exactly does the use of artificial intelligence, algorithmic science and machine learning help improve the endpoint threat detection process?
Greg Singh: Cylance's artificial intelligence and machine learning based products provide an embeddable malware detection technology that uses predictive models to classify files as good or bad by correlating them with the features found in millions of good and bad samples. This enables our models to detect even zero-day and previously unknown malware before they have a chance to infect enterprise systems and cause damage to the business.
Legacy antivirus products only evaluate a specific file against a finite list of signatures created through manual human analysis. Even if they use some automated techniques, these solutions are limited to signatures based on specific parts of files that were previously identified as known malware by a human.
Instead of using manually created signatures, our technology computes a ‘confidence score' for every sample it processes. By using our algorithms to classify files as good or bad before they execute based on this confidence score, our technology stops the threats that legacy technology simply can't.
Q: Cylance reported growth in excess of 600 percent in 2016 and over 300 percent in 2015. What's driving enterprise interest in technologies such as yours? Where do you see the biggest opportunities for growth in this market over the next few years?
Singh: Enterprises are realizing that by relying on technology like artificial intelligence and machine learning, they are not only getting better catch rates, but are actually able to prevent attacks from occurring instead of only being able to respond to them after they have already occurred. This is allowing enterprises to devote precious resources to more business growth driven tasks instead of just responding to and remediating successful attacks.
While we have experienced amazing growth and are continuing to bring our product to enterprises all around the world at an increasing rate, we have really just scratched the tip of the iceberg in the market. Our technology is revolutionizing the industry. As more and more businesses and industry leaders realize this technology exists, word will spread, and we will see continued exponential growth.
Q: Why is being at Black Hat Asia important for Cylance? What are you hoping attendees will take away from your presence at the event?
Singh: Cylance has a long history with Black Hat and we have always felt it to be one of the best places to present our technology and reach enterprise customers that are not only tech savvy, but also highly concerned with cybersecurity. As Cylance expands our operations in Asia, we know this is the right venue to reach the enterprises that can benefit from our technology.
We are hoping the attendees that interact with Cylance and get a first-hand look at our technology will walk away with an understanding that they no longer have to rely on legacy antivirus and cybersecurity solutions that force them to first be victims of a successful attack before they can begin to fight back. We want them to know there are ways to prevent these attacks from ever occurring using technology that is readily available today at an equal, and sometimes even lower total cost than their existing solutions.
Tomer Weingarten
CEO & Co-founder
SentinelOne
Jeremiah Grossman
Chief of Security Strategy
SentinelOne
Q: Tomer, SentinelOne recently raised $70 million from investors, bringing the total your firm has raised so far to $110 million. Why are investors so bullish about your company and the market segment in general?
Tomer Weingarten: As more enterprises and organizations continue to migrate away from antiquated antivirus technology that is simply ill equipped at protecting against an increasingly complex threat landscape, investors are recognizing that endpoint protection is poised to grab a lion's share of the billions of dollars that had once belonged to the antivirus market. This is a segment of the security market that is ripe for investment. What makes SentinelOne unique and what made our investors seek a partnership with us is that we go beyond prevention-only strategies for the endpoint. We offer a truly multi-layered approach that combines machine-learning, dynamic behavior analysis and automation that has been tested and proven to stop even the most advanced cyber threats.
Q: Jeremiah, you have been a pretty vocal advocate on the need for cybersecurity companies to offer product guarantees. Why is that important for enterprises? Why aren't more vendors offering such guarantees?
Jeremiah Grossman: One of the reasons I started exploring the idea of cybersecurity guarantees a few years ago was that I saw an increase in companies purchasing cybersecurity insurance policies, almost at the same rate that they were adding ‘new' budget for cybersecurity products. If a company is just as willing to take out an insurance policy as they are to buy a product, to me this is a signal that we have a serious credibility issue in our industry, and we have to face it. The cybersecurity market is a $75 billion market, give or take yet most vendors are unwilling to stand behind the efficacy of their products. Every other commercial product industry – from televisions to automobiles – offers its customers some type of warranty; software and cybersecurity are the only industries that do not, and this has to change. Customers should have the assurance that the product that they are buying will work as advertised.
I think one of the reasons why vendors are hesitant to offer a warranty or guarantee in this industry is the belief that security can never be 100%. While this is true, it misses the point. Automobile manufacturers and other industries that offer warranties also know that their products will never be 100% all of the time, but they also know the defect rate and can offer a warranty based on that. Cybersecurity vendors can do the same thing – we have that same type of defect data in our industry. Not offering warranties is an accountability issue in our industry and that also needs to change. SentinelOne and several others are starting to shift this with the ultimate goal of security product warranty or guarantee being the rule rather than the exception.
Q: Tomer, why should enterprises care about technologies like your Deep File Inspection (DFI) engine? What does it allow them to do, that they were not able to do before?
Tomer Weingarten: Our new DFI engine identifies and prevents malware while it is in a static state - without a signature - before it has a chance to execute a malicious payload. This makes the SentinelOne Endpoint Protection Platform the only solution to combine advanced static prevention with dynamic behavior-based detection within a single platform, regardless of operating system – MacOS or Windows.
Q: Our new DFI engine identifies and prevents malware while it is in a static state - without a signature - before it has a chance to execute a malicious payload. This makes the SentinelOne Endpoint Protection Platform the only solution to combine advanced static prevention with dynamic behavior-based detection within a single platform, regardless of operating system – MacOS or Windows.
Jeremiah Grossman: One of the main reasons I go to Black Hat every year is to find out about the latest attack techniques that the bad guys are using – or will likely use in the near future. There really is no better place than a Black Hat event to get this information from many of the best security experts in the world.
In terms of endpoint protection technology, I think we are continuing to see malware that is memory-based which means there are no binaries to scan and no signatures that can be used to protect against the latest strains. This does not bode well for traditional antivirus technology as we know, but it also does not bode well for endpoint protection platforms that don't use behavioral modeling and machine learning. Endpoint protection that cannot do either of those will not last.
