Geoff Swaine talks about CrowdStrike's trust but verify approach to security
Clip Duration 00:52 / September 28, 2022
Geoff Swaine, CrowdStrike | CrowdStrike Fal.Con 2022
Video Duration: 18:13

(upbeat music) We're back with the CUBE at Fal.Con 2022. Dave Vellante and Dave Nicholson. We're at the Aria. We do of course, a lot of events in Las Vegas. It's the place to do events. Dave, I think is my sixth or seventh time here this year, at least, I don't know I lose track. Geoff Swaine is here. He's the vice president of global programs, store and tech alliances at CrowdStrike. Geoff, good to see you again. We saw each other at re:Invent in July in Boston. Yes, yeah it's great to see you again Dave, thank you very much. And we talked about making this happen so thrilled to be here at CrowdStrike Fal.Con. We're going to talk today about the CrowdStrike XDR Alliance partners. First of all, what's XDR? Well, I hope you were paying attention to George's keynote this morning I guess. You know, the one thing we know is that if you ask 10, five people, what XDR is you'll get 10 answers. I like this answer, a holistic approach to end point security. That was a good simple answer. That was a good one at Black Hat so. But tell us about the XDR Alliance partners program. Give us the update there. Yeah, so I mean, we spoke about it at re:Inforce, you know the XDR program is really predicated on having a robust ecosystem of partners to help us share that telemetry across all of the different parts of our customers' environment. So we've done a lot of work over the last few weeks in trying to bolster that environment, specifically putting a lot of focus on firewall. You'll see that Cisco and Fortinet have both joined the XDR Alliance. So we're working on that right now. A lot of customer demand for firewall data, into the telemetry set. You know, obviously it's a very rich data environment. There's a lot of logs on firewalls. And so it drives a lot of information that we can we can leverage. So we're continuing to grow that. And what we're doing is building out different content packs that support different use cases. 
So firewall is one, CASB is another, email is another, and we're building out the partner set right across the board. So it's been a great set of activity. So it's partners that have data. Yep. There's probably some, you know Joe Tucci your old boss used to say that overlap is better than gaps. So there's, >> Right. sometimes there's competition. Yep. >> But that's from a customer standpoint, overlap is better than gaps. So as you mentioned, Cisco, Fortinet, and there are a number of others. They've got data, Yes. and they're going to pump it into your system. Our platform. And you've got the, your platform. You've got the ability to ingest, you've got the cloud native architecture, you've got the analytics, and you've got the near real time analysis capability right? Augmented by people as well, which is a really important part of our value proposition. You know, it's not just relying purely on AI, but we have a human aspect to it as well, to make sure we're getting extremely accurate responses. And then it's the final phase, is the response phase. So being able to take action on a CASB for example, when we have a known bad actor operating in the cloud, is a really important, easy action for our customer to take, That's highly valuable. You're talking about your threat hunting capability, right? So it's threat hunting and our intel capability as well. We use all of that information, as well as the telemetry to make sure we're making good, actionable decisions. Intel being machine intelligence or human and machine? Human and machine intelligence that we have a whole business that's out there gathering intel. I believe you think to Adam Meyers who runs that business, and you know that intel is critical to making good decisions for our customers. So the X and XDR is extended. Correct Extending to things like firewalls. That's pretty obvious in the security space. Are there some less obvious data sources that you look to extend to at some point? 
Yeah, I think we're going to continually go with where the customer demand is, and firewalls is one of the first, and email is very significant other one. You'll see that we're announcing support for Microsoft 365 as well as part of this announcement. But then we'll still grow out into the other areas. NDR is you know a specific area, where we've already got a number of partners in that space. And we'll grow that as we go. I think one of the really exciting additional elements is the OCSF announcement that we made at re:Inforce. Which also is a shared data scheme across a number of vendors as well. So talking to Mike's point, Michael Sentonas' point, this morning in his keynote. It's really about the industry getting together to do better job for our customers, and XDR is the platform to do that. And CrowdStrike's way of doing it, is the only really true visible way for a customer to get their hands on all that information, make the decision, see the good from the bad, and take the action. So I feel like we're really well placed to help our customers in that space. Well, Kevin Mandia referenced this too today, basically saying the industry's doing a better job of collaborations. I mean sometimes I'm skeptical because, we've certainly seen people try to you know, commercialize private information, private reports. Yeah But you're talking about you know, some of your quasi-competitors cooperatives, you know actually partnering with you now. So that's a good indicator. >> Yeah I want to step back a little bit, talk about the macro. The big conversation on Wall Street. Everybody wants to talk about the macro of course, for obvious reasons. >> Mhm. We just published our breaking analysis, talking about you guys potentially being a generational company, and sort of digging into that a little bit. We've seen, you know cyber investments hold up a little bit better, both in terms of customer spending, and of course the stock market better than tech broadly. Yeah. 
>> So in that case it would suggest that cyber investments are somewhat non-discretionary. So, but that is my question. Are cyber investments non-discretionary, if so, how? You know, I think George calls that out directly in our analyst reports as well, that, you know we believe that cyber is a non-discretionary spend. But I actually think it's more than that. I think in this current macro or economic environment where CIOs and CSOs are being asked to sweat their assets for a significantly longer period of time, that actually creates vulnerabilities. Because they have older kit, that's running for a longer period, that they normally, you know, round out or churn out of their environment. They're not getting the investment to replace those laptops. They're not getting the investment to replace those servers. We have to sweat them for a little bit longer, which means they need to be on top of the security posture of those devices. So that means that we need the best possible telemetry that we can get to protect those in the best possible way. So I actually think not only is it, makes it non-discretionary, it actually increases the business case, for taking on a cyber project. And I buy that. I buy that the business case is better potentially for cyber. Business case and cyber is about risk reduction, right? It's about reducing expected loss. But at the same time CSOs don't have an open wallet. They have to compete with other P and L managers. Yep. >> I also think the advantage for CrowdStrike, I'm getting deeper into the architecture, and beginning to understand the power of a lightweight agent that can handle, I think you're up to 22 modules now? Correct, yes. >> I've got questions on how you keep that lightweight, but nonetheless if you can consolidate the point tools, which is, you know one of the biggest challenges that SecOps teams face, that strengthens the ROI as well. Absolutely, and if you look at what George was saying this morning in the keynote. 
The combination of being able to provide tools, not only to the SecOps team, but the IT-ops team as well. Being able to give the IT-ops team visibility, on how many assets they have. I mean, these are simple questions that we should be able to answer. But often when we ask, you know an operations leader. Can you answer it? Sometimes it's hard for them. We actually have a lot of that information. So we are able to bring that into the platform, we're able to show them, we're able to show them where the assets are, where the vulnerabilities are against those assets, and help IT-ops do a better job as well as SecOps. So the strength, the case strengths, as you said, the CSO can also be talking to the IT-ops budget. The edge is getting more real. We're certainly hearing a lot about it. Now we're seeing a lot more. And you kind of got the near edge. It's like the Home Depot and the Lowes, you know stores, okay. >> Yep. That I can get a better handle on, okay. How do I secure that? I've got some standards, but that's the far edge. It's the OT, >> Yes piece of it. That's sort of the brave new world. What are you seeing there? How do you protect those far-flung estates? I think this gets back to the question of what's new and what's coming and where do we see the next set of workloads that we have to tackle? You know, when we came along first instance, we were really doing a lot of the on-prem and known cloud infrastructure suites. Then we started really tackling the broader cloud market with tools and technology to give visibility and control of the overall cloud environment. OT represents that next big addressable market for us. Because there are so many questions around devices. Where they are, how old they are, what they're running. So visibility into the OT network is extremely, extremely important. 
And you know, the wall that has existed again between the CISO and the OT environments coming down, we're seeing that's closer, closer alignment between the security on both those worlds. So the announcement that we've made around extending our Falcon Discover product, to be able to receive and understand device information from the OT network, and bring it into the same console, as the IT and the OT in the same console, to give one cohesive picture of visibility of all of our devices, is a major step forward for our customers, and for the industry as well.

And we see that being able to get the visibility, will then lead us to a place of being able to build our AI models, build our response frameworks, so then we can go to a full EDR and then beyond that. There's, you know, all the other things that CrowdStrike do so well. But this is the first step to really, the first step on control is visibility. And the OT guys are engineers. So they're obviously conscious of this stuff. It's more, it's again, you're extending that culture, isn't it? Yeah, yeah, yeah. Now when you're looking at threats. Correct. >> You want to do things to protect against those threats. But how much of CrowdStrike's time is spent thinking about the friction that's involved in transactions. If I want to go to the grocery store, think of me as an end point. If I want to go to the grocery store, if I had to drive through three DUI checkpoints, or car safety inspections, every time I went to the grocery store, I wouldn't be happy. As an end point as an end user in this whole thing. Ideally, we'd be able just to be authenticated, and then not have to worry about anything moving forward. Do you see that as your role, reducing friction? 100%, that's again, one of the core tenets of why George founded the company. I mean, he tells the story of sitting on an airplane and seeing an executive who was also on the airplane trying to boot their machine up, and try and get an email out before the plane took off, And watching the scanning happen, you know, old school virus scanning happening on the laptop and that executive not making it because, and he was like in this day and age, how can we be holding people back with that much friction in their day to day life? So that's one of the again, founding principles of what we do at CrowdStrike, was the security itself needs to support business growth, support user growth, and actually get out of the way of how people do things. And we've seen progression along those lines. 
I think the zero trust work that we're doing right now really helps with that as well. Our integrations into other companies that play within the zero trust space, makes that a frictionless experience for the user.

Because yeah, we want to be there. We want to know everything that's happening. But we don't want to see where we always want control points, but that's the value of the telemetry we take. We're taking all the data so we can see everything. And then we pick what we want to review, rather than having to do the checkpoint approach, of stop here, now let me see your credentials. Stop here, let me see your credentials. Because we have a full field of knowledge and information on what the device is doing and what the user is doing. We're able to then do the trust with verify style approach. So coming back to the edge and IOT. You know bringing that zero trust concept to the edge, you've got IT and OT, okay, so that's a new constituency, but you're consolidating that view. Your job gets harder, doesn't it? So talk about how you resolve that. Do the concepts that you apply to traditional IT endpoints apply at the edge? So first things we have to do is gain the visibility. And so the way in which we're doing that is effectively drawing information out from the OT environment at, by having a collector that's sitting there and bringing that into our console. Which then will give us the ability to run our AI models and our other, you know indications of attack or our indicators of misconfiguration into the model. So we can see whether something's good or bad. Whilst we're doing that, obviously we're also working on building specific sensors that will then sit in OT devices down, you know one layer down from rather being collected and pulled and brought into the platform, being collected at the individual sensor level. When we have that completed, and that requires a whole different ecosystem for us. It means that we have to engage with organizations like Rockwell and Siemens and Schneider, because they're the people who own the equipment, right? Yeah. 
>> And we have to certify with them to make sure that when we put technology onto their equipment, we're not going to cause any kind of critical failure, that you know, that could have genuine real world physical disastrous consequences. So we have to be super careful with how we build that. Which we're in the process of doing. Are the IOA signatures indicative as a tax, so I don't have to throw a dollar in the jar? Are the IOA signatures substantially similar at the edge? I think we'll learn as we go. You know first we have to gain the information and understand what good and bad looks like. What the kind of behaviors are there. But what we will see is that, you know as someone's trying to make, there's an actor. You know making an attack, you know, we'll be able to see how they're affecting each of those endpoints individually. Whether they're trying to take some form of control. Whether they're switching them on or off, in the edge and the far edge, it's a little bit more binary in terms of the kind of function of the device. It's, is the valve open or is the valve closed? It's, is the production line running, or is the production not running? So we need to be able to see that. It's more about protecting the outcomes there as well. But again, you know, it's about first we have to get the information. That's what this product will help us do. Get it into the platform, get our teams over the top of it, learn more about what's going on there, and then be able to take action. But the key point is the architecture will scale. One hundred percent. Yes. >> That's where the cloud native things comes into it. It'll scale, but to your point about, the lack of investment and infrastructure means older stuff. Means potentially wider gaps, bigger security holes, more opportunity for the security sector. Yep. >> I buy that. That makes sense. I think if it's a valid argument. 
When you, you know, we loosely talk about internet of things, edge, a lot of those things on the edge, there's probably a trillion dollars worth of a hundred year old garbage. And I'm only slightly exaggerating on the trillion and the hundred years old. A lot of those critical devices that need to be sensed, that are controlling our electrical grid for example, a lot of those things need to be updated. So, as you're pushing into that frontier, are you, you know, are you extending out developer kits and APIs to those people as they're developing those new things? 'Cause some of the old stuff will never work. And that's what we're seeing is that there is, a movement within the industrial control side of things to actually start, you know doing some simple things like, removing the air gap from certain systems. Because now we can build a system around it, that's trustable and supportable. So now we can get access there over a network, over the internet to kind of control a valve set that's down a pipeline or something like that. So there is, there is willingness within the ecosystem, the IOT provider ecosystem to give us access to some of those controls, which wasn't there. Which has led to some of some of these issues. Are we going to be able to get to all of them? No, we're going to have to make decisions based on customer demand, based on where the big rocks lie. And so we will continue to do that based on customer feedback on, again on what we see. And the legacy air gaps in the OT worlds were by design for security reasons? Or just sort of. Mostly because there was no way to do it before, right? So it was, was like. Lack of connectivity is yeah. So it was people felt more comfortable sending an engineer out into the field. Truck roll. >> Yeah, yeah, yeah. To do it rather. >> Expensive. And exactly that, again going back to our macro economic situation. You know, it's a very expensive way of managing and maintaining your fleet. 
If you have to send someone to it every time. So there is a lot of customer demand for change, and we're engaging in that change. And we want, we see a huge opportunity there. Coming back to the XDR Alliance, 'cause that's kind of where we started. Where do you want to see that go? What's your vision for that? So the alliance itself has been fundamental in terms of now where we go with the overall platform. We are always constantly looking for customer feedback on where we go next, on what additional elements to add. The alliance members have been this fantastic time and effort in terms of engaging with us so that we can build in responses to their platforms, into you know, into what we do. And they're seeing the value of it. I feel that over the next, you know, over the next two year period, we're going to see those, our XDR Alliance and other XDR alliances growing out to get to each other and they will they'll touch each other. We will have to do it like the SF project at AWS. And as that occurs, we're going to be able to focus on customer outcomes, which is, you know, again if you listen to George, you listen to Mike, protecting the customer is the mission of CrowdStrike.

So I think that's core to that story. What we will see now is it's a great vehicle for us to give a structured approach to partnership. So we'll continue to invest in that. We've got a pipeline of literally hundreds of partners who want to join. We just got to do that in a way that's consumable for us and consumable for the customer. Geoff Swaine. Thanks so much for coming back in the CUBE. It's great to have you. Yeah, Thanks guys thank you. Okay and thank you for watching Dave Nicholson and Dave Vellante. We'll be back, right after this short break. You're watching the Cube, from Fal.Con 22 in Las Vegas, be right back. (upbeat music)