CrowdStrike made two major announcements at its own Fal.Con (virtual) conference this week, launching a free Community Edition of Humio and announcing Falcon XDR.
Humio is a log management platform built for speed and scale. The company was bought by CrowdStrike in February 2021 for $400 million. The new free Community Edition of Humio is the first major announcement since that acquisition. It lets users ingest up to 16 GB of data per day and retain that data for up to seven days, with ongoing access and no time-limited trial period.
“Humio provides the most powerful capabilities needed for modern observability,” comments George Kurtz, CEO and co-founder of CrowdStrike. “Humio is able to ingest any data, structured or unstructured, at streaming speeds and at scale, unlike any other solution currently available in the market. Humio’s log management platform is unmatched in speed, performance and storage abilities, and Humio Community Edition offers customers unprecedented access to best-in-class log management that you won’t see anywhere else – for absolutely free.”
While Humio is a stand-alone product, it also provides a back end for CrowdStrike’s second announcement: the launch of Falcon XDR. XDR, or eXtended Detection and Response, is a concept introduced by Gartner. Today’s IT infrastructures are complex, with endpoints, data centers, remote workers, SaaS, PaaS and other cloud services. There is no single security solution that covers all of this. SIEMs struggle, and SOAR has arguably not taken off. Gartner’s suggestion is effectively that EDR solutions should extend their threat hunting capabilities across the entire ecosystem rather than attempt to integrate multiple different products.
XDR is not intended to replace these products, but to apply the threat hunting capability of EDR across everything. Humio’s part in CrowdStrike’s XDR is to provide the data lake of information gathered from third-party solutions, so that CrowdStrike can hunt for threats beyond the endpoint.
CrowdStrike has chosen this route so it can retain its focus on endpoint detection and response while at the same time introducing the concept and advantages of XDR. “I don’t want to necessarily divert our focus too far from the endpoint,” Mike Sentonas, CTO at CrowdStrike, told SecurityWeek. “I think there are many examples in the industry where vendors have tried to be all things to all people, and eventually what happens is they lose focus. As a result, they become average at everything. I don’t want that to happen. I want laser focus on the endpoint; yet customers have more than just endpoints – they have firewalls, they have web gateways, and so on. But they want one platform to do that intelligent analysis; and that’s what we’re offering.”
Sentonas believes that the XDR term is overused and abused within the industry. “Our product is built on the endpoint,” he explained. But it includes those parts of the infrastructure that surround the endpoint. “We bring in network data, we bring in asset data, we bring in identity data and hygiene information. That’s basics; it’s part of what our platform does. Now the industry – bless it – has come up with this term called XDR – extended detection and response.” His belief is that good EDR is 90% of the solution on its own.
“When you look at what vendors are saying about XDR, all they talk about is log management. And it’s really being driven by a lot of SIEM vendors; that is, by vendors that do log management. They’re jumping on to the XDR term because it serves their narrative. It’s like the evolution of SIEM – it gives them something exciting to talk about. But XDR is not log management, it’s not SIEM, it’s not collecting events into one location and labeling it XDR.”
At the same time, Sentonas accepts that there is a case for XDR, albeit a less compelling one than commonly thought. “Customers come to us and ask if we can extend the threat hunting to their DNS or emails,” he said. Email is a case in point. A phishing email with a malicious attachment would not be seen by CrowdStrike. “We would only see it if the user clicked on the attachment, at which point CrowdStrike would kick in. It would be useful for the security team to know if there were other unclicked copies of this email in other users’ in-boxes.”
CrowdStrike XDR addresses this issue by allowing the user to ingest data from a third-party email security product – such as Proofpoint – into the Humio backend, which gives CrowdStrike analysts visibility into the Proofpoint data via the CrowdStrike threat hunting console. The same concept can be applied to any other security solution from any other vendor. The data goes into a Humio backend, from where it is analyzed by the extended CrowdStrike engine, but it requires nothing further from the analyst.
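The email scenario Sentonas describes, as an added example that is not CrowdStrike, Humio or Proofpoint code: a constructed endpoint detection (user opened a malicious attachment) is used to pivot into constructed email-gateway records in a data lake and list the other recipients whose delivered copies have not been opened. All field names, addresses and hashes are assumptions for this example, not any vendor’s schema. The example goes one step beyond the text by also matching on sender and subject, so copies whose attachment was re-generated with a different hash are still found, and it skips quarantined copies and malformed log lines rather than aborting the hunt.

```python
import json
from typing import Dict, Iterable, List, Set, Tuple

# Constructed attachment hashes (arbitrary hex strings, not real samples).
SHA_A = "4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce"
SHA_B = "ef2d127de37b942baad06145e54b0c619a1f22327b2ebbcfbec78f5564afe39d"
SHA_C = "e7f6c011776e8db7cd330b54174fd76f7d0216b612387a5ffcfb81e6f0919683"

# Constructed EDR detection: the sensor saw user "alice" open the attachment.
# Field names are assumptions for this example, not any vendor's schema.
EDR_DETECTION = {
    "event": "MaliciousMacroExecuted",
    "user": "alice",
    "file_name": "invoice_q3.xlsm",
    "sha256": SHA_A,
}


def _record(**fields) -> str:
    """Build one constructed JSON-per-line gateway record."""
    return json.dumps(fields)


# Constructed email-gateway log: per-message records of the kind a third-party
# mail-security product could forward into a log data lake.
EMAIL_LOG_LINES = [
    _record(ts="2021-10-12T08:01:02Z", msg_id="<c1@mail.example.net>", sender="billing@mail.example.net",
            subject="Q3 invoice", recipient="alice@corp.example", sha256=SHA_A, action="delivered"),
    _record(ts="2021-10-12T08:01:03Z", msg_id="<c1@mail.example.net>", sender="billing@mail.example.net",
            subject="Q3 invoice", recipient="bob@corp.example", sha256=SHA_A, action="delivered"),
    _record(ts="2021-10-12T08:01:04Z", msg_id="<c1@mail.example.net>", sender="billing@mail.example.net",
            subject="Q3 invoice", recipient="carol@corp.example", sha256=SHA_A, action="quarantined"),
    _record(ts="2021-10-12T08:02:10Z", msg_id="<c2@mail.example.net>", sender="billing@mail.example.net",
            subject="Q3 Invoice ", recipient="erin@corp.example", sha256=SHA_B, action="delivered"),
    _record(ts="2021-10-12T08:05:00Z", msg_id="<h1@corp.example>", sender="hr@corp.example",
            subject="Holiday schedule", recipient="bob@corp.example", sha256=SHA_C, action="delivered"),
    "Oct 12 08:06:00 mx1 postfix/smtp[4242]: not a JSON record",  # constructed malformed line
    _record(ts="2021-10-12T08:07:30Z", msg_id="<c1@mail.example.net>", sender="billing@mail.example.net",
            subject="Q3 invoice", recipient="dave@corp.example", sha256=SHA_A, action="delivered"),
]

REQUIRED_FIELDS = {"sender", "subject", "recipient", "sha256", "action"}


def parse_email_log(lines: Iterable[str]) -> List[dict]:
    """Parse JSON-per-line records; skip lines that are not JSON objects or
    lack the fields the hunt needs, so one bad record does not abort it."""
    events = []
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and REQUIRED_FIELDS.issubset(ev):
            events.append(ev)
    return events


def _local_part(address: str) -> str:
    return address.split("@", 1)[0].lower()


def _pair(ev: dict) -> Tuple[str, str]:
    # Normalise sender and subject so case and stray whitespace do not split a campaign.
    return ev["sender"].lower(), " ".join(ev["subject"].split()).lower()


def campaign_keys(detection: dict, events: List[dict]) -> Tuple[Set[str], Set[Tuple[str, str]]]:
    """Pivot from the endpoint detection into the email data: the attachment hash
    is the primary key; the (sender, subject) of every message that carried that
    hash to the detected user is a secondary key that also catches copies whose
    attachment was re-generated with a different hash."""
    hashes = {detection["sha256"]}
    pairs = set()
    for ev in events:
        if ev["sha256"] == detection["sha256"] and _local_part(ev["recipient"]) == detection["user"].lower():
            pairs.add(_pair(ev))
    return hashes, pairs


def find_unclicked_copies(detection: dict, events: List[dict], opened_users: Iterable[str] = ()) -> Dict[str, str]:
    """Return {recipient: how_matched} for delivered copies of the campaign whose
    recipient is not known (from EDR) to have opened the attachment."""
    opened = {detection["user"].lower(), *(u.lower() for u in opened_users)}
    hashes, pairs = campaign_keys(detection, events)
    pending = {}
    for ev in events:
        if ev["action"] != "delivered":
            continue  # quarantined or bounced copies never reached an inbox
        by_hash = ev["sha256"] in hashes
        by_pair = _pair(ev) in pairs
        if not (by_hash or by_pair) or _local_part(ev["recipient"]) in opened:
            continue
        pending[ev["recipient"]] = "sha256" if by_hash else "sender+subject"
    return pending


if __name__ == "__main__":
    hunt = find_unclicked_copies(EDR_DETECTION, parse_email_log(EMAIL_LOG_LINES))
    for who, how in sorted(hunt.items()):
        print(f"unopened copy in {who}'s mailbox (matched by {how})")
```

Matching on the attachment hash alone would miss erin’s copy, whose attachment was re-generated with a different hash; matching on sender and subject alone would pull in unrelated mail if the attacker spoofed a common subject, which is why the hash stays the primary key and the result records which key matched so an analyst can weigh the weaker hits.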
In short, CrowdStrike’s approach is to employ a method that adds XDR functionality without diluting its EDR capability.
Sunnyvale, California-based CrowdStrike is publicly traded (NASDAQ: CRWD) with a valuation currently north of $57 billion.
Related: XDR is a Destination, Not a Solution
Related: How Integration is Evolving: The X Factor in XDR
Related: XDR Platform Provider SentinelOne Files for IPO
Related: XDR Firm Cynet Raises $40 Million Series C Funding