CrowdStrike made two important announcements this week at its own Fal.Con (virtual) conference: a free Community Edition of Humio and Falcon XDR.
Humio is a data platform that excels at scalability and speed. CrowdStrike purchased the company for $400 million in February 2021. Humio’s new Community Edition, which is available for free, is the company’s first big announcement after the acquisition. It allows users to ingest up to 16 GB of data each day and store it for up to seven days, with unlimited access and no trial period.
George Kurtz, CEO and co-founder of CrowdStrike, says: “Humio provides the most powerful features needed for current observability. Unlike any other solution currently on the market, Humio can ingest any data, structured or unstructured, at streaming speeds and at scale. Humio’s log management technology is unrivalled in terms of speed, performance, and storage capacity, and the Humio Community Edition provides users with unrivalled access to best-in-class log management that you won’t find anywhere else – for free.”
While Humio is a standalone product, it also serves as the foundation for CrowdStrike’s second announcement: the launch of Falcon XDR. Gartner coined the term XDR, which stands for eXtended Detection and Response. Endpoints, data centres, remote workers, SaaS, PaaS, and other cloud services make today’s IT infrastructures complex, and no single security solution covers all of this. SIEMs are in trouble, and SOAR hasn’t exactly taken off. Instead of attempting to combine many separate products, Gartner suggests that EDR solutions should expand their threat hunting capabilities over the entire ecosystem.
XDR isn’t meant to replace these products; rather, it’s meant to use EDR’s threat hunting capabilities across the board. For CrowdStrike’s threat hunting beyond the endpoint, Humio’s role in the XDR is to provide a data lake of information gathered from various third-party solutions.
CrowdStrike selected this path in order to maintain its focus on endpoint detection and response while also exposing the notion and benefits of XDR. Mike Sentonas, CrowdStrike’s CTO, said: “I don’t want to necessarily redirect our focus too far away from the endpoint. I believe there are numerous examples in the market where vendors have attempted to be all things to all people, and as a result, they have lost focus. As a result, individuals become ordinary in all aspects of their lives. That is something I do not want to happen. Customers have more than simply endpoints — they have firewalls, web gateways, and so on. I want laser focus on the endpoint. But they want a single platform to conduct this sophisticated analysis, which is exactly what we’re providing.”
The term XDR, according to Sentonas, is overused and abused in the industry. He explained: “Our product is built on the endpoint. It does, however, include the portions of the infrastructure that interact with the endpoint. We bring in network data, asset data, identification data, and hygiene data, among other things. That’s the fundamentals; it’s what our platform does. Thankfully, the industry has coined the term XDR, which stands for extended detection and response.” He believes that good EDR can solve 90% of problems on its own.
“When it comes to what suppliers have to say about XDR, it’s all about log management. And it’s being driven by a number of SIEM businesses, specifically log management vendors. They’re using the XDR label because it fits with their story. It’s similar to SIEM’s evolution in that it provides them something to talk about. But XDR isn’t log management, SIEM, or simply gathering events in one place and calling it XDR.”
Sentonas, on the other hand, acknowledges that there is a rationale for XDR, albeit one that is less convincing than widely assumed. “Customers ask us whether we can expand threat hunting to their DNS or emails,” he explained. A good example is email. CrowdStrike would not detect a phishing email with a malware attachment. “We’d only notice it if the user clicked on the attachment, which would trigger CrowdStrike. The security team would benefit from knowing if there were any more unclicked versions of this email in other users’ inboxes.”
CrowdStrike XDR addresses this problem by allowing users to ingest data from a third-party email security product, such as Proofpoint, into the Humio backend, giving analysts access to the Proofpoint data through the CrowdStrike threat hunting console. Any other security solution from any other provider can be used in the same way. The data is sent to a Humio backend, where it is processed by the CrowdStrike engine, and the analyst is not required to do anything further.
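The email scenario above, as an added example that is not CrowdStrike’s or Humio’s code: it joins constructed EDR detection records against constructed email-gateway delivery logs to list the mailboxes that received the same attachment but never triggered an endpoint detection. The log field names and hash values are assumptions, not any vendor’s schema.

```python
import json
from collections import defaultdict

# Constructed newline-delimited JSON standing in for two ingested sources:
# EDR detections (attachment executed on an endpoint) and email-gateway
# delivery logs. Field names and hashes are placeholders, not real indicators.
EDR_LOG = """\
{"src": "edr", "user": "alice", "host": "ws-01", "sha256": "CONSTRUCTED_HASH_A", "verdict": "malicious"}
"""
EMAIL_LOG = """\
{"src": "email", "recipient": "alice", "subject": "Invoice", "sha256": "CONSTRUCTED_HASH_A"}
{"src": "email", "recipient": "bob", "subject": "Invoice", "sha256": "CONSTRUCTED_HASH_A"}
{"src": "email", "recipient": "carol", "subject": "Invoice", "sha256": "CONSTRUCTED_HASH_A"}
{"src": "email", "recipient": "dave", "subject": "Newsletter", "sha256": "CONSTRUCTED_HASH_B"}
"""


def parse_ndjson(text):
    """Parse one JSON object per non-empty line, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad line should not abort the hunt
    return records


def unclicked_recipients(edr_records, email_records):
    """Map each detected attachment hash to recipients with no EDR detection."""
    detected = defaultdict(set)
    for r in edr_records:
        if r.get("verdict") == "malicious":
            detected[r["sha256"]].add(r["user"])
    delivered = defaultdict(set)
    for m in email_records:
        delivered[m["sha256"]].add(m["recipient"])
    # Only hashes that fired on an endpoint matter; subtract users already detected.
    return {h: sorted(delivered[h] - users)
            for h, users in detected.items() if delivered[h] - users}


def hunt(edr_text=EDR_LOG, email_text=EMAIL_LOG):
    return unclicked_recipients(parse_ndjson(edr_text), parse_ndjson(email_text))


if __name__ == "__main__":
    print(hunt())  # {'CONSTRUCTED_HASH_A': ['bob', 'carol']}
```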
In short, CrowdStrike’s strategy is to take an approach that increases XDR functionality without compromising EDR.
CrowdStrike, situated in Sunnyvale, California, is a publicly traded company (NASDAQ: CRWD) with a market capitalization of more than $57 billion.