The Cyber Jack Podcast: How the Complexity of the Stack Kills Security - CrowdStrike, Amol Kulkarni

In this episode of The Cyber Jack Podcast, we sat down with Amol Kulkarni, Chief Product Officer at CrowdStrike, to dive into the top challenges CISOs are facing, how complexity is killing effective security, and how new, innovative solutions -- like extended detection and response (XDR) -- can help simplify and harden cyber for organizations. Amol also shares his view on what top cyber challenges we could be faced with in the new year ahead.



[automated transcript for accessibility and your reading leisure]


Jack 00:04


Today Amol Kulkarni, Chief Product Officer at CrowdStrike, joins us to talk about CISOs' biggest challenges, the new XDR market, and the struggle of complexity in the stack. All this and more on The Cyber Jack Podcast.


Amol, thanks so much for joining us today. We always like to hear from top cyber leaders in the industry. Let's jump start the conversation with a bit about your background and what you're focused on in your role today.


Amol 00:39


Yeah, absolutely. It's great to be here, Jack. So, I'm currently working as the chief product and engineering officer at CrowdStrike. I run both product as well as engineering for the company across our portfolio. And in this role, I basically get to define, first off, the roadmap for the company across all of the different product areas that we work in. And then, of course, with my team, deliver on that roadmap. So it's a very exciting role, I would say, fundamentally, being able to direct and define the direction of where we want to go from a technology perspective. And from a background perspective, I've been here now at CrowdStrike for close to seven years. So it's been quite a ride. And before that, I spent quite a bit of time at Microsoft, about 14 years in a variety of different teams. My main background, I would say, is building products and platforms. That's what I do best, and it doesn't matter which area. When I came to CrowdStrike, I was relatively new to security. But of course, security grows on you, as you very well know. So I feel a little bit more of an insider now than when I first joined CrowdStrike.


Jack 01:55


Well, we're really excited to talk to someone that has such deep expertise in solving IT challenges with smart technology. And to set the landscape a bit, can you give us a recap on what the biggest, most recent cyber challenges have been like for CISOs?


Amol 02:11


It's really the attacks and the breaches -- the number of attacks or the number of breaches has simply exploded. In recent time, especially from the time the pandemic hit, the volume of breaches that we detected and blocked pretty much doubled between the pre-pandemic time and post-pandemic. It's been crazy. And then recently, of course, a huge amount of focus is on ransomware. I mean, just in this year so far, we've seen over 1800 big game hunting incidents, and every week we are seeing about 45/46 targeted ransomware events. So from a threat perspective, nation-state attackers are one thing, but all of the big game hunting and ransomware attacks have really taken it to a very different level. I mean, the average ransom demand we are seeing nowadays is upwards of $6 million. So the amount of money being exchanged is completely crazy. I'd say ransomware is probably the biggest one, but there are all kinds of attacks. And essentially, attacks are far more sophisticated these days, exploiting a chain of vulnerabilities rather than one particular issue. Not relying on malware, abusing the architectural weaknesses in terms of your deployments and the identity architecture, and then basically starting to move laterally very, very quickly. So that's kind of, I'd say, thematically what we are seeing in the field, and what our customers are thankfully very well protected from because of the way we've built our products.


Jack 04:09


And switching gears a bit to dive further into some of the new cyber tools available to help combat those threats. There's a lot of industry talk about extended detection and response, or XDR for short. In some circles, it's been labeled the buzz term. Why do security teams want or need XDR, and how is CrowdStrike thinking differently about XDR as a solution?


Amol 04:33


Great question. So XDR obviously is a term that is, as you said, very ill-defined, I would say, or everyone comes up with their own definition. The way we think about it, and what we've heard from our customers, is that the need for XDR comes up because while our customers have very solid EDR products from us, they really don't have a similar mechanism in the rest of their areas or the rest of the domains that they need to protect. And they are looking for a similar visibility-first, detection-oriented, OODA Loop-based approach that relies on behavioral techniques across all of their domains. So that's fundamentally the problem that customers are facing. I think the second challenge which customers have, which I would say is a bane of the security industry -- and it's a cliche, but it's absolutely true -- is just the complexity of the security stack. And because of that complexity, what really happens is effective security, effective configuration of security products, and correlation across these products become extremely difficult. So you may see a slice of something on an endpoint. But then outside of the endpoint, what has happened is not visible there. You may see a slice of something in an email security product, but how do you correlate across the two, or across network and CASB and other domains, to make sure that it's all correlated, so you have a holistic view across the enterprise? And that's really what I believe customers are looking for. And they see XDR as being potentially a solution in that regard. So to me, from a customer challenge perspective, that's a core challenge.


For us, the way we look at it is, again, what customers have told us is, they believe, they feel like 80% of the data, of the telemetry, that they have to deal with is from endpoints. And over the years, within our customer advisory boards or technical advisory boards, a lot of our customers have come and told us, "Hey, you guys already have the bulk of the data that I care about in your security cloud. Let me add additional data from other third parties. And you use the core capabilities that you have around correlation, around behavioral detection, applied across these third-party data sets that we bring to the table." So fundamentally, it is about extending EDR to cover other domains; that's the way we look at it. That's the X within XDR. The second part is the D -- which is really about doing these detections, these real-time correlated detections, actionable alerts across all of these domains. If an attack is contained within a certain domain, let's say you get a malicious attachment in email. If it's clear that this attachment is malicious, then email security products do a great job, right? They will flag it, they will filter it out, they will not let that attachment reach your mailbox.


So that's great. Similarly, if an attack is self-contained within an endpoint, that's pretty straightforward. We do a great job of that. But what if, let's say, an attachment is potentially malicious? If the email security product marks it as such, it would cause a lot of false positives, because the confidence level is much lower. So then the attachment passes through to the mailbox because it is not reaching the bar to be marked as malicious. And now on the endpoint, the end user double-clicks the attachment and it's running some malware; it is trying to connect to a C2. And let's say the EDR blocks it.


But how do you then trace it back to say where it came from, and enrich the email security product so that now you can actually mark it as malicious and remove it from any other mailboxes where that similar attack or similar attachments came through? So that's sort of an example of what we want to achieve by taking those weak signals across various different domains. And when those weak signals are connected together, you have a much stronger hypothesis for an attack happening. So that's the D within XDR. And finally, the R part -- it's also super critical. We've done a lot of work to make CrowdStrike Falcon the best response product in the industry from an EDR perspective. And we recently launched Falcon Fusion as a SOAR framework that's built into the Falcon platform. So we plan to basically extend Falcon Fusion deeply across all of the domains, across all of the technologies, to implement our XDR.


Jack 10:08


That's great. And final question, when you look ahead to the new year, what do you see next on the horizon for the cybersecurity industry in terms of challenges? And how is CrowdStrike innovating to stay ahead of the curve?


Amol 10:22


Yeah, I mean, I think, to your point, it's related to the reduction of attack surface. I think to me, that's a primary challenge. Even with our products, where we have made it super simple and frictionless to implement, there are a lot of customers who either deploy the product to part of their environment, so that they have other products as well, or they have our products in addition to other products. And that complexity of the stack makes effective security very, very low and very brittle. So I think anything that we can do from a proactive attack surface reduction perspective is crucial. How do we empower IT teams to really focus on the right vulnerabilities to mitigate? Because as you know, every month we have hundreds of vulnerabilities being patched by the operating system vendors, by application vendors. I mean, I joke about this, but honestly, Microsoft Patch Tuesday has become a zero-day Tuesday. Because for most of those vulnerabilities, as soon as they are patched, the attackers can reverse them and create exploits. And they know that no one is going to be able to keep up with patching their systems very quickly.


So what we want to focus on is ExPRT.AI, a predictive rating for vulnerabilities. And what that is doing, it's a machine learning model to predict if a vulnerability is going to be exploited in the wild, like what's the probability of the vulnerability being exploited in the wild at any given point of time. So it's a dynamic rating. We believe that's going to change the game on how vulnerability management is done, enabling customers to prioritize which vulnerabilities to mitigate very quickly. But that's one step in the direction. The other part, really, I believe, where we are going and moving, is towards this broad alliance that we announced for cloud XDR, really taking the best of various platforms and connecting them together. So that you basically have integration done out of the box, rather than complexity being thrown at you and you having to do the hard work of integrating various different platforms or products together. And that's really our vision. So as we continue expanding the XDR vision, as we continue expanding the alliance with a core common shared schema at its core, it will enable reducing that friction between products and integrating them deeply.


Jack 13:21


There it is. Thank you, Amol, for coming on the show. We look forward to seeing even more solution innovation from CrowdStrike. To all of our listeners, we'll see you next time.

