CrowdStrike made two major announcements at its own Fal.Con (virtual) conference this week, launching a free Community Edition of Humio, and announcing Falcon XDR.
Humio is a data platform that excels in speed and scale. The company was bought by CrowdStrike in February 2021 for $400 million. The new free Community Edition of Humio is the first major announcement since that acquisition. It enables users to ingest 16 GB of data per day and retain the data for up to seven days, with ongoing access and no limited trial period.
“Humio provides the most powerful capabilities needed for modern observability,” comments George Kurtz, CEO and co-founder of CrowdStrike. “Humio is able to ingest any data, structured or unstructured, in streaming speeds and at scale, unlike any other solution currently available in the market. Humio’s log management platform is unmatched in speed, performance and storage abilities, and Humio Community Edition offers customers unprecedented access to best-in-class log management that you won’t see anywhere else – for absolutely free.”
While Humio is a stand-alone product, it also provides a back end for CrowdStrike’s second announcement: the launch of Falcon XDR. XDR, or eXtended Detection and Response, is a concept introduced by Gartner. Today’s IT infrastructures are complex, with endpoints, data centers, remote workers, SaaS, PaaS and other cloud services. There is no single security solution for this. SIEMs struggle, and SOAR has arguably not taken off. Gartner’s suggestion is effectively that EDR solutions should extend their threat hunting capabilities across the entire ecosystem rather than attempt to integrate multiple different products.
XDR is not intended to replace these products, but to use the threat hunting capability of EDR across everything. Humio’s part in CrowdStrike’s XDR is to provide the data lake of information gathered from other third-party solutions for CrowdStrike’s threat hunting beyond the endpoint.
Sentonas believes that the XDR term is overused and abused within the industry. “Our product is built on the endpoint,” he explained. But it includes those parts of the infrastructure that touch the endpoint. “We bring in network data, we bring in asset data, we bring in identity data and hygiene information. That’s basics; it’s part of what our platform does. Now the industry – bless it – has come up with this term called XDR – extended detection and response.” His belief is that good EDR is 90% of the solution on its own.
“When you look at what vendors are saying about XDR, all they talk about is log management. And it’s really being driven by a lot of SIEM vendors; that is, by vendors that do log management. They’re jumping on to the XDR term because it serves their narrative. It’s like the evolution of SIEM – it gives them something exciting to talk about. But XDR is not log management, it’s not SIEM, it’s not collecting events into one location and labeling it XDR.”
At the same time, Sentonas accepts that there is a case for XDR, albeit less compelling than commonly thought. “Customers come to us and ask if we can extend the threat hunting to their DNS or emails,” he said. Email is a case in point. A phishing mail with a malicious attachment would not be seen by CrowdStrike. “We would only see it if the user clicked on the attachment, at which point CrowdStrike would kick in. It would be useful for the security team to know if there were other unclicked copies of this email in other users’ inboxes.”
CrowdStrike XDR solves this issue by allowing the user to ingest data from a third-party email security product, such as Proofpoint, into the Humio back end, which gives CrowdStrike analysts visibility into the Proofpoint data via the CrowdStrike threat hunting console. The same concept can be applied to any other security solution from any other vendor. The data goes into a Humio back end, from where it is analyzed by the extended CrowdStrike engine, and requires nothing further from the analyst.
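The correlation Sentonas describes, an endpoint detection on one user's click being used to find unopened copies of the same phishing mail elsewhere, is the kind of query an analyst would run once email-gateway data sits beside EDR data in a shared back end. The following is an added illustration written for this article, not CrowdStrike, Humio or Proofpoint code: the record layouts, field names, hosts, addresses and the attachment hash are all constructed assumptions rather than any vendor's real schema or a real indicator.

```python
"""Correlate an endpoint detection with email-gateway delivery logs to list
recipients who still hold an unopened copy of the same malicious attachment.

All data below is constructed for illustration; the field names are
assumptions and do not reflect any vendor's export format.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class EndpointDetection:
    """Assumed shape of an EDR alert raised when a user opened an attachment."""
    host: str
    user: str
    attachment_sha256: str


@dataclass(frozen=True)
class EmailLogEntry:
    """Assumed shape of one gateway delivery record per recipient."""
    message_id: str
    recipient: str
    attachment_sha256: str
    opened: bool  # whether the gateway/mail client reported the attachment as opened


# Constructed placeholder hash; not a real indicator of compromise.
ATTACHMENT_HASH = "0000placeholder-sha256-not-a-real-ioc0000"

# Constructed EDR detection: alice opened the attachment on her workstation.
DETECTION = EndpointDetection(
    host="ws-0142", user="alice", attachment_sha256=ATTACHMENT_HASH
)

# Constructed gateway log: one phishing campaign (m-1001) reached three users,
# plus an unrelated message (m-2002) with a different attachment.
EMAIL_LOG = [
    EmailLogEntry("m-1001", "alice@example.com", ATTACHMENT_HASH, opened=True),
    EmailLogEntry("m-1001", "bob@example.com", ATTACHMENT_HASH, opened=False),
    EmailLogEntry("m-1001", "carol@example.com", ATTACHMENT_HASH, opened=False),
    EmailLogEntry("m-2002", "dave@example.com", "ffffunrelated-attachmentffff", opened=False),
]


def find_unopened_copies(
    detection: EndpointDetection, email_log: list[EmailLogEntry]
) -> list[EmailLogEntry]:
    """Return gateway entries that carry the detected attachment hash and
    have not been opened yet, sorted by recipient for stable output."""
    matches = [
        entry
        for entry in email_log
        if entry.attachment_sha256 == detection.attachment_sha256 and not entry.opened
    ]
    return sorted(matches, key=lambda e: e.recipient)


def campaign_message_ids(
    detection: EndpointDetection, email_log: list[EmailLogEntry]
) -> set[str]:
    """Message IDs of every mail that delivered the detected attachment,
    whether or not it was opened; useful for purging the whole campaign."""
    return {
        entry.message_id
        for entry in email_log
        if entry.attachment_sha256 == detection.attachment_sha256
    }


if __name__ == "__main__":
    for entry in find_unopened_copies(DETECTION, EMAIL_LOG):
        print(f"unopened copy: {entry.recipient} (message {entry.message_id})")
    print("campaign messages:", sorted(campaign_message_ids(DETECTION, EMAIL_LOG)))
```

Matching on the attachment hash rather than on sender or subject is deliberate: a campaign often rotates subjects and sending addresses while reusing the same payload, so the hash the EDR already has is the most reliable join key across the two data sources.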
In short, CrowdStrike’s approach is to employ a method that adds XDR functionality without diluting its EDR capability.
Sunnyvale, California-based CrowdStrike is publicly traded (NASDAQ: CRWD) with a valuation currently north of $57 billion.