CrowdStrike Store opens its endpoint security agent to other vendors

Cloud-based endpoint security company CrowdStrike has launched a new platform that allows other security vendors to use its own software agent to collect data. It’s a new model that, if successful, could disrupt the endpoint security space and could solve a problem that many organizations have: Being forced to install software agents from multiple vendors for specific use cases.

The new CrowdStrike Store opened this week with applications by Truefort and Interset, two companies that use behavioral analytics to detect suspicious activity on endpoints. Integrations that allow the sharing of data for threat detection between products from different vendors already exist, but what’s new with CrowdStrike’s platform is allowing partners to also use its software agent called Falcon to collect the data they need.

This is not simply a cloud-based API, according to Amol Kulkarni, CrowdStrike’s chief product officer, but a deep integration at even the business level. For example, CrowdStrike has worked in advance with its launch partners to add the functionality they needed to its own agent and plans to do the same for any future partner.

The company is aiming to revolutionize the endpoint security market in the same way Salesforce revolutionized the CRM space, he said.

Cloud infrastructure providers like Amazon and Microsoft have also built marketplaces that allow security vendors to plug into and extend their infrastructure-as-a-service offerings, but this is a first for integration at the endpoint level, regardless of whether the endpoint is a virtual machine in the cloud or an on-premise workstation.

“Protectwise is a similar solution for network data, but they are just an aggregator of the data,” Peter Firstbrook, research vice president at Gartner said via email. “McAfee was the most famous of the API approach; they have a lot of partners that integrate at a reporting level with ePolicy Orchestrator. This is different because it mines the data collected for different purposes. It is a really good illustration of the disruptive change of cloud endpoint solutions. Much like other software markets, the endpoint market is poised to be disrupted by cloud. It is much more extensible and agile vs client-server architecture.”

Complementary solutions most likely to adopt the CrowdStrike model

It’s unlikely that CrowdStrike’s direct competitors will want to join the company’s marketplace and become dependent on a software agent they don’t fully control, even though Kulkarni said CrowdStrike is open to collaborations. Some will probably end up copying the model, but those who develop complementary solutions for use cases that CrowdStrike’s own products don’t cover are likely to be more open to this new model and take advantage of it.

Security start-ups, in particular, might benefit most from CrowdStrike’s platform because it would reduce their time to market significantly since they would no longer need to make major investments in building their own software agents and infrastructure. They would simply rely on CrowdStrike to collect the data they need and would then apply their own proprietary techniques to detect threats.

The platform could also be appealing to more mature security companies that already have their own software products. For them, this approach could be complementary means to gain access to new customers who already use CrowdStrike as their main endpoint security provider.

Customer performance, compatibility concerns drove development of CrowdStrike Store

According to Kulkarni, the project started after receiving input from customers who wanted to try specialized products from other vendors but had concerns about installing additional software on endpoints that could lead to performance and compatibility issues. In fact, the partnerships with Truefort and Interset came about due to customer requests, he said.

“That is the major advantage of the cloud,” Firstbrook said. “The data is stored centrally and is available for experimentation and multiple purposes and the agent is adaptable because a lot of the logic is in the cloud vs a heavyweight agent that needs to be updated constantly and a rigid backend.”

CrowdStrike also gets an advantage, because having these complementary solutions in its store allows it to offer a complete portfolio of products to potential customers that could match the portfolios of larger vendors. However, the company’s market share and reputation will be critical to the success of its marketplace, Firstbrook said.

A challenge that CrowdStrike will have to address will be keeping the data secure and under strict access controls while sharing it with an increasing number of partners as its store grows. Although its platform doesn’t directly deal with personal data, the telemetry information collected through its agent can still be sensitive, and Firstbrook highlighted Facebook’s recent troubles after it overshared its data with third-party applications and researchers.

Overall, using a single agent is not likely to decrease threat visibility, and CrowdStrike’s new approach could actually provide companies with access to more detection and remediation techniques. The presence of a single security agent on machines could also reduce the number of technical issues systems administrators currently have to deal with and could help them troubleshoot any potential problems more easily.