by Alex Teh

At the time endpoint detection and response (EDR) technology was first introduced into the world of endpoint security around five years ago, there were many new entrants to the market. The most popular vendors in this category were Cylance, CrowdStrike, and Carbon Black. These vendors stormed the market with clever messaging around endpoint security being dead and claimed that older incumbent vendors using signature-based protection were not good enough. To be fair, they did a great job, especially in communicating the idea that endpoint security vendors needed to augment their endpoint protection products with a solution that provided greater visibility and analytics coupled with AI-driven protection and automation for remediation. This idea was widely accepted by the cybersecurity community.

In the world of cybersecurity, where acquisitions and consolidations are nothing out of the ordinary, we have since seen some of these next-gen vendors being acquired, such as Carbon Black by VMware and Cylance by BlackBerry. For whatever reason, vendor acquisitions often seem to take a turn for the worse for the acquiree in the long run. In the cybersecurity industry, the pace of change is so fast that if you lose your key staff, you soon have a dying technology on your hands. Think of Intel and their McAfee acquisition, or the acquisition of Symantec by Broadcom. Both former powerhouses seem to have struggled to reclaim their former glory.

CrowdStrike’s meteoric rise to become a Nasdaq darling and a (top right quadrant) leader in Gartner’s reporting make them look like a genuine long-term contender as one of the market leaders in the endpoint security market. This is despite the fact that they had reported a GAAP net loss of USD 141.8 million[1] in the 2020 fiscal year. The question that I ask myself, and of you in this opinion piece, is: How good is their technology for the ANZ market, and are they making losses because of a loss leader strategy?

There is no doubt that their marketing and messaging have been successful so far, and reviewing their EDR product made me believe that they have one of the best and most mature EDR solutions on the market. They also seem to be the first name raised in many engagements or conversations about EDR.

However, if you look deeper into what an EDR solution does, it is essentially an analytic tool that requires copious amounts of events and other data to be collected and analysed. Without an experienced security analyst to review and investigate the information gathered, an EDR solution would hardly improve an organisation’s cybersecurity posture. That being said, CrowdStrike does provide an option to purchase what they call the “Falcon Overwatch” service, which is basically a managed EDR (MDR) service. Let’s take a look below at their pricing matrix from their website:

From the above screenshot, we can see that one would have to opt for Falcon Enterprise with the Overwatch add-on to have what I (and I think many of my peers) would consider a complete, workable solution. I would certainly not entertain Falcon Pro: this bundle, which includes neither EDR nor Managed Detection and Response (MDR, an outsourced security service built on an EDR solution), leaves much to be desired, with an extremely high false positive rate (see below) and one of the lowest detection rates according to the last two AV-Comparatives reports.[2] [3] If each false positive takes up to 4 hours to investigate, then 80 hours of valuable security analyst time would be going down the drain based on the example below:

Table taken from: https://www.av-comparatives.org/tests/business-security-test-2020-august-november/

Therefore, Falcon Enterprise or higher with the Overwatch add-on would be a more sensible choice. Now we are talking about a solution that costs USD 15.99 per endpoint per month before adding Overwatch! That is a whopping NZD 22 per endpoint per month without managed services (Overwatch), which translates to NZD 264 per endpoint per year. With these numbers in mind, it’s not a surprise that CrowdStrike had a five-year total cost of ownership (TCO) per agent that was way higher than ESET’s in the latest report on EDRs by AV-Comparatives.[4]

To put this into perspective, the highest sum you would have to pay for the ESET PROTECT Enterprise subscription, which comes with ESET Endpoint Security and ESET Enterprise Inspector (ESET’s EDR solution), is NZD 87 per endpoint per year. Not only that, but you also get full disk encryption and a cloud sandbox backed by machine learning as part of the subscription.

Image taken from: https://www.av-comparatives.org/reports/endpoint-prevention-response-epr-test-2020/

As you may already know, I am a big advocate of keeping as much cybersecurity work in New Zealand as possible. We now have a growing number of credible NZ partners that can manage ESET’s EDR product and use its automation features to respond to threats, for example by killing processes or isolating endpoints from the network, thus providing a NZ-based 24/7 SOC (Security Operations Centre) service instead of offshoring the work.

Based on the aforementioned analysis, it also makes more economic sense to choose the ESET PROTECT Enterprise subscription and add MDR services managed by local NZ SOC providers, as it costs less than a third of CrowdStrike’s list price, which does not even include MDR as a component.

If you are keen to find out more on how to become our partner or to get a comparative quote, please contact us at sales@chillisoft.net.

_________________________________________

[1] CrowdStrike Reports Fourth Quarter and Fiscal Year 2020 Financial Results. (2020, March 19). https://ir.crowdstrike.com/news-releases/news-release-details/crowdstrike-reports-fourth-quarter-and-fiscal-year-2020

[2] AV-Comparatives. (2020, December 15). Business Security Test 2020 (August – November). https://www.av-comparatives.org/tests/business-security-test-2020-august-november/

[3] AV-Comparatives. (2020, July 15). Business Security Test 2020 (March – June). https://www.av-comparatives.org/tests/business-security-test-2020-march-june/

[4] AV-Comparatives. (2020, December 17). Endpoint Prevention & Response (EPR) Test 2020. https://www.av-comparatives.org/reports/endpoint-prevention-response-epr-test-2020/
