CrowdStrike Holdings, Inc. (CRWD) Earnings Call Transcript & Summary
September 26, 2023
Earnings Call Speaker Segments
Drew Bagley (executive)
Good morning, everybody. Hopefully, this session will be as entertaining as the Super Bowl commercial he just watched. I'm Drew Bagley. I'm the Head of Privacy and Public Policy at CrowdStrike, and I'm joined today with someone who needs no introduction, the Executive Assistant Director of Cybersecurity at CISA, Eric Goldstein. Thank you so much for being here.
Eric Goldstein (attendee)
It's great to be here. Drew, thanks to the CrowdStrike team and with the Post, this will be a great conversation.
Drew Bagley (executive)
I'm really looking forward to it. So let's dive right in. First off, in recent -- in recent years and especially in the past year, we've seen the U.S. government introduce a couple of key strategies related to cybersecurity, namely the 2024 to 2026 cybersecurity strategy as well as the national cybersecurity strategy. I understand CISA, obviously, has played a leading role in both of those strategies. And I was wondering when you think about the strategies, what do you think is most impactful? And what are you most excited about?
Eric Goldstein (attendee)
Yes. It has been a remarkably big year for -- or actually a couple of years for national cybersecurity strategies, right? We have the national cybersecurity strategy from the White House. We have CISA's agency's future plan, and then we recently released our cybersecurity strat plan as well. And there's a few really important through lines that are reflected in all these documents. The first and maybe the most important fundamental one is this idea of the need to drive a shift in accountability in cybersecurity. And I think we'll talk more as we go about Secure by Design and what that means in practice, but the overarching concept here is we have fallen into a somewhat ineffectual model in cybersecurity, where the first place we look to cast blame or drive improvement is on the victims of intrusions. And we know that for some victims, in some cases, that might make sense, that it might be a big enterprise that actually had some control failure or control gap. But in many cases, these are school districts. These are small hospitals. These are water utilities and the National Cybersecurity Strategy really is a clarion call to say, let's shift the burden for security to those who can bear it. And let's stop blaming school districts and water utilities for poor security when they were never going to be able to withstand an attack from the adversaries, whether nation states or criminal groups that we are seeing and let's instead look for scalable solutions to the problem, looking to the vendor and product community to produce solutions that have the right controls enabled by default and are designed in a way that reduces exploitable conditions. And let's look to governments to provide more support, more information to fill gaps where needed. I'll call out just 2 other, I think, important aspects, one broad, one narrow. The broad one is just an ongoing focus on partnership and on collaboration.
And the key point there is we've been talking about partnership for decades. But if we've learned one thing from practically every recent major intrusion affecting American organizations, the private sector is going to see it first. And so how do we get to a model where we have frictionless cultural collaboration where we knock down the barriers, whether they are straw people or not to say if any of us is seeing something that looks like the leading edge of a new adversary campaign, let's collectively share it with urgency so we can take action in response. The final piece, which I just have to do a shout out for is the focus on open source security. And CISA recently released our open source security road map. This is really important because if we think of where the U.S. government has focused historically, open source has not been at the top of the list. That's really changed with this administration. And so we're focused on both supporting the developers and maintainers who produce the open source projects that are critical to our critical infrastructure and government agencies, but also to look for points of leverage in the ecosystem like repositories and such that can actually ensure that the open source software we are using is ideally less vulnerable and certainly not malicious by design.
Drew Bagley (executive)
One of the themes that stands out from what you just dove into with regard to the strategy is this notion of cybersecurity haves and have nots, which we obviously see that in the private sector, but we especially see that in the public sector with certain government agencies that are less well resourced from a security standpoint than others, because, in part, decades ago, that wasn't one of the issues, one of the key funding issues that it was thought that agency would have to face. Do you see this movement to -- one of the things you addressed a moment ago was shifting that burden away from the victims. Do you see that as a way for government to look at more of a shared services model and protect the government in the public sphere as more of an enterprise?
Eric Goldstein (attendee)
It has. We talk a lot about target-rich, resource-poor entities. These organizations that are being targeted every day by advanced persistent threats by sophisticated criminal groups, but simply don't have the resources to help themselves. There's a few ways that we get after that problem. One way is by giving these entities confidence that when they are purchasing a technology, whether it is an operating system, an application on down the line that, that product is going to be reasonably secure against the threats we are facing, which unfortunately today, many products simply aren't. But we also know that these entities have extraordinarily limited security budgets. So, the more the government and the broader cybersecurity community can help these organizations say, if we have a finite amount of dollars, how can we invest those resources against the controls and security measures that create the most impact. That's the intent behind CISA's cross-sector cybersecurity performance goals, which are a set of outcome-oriented actions to say, if you do nothing else, do these first in what it's prioritized by complexity, by cost and impact. And the final piece, as you noted, is how can we flow help to these entities? That help could be free discounted services provided by cybersecurity companies. It could be government shared services. It could just be funding. And so at CISA, we are really excited to be rolling out the second year of our State and Local Cyber Grant Program. That is one great way to utilize resources, absolutely to these entities. But that, of course, only covers public entities. And so going forward, we'll want to collectively explore ways to make sure that we can raise the security baseline across these entities that simply can't be defensible today.
Drew Bagley (executive)
One key theme you just hit on over and over again was collaboration. So I understand at CISA you're collaborating with many entities inside and outside of government. But with NCD specifically, especially thinking about the cybersecurity strategy, how are you collaborating with NCD?
Eric Goldstein (attendee)
Yes. CISA at our core, is an operational agency. And our goal is to drive operational risk reduction outcomes for the country. You mentioned earlier our new cybersecurity strategic plan. One of the real changes in that plan is for the first time, we are pushing out true outcome measures, saying, yes, we came to work today, but did the work drive the change we're seeking. And so at CISA, we are really focused on driving operational security change. But as only one agency, we can't always bring together the ecosystem of partners to drive scalable change across the broader community. And so our partners like NCD are really invaluable and looking at all the different levers at the government's disposal, whether it is the federal budget, whether it is regulation, whether it is policy and making sure that every lever we have, we are deploying toward our shared goal of improving cybersecurity outcomes even as CISA is focusing on our operational and technical role.
Drew Bagley (executive)
So that holistic view is valuable to that partnership?
Eric Goldstein (attendee)
Absolutely.
Drew Bagley (executive)
One of the things we think about with regard to the cybersecurity strategy that really stands out. That's a game changer, especially for that notion. We both hit on a moment ago about shifting from the victim to those who are best suited to secure devices and software is security by design and default. That was a key theme, not only in the strategy, but also in the key principles [indiscernible] in the spring of this year. So with security by design and default, what are some of the key initiatives you're looking to drive? What sort of meaningful impact do you think we'll see in the near future?
Eric Goldstein (attendee)
This is perhaps the most fundamental shift in cybersecurity of this administration because the core point is we've been asking the wrong questions around cybersecurity. And the main question that we ask when a breach happens is should that victim organization have done something differently. Instead of asking that organization is dependent on technology products for their critical business functions, were those technology products designed in a way that was reasonably likely to reduce the prevalence of the intrusion that impacted that victim. And some aspects of the way that we think about technology would be anathema in any other field. For example, the fact that we expect technology products to be shipped to customers with known flaws that will be addressed after the fact, perhaps on a monthly basis. If we extend that to cars or medical devices or really anything else that we use, our toasters at home, it will be mind-boggling. But with technology products, we just accept this culture of going to production with a high likelihood of exploitable flaws. That needs to change, particularly when we know that categorically, many of the flaws we see can be addressed by doing things like using memory safe coding languages, using parameterized queries as a couple of examples, right? We know how to reduce the prevalence of vulnerabilities. And frankly, we make business decisions as a society to not do so. That's a cultural shift that we need to see occur. Otherwise, the victims are going to be the same school district, water utilities, small American businesses that are being impacted every day. But we also need to make sure that strong security controls are a revenue driver, right, that they are coming with the product by default. And so just as one example, we applauded Microsoft Suites of decision to make basic security logs available at a lower license tier for some of their products. That is merely a tentative step in the right direction.
And we need to go dramatically further to say if you are purchasing a technology product as a customer, you deserve to be secure, you deserve to have the features in that product that are going to keep you safe and we need customers across sectors, including government, to demand that right. At CISA, we are really excited to be releasing the next version of our Secure by Design guidance in the coming weeks. We have a vast array of countries who are aligned with us on this effort. And we'll also be putting that out for some public comment to make sure that we are getting the best sense of the global community in that guidance, but the goal here is that we want customers to say I deserve to be secure and here's something to point to demand a different outcome.
Drew Bagley (executive)
Yes. With regard to logs, even the concept of immutable logs where you have logs that an adversary cannot alter after the fact are fundamentally important.
Eric Goldstein (attendee)
That's right.
Drew Bagley (executive)
And so I think that's something that's important to shift. Another area that we've been focused on a lot at CrowdStrike is identity threat detection and response. Especially in an area in which we have actors that are either harvesting credentials or using legitimate credentials that they've obtained in various ways to access resources to move laterally throughout an environment. We've seen this, of course, with VANGUARD PANDA, also known as Volt Typhoon in recent months. And we've seen the U.S. government, of course, fall victim to authentication-based attacks. How are you thinking about identity threat detection and response at CISA and for the government as a whole?
Eric Goldstein (attendee)
As we think about adversary techniques and procedures, identity-based attacks need to be our north star, right? That is where we are seeing every major threat actor beginning to move because, frankly, that is the way to effect a scale compromise of an environment. And so we are seeing for the past several years, this being really ubiquitously where adversaries are looking. This is a somewhat different way to look at potential intrusions and related controls and it also requires enterprises to have much better control over their environment so that they can do things like detect misuse of legitimate tools that might be used for an unusual purpose, showing impossible travel being used at an unusual time of day, that requires a level of baseline knowledge of the environment and the ability with automation to detect anomalies that, frankly, today, too few entities have. You know, with the recent widely reported intrusion into Microsoft Exchange Online, it was very frankly, some great analytic work done by the State Department as has been reported publicly that enabled them to identify just some unusual activity, which otherwise might have gone undetected for longer. And so we need more organizations to understand that if all you're doing is looking for signs of known malware or signs of unusual command and control connections, you're going to miss it. And you have to focus on understanding what normal looks like and then rigorously assessing deviations therefrom.
Drew Bagley (executive)
Yes. I think it's fundamental that in cybersecurity, we think about visibility, and if you don't know what your gaps are, if you don't know what's going on in your environment, then how are you going to defend against it? Obviously, I think with the executive order from a couple of years ago, we've seen a lot of positive developments in the endpoint space. And so similarly, that identity plane is one that needs to be protected as well. You just mentioned the need to be able to detect anomalous behavior. And I think no discussion today would be complete without us using the buzzwords of artificial intelligence. So here's your AI question, your token AI question. When we think about AI and cybersecurity, hey, I've been in cybersecurity for a very long time, even though AI these days has talked about as if it's brand new to the whole world. But AI provides a huge advantage to defenders and the ability to detect 0 days to detect the unknown unknowns. How do you see the importance of leveraging AI in protecting the U.S. government and in cybersecurity as a whole?
Eric Goldstein (attendee)
Yes. I couldn't agree more. I think we are really excited about the opportunities for AI to address some of these scale challenges that really bedevil us in cybersecurity today. You mentioned the ability to analyze vast amounts of alert information. Another example that we're excited about is the ability to rewrite insecure code bases in a way that, frankly, human developers are just never going to have the time or resources to do. And so we think that there's a lot of potential there. And what we have to figure out as a community is first, how can we make sure that we are able to use AI tools in a way that is safely and responsibly, but also with agility, so we are not falling behind the adversaries' use of AI tools, which we know is also an emergent aspect of the space, but also how do we have confidence in the security of the AI tools themselves. And 2 of our experts at CISA just released the blog post saying software must be Secure by Design and AI is no exception. We think that's really important because one of the greatest risks we see with AI from a cybersecurity context is we think about software security over here and AI security over here. And so some of the lessons we have learned in securing software for code testing, for peer review for vulnerability transparency for a bug bounty for red teaming. All of that needs to be applied rigorously to AI systems, and so we're working closely with many of the Frontier labs and other partners to make sure that we are not making some of the same mistakes in securing AI systems that we made with software decades ago.
Drew Bagley (executive)
Absolutely. Yes. Just like with other types of software, AI, of course, can be extremely helpful, especially in defending environments, but it can also open up environments to risk, if not done properly.
Eric Goldstein (attendee)
That's right.
Drew Bagley (executive)
Well, unfortunately, that is all the time we have for today, but that was a fantastic conversation. Thank you so much, Eric, and thank you to the Washington Post for putting this event together.
Eric Goldstein (attendee)
Thank you very much. Always a pleasure. Thanks all.