Appreciate the example. I remember reading that retweet!
At the time it sounded plausible to me, and I assumed it was accurate about certain industries.
I’m interested in understanding a bit more what’s going on here. Are we sure you’re talking about the same kinds of companies? I’d guess you’re dealing with companies in the range of 2k-20k employees, and I think CrowdStrike was substantially affecting companies in the range of 20k-200k employees (or at least that’s what I thought of when I saw this tweet), where I imagine auditors have to use much more broad-brush tools to do auditing.
The sorts of companies I imagine as having this kind of broad-strokes audit are extremely broad service industries – airlines, trains, grocery stores, banks, hospitals – where my impression is they often use very old software and buggy hardware due to their overwhelming size and sloth, and where I suspect that a lot of decisions get made by the minimum possible thing required to meet some formal requirements.
The purpose of these audits is not generally to verify with certainty that you’re doing everything you say. That would be very hard, maybe impossible. Mostly you fill out a form saying you’re doing X. If it turns out later after a breach you weren’t doing the stuff you claimed to do during the audit, you’re sued.
We’re doing a PoC right now for a company with >400,000 employees. I am not their security team, and we haven’t sold yet, but on our end everything we’ve run into is normal procurement BS. The main thing that happens as you start to sell to larger customers is that you have to fill out a lot of forms saying your product does not use slave labor and such.
The “you’re sued” part is part of what ensures that the forms get filled out honestly and comprehensively.
Depending on the kind of audit you do, the actual deliverable you give your auditor may just be a spreadsheet with a bunch of Y/N answers to hundreds of questions like “Do all workstations have endpoint protection software”, “Do all servers have intrusion detection software”, etc. with screenshots of dashboards as supporting evidence for some of them.
But regardless of how much evidence an external auditor asks for, at large companies doing important audits, every single thing you say to the auditor will be backed internally with supporting evidence and justification for each answer you give.
At a bank you might have an “internal audit” department that has lots of meetings and back-and-forth with your IT department; at an airline it might be a consulting firm that you bring in to modernize your IT and help you handle the audit, or, depending on your relationship with your auditor and the nature of the audit, it might be someone from the audit firm itself that is advising you. In each case, their purpose is to make sure that every machine across your firm really does have correctly configured EDR, fully up to date security patches, firewalled, etc. before you claim that officially to an auditor.
Maybe you have some random box used to show news headlines on TVs in the hallways—turns out these are technically in-scope for having EDR and all sorts of other endpoint controls, but they’re not compatible with or not correctly configured to run Microsoft Defender, or something. Your IT department will say that there are various compensating / mitigating controls or justifications for why they’re out of scope, e.g. the firewall blocks all network access except the one website they need to show the news, the hardware itself is in a locked IT closet, they don’t even have a mouse / keyboard plugged in, etc. These justifications will usually be accepted unless you get a real stickler (or have an obstinate “internal auditor”). But it’s a lot easier to just say “they all run CrowdStrike” than it is to keep track of all these rationales and compensating controls, and indeed ease-of-deployment is literally the first bullet in CrowdStrike’s marketing vs. Microsoft Defender:
CrowdStrike: Deploy instantly with a single, lightweight agent — no OS prerequisites, complex configuration, or fine tuning required. Microsoft: Complicated deployment hinders security. All endpoints require the premium edition of the latest version of Windows, requiring upfront OS and hardware upgrades for full security functionality.
You wrote in a sibling reply:
Further, the larger implication of the above tweet is that companies use Crowdstrike because of regulatory failure, and this is also simply untrue. There are lots of reasons people sort of unthinkingly go with the name brand option in security, but that’s a normal enterprise software thing and not anything specific to compliance.
I agree that this has little to do with “regulatory failure” and don’t know / don’t have an opinion on whether that’s what the original tweet author was actually trying to communicate. But my point is that firms absolutely do make purchasing decisions about security software for compliance reasons, and a selling point of CrowdStrike (and Carbon Black, and SentinelOne) is that they make 100% compliance easier to achieve and demonstrate vs. alternative solutions. That’s not a regulatory failure or even necessarily problematic, but it does result in somewhat different outcomes compared to a decision process of “unthinkingly going with the name brand option” or “carefully evaluate and consider only which solutions provide the best actual security vs. which are theater”.
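The comment above describes the bookkeeping behind a single Y/N audit answer: every endpoint is either running healthy EDR, covered by a documented exception with compensating controls, or a gap that has to be fixed before the answer can be "Y". Here is an added, stand-alone illustration of that reconciliation; it is not code from the comment, from any auditor, or from CrowdStrike. The control names, the "minimum controls for an exception" policy, and the inventory (hostnames, agent states) are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Controls an IT department might cite for a box that cannot run the EDR agent.
# Names are constructed for this example, not taken from any framework.
NETWORK_ALLOWLIST = "network_allowlist"             # firewall permits only the one site it needs
PHYSICAL_RESTRICTED = "physical_access_restricted"  # hardware lives in a locked IT closet
NO_INPUT_DEVICES = "no_input_devices"               # no mouse/keyboard attached

# Minimum compensating controls an exception must document before it is accepted
# rather than reported as a gap (an assumed policy for this example).
EXCEPTION_MINIMUM = {NETWORK_ALLOWLIST, PHYSICAL_RESTRICTED}


@dataclass
class Endpoint:
    hostname: str
    role: str                              # "workstation", "server", "signage", ...
    edr_agent: Optional[str] = None        # agent name from the inventory export, or None
    edr_healthy: bool = False              # True only if the sensor checked in recently
    compensating_controls: List[str] = field(default_factory=list)
    justification: str = ""                # written rationale for why the box is out of scope


def classify(ep: Endpoint) -> str:
    """Map one endpoint to the bucket the audit answer is built from."""
    if ep.edr_agent and ep.edr_healthy:
        return "compliant"
    # An agent that is installed but silent is a gap, not an exception: the
    # dashboard screenshot the auditor asks for will not show it as protected.
    if set(ep.compensating_controls) >= EXCEPTION_MINIMUM and ep.justification:
        return "exception"
    return "gap"


def audit_answer(endpoints: List[Endpoint]) -> Tuple[str, Dict[str, List[str]]]:
    """Return the Y/N answer to 'do all endpoints have EDR' plus the evidence buckets."""
    buckets: Dict[str, List[str]] = {"compliant": [], "exception": [], "gap": []}
    for ep in endpoints:
        buckets[classify(ep)].append(ep.hostname)
    # Documented exceptions keep the answer "Y"; any undocumented gap flips it to "N".
    return ("Y" if not buckets["gap"] else "N"), buckets


def exception_register(endpoints: List[Endpoint]) -> List[Dict[str, str]]:
    """Supporting-evidence rows for every accepted exception, one per box."""
    return [
        {
            "hostname": ep.hostname,
            "role": ep.role,
            "controls": ", ".join(sorted(ep.compensating_controls)),
            "justification": ep.justification,
        }
        for ep in endpoints
        if classify(ep) == "exception"
    ]


# Constructed inventory: hostnames and states are made up for the example.
INVENTORY = [
    Endpoint("ws-0041", "workstation", "CrowdStrike Falcon", True),
    Endpoint("ws-0042", "workstation", "CrowdStrike Falcon", False),  # installed, not checking in
    Endpoint("srv-db-01", "server", "CrowdStrike Falcon", True),
    Endpoint(
        "signage-01", "signage", None, False,
        [NETWORK_ALLOWLIST, PHYSICAL_RESTRICTED, NO_INPUT_DEVICES],
        "Hallway headline display; incompatible with the EDR agent.",
    ),
    Endpoint("signage-02", "signage", None, False, [NO_INPUT_DEVICES], ""),  # nobody wrote it up
]

if __name__ == "__main__":
    answer, buckets = audit_answer(INVENTORY)
    print("Do all endpoints have EDR?", answer)
    for name, hosts in buckets.items():
        print(f"  {name}: {hosts}")
    for row in exception_register(INVENTORY):
        print("  exception evidence:", row)
```

With this inventory the answer is "N": `ws-0042` has the agent but is not healthy, and `signage-02` has an undocumented exception. Fixing those two turns the answer into "Y" with `signage-01` carried in the exception register, which is exactly the ledger of rationales the comment says is easier to avoid by having every box run the same agent.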