CrowdStrike focuses on ChromeOS security, rising cloud threats

SAN FRANCISCO – As threat actors have shifted their focus recently, so have cybersecurity vendors like CrowdStrike.

The threat detection vendor has observed noticeable changes in threat activity over the last year as attackers have moved away from traditional malware and ransomware to other tools and techniques. CrowdStrike has also noticed changes within the enterprise space, specifically with Google's ChromeOS. Raj Rajamani, CrowdStrike chief product officer of data, identity, cloud and endpoint security, said at RSA Conference 2023 that although ChromeOS devices like Chromebooks are typically associated with grade school classrooms, an increasing number of organizations are utilizing them in the enterprise space.

CrowdStrike last week announced a version of its CrowdStrike Falcon Insight XDR product for ChromeOS devices. Falcon Insight XDR is a unified detection and response product that exists as part of CrowdStrike's larger Falcon security platform.

Rajamani said Chromebooks work as a low-cost option for professionals that need a computer primarily to send emails or other low power tasks. Though he didn't share user numbers or specific company examples -- other than to say it was requested by clients in the Fortune 50 and 100 -- he referenced roles such as call center and frontline workers as well as business development representatives.

Rajamani, who joined CrowdStrike's C-suite in January, discussed the ChromeOS security move with TechTarget Editorial at the recent conference alongside his thoughts on growing cloud and identity threats as well as the rise of generative AI.

Editor's note: This interview was edited for clarity and length.

How did you end up at CrowdStrike?

Raj Rajamani

Raj Rajamani: I've known [CrowdStrike CEO and co-founder George Kurtz] for a number of years, from our days back together at McAfee. I was part of a company named Solidcore that was acquired by McAfee, and we were slotted under George's risk and compliance business unit. Over the years, we've stayed in touch even though we took divergent paths. He started CrowdStrike, and I was part of a number of other companies in the space like Cylance and SentinelOne.

When I left SentinelOne, I reached out to George on a lark. I said, 'Hey, I'm figuring out what I want to do next. Is there perhaps an opportunity for us to work together again? Because I'm seeing you, you've been super successful, and I would love to be part of the winning team.' And I'm happy to say that he remembered me.

At RSA, you announced CrowdStrike Falcon Insight XDR for ChromeOS devices. I've always associated Chromebooks, for example, with education. How does enterprise security intersect with ChromeOS?

Rajamani: We have protected our enterprise customers against threats from various attacks. These attacks could be happening on their cloud infrastructure or against their identity or their endpoints. Their endpoints could be Windows, Mac, Linux, et cetera. But we have seen customers also starting to use ChromeOS and Chromebooks in certain functions and roles. Typically, these are roles like frontline workers and contact center workers.

It's not a fully functional, general purpose-operating system the way we think of a MacOS or Windows, and there are only so many things you can truly do with it. But you can save a lot of money and operational costs by giving them something like a ChromeOS device. As enterprises have started adopting these, they have wanted the same level of protection and the same level of visibility and response capabilities they are getting for their Windows, Mac, iOS and Android [devices].

What else have you been focused on at CrowdStrike?

Rajamani: Cloud and identity are two of our fastest growing modules. The interest levels are off the roof. Almost every customer comes in asking us what we are doing in cloud and identity. The two are closely related.

In our most recent Global Threat Report, we reported that we have observed a significant increase in the number of adversaries that are now trying to do reconnaissance or understand your cloud topology once they are in your environment -- a 95% increase year over year. We also reported that the number of successful attacks involving compromised credentials has increased 80% year over year. We are also, interestingly enough, seeing a significant decrease in classic malware-based attacks.

The thesis here is that a lot of the time, adversaries are going after stolen or misplaced credentials. In fact when we look at all the compromises and incident response engagements that we are part of, the most common reason why clouds get compromised is misconfigured services.

The average enterprise uses anywhere between 20 to 25 different services, whether they're on AWS, Azure or Google. You get to 20 to 25 accounts, and suddenly the security patterns and paradigms become a little too complex for any single person or even a small team to have a thorough handle on, which has led to the proliferation of [cloud security posture management] vendors.

But what we have observed is that it only solves a small part of the problem. The second most common reason why attacks happen, especially in the cloud, relates to misplaced or lost credentials. Securing credentials becomes extremely important. The third most common reason is because the threat actors are near runtime [in attacks on applications and cloud resources]. They are exfiltrating data, or doing ransomware or cryptomining or various other nefarious activities. There are many different types of attacks.

AI was a major focus for vendors at RSA this year. Philosophically, how are you looking at this trend?

It's so interesting to me that everyone is latching on to this ChatGPT moment. Now don't get me wrong, I think it's a phenomenal engineering feat, what OpenAI has achieved in the last six months or so. Everyone is experimenting, trying to figure out how they can use this technology to improve the customer experience, protection, and time to respond and remediate.

None of this is truly new for us. We've been doing AI for the better part of a decade. We use AI across the board -- on the sensors that we deploy, for example. These AI models were trained on large volumes of data. We are continuously improving those models almost every quarter. That leads to an important part of the solution, which is that your AI models are only as good as the data that you're training them on. Because of our leadership in the EPP [endpoint protection platform] and EDR [endpoint detection and response] space and the millions of sensors that we are protecting, we collect a lot of telemetry, which we use constantly to improve our models.

If you were to take some of the same principles to generative or adversarial AI, the quality of your solution is directly proportional to the quality of the data that you are using to these models. I see many vendors talking about doing generative and adversarial AI, and I think they're all doing interesting and innovative work. But the true quality of the solutions will only be known once they have reached a certain scale of deployment. Maybe they are good, and it's just something that's not obvious to me.

But we are working on some of the same problems, and we are being challenged to deliver a high-quality product that will always work without any of the false positives and without any of the inaccuracies or discrepancies. It's easy enough to do a proof of concept. It's much harder to deploy something in production that's protecting millions of sensors at scale.

Alexander Culafi is a writer, journalist and podcaster based in Boston.