CrowdStrike CEO George Kurtz: Microsoft Recall Shows Security Promises Are ‘Purely Lip Service’
In an interview with CRN, CrowdStrike CEO George Kurtz says the now-delayed Recall offering is just the latest case where ‘Microsoft has put profits and features over security.’
As sensational as the recent saga over Microsoft’s Recall feature may be, to anyone who has been following Microsoft’s series of security failures in recent years, it’s also just not a shocker, CrowdStrike CEO George Kurtz said in an interview with CRN.
At this point, “nothing surprises me with Microsoft,” Kurtz said.
Recall—which has now been delayed by Microsoft over security concerns—was touted by the tech giant for its ability to take continuous screenshots of a user’s desktop and then store the images. Security experts noted that for any hacker, this would be a highly sought-after prize to pursue.
Notably, the unveiling of the Recall feature came less than three weeks after Microsoft CEO Satya Nadella issued a memo urging staff to prioritize security over new feature releases.
Speaking with CRN, Kurtz said he believes that “Microsoft's stance on security—and the fact that they want to make some changes—is purely lip service, to be crystal clear. And I think Recall is a shining example of the lack of attention paid to security.”
“They got called out on it — when you're storing such sensitive information in [a] cleartext SQL database on the system, that is just ripe for abuse,” he said. “Time and time again, Microsoft has put profits and features over security.”
The CrowdStrike co-founder and CEO also weighed in on the scathing report on Microsoft’s security culture and practices, issued in April by the U.S. Homeland Security-appointed Cyber Safety Review Board (CSRB). The report probed the Microsoft cloud email breach that impacted multiple federal agencies in 2023.
CrowdStrike has seen an acceleration in customers switching over from Microsoft’s security offerings in the wake of the CSRB report, Kurtz said. “I think it hit a bit of a tipping point, particularly after that report came out.”
Beating Expectations
Meanwhile, for the first quarter of CrowdStrike’s fiscal 2025, ended April 30, the company easily surpassed analyst expectations and raised its revenue guidance for the fiscal year. A few days later, Austin, Texas-based CrowdStrike was added to the S&P 500 index, becoming one of the few pure-play cybersecurity vendors to gain a spot on the benchmark index.
The company’s growth is coming in part through its expansion into major segments such as cloud security and SIEM (security information and event management), providing more opportunities for consolidation on CrowdStrike’s single-architecture Falcon platform, Kurtz said. The growth streak is also coming through working hand-in-hand with a greater number of channel partners, including MSSPs, he said.
“We’ve really focused on the partner-first selling motion,” Kurtz said. “The overall message is, we're embracing partners and we're focused on them making money — and not [on] giving a bunch of products away.”
What follows is an edited portion of CRN’s interview with Kurtz.
During the quarterly earnings call, you mentioned winning deals over Microsoft — do you see that accelerating? Do you have any sense on whether this is happening more now than in the past?
In my opinion, it has accelerated. And it's accelerated because, as I talked about, there’s really a crisis of trust with many of the Microsoft customers. [With] the Cyber Safety Review Board paper that came out, that was really I think a turning point for many customers to say, “OK, we have a real risk.” [There’s] an audit risk, a business resiliency [risk from] basically having a monoculture — which would be using your application, your operating system and your security provider, all from the same group. From that perspective, we've had many customers state that they can't trust what comes out of the Microsoft cloud. They don't have visibility into it. You probably have seen over the years — it's just difficult to get logging and data out of what's happening in Azure. So that has been something that’s been growing. But I think it hit a bit of a tipping point, particularly after that [CSRB] report came out.
The second thing that we did that we announced Falcon for Defender at RSA [Conference in May]. That was very well-received because there are a lot of customers that are saddled with a [Microsoft 365] E5 license. Maybe it was made because of a procurement decision, but they know they're under-protected. They know someone like Microsoft can't match the technology, and can't even match things like Overwatch, which is an incredible service for customers. So it gives them a very cost-effective way to be able to backstop the Microsoft technology.
Are you seeing it as likely that a lot of these customers are going to switch to Falcon at some point?
I don't doubt that many customers will switch to the full version of Falcon. But at least it gets them in the game with some technology that's going to help backstop what they have. It's always a cost-risk decision. And some companies may take a lower cost and accept more risk — and other companies will say, “Hey, I can get a good deal on a leaky lifeboat, but I would rather pay for technology that's going to keep us safe and stop the breach.” They can go back to the business and say [that] they're still leveraging the E5 [license], and they're providing additional security capabilities and services like Overwatch to be able to backstop the Microsoft technology.
You’d said previously that your incident response team had found so many cases where Defender had not done the job?
That's exactly right. The vast majority of the breaches that we respond to — we respond to probably half of the big breaches — and the vast majority of those breaches that we respond to are using Microsoft technology, both in the cloud and on-prem.
I’m also interested to hear your thoughts on Microsoft’s Recall feature and the juxtaposition of that being announced a few weeks after Satya had put out his memo about prioritizing security. How did that strike you?
Microsoft's stance on security—and the fact that they want to make some changes—is purely lip service, to be crystal clear. And I think Recall is a shining example of the lack of attention paid to security. They got called out on it — when you're storing such sensitive information in [a] cleartext SQL database on the system, that is just ripe for abuse. And time and time again, Microsoft has put profits and features over security.
Were you surprised that Microsoft released this so soon after that memo?
Nothing surprises me with Microsoft.
As far as the Snowflake attacks go, I know you are part of the investigation but are there any general thoughts or takeaways you could share from what’s been disclosed?
I would say just in general what we've seen, obviously, is the adversaries continue to change their tactics. Ransomware certainly is a prevalent attack vector. But with companies being a bit better in terms of restoring their files and data this “extortion-ware,” as I call it, has become more and more prevalent. So this is another case of, in general, the criminals are weaponizing data and trying to get paid for it. That's just a general comment — nothing specific to Snowflake.
I think in general, as an industry, we still haven't solved the problem of poor passwords and reusable passwords. It really is the simple things that continue to get organizations in trouble. And it's one of the reasons why our identity module has done so well and is one of the fastest-growing modules in company history. It’s because identity is being abused [so frequently]. There isn't an incident response that we've ever done, for the most part, that hasn't had an identity-based attack. You could exploit [a vulnerability] — but in general, then credentials are stolen and laundered and used to move laterally. So poor passwords or no MFA continue to be the bane of many companies’ security programs. And I think, again, it's another example of organizations looking at their identity protection, and threat detection and response solution around identity — and understanding that traditional technologies, just the basic stuff that you're going to get, is not going to work.
Our identity solution is unique in the industry because it is the only single, integrated agent that provides this capability. And it's one of those that not only can tell you where you have issues in your directory services, but can also implement dynamic MFA in very fine, granular detail — for either users or systems or even services like remote desktop.
When it comes to working with partners, what have other vendors been getting wrong that you're getting right?
I think it's something that we've worked really hard on. We’ve really focused on the partner-first selling motion. I think what we're getting right is a couple of things. One is, we've got the right platform with the customer demand — customers are asking for CrowdStrike. You can have the best [channel] program in the world — but if you don't have demand for it, that's not going to work.
The second piece is putting partners first — a lot of our competitors are still taking some of these bigger deals direct. I think [it’s] disrupting the partners’ cadence in these accounts. They're involved in a deal and all of a sudden it gets taken direct. We've seen that pop up a few times, particularly for these bigger platform-type deals by our competitors. I think some of the additions that we made with the CrowdCard launch — with performance and rebates and certifications, and really putting margin back into the partners’ pocket — has really helped. So long story short, if the partners are making money [from] a.) selling our products because there's demand, and b.) because we have a great program, which is very consistent — I think that stands above what our competitors are doing.
Why are partners saying they're choosing to consolidate with Falcon?
I think when you look at the product portfolio, in the various areas — obviously we've got endpoint protection, which has been a core staple. But the addition of things like next-gen SIEM, identity and cloud, I think has made it super attractive for customers. A big part of what CrowdStrike is focused on is making sure that we deliver technology that works and that's integrated as part of the platform. So when you look at Next-Gen SIEM, it isn't a hodgepodge of technologies strewn together that take six months to get off the ground. It's easy for partners to get a customer up and running. It's easy for them to add some value-added services around it. But it's all integrated. The 30,000-plus customers that we have are all Next-Gen SIEM-enabled, because we've moved everyone over to the newest release of the platform, which is Raptor. That's much different than what our competitors are doing in the platform space.
One last point on that is — and we've said this for a while, but I want to reinforce it — 80 to 85 percent of the data that goes into SIEM and other places, is generated from the endpoint. I think when you look at the fact that the data is now resident, when a partner is trying to sell the solution, it's a matter of just activating some of the newer modules that we have, as an example. Certainly, if it's a new customer, you're selling value and getting them up and running. But I think the fact that we don't have to ship a bunch of data out into other [platforms] is a real advantage for the partners.
That is still fairly unique with SIEM? Most of the time, you need to pay for it to be moved and pay to store it in two places?
Correct. And that's the beauty of the Raptor release with LogScale natively integrated into the platform — it's a “better, faster, cheaper” model. We're seeing 150X speed improvements on searches versus our competitors. It's dramatically reducing the cost — sometimes to a third of what they were paying. And they're getting better outcomes, which is understanding if there's anomalies or threats or really any kind of search queries in the environment. So it's a real benefit. And they're really only paying for the data ingest for third-party data. They're getting the native SIEM piece basically as part of the platform.
Just as far as Splunk goes, my understanding is that if you use Splunk for SIEM, you still need to use something for EDR. You're going to have two sets of your data to be able to use their SIEM?
Exactly. And the thing is that we're really in-line, in terms of being able to take an action. If your [SIEM] data is resident in your endpoint platform, that allows you to take immediate action. You're not just correlating data and telling someone else they need to do something with it. You're in-line [and] active, versus passive, is what I would call it.
Specific to Splunk, what is the biggest differentiator for your Next-Gen SIEM compared to what they offer?
It gets back to better, faster, cheaper. It's significantly less expensive to use our technology for a variety of reasons, including the compression that we can provide and the scalability of index-free ingestion. When we think about the technology side, particularly in security, time is of the essence. Index-free ingestion [means] you’re immediately getting data, rather than waiting a couple days to create an index.
Second is the compression, and particularly that we can search with the speeds I talked about, which dramatically lowers the overall cost and increases the performance. We can do that with, I would say, probably more modern technology than the way it was architected. In terms of outcomes, it's all integrated into the workflow that they're already used to — the Falcon Insight workflow, plus now all of the Next-Gen SIEM dashboards, with LogScale has given our customers just amazing results. I've gotten texts and emails every week from customers who have switched over to Raptor that said, “Oh my god, I can't believe how fast and how good this works.”
With the M&A activity in SIEM, has that sort of stirred up customer angst over their current SIEM? Maybe you weren’t even aware of how much there was?
Yes, whenever you see this level of activity, and we've seen more movement in the space, I would say in the last year than the last decade. Whenever you see this level of movement, I think it's an opportunity for CrowdStrike. You have a lot of customers that are concerned with some of the M&A activity, whether it's Splunk or QRadar. It's a natural point for them to say, “Hey, we've been frustrated with some of the legacy technologies. We want to look at other things.” It's been on the radar — but now, given these moves from an M&A perspective, they've I would say accelerated the process of looking at the market and doing a market check. So it makes sense for them and provides a good opportunity for us and a logical point in their lifecycle to [consider] something that is better, faster, cheaper.
So if all these M&A moves hadn’t been made, then it wouldn’t be accelerating the shift of customers to different SIEM vendors?
Absolutely. I think you have a confluence of good things that have come together [for CrowdStrike] — you have this M&A activity in the space. And the fact that with the Raptor release, which we started migrating customers late last year, and we've finished up over the last month, in terms of small, medium and large — we've got everything I think in our favor. You've got market disruption and a willingness by buyers to look at something else, and we've got the right solution, which is running at scale for some of the largest companies in the world.
Does adding Next-Gen SIEM really make you particularly relevant to MSSPs in a way that maybe you weren’t even two or three years ago?
I think so, because SIEM can be very complex. When you look at MSSPs, particularly the smaller ones that we're working with — they want to have simple things that work and they want to drive the cost down. So they can do that with ours because they're not shipping it somewhere else, they don't have to pay the egress costs, they don't have to pay for the hosting costs from other providers and technologies. Then when you look at what they're getting, it's a much more elegant, integrated solution. So we see interest and MSSPs driving business across small, medium and large companies. Then when you transition into some of the larger MSSPs, they've got their own businesses around managing large enterprises. SIEM in the past has been, you needed some consulting, you needed to set it up right and you needed to configure it. There is an opportunity for these MSSPs — particularly the larger ones — to be able to generate significant revenue from their customers and build a big book of business. Now, it's all integrated, it's easy — but it's part of a larger management of that technology as part of a SOC transformation. So some of these big players are really [incentivized] and putting a lot of resources behind this.
Is there anything else looking ahead that you think is going to be especially important for CrowdStrike and your partners?
Particularly with the AI that we've added to our Next-Gen SIEM, Charlotte is aware of just about every module that we have. And then from a SIEM perspective, it makes a lot of sense that you can ask Charlotte questions and essentially have Charlotte create the queries and do the hunting on your behalf in an automated way. And then create situational reports from the same data that you have. So if there is an incident, we have an incident workbench, which ties into the SIEM that allows you to understand sort of the start of an incident the scope of it, who touched it all the various attributes associated with it, which could be identity, could be machine could be IP address, could be files, all of that. And then the AI piece can then create a full report and a bow that would take a couple of days, you can do that in under a minute. So that's one piece. The second piece, which is something that we're working on, is the ability to ingest data that you haven't mapped before and allow the AI parser to be able to automatically map these sorts of things. It makes can make it really easy for customers to ingest data all sorts of data, because the Charlotte will understand that kind of the format of the data, even if it's even if it's different, and from different streams, it will be able to kind of parse that out and create its own automated parser for it. So we're excited about that piece as well.
And that’s something you feel like that's going to be pretty differentiated?
I do think it will be differentiated. And it's just going to make it a lot easier. The more data that you can ingest, the better. And people shouldn't have to make trade-off decisions on what data they ingest, because of either the format or more importantly, as a cost. We want to make it very cost-disruptive to be able to adjust data within the CrowdStrike Falcon platform.
Overall, how do you see GenAI coming into play for CrowdStrike and Falcon going forward? What are the biggest enhancements that maybe we haven't even seen yet, but like you just mentioned, you're working on it?
A lot of it is helping to automate mundane tasks for the SOC. If you get a PowerShell blob that is encrypted or obfuscated, you can just throw it in Charlotte, it'll just decode it. It could take somebody days to figure that out. If you throw a piece of malware into it, it'll basically sort out what it's doing. And again, the good thing is it's tied into lots of other technologies. We've got sandbox technology, we've got other technology that can look for different pieces of malware, even if it's in the assembly code. Writing reports, or understanding all of the TTPs — those things normally take a long period of time. So [it’s automating] a lot of the mundane tasks that a SOC analyst would have to go through. And we keep adding more and more capabilities. Part of the design of Charlotte is that Charlotte is the brain and then you've got individual LLMs or different modules that are very bespoke that understand what that module does, and then Charlotte can put it all together.
[For security] a big piece of leveraging AI [is consistency]. If you ask ChatGPT the same question three times, you’ll probably get three different answers. In security, you need to have a deterministic outcome. So we built a lot of the tooling to be able to get Charlotte to an accurate decision, rather than a non-deterministic decision. So there's a lot that went into it over the years of building Charlotte out. And we just keep getting more and more feedback from customers and keep adding more and more capabilities.
I also wanted to ask about Falcon for IT — how has that been going and where are some other places you might want to be going with that next?
Falcon for IT right now is probably the most-requested module that we have. We've got some really nice deals done on it. We keep adding additional functionality and capability to it. The goal for us is to provide an alternative to a Tanium for many of our customers who have been asking for it. The other piece is, it actually gives IT a home. When you think about the fact that our agent is widely adopted, it’s trusted, it’s used on things like domain controllers — which is very difficult real estate to get on given the sensitivity of it. It's good to have IT leverage the capability that we have. We have the automation workflow with Falcon SOAR, we've got Falcon Foundry, which allows customers to create their own modules. With Falcon for IT, we can answer any question that they might ask and we can take an action on their behalf. So it's been very well-received and we do think that is going to be a big part of our business in the future.
In terms of working with channel partners, I would imagine some are interested in offerings for the IT side in addition to the security offerings? Is this opening doors for you with partners that you haven't done a lot with before?
Yes, I think there's other more IT-focused partners that it opens up. I think there are partners that probably specialize more in the SIEM space as well. So because we've added and expanded our product portfolio, and certainly our [total addressable market], it does expand the partner ecosystem that we have. They're not just security-focused partners. They could be broader partners. You think about Accenture — that's not just security. That's a broad opportunity for us — given the fact that they're very central to organizations and have relationships in the IT arena, rather than just security.
In terms of your expansion into SMB, how has that been going? Any updates in that regard?
It's been going very well. We’d launched Falcon Go some time ago and that has been received very well in the SMB space. We work very closely with many partners who [have] big businesses in the SMB. So that has been a bright spot for us. I think you can look at our results, and you can see that we're taking market share from others that have traditionally been strong in the SMB. And then we are handling and servicing a lot of the SMB customers through our [distribution partners] like Pax8 and others. So that is a focus for us. We started in the enterprise, we went down to the mid-market, and now we’re really doubling down on the SMB.
What is the overall message to partners, especially when it comes to consolidating with CrowdStrike?
The overall message is, we're embracing partners and we're focused on them making money — and not [on] giving a bunch of products away. We're going to protect our partners and we're going to make sure that they're successful, they're trained, they can solve customer problems, and they can partner in our success and make money with CrowdStrike.