Hey everyone, good afternoon, good evening. Welcome back to theCUBE's coverage of CrowdStrike, Falcon 23, live from Caesars Palace in Las Vegas. Lisa Martin, Dave Vellante, we've been having great conversations all day because you know, because you've been here on theCUBE. This is only day one of our coverage, two days. Lots more to talk about tomorrow, but we're excited to have one of our alumni back. Adam Meyers rejoins us. SVP of Counter-Adversary Operations at CrowdStrike. Adam, great to have you back on theCUBE. Thanks for joining us. Tell me a little bit about your role. SVP Counter-Adversary Operations. Give us the history on the role. Well, it's changed a little bit from last year because we just launched Counter-Adversary Operations. So what we kind of realized was, and I'm sure you heard from George Kurtz earlier today about how the adversaries are getting faster, demonstrably faster. We had our threat hunting report come out a couple weeks ago and the average breakout time was 79 minutes and the fastest was seven minutes. So we've kind of acknowledged that these adversaries are getting faster and faster every single year and every month really. And so we took our threat hunting team Overwatch, which is kind of industry leading managed threat hunting and we took our Intel team and we kind of co-located them into the same organization. So they have a much tighter integration now. So as the Intel team finds something interesting, they could pass it to the threat hunting team much faster. You can go out and find something on the platform and then bring that back in and then find new leads for the Intel team. So it becomes like a virtuous cycle, if you will, of threat hunting and threat intelligence kind of working together. Yeah, we used to talk about Patch Tuesday meant Hack Wednesday. Now you're saying Patch Tuesday means zero day Tuesday. Yeah. So, I mean, a lot has changed in the last year. 
A lot of times we do these conferences, it's like, yeah, what's new? Well, we announced a couple new products, but pretty much everything's the same, but it's almost like nothing's the same these days. Yeah, it's wild. I mean, when you think about the enterprise security landscape, there's been so much advancement there. Things like Falcon and the whole EDR market has, the analogy I've been giving is that it's very much like trying to take a rocket launcher into the airport. These EDR tools are there and they're able to catch malicious binaries or suspicious tools as soon as they cross the line. The adversaries didn't try to come up with a more creative way to get past it, necessarily. Now they're taking an easier path and they're going after identities. Stealing a user's identity either through social engineering, phishing the credentials, buying it on an underground forum. Once they get that identity, they can log in very much like a legitimate user. And rather than bringing tools that might be alerting with them, now they're moving laterally. They're living off the land with existing tools on the enterprise or they're bringing what we call a remote monitoring and management tool. These are legitimate tools lots of admins might use, things like AnyDesk or FleetDeck. And so they're kind of using things that will be under the radar and they're going after infrastructure that's either not monitored, unmanaged type devices or things like hypervisors that don't support modern security tools. And they're deploying their ransomware there. So now we've seen kind of the entire market move from endpoint security into identity security. And that's where the real, the new kind of wild west is in the identity space. Is dwell time getting worse? Yeah, I mean, no, because the operations are happening so much faster. Dwell time doesn't even really matter anymore. Dwell time used to be the measure of how long were they in the environment before you found them, right? 
And so that very typical with like China and a long tail espionage operation stealing all of this intellectual property, they wanted persistent access. But as we're looking at the threats today, they're hit it and quit it. So they come in real fast, they get on target, they get on the objective that they want and they get out or they deploy their ransomware or they steal their sensitive information. And so because they're moving so quickly, dwell time isn't really even that relevant. It's kind of irrelevant, yeah. I mean, even a year ago last winter, not less than two winters ago, dwell time was right, the SolarWinds hack. Right, that was all about hanging out. 200 something days that they were on the environment, right? But, and that's terrifying from a long scale operation. But if you look at how quickly there's been two supply chain attacks that we found this year with the Falcon platform and we notified the vendor within a week or so of it happening. And so think about that in the context of a SolarWinds. We went from 270, 280 days, whatever it was, down to six, seven days, that the adversaries have to work harder and faster. And it's because of the types of things we're doing, counter-adversary operations, one of our mandates is to disrupt the adversaries, to introduce things that kind of make their job harder, waste their cycles, waste their time. And because of that, they're moving, they're also trying to keep up and move faster. And that's always been the high level math, but the actual equation has completely changed. Talk a little bit about, from a speed perspective, you talked about how the adversaries are getting faster and faster. They obviously have access to great technology. But what are some of the speedy things that CrowdStrike is doing to help reduce the risk to organizations and be able to detect things and reach us faster? Yeah, so just to give you a sense of the time, in 2021, the breakout time was 98 minutes. In 2022, it was 84 minutes. 
Adversary got 14 minutes faster. We recomputed that six months later, back in August, and it was 79 minutes, right? And so the adversary keeps whittling down that time. And we have so much of the CrowdStrike racing, the F1 stuff here, there's an F1 car over there. And George was telling me, I'm not big into racing, but George was telling me that with racing, they don't look at minutes, taking minutes off each lap, or even seconds. They're looking at tenths or hundredths of a second. And that's where we're getting with the adversary's speed. They're getting faster and faster, and we're going to be down to not competing, breakout time changes in minutes, but seconds. And so that gives you a sense of how important speed is in this mix. And so one of the things that we're really excited about is Charlotte AI and how we integrate that through things like Falcon Fusion. So we can not only allow people to use our platform faster to take action and to find and to stop things, but we can also lower the bar of how well trained they need to be. So taking what would have been a super high level SOC analyst and now giving a mid-level SOC analyst that same ability to do that with things like Charlotte, where we can help simplify that process by making it natural language and using generative AI to really speed up that process, because we need to not only slow the adversary down with things like counter-adversary operations, but we need to speed up the defenders through things like Charlotte AI and some of the other exciting announcements we have coming out this week. So is AI ultimately of greater benefit to the attackers or the defenders? You know, I think for right now for the defenders, because we're able to take, I think about Falcon Intelligence. We produce 1,300 pages of intelligence per month, right? That's a lot of written prose that people need to read and understand and internalize and then turn that into action. 
So with something like a large language model and what we've done with Charlotte AI, you can ask questions of that entire rolling corpus of intelligence as it changes and get those answers very quickly. Who's targeting me? What are they after? Where have we seen them in our environment? Network contain that machine? All of these things, it's almost like Minority Report. And I'd be remiss to not say, CrowdStrike's 12 years old today. We launched the company September 19th, 2011. And when we were doing that, the first meeting we had, I remember being in the boardroom at our venture capital and we were saying it's going to be like Minority Report where you could take things on the platform and use the intelligence and all of the capabilities to make those decisions. And we're here today. It's 12 years later, you can do it. Happy birthday. Yeah, and the VCs, their reaction was I'm in? Oh, they were already in at that point. They were like, how are you going to do it? Hurry up. Yeah, get going. What's been some of the customer feedback as you guys have launched the counter-adversary operations? I know the customer base is very strong, it's growing. What's been some of the feedback from them on some of the things strategically that CrowdStrike is doing to help them really defend well? Well, to be fair, I think when we announced it publicly in August, everybody was like, okay, but what does that mean? So when we launched it, we had obviously the announcement that we were doing this and we integrated the two teams. We released the threat hunting report, Nowhere to Hide, which talked about how the adversaries had advanced in the identity space and organizations really need to invest in identity security as well as enterprise security. And we announced what we called identity-based threat hunting. 
So now our threat hunting teams are not only looking at the platform data and all of the nuances of how the platforms operate and the operating system and the computer, but they're also looking at the behaviors of the people. And so we brought, I think, what would be the first identity-based threat hunting to market. And this week we're announcing the integration of all of our elite services. So we have these white glove services that you could add to our intelligence subscription to our Overwatch subscription. And so we're going to be moving into a world where that's all one consolidated offering and you don't have one person focused on your Overwatch threat hunting and one expert on your Intel. It's one analyst who will support all of your threat hunting and threat intelligence needs with kind of one throat to choke, if you will. And so it is a much more seamless go-to-market and seamless experience for the customer. And there's a lot more that we'll be announcing in the coming months, but this is from a CAO perspective. That's what we've announced this week. Explain to people, because when people hear identity, they think IAM, they think Okta. Oh, CrowdStrike, competing with Okta now. But no, Okta's a partner. Explain what you mean by your treating identity essentially as an endpoint versus what an Okta would do. So I always kind of start with zero trust, right? And I think the market has adopted this whole zero trust messaging, but for me it's really a methodology. Zero trust is kind of like need to know in the government space, right? If you don't need to know, I'm not going to give you that access. And so as you implement a zero trust methodology, now you have to start to enforce that. So you put controls in place to ensure that zero trust is working the way it should. And so with identity protection, we wrap around all of that. Partners like Okta and all of the other IDPs that are out there, they're the IDP. 
That's not the space we're trying to be in, but we can wrap around that. So if Adam's account, he usually logs in from an iPhone in Washington, D.C. and today he's coming from an iPhone in Oxford, UK and he time traveled, there's no way to go, magically that quickly from Washington to Oxford. Let's ratchet up the monitoring on Adam's account and say everything needs two factor authentication. And what's really cool about our identity offering is there's things that don't support two factor authentication, like remote desktop protocol. There's no built-in two factor auth for that, but we can actually enforce that and say before you can initiate this remote desktop protocol session, you need to go through two factor auth. And so that's kind of the power of the identity protection is saying you could choose who you're using in your authentication and identity stack. We're going to put a big hug around that and we're going to keep it safe. What about two factor authentication with only SMS? What are your thoughts on that versus having a third party authenticator? Can you explain sort of the risks? How people should think about that? What you would tell your family? Yeah, I advise everybody to stay away from text-based two factor auth. One of the big threat actors everybody's hearing about today is Scattered Spider. A lot of information about them out there. And one of the things that they're really good at is SIM swapping. So your phone, you don't have it out, oh there it is, your phone has a SIM card in it, whether it be an eSIM or a physical piece of plastic. And that effectively has a unique identifier, which is tied to your account at your service provider. So if I'm a threat actor and I either get unauthorized access to your service provider, or I call them up and I social engineer them pretending to be you, I effectively switch the SIM number for your phone with my phone. 
And now anytime you get a text message it comes to me and anytime you get a phone call it comes to me. So if I'm trying to attack your identity, I get your username and password, maybe I've phished it or maybe it leaked and I bought it on an underground forum, all I have left is to bypass that two-factor auth. If that two-factor comes via text message, SIM swapping is easier than most people realize. And so now I can SIM swap your phone number and I'm you. And you got access to everything. I'm you. Your bank accounts, your crypto, everything. Yeah, it's incredible. But it's amazing to me, Adam, that there are a number of, for instance, brand-name financial institutions that only have SMS-based two-factor authentication. And I think, I don't know, maybe it's just inertia, legacy infrastructure, technical debt. Well, you got to figure who they're trying to service, right? Their customers are looking for an easy solution and having an auth application, having some other mechanism or a biometric or a physical token. It's expensive. It's difficult to troubleshoot. People get confused. So text is the easiest way to do it. But I'll tell you, there's a couple of things people could do to stay safe, which is every provider, certainly here in the US, has the ability to lock the SIM so you could add enhanced security to lock your SIM. Lock your SIM, people. Lock your SIM. And then the other thing that you could do is use like a Google Voice type of number because that doesn't rely on a SIM. So if you have the text message going to that account, you still have to keep that account safe. And so you could end up down a rabbit hole of accounts, but there's ways to mitigate that risk. But I think that the big concern is most people aren't thinking about that. That's the thing. People aren't aware of it. They're hitting the easy button. And that's also part of that's cultural, part of that's awareness and education. 
You talked about Scattered Spider and obviously that MGM hack was social engineering and got into a person via LinkedIn. So talk about the awareness and the education. Does your group provide that to customers and the ecosystem because that the people problem is consistent? That's always been the thing. I think, you know, going all the way back to the Kevin Mitnick days back in the late 90s, social engineering was a big concern. And you listen to some of these phone calls that you hear with the social engineering and it's incredible just how effective they are. Just calling up, I lost my password and a help desk wants to help them out and so that's how it goes. So social engineering is extremely powerful but what's kind of interesting is if you think about how that landscape has changed, you know, a year ago it was a lot of Word documents with embedded macros and Cobalt Strike and it was a pretty regular and regimented tool chain of that attack and over the last year it's completely shifted to your point earlier. It's completely shifted and now it's social engineering stealing the access to the credential, bypassing the multi-factor auth if it's there. And by the way, you could also not target the telephone company or the mobile provider to get that multi-factor auth bypassed. You could do a multi-factor authentication fatigue attack where if it's a push notification, you're constantly getting that push message three o'clock in the morning, you're going to be like, I'm just trying to go to sleep and you accept it. Or I then call you up and social engineer you and I say, oh, you've had a bunch of failed multi-factor authentication attempts. There's a synchronization issue. I'll reset it for you, but I'm going to push you one more and you accept it and then you're good. And they never realized that they just let somebody into the, so there's lots of different ways to get at it. Definitely. 
What's your favorite customer story that you think really just shines the spotlight on the value that CrowdStrike is delivering to your customer base? Well, I try not to go into any customer specifics because they trust us to keep that stuff internal and secret and off the record, but there's been a number of situations where we've had customers who have called us up to thank us for stopping a breach, or I was talking to a customer earlier today and he said, hey, you guys saved our butt a year ago and still happy and thank you for that. So without going into too many details, I could say that we've had a lot of great successes helping customers. Our services team is out there every day and they're hitting these environments a couple hours after Scattered Spider gets there and they've got a whole playbook that they start working with the customer to keep them safe. And if the customer listens to the direction, then we're able to keep them one step ahead because on average, Scattered Spider about eight hours before their mission accomplished. In and out. Wow. Wasn't it Mattel on stage today, was it Sean talking about? They didn't give specifics, but in terms of kind of the kudos that you're referencing that you've been hearing for organization saying, you saved our hinds. Yeah, yeah. Well, look, I mean, we work very closely and I tell everybody, I don't see customers, I see partners, right? We're in this together, we're here to help you and I give, when I talk to customers, partners, I give them my phone number and I'm like, hey, call me up if you ever need anything because we're in this together, it's us versus them. And that's the whole approach to CrowdStrike and 12 years ago, we launched this to say, you don't have a malware problem, you have an adversary problem and we're here to help our customers deal with those adversaries and to fight through it. Yep, help those adversaries. Yeah, the CISO from Mattel said, CrowdStrike paid for itself, I was like, oh boy. 
That's right. Here goes his bill. Yeah, that's right, that's right. Adam, it's been a pleasure having you back on theCUBE. Thanks for having me, yeah. The counter-adversary operations group, what you guys are doing there and the impact that it's making. Thank you for your time. Thank you. Our pleasure. For our guests and for Dave Vellante, I'm Lisa Martin. You're watching theCUBE's day one coverage of CrowdStrike Falcon 23. Right next up is Dave and I going to do a CUBE Insights. Really kind of give you an analysis of today and some of the nuggets that Dave got out of some of our guests. Stick around, we'll see you in a minute.