nameless927
2021-09-11
Nice article on Antivirus company
Why SentinelOne Is Better Than CrowdStrike<blockquote>为什么SentinelOne比CrowdStrike更好</blockquote>
免责声明:上述内容仅代表发帖人个人观点,不构成本平台的任何投资建议。
分享至
微信
复制链接
精彩评论
我们需要你的真知灼见来填补这片空白
打开APP,发表看法
APP内打开
发表看法
{"i18n":{"language":"zh_CN"},"detailType":1,"isChannel":false,"data":{"magic":2,"id":881368624,"tweetId":"881368624","gmtCreate":1631294936168,"gmtModify":1631888855044,"author":{"id":3577602781065384,"idStr":"3577602781065384","authorId":3577602781065384,"authorIdStr":"3577602781065384","name":"nameless927","avatar":"https://static.tigerbbs.com/ff218b44b2e07b129c0d4b2f98a1fcbb","vip":1,"userType":1,"introduction":"","boolIsFan":false,"boolIsHead":false,"crmLevel":12,"crmLevelSwitch":0,"individualDisplayBadges":[],"fanSize":1,"starInvestorFlag":false},"themes":[],"images":[],"coverImages":[],"extraTitle":"","html":"<html><head></head><body><p>Nice article on Antivirus company</p></body></html>","htmlText":"<html><head></head><body><p>Nice article on Antivirus company</p></body></html>","text":"Nice article on Antivirus company","highlighted":1,"essential":1,"paper":1,"likeSize":0,"commentSize":0,"repostSize":0,"favoriteSize":0,"link":"https://laohu8.com/post/881368624","repostId":1111681724,"repostType":2,"repost":{"id":"1111681724","kind":"news","pubTimestamp":1631244064,"share":"https://www.laohu8.com/m/news/1111681724?lang=zh_CN&edition=full","pubTime":"2021-09-10 11:21","market":"us","language":"en","title":"Why SentinelOne Is Better Than CrowdStrike<blockquote>为什么SentinelOne比CrowdStrike更好</blockquote>","url":"https://stock-news.laohu8.com/highlight/detail?id=1111681724","media":"Seeking Alpha","summary":"Summary\n\nSentinelOne is technically better than CrowdStrike according to the performance results of ","content":"<p><b>Summary</b></p><p><blockquote><b>总结</b></blockquote></p><p> <ul> <li>SentinelOne is technically better than CrowdStrike according to the performance results of the MITRE ATT&CK Evaluation.</li> <li>SentinelOne leverages a highly autonomous, out-the-box solution that's proving to deliver a more scalable business model than CrowdStrike’s – evident in 2Q22 results.</li> <li>SentinelOne has a significant last-mover advantage and is using it to target CrowdStrike's weak spots.</li> </ul> <p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/e6e594ecb7b47299440e7129e25e25e1\" tg-width=\"1536\" tg-height=\"864\" referrerpolicy=\"no-referrer\"><span>Sundry Photography/iStock Editorial via Getty Images</span></p><p><blockquote><ul><li>根据MITRE ATT&CK评估的性能结果,SentinelOne在技术上优于CrowdStrike。</li><li>SentinelOne利用高度自治、开箱即用的解决方案,事实证明,该解决方案可以提供比CrowdStrike更具可扩展性的商业模式——这在2022年第二季度结果中显而易见。</li><li>SentinelOne拥有显着的后发优势,并正在利用它来瞄准CrowdStrike的弱点。</li></ul><p class=\"t-img-caption\"><span>杂项摄影/iStock社论来自Getty Images</span></p></blockquote></p><p> <b>About this Report</b></p><p><blockquote><b>关于本报告</b></blockquote></p><p> Since its June 19 IPO, CrowdStrike's(NASDAQ:CRWD)market cap has soared sixfold as the company has experienced near triple-digit revenue growth thanks to its aggressive marketing of its highly effective and differentiated endpoint protection solution. Sentinel(NYSE:S)is the new kid on the block with even faster growth – more than doubling annual revenues YoY in 2Q22 [released after market close yesterday]. S also claims NGAV (Next-Gen Antivirus) superiority and goes head-to-head with CRWD in ultra-aggressive marketing.</p><p><blockquote>自6月19日IPO以来,CrowdStrike(纳斯达克股票代码:CRWD)的市值飙升了六倍,由于其高效且差异化的终端保护解决方案的积极营销,该公司的收入实现了近三位数的增长。Sentinel(纽约证券交易所股票代码:S)是增长更快的新人——2022年第二季度年收入同比增长了一倍多(昨天收盘后发布)。S还声称NGAV(下一代防病毒)具有优越性,并在超激进的营销中与CRWD正面交锋。</blockquote></p><p> Given S’s sky-high valuation of 92x NTM EV/S at the time of writing, it's difficult to rationalize an investment - by pretty much all measures the stock is insanely overvalued. Therefore, this report is largely about outlining why we believe S is technically superior to CRWD, and if you as investors are convinced, then you can speculate on your own growth and stock price trajectories using CRWD’s recent history as an anchor. We provide some financials and multiples projections in the Valuation Considerations section toward the end of the report.</p><p><blockquote>鉴于在撰写本文时S的92倍NTM EV/S的天价估值,很难合理化投资——从几乎所有指标来看,该股都被严重高估。因此,本报告主要是概述为什么我们认为S在技术上优于CRWD,如果您作为投资者深信不疑,那么您可以使用CRWD最近的历史作为锚来推测自己的增长和股价轨迹。我们在报告末尾的估值考虑部分提供了一些财务和倍数预测。</blockquote></p><p> We should make clear that any criticism of CRWD is in direct comparison to S. CRWD are still way better than legacy AV vendors – there's no denying that. And hopefully, this report may serve as somewhat of a framework for evaluating other EPP/EDR vendors that may catch your attention.</p><p><blockquote>我们应该明确的是,对CRWD的任何批评都是与s直接比较的。CRWD仍然比传统的AV供应商好得多——这是不可否认的。希望这份报告能成为评估其他可能引起您注意的EPP/EDR供应商的框架。</blockquote></p><p> <b>The Evolution of AV Industry</b></p><p><blockquote><b>AV行业的演变</b></blockquote></p><p> There are quite a few acronyms connected to the antivirus [AV] software industry to become familiar with before delving into what CRWD and S actually. The AV industry began life using signature databases followed by two decades of using signature databases with various tweaks. Then around 2011, EPP [Endpoint Protection] and EDR [Endpoint Detection & Response] became popular, ushering in the era of NGAV [Next-Gen Antivirus]. XDR [Extended Detection and Response] is often referred to as the second wave of NGAV that correlates broader and disparate data sources to enhance the detection of threats, and improve investigation and responses. The following diagram - from SentinelOne with additional annotation by ourselves – provides a useful high-level view of where the AV industry has been and where it is today. We’ll elaborate on this diagram in the following sections.</p><p><blockquote>在深入研究CRWD和S实际上是什么之前,有相当多的首字母缩略词需要熟悉。AV行业开始使用签名数据库,随后二十年来使用经过各种调整的签名数据库。然后在2011年左右,EPP【端点保护】和EDR【端点检测与响应】开始流行,开启了NGAV【下一代防病毒】时代。XDR[扩展检测和响应]通常被称为NGAV的第二波,它将更广泛和不同的数据源关联起来,以增强对威胁的检测,并改进调查和响应。下图来自SentinelOne,并附有我们自己的附加注释,提供了一个有用的高级视图,了解AV行业的过去和现在。我们将在下面的章节中详细说明该图。</blockquote></p><p> Figure 1 - Evolution of the AV Industry</p><p><blockquote>图1-AV行业的演变</blockquote></p><p> <p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/cbbf1db00601920823977504a2369bd4\" tg-width=\"640\" tg-height=\"387\" referrerpolicy=\"no-referrer\"><span>Source: SentinelOne presentation, Convequity modification</span></p><p><blockquote><p class=\"t-img-caption\"><span>来源:SentinelOne演示,Convequity modification</span></p></blockquote></p><p> <b>Signature-Based AV</b></p><p><blockquote><b>基于签名的AV</b></blockquote></p><p> In 1987, the late John McAfee released the first commercial AV [antivirus] software to be installed on desktops. It was a signature-based AV, which means it would check the signature of all inbound files to see if they matched a known malicious signature in the database. If there was a match then the AV would block and delete the file.</p><p><blockquote>1987年,已故的约翰·迈克菲发布了第一个安装在台式机上的商业反病毒软件。这是一个基于签名的反病毒软件,这意味着它将检查所有入站文件的签名,看看它们是否与数据库中已知的恶意签名相匹配。如果有匹配,那么AV将阻止并删除该文件。</blockquote></p><p> Most cyber-attacks involve the hacker attempting to land a malicious file on a user’s device. The file contains a virus that, when triggered with a click by the user, installs itself onto the device. From there the virus can do various things, though usually, the main objective is to ascertain the device’s network connections and send itself to critical systems of an organization.</p><p><blockquote>大多数网络攻击都涉及黑客试图将恶意文件登陆用户的设备。该文件包含一种病毒,当用户点击触发时,该病毒会自行安装到设备上。从那里,病毒可以做各种事情,尽管通常,主要目标是确定设备的网络连接,并将自己发送到组织的关键系统。</blockquote></p><p> Every file has a unique signature that looks like a random combination of letters and numbers. The combination of letters and numbers is produced by a hashing algorithm. For example, a file containing only the text of “We built this city!” and the hashing was based on the SHA256 hash algorithm (one of the most secure and efficient hashes), the signature will be the following:</p><p><blockquote>每个文件都有一个唯一的签名,看起来像是字母和数字的随机组合。字母和数字的组合由哈希算法产生。例如,一个只包含“我们建造了这座城市!”哈希基于SHA256哈希算法(最安全、最高效的哈希算法之一),签名如下:</blockquote></p><p> c0fed07bbfcd9ea317d495d0c9b43021ac839f699cff44f3d3bf60993df66467</p><p><blockquote>c0fed07bbfcd9ea317d495d0c9b43021ac839f699cff44f3d3bf60993df66467</blockquote></p><p> The hashing algorithm converts a file with any amount of content to a fixed-length signature – in the case of the SHA256 hashing algorithm, it is 64 characters long, also known as 64 bytes because 1 character equals 1 byte.</p><p><blockquote>哈希算法将具有任意数量内容的文件转换为固定长度的签名——在SHA256哈希算法的情况下,它是64个字符长,也称为64字节,因为1个字符等于1个字节。</blockquote></p><p> It’s also worth noting that changing 1 character or even flipping 1 bit [8 bits in 1 byte] from 0 to 1 or vice versa, will completely change the signature. Removing the exclamation mark so the text reads “We built this city” produces this 64-byte signature:</p><p><blockquote>还值得注意的是,更改1个字符,甚至将1位【1字节中的8位】从0翻转到1,反之亦然,都会完全改变签名。删除感叹号,使文本变为“We built this city”,将生成64字节的签名:</blockquote></p><p></p><p> 1b12cb77bb08ac8c826795eab8389346b1f36c9f20b7841f7552d12c7fbf4c27</p><p><blockquote>1b12cb77bb08ac8c826795eab8389346b1f36c9f20b7841f7552d12c7fbf4c27</blockquote></p><p> Visit this website to hash your own input or alternatively you can get the hash for any file you upload.</p><p><blockquote>访问这个网站来散列你自己的输入,或者你可以得到你上传的任何文件的散列。</blockquote></p><p> Throughout the 1990s it became apparent that signature-based AV had some fundamental shortcomings. Here are some of them:</p><p><blockquote>在整个20世纪90年代,基于签名的AV有一些基本的缺点变得很明显。以下是其中一些:</blockquote></p><p> <ul> <li>Cybercriminals can change one line of code to completely change the signature of the virus, and as a result, evade detection. This puts the hacker vs AV battle economics firmly in the favor of the former, because it takes a lot of time and computing resources to detect and confirm a new virus variant.</li> <li>As the number of malicious files grows, so does the signature database. The database resides on the endpoint so as it grows it consumes more disk space, more CPU, and more memory.</li> <li>Immediately after the AV is installed it becomes out of date because there's a continual creation of new viruses and variants of existing viruses. In essence, even the best signature-based AV provides < 100% protection.</li> </ul> To compensate for the < 100% protection, existing and new AV vendors came to the market with tweaks and variations of the signature-based model.</p><p><blockquote><ul><li>网络犯罪分子可以更改一行代码来完全更改病毒的特征,从而逃避检测。这使得黑客vs AV之战经济学坚定地偏向前者,因为检测并确认一种新病毒变种需要花费大量时间和计算资源。</li><li>随着恶意文件数量的增长,签名数据库也在增长。数据库驻留在端点上,因此随着它的增长,它会消耗更多的磁盘空间、更多的CPU和更多的内存。</li><li>反病毒软件安装后,它立即变得过时,因为新病毒和现有病毒的变种不断产生。本质上,即使是最好的基于签名的AV也能提供<100%的保护。</li></ul>为了补偿<100%的保护,现有的和新的反病毒供应商带着基于签名的模型的调整和变化进入市场。</blockquote></p><p> During the 1990s and 2000s, the early attempts to make up for the weaknesses of signature-based AV included:</p><p><blockquote>在20世纪90年代和21世纪初,弥补基于签名的AV弱点的早期尝试包括:</blockquote></p><p> <ul> <li>Firewall vendors such as Check Point Software(NASDAQ:CHKP), F5 Networks(NASDAQ:FFIV), and Fortinet(NASDAQ:FTNT)leveraged their dominant status within the corporate network to improve signature-based AV solutions. They used their deep packet inspection capabilities at the gateway of the network to inspect inbound data packets transmitting the malicious files as well as outbound connections triggered by the virus. This added more context to help sniff out the malicious inbound files and attempts to exfiltrate data.</li> <li>Bit9, founded in 2003, (later renamed Carbon Black and now acquired by VMware) introduced app whitelisting, whereby only authorized apps are allowed to run. This turned out to be highly restrictive and unproductive as apps change and upgrade rapidly.</li> <li>FireEye(NASDAQ:FEYE), founded in 2004, introduced sandboxing, whereby an unknown suspicious app or file would be executed in an isolated environment and monitored closely for any malicious activity. Although game-changing at the time, its effectiveness didn’t last long because hackers found ways to detect the sandbox environment to then trigger the virus into stealth mode and continue the attack at a later point in time.</li> </ul> Collectively, these attempts, while lacking sustainability, did an alright job at filling in the gaps, and generally speaking, provided adequate protection during the 1990s and 2000s.</p><p><blockquote><ul><li>Check Point Software(纳斯达克:CHKP)、F5 Networks(纳斯达克:FFIV)和Fortinet(纳斯达克:FTNT)等防火墙供应商利用其在企业网络中的主导地位来改进基于签名的AV解决方案。他们使用网络网关的深度数据包检查功能来检查传输恶意文件的入站数据包以及由病毒触发的出站连接。这增加了更多的上下文来帮助嗅出恶意的入站文件和泄露数据的尝试。</li><li>成立于2003年的Bit9(后来更名为Carbon Black,现已被VMware收购)引入了应用白名单,只有授权的应用才允许运行。随着应用程序的快速变化和升级,这被证明是高度限制性和低效的。</li><li>FireEye(纳斯达克:FEYE)成立于2004年,引入了沙盒,通过沙盒,未知的可疑应用程序或文件将在隔离的环境中执行,并密切监控任何恶意活动。尽管在当时改变了游戏规则,但它的有效性并没有持续多久,因为黑客找到了检测沙盒环境的方法,然后触发病毒进入隐形模式,并在稍后的时间点继续攻击。</li></ul>总的来说,这些尝试虽然缺乏可持续性,但在填补空白方面做得很好,总的来说,在20世纪90年代和21世纪初提供了足够的保护。</blockquote></p><p> Things changed, however, at the dawn of the iPhone in 2007. As the attack surface expanded so did the attack cadence, and computing experienced an exponential rise in the variety of viruses and the signatures connected to those viruses. The number of forms in which a virus would reside pre-execution also proliferated – scripts (code)began appearing in website photos, PDF add-ons, Excel VBA, and many other forms, waiting to be triggered.</p><p><blockquote>然而,在2007年iPhone问世时,情况发生了变化。随着攻击面的扩大,攻击节奏也随之扩大,计算机的病毒种类和与这些病毒相关的特征也呈指数级增长。病毒在执行前驻留的形式也在激增——脚本(代码)开始出现在网站照片、PDF插件、Excel VBA和许多其他形式中,等待被触发。</blockquote></p><p> On the whole, signature-based AV has proven not to scale very well and in the modern computing landscape does not provide adequate protection.</p><p><blockquote>总的来说,基于签名的AV已被证明不是很好地扩展,并且在现代计算环境中不能提供足够的保护。</blockquote></p><p> <b>Next-Gen AV</b></p><p><blockquote><b>下一代AV</b></blockquote></p><p> From 2007 to 2013, a new wave of AV startups emerged with a novel approach to AV. Some Next-Gen AV [NGAV] startups focused on the EPP [Endpoint Protection] – still aiming to perform the prevention, detection, and response on the end-user device itself, but by using static AI techniques to obviate the need for a signature database. Other NGAV startups focused on the EDR [Endpoint Detection and Response] side - whereby most of the protection was delivered via the cloud and therefore the EPP software component could be lightweight and serve merely as a sensor rather than an agent that can perform the full requirements of AV.</p><p><blockquote>从2007年到2013年,新一波AV创业公司以一种新颖的AV方式出现。一些下一代AV[NGAV]初创公司专注于EPP[端点保护]——仍然旨在在最终用户设备本身上执行预防、检测和响应,但通过使用静态人工智能技术来消除对签名数据库的需求。其他NGAV初创公司专注于EDR【端点检测和响应】方面——其中大部分保护是通过云提供的,因此EPP软件组件可以是轻量级的,仅充当传感器,而不是可以执行AV全部要求的代理。</blockquote></p><p> There are pros and cons to singularly focusing on either EPP or EDR. EPP avoids the shortcomings of signature databases, however, by running static AI on the endpoint without the big picture from the cloud, it's less flexible and less effective over the long term. EDR maintains the complete global threat picture because it’s powered by the cloud, but the downside is the deluge of data is overwhelming for security analysts and leads to many false alerts.</p><p><blockquote>单独关注EPP或EDR有利也有弊。EPP避免了签名数据库的缺点,但是,通过在端点上运行静态人工智能,而没有来自云的大局,从长远来看,它的灵活性和效率都较低。EDR维护了完整的全球威胁图景,因为它是由云驱动的,但缺点是大量的数据让安全分析师不知所措,并导致许多错误警报。</blockquote></p><p> As the shortcomings of EPP and EDR became increasingly apparent, NGAV vendors began to shift along the EPP/EDR spectrum to improve their products. The screenshot taken from S’s demo presentation summarizes the direction the vendors and the market moved from 2014 through to 2019.</p><p><blockquote>随着EPP和EDR的缺点越来越明显,NGAV供应商开始沿着EPP/EDR频谱转移以改进他们的产品。取自S演示演示的截图总结了供应商和市场从2014年到2019年的发展方向。</blockquote></p><p> <i>Figure2- Market Shifts: EPP vs EDR</i></p><p><blockquote><i>图2-市场变化:EPP与EDR</i></blockquote></p><p> <p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/dd7cfc885dd56210dffb2212159d7ac3\" tg-width=\"505\" tg-height=\"280\" referrerpolicy=\"no-referrer\"><span>Source: youtube.com</span></p><p><blockquote><p class=\"t-img-caption\"><span>来源:youtube.com</span></p></blockquote></p><p></p><p> XDR [Extended Detection & Response], first coined by Nir Zuk of Palo Alto Networks(NYSE:PANW)in 2018, is now the latest technology that leading vendors are striving toward. It blends EPP and EDR together whilst also adding SOAR [Security Orchestration, Automation & Response], SIEM [Security Information & Event Management], and NTA [Network Traffic Analysis]. The objective of XDR is to collect and correlate data from endpoints, network points, servers, cloud workloads, and emails to enhance detection capabilities and improve protection whilst also increasing productivity and lowering the overall cost of security software ownership.</p><p><blockquote>XDR(扩展检测和响应)由Palo Alto Networks(纽约证券交易所代码:PANW)的Nir Zuk于2018年首次提出,现在是领先供应商努力追求的最新技术。它将EPP和EDR融合在一起,同时还添加了SOAR【安全编排、自动化和响应】、SIEM【安全信息和事件管理】和NTA【网络流量分析】。XDR的目标是从端点、网络点、服务器、云工作负载和电子邮件收集和关联数据,以增强检测能力和改善保护,同时提高工作效率并降低安全软件拥有的总体成本。</blockquote></p><p> <b>CrowdStrike Intro</b></p><p><blockquote><b>CrowdStrike简介</b></blockquote></p><p> CRWD, founded in 2011, came to the market with EDR, which at the time was a radical approach to AV. Instead of destroying malicious files with AV software residing on the device, CRWD destroyed them from the cloud.</p><p><blockquote>CRWD成立于2011年,与EDR一起进入市场,这在当时是一种激进的AV方法。CRWD没有销毁设备上带有反病毒软件的恶意文件,而是从云端销毁了它们。</blockquote></p><p> They achieved this by having a super lightweight sensor with no database [consuming only 35 MB of storage space whereas signature-based AV can consume 4GB] installed on the endpoint. This sensor continually collects the logs (activities) related to the files on the device (i.e., what files are downloaded, open, from where, how, what time, what recent patches have been made?) and sends this telemetry data to the CRWD cloud. CRWD analysts collect this data from all CRWD devices and check it against a giant signature database in the cloud looking for matches in techniques. For example, the CRWD database contains a previous technique whereby opening a file from IP address 1.1.1.1 executed XXX.exe which was a piece of malware. As CRWD analysts recognize this technique being used again, they will block it, gather more intel, delete the file from the cloud, and share the insight across all endpoints.</p><p><blockquote>他们通过在终端上安装无数据库的超轻量级传感器(仅消耗35 MB的存储空间,而基于签名的AV可以消耗4GB)来实现这一目标。该传感器持续收集与设备上的文件相关的日志(活动)(即,下载了哪些文件、打开了哪些文件、从哪里、如何、什么时间、最近制作了哪些补丁?)并将这些遥测数据发送到CRWD云。CRWD分析师从所有CRWD设备收集这些数据,并将其与云中的一个巨大签名数据库进行检查,以寻找技术上的匹配。例如,CRWD数据库包含一种以前的技术,通过这种技术,从IP地址1.1.1.1打开文件会执行XXX.exe,这是一种恶意软件。当CRWD分析师意识到这种技术再次被使用时,他们将阻止它,收集更多情报,从云中删除文件,并在所有终端共享洞察力。</blockquote></p><p> However, it should be noted that while CRWD can detect a potential virus within seconds, it doesn’t complete its response and eliminate the threat until hours later. The complex nature of EDR delivers a high number of false alerts that need to be investigated by a client organization's analysts and CRWD's analysts alike. Therefore, CRWD does take considerably longer to completely eliminate the threat. However, they're able to contain the spread of the threat until a full investigation is complete. S, on the other hand, can detect<i>and</i>respond within seconds thanks to its greater degree of automation and hybrid EPP/EDR approach.</p><p><blockquote>然而,应该注意的是,虽然CRWD可以在几秒钟内检测到潜在的病毒,但它直到几个小时后才完成响应并消除威胁。EDR的复杂性带来了大量错误警报,需要由客户组织的分析师和CRWD的分析师进行调查。因此,CRWD确实需要相当长的时间才能完全消除威胁。然而,他们能够遏制威胁的蔓延,直到全面调查完成。另一方面,S可以检测到<i>和</i>得益于其更高程度的自动化和混合EPP/EDR方法,可在几秒钟内做出响应。</blockquote></p><p> The key benefit of this approach is that there are no constraints on the size of the database, as it’s located in a centralized cloud. Moreover, this EDR approach obviates the need to periodically push out software updates to the endpoints to include the latest signature database, again because the database is located in the cloud. The other benefit is that the aggregated threat hunting ensures new viruses and variants and attack methods are identified faster. In essence, this AV model makes the front-end software simple and light [collecting evidence] and makes the back-end operations complex, detailed, and shared across all devices - generating insights for all. The essence of EDR is to restrain from doing early prevention, and instead wait, observe, and collect more intel regarding the threats, and respond accordingly. And this approach inspired the name of CRWD’s flagship platform Falcon.</p><p><blockquote>这种方法的主要好处是对数据库的大小没有限制,因为它位于集中式云中。此外,这种EDR方法消除了定期向端点推出软件更新以包括最新签名数据库的需要,这也是因为数据库位于云中。另一个好处是,聚合威胁搜索可确保更快地识别新病毒和变种以及攻击方法。从本质上讲,这种AV模型使前端软件变得简单而轻便【收集证据】,并使后端操作变得复杂、详细,并在所有设备上共享——为所有人生成见解。EDR的本质是避免做早期预防,而是等待、观察和收集更多关于威胁的情报,并做出相应的反应。这种方法启发了CRWD旗舰平台Falcon的名称。</blockquote></p><p> <b>SentinelOne Intro</b></p><p><blockquote><b>哨兵介绍</b></blockquote></p><p> S, founded in 2013, is the youngest among established NGAV vendors, and this gives it a great last-mover advantage. Instead of heavily focusing on EDR or EPP, S has utilized them both to cover all major aspects of the endpoint security to deliver the so-called XDR. Similar to CRWD, S deploys a lightweight software agent with no database on the endpoint [200 MB of disk space]. It does more than CRWD’s sensor, however. It runs static AI to establish baseline file and device behavior in which to identify anomalous activity, relating to when the file was received and how long the file was open, for example. If the file passes the rigors of static AI analysis, the user is allowed to use the file but the agent will continue to monitor closely. The agent will apply a more dynamic AI to detect any suspicious lateral movement emanating from the file – e.g., when Word opened it triggered PowerShell to open, or a command is triggered to reach out to the Internet. At any point the agent determines there's malicious activity, it will kill the virus and clean up the environment. It's this level of autonomous capability in the EPP that differentiates S from other NGAV vendors.</p><p><blockquote>S成立于2013年,是老牌NGAV供应商中最年轻的,这使其具有巨大的后发优势。S没有重点关注EDR或EPP,而是利用它们来涵盖端点安全的所有主要方面,以提供所谓的XDR。与CRWD类似,S部署了一个轻量级软件代理,在端点上没有数据库【200 MB磁盘空间】。然而,它比CRWD的传感器做得更多。它运行静态AI来建立基线文件和设备行为,以识别异常活动,例如与文件何时被接收以及文件打开多长时间有关。如果文件通过了静态人工智能分析的严格要求,用户将被允许使用该文件,但代理将继续密切监控。代理将应用更动态的人工智能来检测文件发出的任何可疑横向移动,例如,当Word打开时,它会触发PowerShell打开,或者触发命令来访问互联网。在任何时候,代理确定存在恶意活动,它都会杀死病毒并清理环境。正是EPP中这种级别的自主能力将S与其他NGAV供应商区分开来。</blockquote></p><p></p><p> Despite the sophistication of such AI-powered detection methods, some types of malwares can still evade detection. Polymorphic malware variants change their own features, such as file names and hashes, to bypass detection methods. Techniques such as code obfuscation make malicious code hard to find and/or understand. Therefore, some threats manage to bypass the front-end, or EPP, defenses, necessitating the need for EDR.</p><p><blockquote>尽管这种人工智能检测方法非常复杂,但某些类型的恶意软件仍然可以逃避检测。多态恶意软件变体改变自己的特征,如文件名和哈希,以绕过检测方法。诸如代码混淆的技术使得恶意代码难以被发现和/或理解。因此,一些威胁设法绕过前端或EPP防御,因此需要EDR。</blockquote></p><p> Similar to CRWD, S utilizes back-end, or EDR, for deeper visibility threat hunting. The data collected is used by both S’s own analysts for global threat hunting,<i>and</i>its clients’ analysts working in Security Operation Centers [SOC]. On the EDR side, compared to CRWD the key differentiator is that S uses a \"story\" technique to add more context relevancy which leads to fewer alerts for analysts to handle. S have named this ‘story’ technique TrueContext ID.</p><p><blockquote>与CRWD类似,S利用后端或EDR进行更深入的可见性威胁搜索。收集的数据被两个S自己的分析师用于全球威胁搜寻,<i>和</i>其客户的分析师在安全运营中心[SOC]工作。在EDR方面,与CRWD相比,关键的区别在于S使用“故事”技术来添加更多的上下文相关性,从而减少分析师需要处理的警报。我们将这种“故事”技术命名为TrueContext ID。</blockquote></p><p> Taken from an S demo presentation, the screenshot below compares TrueContext ID to previous context-building techniques - Indicators of Compromise [IOC] and Indicators of Attack [IOA] – and the more typical existing EDR solutions – Tactics, Techniques & Procedures [TTP]. The slide uses the analogy of piecing together the description of a person to illustrate piecing together the description of a malicious action.</p><p><blockquote>下面的屏幕截图取自S演示演示,将TrueContext ID与以前的上下文构建技术(危害指标[IOC]和攻击指标[IOA])以及更典型的现有EDR解决方案(策略、技术和程序[TTP])进行了比较。该幻灯片使用拼凑一个人的描述的类比来说明拼凑一个恶意行为的描述。</blockquote></p><p> Figure 3 - Comparing TrueContext ID to Typical EDR Methods</p><p><blockquote>图3-TrueContext ID与典型EDR方法的比较</blockquote></p><p> <p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/e1fe08039bb960fee41b415e31c6d06e\" tg-width=\"544\" tg-height=\"293\" referrerpolicy=\"no-referrer\"><span>Source: youtube.com</span></p><p><blockquote><p class=\"t-img-caption\"><span>来源:youtube.com</span></p></blockquote></p><p> IOCs look like random descriptors that would need substantial effort to comprehend. IOAs are slightly more organized but still require effort to form the full picture. TTPs actually describe the bad action and offer useful context but don’t explain what happened before that led to the bad action. TrueContext ID takes it a whole level further by not just describing the traits of the bad action but also puts together a story of the events that led to the bad action – the DNA strand implies it knows everything about a given action.</p><p><blockquote>IOC看起来像随机描述符,需要大量的努力才能理解。IOAs稍微更有组织性,但仍然需要努力形成完整的画面。TTP实际上描述了不良行为,并提供了有用的背景,但没有解释导致不良行为之前发生的事情。TrueContext ID更进一步,不仅描述了不良行为的特征,还整理了导致不良行为的事件的故事——DNA链意味着它知道关于给定行为的一切。</blockquote></p><p> For example, there has been a connection made to an external FTP server [a server for transferring files] >>> this links back to some registry files that were archived in a new hard drive location >>> this links back to an unusual command-line execution in PowerShell >>> it transpires that the opening of PowerShell was triggered by the opening of an Office document >>> deeper analysis indicates the document contained a brand-new unknown virus >>> did the user single or double click it or did it download automatically? >>> where did it come from? >>> did it come from an email or a USB drive? >>> is the email address and source IP address associated with previous malicious activity? >>> or, when was the USB drive inserted on the device?</p><p><blockquote>例如,已经连接到外部FTP服务器【用于传输文件的服务器】>>>这链接回一些存档在新硬盘位置的注册表文件>>>这链接回PowerShell中不寻常的命令行执行>>>原来PowerShell的打开是由Office文档的打开触发的>>>更深入的分析表明该文档包含全新的未知病毒>>>用户是单击还是双击还是自动下载?它是从哪里来的?>>>它来自电子邮件还是USB驱动器?>>>电子邮件地址和源IP地址是否与以前的恶意活动相关联?>>>或者,USB驱动器是什么时候插入设备的?</blockquote></p><p> The above example shows a bad actor attempting to transfer a copy of the critical OS files [registry files], perhaps to learn more about the target organization in order to plan a devastating future attack, or something more imminent. TrueContext ID connects all the data points from the static and dynamic AI detection methods and synthesizes them with its own globally collated intelligence to string together a timeline of sequential events. And this is presented to SOC analysts either in tabular or graphical form. Putting together a chain of events like this ensures only relevant context is presented, which radically reduces the number of alerts and enables swift investigation and remediation.</p><p><blockquote>上面的示例显示了一个不良行为者试图传输关键操作系统文件[注册表文件]的副本,可能是为了了解有关目标组织的更多信息,以便计划未来的毁灭性攻击或更迫在眉睫的攻击。TrueContext ID连接了来自静态和动态AI检测方法的所有数据点,并将它们与自己的全局整理智能进行合成,以将连续事件的时间线串在一起。这以表格或图形的形式呈现给SOC分析师。将这样的一系列事件放在一起可以确保只呈现相关的上下文,从而从根本上减少警报的数量,并实现快速调查和补救。</blockquote></p><p> CRWD investors and advocates may be somewhat confused as to why S’s storing techniques are a technical competitive advantage. Indeed, CRWD has an event timelining feature that is core to their EDR solution – they refer to it as \"maps.\" However, generally, a client organization’s SOC analysts need to be tier 2 or 3 certified for using CRWD’s Falcon EDR solution – one reason for this being the high number of false alerts that an analyst needs to navigate, which is far easier for the more experienced.</p><p><blockquote>CRWD的投资者和倡导者可能有些困惑,为什么S的存储技术是一种技术竞争优势。事实上,CRWD有一个事件时间线功能,这是他们EDR解决方案的核心——他们称之为“地图”。然而,一般来说,客户组织的SOC分析师需要获得2级或3级认证才能使用CRWD的Falcon EDR解决方案,原因之一是分析师需要处理大量错误警报,这对于更有经验的人来说要容易得多。</blockquote></p><p> If a client organization doesn’t have a SOC team and hence cannot conduct the threat investigation on CRWD and leverage its EDR component, then they can just run it and let it handle things by the default settings or use the MDR [Managed Detection & Response] option whereupon CRWD experts will do the legwork. But when it comes to SOC operations, S’s storing technique appears to have an edge over CRWD because it radically reduces the alerts and false positives and, on the whole, makes life easier for SOC analysts.</p><p><blockquote>如果客户组织没有SOC团队,因此无法对CRWD进行威胁调查并利用其EDR组件,那么他们可以运行它,让它按照默认设置处理事情,或者使用MDR【托管检测和响应】选项,CRWD专家将进行跑腿工作。但在SOC操作方面,S的存储技术似乎比CRWD更有优势,因为它从根本上减少了警报和误报,总体而言,使SOC分析师的生活更加轻松。</blockquote></p><p></p><p> To summarize, S can deliver fully automated detection, response, and system recovery all within the EPP software itself, but also has the EDR-based TrueContext ID technology that can catch more sophisticated attacks and help SOC analysts triage with far fewer false positive alerts. With this in mind, it appears that S has the edge over CRWD on both the EPP and EDR sides of the market. Moreover, as we’ll show in the presentation of MITRE ATT&CK performance results, S’s out-of-the-box solution that leverages greater automation is likely to offer greater scalability than CRWD’s. We think this greater scalability is shining through in the recent 2Q22 results whereby S generated 127% YoY growth.</p><p><blockquote>总而言之,S可以在EPP软件本身中提供全自动检测、响应和系统恢复,而且还具有基于EDR的TrueContext ID技术,可以捕获更复杂的攻击,并帮助SOC分析师以更少的误报进行分类。考虑到这一点,S似乎在市场的EPP和EDR方面都比CRWD有优势。此外,正如我们将在MITRE ATT&CK性能结果演示中展示的那样,S的开箱即用解决方案利用了更高的自动化,可能会提供比CRWD更大的可扩展性。我们认为这种更大的可扩展性在最近的2022年第二季度业绩中得到了体现,S同比增长了127%。</blockquote></p><p> <b>Key Differences Between S and CRWD</b></p><p><blockquote><b>S和CRWD之间的主要区别</b></blockquote></p><p> We’ve listed 11 aspects of endpoint protection whereupon S and CRWD differ by substantial margins. And it may seem overly biased [though we don’t have a position in S yet], but all 11 aspects are in favor of S outcompeting CRWD. We’ll elaborate on a few of these in the following sections.</p><p><blockquote>我们已经列出了端点保护的11个方面,S和CRWD有很大的不同。这可能看起来过于偏颇【尽管我们还没有在S中的地位】,但所有11个方面都有利于S超越CRWD。我们将在下面的章节中详细介绍其中的一些。</blockquote></p><p> <p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/8e23001654d05cb1774d7adce7ed7e1c\" tg-width=\"573\" tg-height=\"253\" referrerpolicy=\"no-referrer\"><span>Source: Convequity</span></p><p><blockquote><p class=\"t-img-caption\"><span>来源:Convequity</span></p></blockquote></p><p> Brains of Software</p><p><blockquote>软件的大脑</blockquote></p><p> <b>CRWD</b>: As already alluded, the brain of CRWD is in the cloud only and utilizes EDR to understand the global landscape of threats. The very nature of this cloud-based EDR approach requires the computation of petabytes of data that quickly detects potential threats but also generates large numbers of false alerts. The notion of the false alert volumes necessitates the need for thorough investigation which is why the response time takes hours instead of seconds. Ultimately, CRWD’s approach is rather labour-intensive but is still more autonomous than legacy signature-based AV.</p><p><blockquote><b>CRWD</b>:正如已经提到的,CRWD的大脑仅在云中,并利用EDR来了解全球威胁格局。这种基于云的EDR方法的本质需要计算Pb的数据,这些数据可以快速检测潜在威胁,但也会产生大量错误警报。错误警报量的概念需要彻底的调查,这就是为什么响应时间需要几个小时而不是几秒钟。最终,CRWD的方法是相当劳动密集型的,但仍然比传统的基于签名的AV更加自主。</blockquote></p><p> <b>S</b>: The brain of S is in a hybrid form that utilizes both automation and AI in the front-end EPP and cloud-powered global intel in the back-end EDR, and blends the two harmoniously together. The storying technique applied in TrueContext ID radically reduces the number of alerts and the manual investigation for the EDR side of operations. So, as aforementioned, for the high majority of threats, this results in full automated response and recovery [system cleanup] within seconds, and results in relatively less manpower requirements [versus CRWD] for the more sophisticated attacks. Moreover, S can work offline and catch the majority of threats whereas CRWD must be connected online to work.</p><p><blockquote><b>S</b>:S的大脑是一种混合形式,在前端EPP中利用自动化和人工智能,在后端EDR中利用云驱动的全球英特尔,并将两者和谐地融合在一起。TrueContext ID中应用的故事技术从根本上减少了EDR操作方面的警报和手动调查数量。因此,如上所述,对于大多数威胁,这会在几秒钟内实现全自动响应和恢复【系统清理】,并且对于更复杂的攻击,相对于CRWD,人力需求相对较少。此外,S可以离线工作并捕获大多数威胁,而CRWD必须在线连接才能工作。</blockquote></p><p> <b>Operation of AV</b></p><p><blockquote><b>AV操作</b></blockquote></p><p> We’ve already touched on S’s software being highly autonomous while CRWD’s software requires human experts to be effective. This contrast offers an apt segue into taking a look at which approach is ultimately more effective. So, we’ll use this section to review the MITRE ATT&CK endpoint protection test results.</p><p><blockquote>我们已经提到S的软件是高度自主的,而CRWD的软件需要人类专家才能有效。这种对比提供了一个恰当的切入点,让我们来看看哪种方法最终更有效。因此,我们将使用本节来回顾米特ATT&CK端点保护测试结果。</blockquote></p><p> MITRE is an independent, federally funded, not-for-profit R&D organization that periodically performs attacks against leading security vendors’ software solutions. MITRE has long been the authority in cybersecurity testing, and in 2018, they launched the MITRE ATT&CK Evaluations, where MITRE evaluates the efficacy of cybersecurity products. S, CRWD, and PANW participated in the series of tests (2019, 2020, and 2021) and we’ll present the two most recent.</p><p><blockquote>MITRE是一个独立的、由联邦政府资助的非营利性研发组织,定期对领先的安全供应商的软件解决方案进行攻击。MITRE长期以来一直是网络安全测试的权威,2018年,他们推出了MITRE ATT&CK评估,MITRE评估网络安全产品的功效。S、CRWD和PANW参与了一系列测试(2019年、2020年和2021年),我们将介绍最近的两项测试。</blockquote></p><p> In the MITRE ATT&CK tests, vendors are assessed on how effective they are in stopping tactics and techniques. A Tactic is a bad actor’s objective – for example, to acquire a username and password, acquire remote control of the system, or exfiltrate data. A Technique is a method deployed to achieve the objective – for example, cross-site scripting [taking advantage of website vulnerabilities to lure victims into submitting their login details]. There are usually several techniques included in each tactic.</p><p><blockquote>在米特ATT&CK测试中,供应商将根据他们在阻止策略和技术方面的有效性进行评估。战术是坏人的目标——例如,获取用户名和密码、获得系统的远程控制或泄露数据。技术是为实现目标而部署的一种方法,例如,跨站点脚本【利用网站漏洞引诱受害者提交其登录详细信息】。每种战术通常都包含几种技术。</blockquote></p><p> Figure 4 - Tactics & Techniques</p><p><blockquote>图4-战术和技术</blockquote></p><p> <p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/22780f1dd68425ed1bd3bf6ea164e17d\" tg-width=\"640\" tg-height=\"251\" referrerpolicy=\"no-referrer\"><span>Source: medium.com</span></p><p><blockquote><p class=\"t-img-caption\"><span>来源:medium.com</span></p></blockquote></p><p> Rather confusingly to the layman, MITRE presents the performance results in references to Steps and Substeps instead of Tactics and Techniques. So, for high-level knowledge purposes, Steps are closely associated with Tactics and Substeps are closely associated with Techniques. The following diagram from SentinelOne is useful to solidify the levels of detections.</p><p><blockquote>令外行人相当困惑的是,MITRE在引用步骤和子步骤而不是策略和技术时呈现了性能结果。因此,对于高层次的知识目的,步骤与战术密切相关,子步骤与技术密切相关。SentinelOne的下图有助于巩固检测水平。</blockquote></p><p> Figure 5 - Analytic Detections: Tactics/Steps and Techniques/Substeps</p><p><blockquote>图5-分析检测:策略/步骤和技术/子步骤</blockquote></p><p> <p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/1c271214a738c15e65d44d3a2fcf7800\" tg-width=\"640\" tg-height=\"272\" referrerpolicy=\"no-referrer\"><span>Source: SentinelOne on YouTube, Convequity modification</span></p><p><blockquote><p class=\"t-img-caption\"><span>资料来源:YouTube上的SentinelOne,对流修改</span></p></blockquote></p><p></p><p> The 2020 test results [based on techniques from APT29, a hacker group linked to Russian intelligence agencies] are shown below. The first chart shown shows that S led the pack in regards to overall detections, aka Substeps. The chart shows the number of detections out of the 135 Substeps for each vendor.</p><p><blockquote>2020年的测试结果[基于与俄罗斯情报机构有联系的黑客组织APT29的技术]如下所示。显示的第一个图表显示,S在整体检测(也称为子步骤)方面领先。该图表显示了每个供应商的135个子步骤中的检测数量。</blockquote></p><p> Figure 6 – MITRE ATT&CK 2020 Performance Result: Total Detections</p><p><blockquote>图6-MITRE ATT&CK 2020性能结果:总检测量</blockquote></p><p> <p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/f2e9e22cd5dadfe733a41b4d89f36776\" tg-width=\"541\" tg-height=\"384\" referrerpolicy=\"no-referrer\"><span>Source: elastic.co/blog/</span></p><p><blockquote><p class=\"t-img-caption\"><span>来源:elastic.co/blog/</span></p></blockquote></p><p> The next two charts show the Tactic and Technique detections for the MITRE AV test. As a gentle reminder, Tactics are closely associated with Steps and Techniques are associated with Substeps.</p><p><blockquote>接下来的两个图表显示了MITRE AV测试的战术和技术检测。作为一个温和的提醒,战术与步骤密切相关,技术与子步骤相关。</blockquote></p><p> Figure 7 - MITRE ATT&CK 2020 Performance Result: Tactic and Technique Detections</p><p><blockquote>图7-MITRE ATT&CK 2020性能结果:战术和技术检测</blockquote></p><p> <p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/d3c4d692af2713c6fe0b234c68a23cec\" tg-width=\"640\" tg-height=\"284\" referrerpolicy=\"no-referrer\"><span>Source: elastic.co/blog/</span></p><p><blockquote><p class=\"t-img-caption\"><span>来源:elastic.co/blog/</span></p></blockquote></p><p> Observing that S had the best performance in Tactic detections and the second-best performance in Technique detections, aligns with the storing capability of TrueContext ID. A Tactic is a Step or objective, such as data exfiltration. A Technique is a Substep or method which is one of the Substeps required to achieve the Tactic, such as connecting to an external server in the exfiltration example. TrueContext ID has been designed to provide both high-level and granular detail of each attack, and therefore, it’s understandable as to why S has performed the best across Tactics and Techniques.</p><p><blockquote>观察到S在战术检测中具有最好的性能,在技术检测中具有第二好的性能,这与TrueContext ID的存储能力一致。战术是一个步骤或目标,如数据泄露。技术是子步骤或方法,其是实现策略所需的子步骤之一,例如在渗透示例中连接到外部服务器。TrueContext ID旨在提供每次攻击的高级和精细细节,因此,可以理解为什么S在战术和技术方面表现最好。</blockquote></p><p> Interestingly, the performance rankings in the following year [2021] are very similar. In the 2020 test, it looks like CRWD detected a total of c. 115 Substeps versus S’s c. 130. And in 2021 it looks like CRWD detected c. 150 versus S detecting c. 175. So, the ratio is very similar between the two rivals in both years.</p><p><blockquote>有趣的是,次年[2021年]的业绩排名非常相似。在2020年的测试中,看起来CRWD总共检测到了c。115子步骤与s的c。130.2021年,CRWD似乎检测到了c。150对S检测c。175.因此,这两个竞争对手在这两年的比率非常相似。</blockquote></p><p> Figure 8 - MITRE ATT&CK 2021 Performance Result: Total Detections</p><p><blockquote>图8-MITRE ATT&CK 2021性能结果:总检测量</blockquote></p><p> <p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/9f3bfc1ecc4575acfb81df5fa624348e\" tg-width=\"640\" tg-height=\"320\" referrerpolicy=\"no-referrer\"><span>Source: elastic.co/blog/</span></p><p><blockquote><p class=\"t-img-caption\"><span>来源:elastic.co/blog/</span></p></blockquote></p><p> It would be hard to dispute that S has a better performing AV than CRWD based on the results presented in the previous charts. Though what creates further distance between S and CRWD are the configuration changes made by the vendors before MITRE conducted its test – which we’ll cover next.</p><p><blockquote>根据前面图表中给出的结果,很难否认S的AV性能比CRWD更好。尽管在MITRE进行测试之前供应商所做的配置更改在S和CRWD之间造成了更大的距离——我们将在接下来介绍。</blockquote></p><p> <b>Deployment</b></p><p><blockquote><b>部署</b></blockquote></p><p> Much of S’s marketing outlines how their software works straight out-of-the-box. This is a common claim in competitive software markets, though in S’s case, it does appear to be largely true.</p><p><blockquote>S的大部分营销概述了他们的软件如何开箱即用。在竞争激烈的软件市场中,这是一种常见的说法,尽管在S的案例中,这似乎在很大程度上是正确的。</blockquote></p><p> The next chart shows how many configurations changes each vendor made in preparation for the 2020 test. S didn’t change anything – their AV software was applied out-of-the-box. CRWD, on the other hand, made 25 tweaks to optimize their AV for the test. This fits in very well with the earlier discussion that CRWD is designed for enterprises with more experienced security analysts [SOC 2 and 3 analysts] – more on this later. These configuration changes also underscore what we’ve outlined in regards to S being way more automated than CRWD. CRWD’s lack of automation means it can’t work out-of-the-box with high effectiveness – the AV has been designed for heavy human involvement.</p><p><blockquote>下图显示了每个供应商在准备2020年测试时所做的配置更改。S没有改变任何东西——他们的反病毒软件是开箱即用的。另一方面,CRWD做了25次调整来优化他们的测试AV。这非常符合之前的讨论,即CRWD是为拥有更有经验的安全分析师[SOC 2和3分析师]的企业设计的——稍后将详细介绍。这些配置变化也强调了我们所概述的S比CRWD更加自动化。CRWD缺乏自动化意味着它无法高效地开箱即用——AV是为大量人工参与而设计的。</blockquote></p><p> Figure 9 - MITRE ATT&CK Configuration Changes for 2020 Test</p><p><blockquote>图9-2020年测试的MITRE ATT&CK配置变化</blockquote></p><p> <p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/f75663784c5d8c76b727e0d5c6fe33a2\" tg-width=\"640\" tg-height=\"336\" referrerpolicy=\"no-referrer\"><span>Source: youtube.com</span></p><p><blockquote><p class=\"t-img-caption\"><span>来源:youtube.com</span></p></blockquote></p><p> So, despite CRWD making 25 tweaks to its AV software versus S’s zero tweaks, the market-leading endpoint protection provider still underperformed S by considerable margins in the MITRE test. And it’s worth reminding ourselves that S will have performed using AI and automation, whilst CRWD will have performed with heavy involvement from its own cloud-based SOC 2/3 analysts. Moreover, to add further context, this is the first test CRWD has participated in wherein it has performed acceptably well – previous tests by MITRE and NSS Labs yielded very poor results for CRWD. When you add these factors together, it really does open up a significant gap in the software capability between S and CRWD.</p><p><blockquote>因此,尽管CRWD对其反病毒软件进行了25次调整,而S的调整为零,但这家市场领先的终端保护提供商在MITRE测试中的表现仍大幅落后于S。值得提醒我们自己的是,S将使用人工智能和自动化来执行,而CRWD将在其自己的基于云的SOC 2/3分析师的大力参与下执行。此外,为了进一步补充,这是CRWD参与的第一次测试,其中它的表现还可以接受——MITRE和NSS实验室之前的测试对CRWD产生了非常差的结果。当你把这些因素加在一起时,它确实在S和CRWD之间的软件能力上打开了一个巨大的差距。</blockquote></p><p> It’s also refreshing to note that PANW also chose not to make any changes, and they achieved a top four overall total detection performance and finished in the top half in the Tactic and Technique components of the test. We’ve reiterated for a long time now that Palo Alto Networks is simply the best at cybersecurity, and considering that endpoint protection isn’t even their core/original expertise, this is a huge testament to that.</p><p><blockquote>同样令人耳目一新的是,PANW也选择不做任何改变,他们实现了前四名的总检测性能,并在测试的战术和技术组件中排名前半。我们长期以来一直重申,Palo Alto Networks是网络安全领域的佼佼者,考虑到终端保护甚至不是他们的核心/原始专业知识,这是对这一点的巨大证明。</blockquote></p><p> <b>Expertise Requirements</b></p><p><blockquote><b>专业知识要求</b></blockquote></p><p></p><p> For SMBs that don’t have a SOC [Security Operations Centre], have relatively simpler security needs, and for some reason may be less of a hacker target, then deploying CRWD in its default settings shouldn’t be much of an issue and is way better than opting for legacy AV. Indeed, a simple deployment across an all-Windows organization is very simple. Alternatively, if an all-Windows SMB has more nuanced security needs but doesn’t have a SOC, then CRWD’s MDR [Managed Detection & Response] service will be deployed and work smoothly with negligible issues. Expertise becomes a consideration in the case where an enterprise with its own SOC [and more complex requirements] and/or non-Windows operating systems (i.e., Linux and/or Mac) wants to install CRWD.</p><p><blockquote>对于没有SOC(安全运营中心)、安全需求相对简单且出于某种原因可能不太成为黑客目标的中小型企业来说,在默认设置中部署CRWD应该不是什么大问题,而且比选择传统反病毒要好得多。事实上,跨所有Windows组织的简单部署非常简单。或者,如果全Windows SMB有更微妙的安全需求,但没有SOC,那么CRWD的MDR【托管检测和响应】服务将被部署并顺利工作,问题可以忽略不计。在拥有自己的SOC【和更复杂的要求】和/或非Windows操作系统(即Linux和/或Mac)的企业想要安装CRWD的情况下,专业知识成为一个考虑因素。</blockquote></p><p> As highlighted in the previous section, to maximize CRWD and protect against a full range of sophisticated attack techniques, substantial configuration tweaks are required. SOC 2 and 3 analysts will comfortably be able to handle this, however, SOC 1 and/or IT generalists will find it difficult and are likely to require assistance or make a mistake. Additionally, a higher-level of expertise is necessary to swiftly navigate through the barrage of alerts received with CRWD. Analysts need to coordinate Falcon with Splunk’s legacy SIEM to correlate data and gain the fullest threat landscape picture [this will eventually change, however, once they fully integrate the Humio acquisition]. Again, this requires a higher-level of expertise – SOC 2 or 3.</p><p><blockquote>正如上一节所强调的,为了最大限度地提高CRWD并防范各种复杂的攻击技术,需要进行大量的配置调整。SOC 2和3分析师将能够轻松处理这一点,但是,SOC 1和/或IT通才会发现这很困难,并且可能需要帮助或犯错误。此外,需要更高水平的专业知识来快速浏览CRWD收到的大量警报。分析师需要将Falcon与Splunk的传统SIEM协调,以关联数据并获得最全面的威胁形势图[然而,一旦他们完全整合了Humio收购,这种情况最终将会改变]。同样,这需要更高水平的专业知识——SOC 2或3。</blockquote></p><p> Then if you add in non-Windows OS, deployment complicates further. Yes, in the past 12 or so months CRWD has better adapted Falcon to Linux and Mac, though a high-level of expertise is required to ensure a smooth deployment following many years of incompatibility issues.</p><p><blockquote>然后,如果您添加非Windows操作系统,部署会变得更加复杂。是的,在过去12个月左右的时间里,CRWD已经更好地将Falcon适应了Linux和Mac,尽管在经历了多年的不兼容问题后,需要高水平的专业知识来确保顺利部署。</blockquote></p><p> So, because of the config changes and the multi-OS environments, typically SOC 2 or 3 analysts are required for the CRWD enterprise use case.</p><p><blockquote>因此,由于配置变化和多操作系统环境,CRWD企业用例通常需要SOC 2或3名分析师。</blockquote></p><p> In contrast, as evident in the MITRE test, S works right out of the box and hence IT generalists can get on fine with it. TrueContext ID - the storing feature - radically reduces the volume of alerts to enable more efficient threat hunting and remediation and hence making for a more user-friendly interface for SOC 1 and IT generalists to get along with. And, S has built its Singularity Platform with Windows, Linux, and Mac in mind right from the outset [a by-product of S’s last-mover advantage and taking more time in R&D before pumping the GTM strategy], delivering feature parity across all platforms – which again, means lower expertise is required to complete a successful multi-OS environment.</p><p><blockquote>相比之下,正如在MITRE测试中显而易见的那样,S开箱即用,因此IT通才可以很好地使用它。TrueContext ID(存储功能)从根本上减少了警报的数量,以实现更有效的威胁搜索和补救,从而为SOC 1和IT通才提供了一个更加用户友好的界面。此外,S从一开始就考虑到了Windows、Linux和Mac构建了Singularity平台【这是S后发优势的副产品,在实施GTM战略之前在R&D花费了更多时间】,在所有平台上提供功能对等——这也意味着完成一个成功的多操作系统环境所需的专业知识更少。</blockquote></p><p> <b>Target Market and Pricing</b></p><p><blockquote><b>目标市场和定价</b></blockquote></p><p> As previously mentioned, CRWD and S can be easily deployed for simple use cases associated with certain SMBs. Where we view S as having a notable larger target market is in the more complicated use cases associated with certain SMBs and enterprises. Taking into account the aforementioned expertise requirements, for complex use cases, S appears as the more attractive solution – by a wide margin. In using S over CRWD, SOC two and three analysts can work with more productivity, and SOC 1 and IT generalists can deploy and manage the software with little hassle. This opens up a wider TAM for S vs. CRWD.</p><p><blockquote>如前所述,CRWD和S可以很容易地部署到与某些SMB相关的简单用例中。我们认为S拥有明显更大的目标市场的地方是与某些中小型企业和企业相关的更复杂的用例。考虑到上述专业知识要求,对于复杂的用例,S似乎是更有吸引力的解决方案——以很大的优势。在使用S over CRWD时,SOC 2和SOC 3分析师可以提高工作效率,SOC 1和IT通才可以轻松部署和管理软件。这为S与CRWD打开了更广泛的TAM。</blockquote></p><p> So, at the low-end of the market, comparing S and CRWD is trivial, because for simple use cases CRWD’s default settings are adequate. But CRWD is expensive. Our research on Reddit forums indicates that CRWD is 2x to 3x more expensive than S, and from this, we infer that CRWD is or will eventually price themselves out of the market segment in which they are most technically competitive.</p><p><blockquote>因此,在低端市场,比较S和CRWD是微不足道的,因为对于简单的用例,CRWD的默认设置就足够了。但是CRWD很贵。我们在Reddit论坛上的研究表明,CRWD比S贵2到3倍,由此我们推断,CRWD正在或最终将自己排除在技术上最具竞争力的细分市场之外。</blockquote></p><p> CRWD maximizes the land-and-expand sales model as aggressively as any other software vendor. They sell the Falcon platform in modules; implementing a bare minimum number of modules in the beginning and then aggressively upselling/cross-selling other modules. Though many of the other modules are a necessity for full protection. Usually, most clients need to bundle together NGAV which is the Falcon Prevent module, EDR which is the Falcon Insight module, and device control which is the Falcon Device Control module. However, in pursuit of greater DBNR [Dollar-based Net Retention], CRWD separated device control into an independent module.</p><p><blockquote>CRWD像任何其他软件供应商一样积极地最大化土地和扩张销售模式。他们以模块形式出售猎鹰平台;开始时实施最少数量的模块,然后积极追加销售/交叉销售其他模块。尽管许多其他模块是全面保护所必需的。通常,大多数客户端需要将NGAV(即Falcon Prevent模块)、EDR(即Falcon Insight模块)和Device Control(即Falcon设备控制模块)捆绑在一起。然而,为了追求更大的DBNR【基于美元的净保留率】,CRWD将设备控制分离成一个独立的模块。</blockquote></p><p> Figure 10 - CRWD's Falcon Platform Modules</p><p><blockquote>图10-CRWD的Falcon平台模块</blockquote></p><p> <p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/c475e910dc1a094d382a08896b76d275\" tg-width=\"633\" tg-height=\"318\" referrerpolicy=\"no-referrer\"><span>Source: CrowdStrike</span></p><p><blockquote><p class=\"t-img-caption\"><span>资料来源:CrowdStrike</span></p></blockquote></p><p> The combined pricing is well beyond the price quote from legacy AV vendors – which is absolutely fine given CRWD is better. Though, according to Reddit forum discussions, those clients that mentioned \"SentinelOne\" to CRWD salespeople immediately received a ~50% discount.</p><p><blockquote>综合定价远远超出了传统AV供应商的报价——考虑到CRWD更好,这绝对没问题。不过,根据Reddit论坛的讨论,那些向CRWD销售人员提到“SentinelOne”的客户立即获得了约50%的折扣。</blockquote></p><p></p><p> CRWD’s module-based land-and-expand ploys are most evident in the immediate quarters post-IPO. A cynical view, but reading between the lines it looks like a nice stock-based compensation booster was at play for the year-end of FY19.</p><p><blockquote>CRWD基于模块的土地和扩张策略在IPO后的几个季度最为明显。这是一种愤世嫉俗的观点,但从字里行间来看,2019财年年底似乎有一个不错的基于股票的薪酬助推器正在发挥作用。</blockquote></p><p> Figure 11 - CRWD's DBNR</p><p><blockquote>图11-CRWD的DBNR</blockquote></p><p> <p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/6cc506dae651f32b97fc0affb3ce4111\" tg-width=\"598\" tg-height=\"240\" referrerpolicy=\"no-referrer\"><span>Source: CrowdStrike</span></p><p><blockquote><p class=\"t-img-caption\"><span>资料来源:CrowdStrike</span></p></blockquote></p><p> In a clear attempt to differentiate and do things better than CRWD, S doesn’t sell individual modules. Instead, it sells its full Singularity Platform as bundles across three tiers – Core, Control, and Complete. It appears that on a like-for-like, S’s bundles are ~30% even after CRWD’s discounts.</p><p><blockquote>为了脱颖而出并比CRWD做得更好,S不销售单个模块。相反,它将其完整的Singularity平台作为三个层次(核心、控制和完整)的捆绑销售。即使在CRWD的折扣之后,S的捆绑包似乎也在30%左右。</blockquote></p><p> Figure 12 - S's Singularity Platform Tiered Bundles</p><p><blockquote>图12-S的奇点平台分层捆绑包</blockquote></p><p> <p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/5c77f334f8f81a839d3022612b73ead9\" tg-width=\"639\" tg-height=\"307\" referrerpolicy=\"no-referrer\"><span>Source: SentinelOne</span></p><p><blockquote><p class=\"t-img-caption\"><span>来源:SentinelOne</span></p></blockquote></p><p> Insincere sales ploys like what CRWD has been doing only last for so long. Eventually, customers catch onto what is happening – evident by discussion on Reddit. And it feels like that day has already come, probably brought to the fore by S’s differentiated bundle pricing.</p><p><blockquote>像CRWD这样不真诚的销售策略只持续了这么久。最终,客户会意识到正在发生的事情——从Reddit上的讨论中可以明显看出这一点。感觉这一天已经到来,可能是由S的差异化捆绑定价带来的。</blockquote></p><p> To summarize, CRWD effectively competes with S on a technical basis at the lower-end of the market involving simple use cases but they are risking pricing themselves out of the market. At the higher-end of the market involving complex use cases, it looks like S is both technically better and more affordable than CRWD. Additionally, S will store logs for a maximum of 365 days whilst CRWD’s max is 90 days. All of this strongly aligns itself with S’s founder and CEO Tomer Weingarten claiming that S wins 70% of head-to-heads with CRWD.</p><p><blockquote>总而言之,CRWD在涉及简单用例的低端市场上在技术基础上与S有效竞争,但他们面临着因定价而被挤出市场的风险。在涉及复杂用例的高端市场中,S似乎在技术上比CRWD更好,而且更实惠。此外,S将最多存储365天的日志,而CRWD的最多存储90天。所有这些都与S的创始人兼首席执行官Tomer Weingarten声称S赢得了与CRWD 70%的正面交锋。</blockquote></p><p> In comparison to CRWD, not only will S’s technical superiority and competitiveness help it penetrate more of the TAM whilst also widening the TAM, being able to deploy in the cloud and on-prem further expands their customer reach vis-à-vis CRWD.</p><p><blockquote>与CRWD相比,S的技术优势和竞争力不仅有助于其渗透更多TAM,同时还扩大了TAM,能够在云端和本地部署进一步扩大了CRWD的客户覆盖范围。</blockquote></p><p> On the whole, S can target a broader market and based on its technical/performance superiority plus aggressive but transparent pricing, can outcompete CRWD in its own TAM.</p><p><blockquote>总体而言,S可以瞄准更广阔的市场,并基于其技术/性能优势加上积极但透明的定价,可以在自己的TAM中击败CRWD。</blockquote></p><p> <b>Architecture</b></p><p><blockquote><b>建筑</b></blockquote></p><p> Before we move onto valuation considerations, we’ll briefly share our views and CRWD’s and S’s software architecture. In all honesty, we can’t find much information related to who has the more modern architecture, but you’ve probably guessed already that we think S has the edge here. The cadence in which both vendors release new features and modules is testament that both operate within advanced microservice architectures. However, we assume, that as CRWD partners with a legacy vendor like Splunk for SIEM and log management, its architecture is probably semi-dated and that there has been an absence of major revamp in recent years. This line of thinking could be kind of validated by the number of years it’s taken for CRWD to overhaul its Mac and Linux sensors.</p><p><blockquote>在我们讨论估值考虑因素之前,我们将简要分享我们的观点以及CRWD和S的软件架构。老实说,我们找不到太多关于谁拥有更现代架构的信息,但您可能已经猜到我们认为S在这里有优势。两家供应商发布新功能和模块的节奏证明了两者都在高级微服务架构中运行。然而,我们假设,由于CRWD与Splunk等传统供应商合作进行SIEM和日志管理,其架构可能是半过时的,并且近年来没有进行重大改造。CRWD大修其Mac和Linux传感器所花费的时间可以验证这种想法。</blockquote></p><p> It’s interesting how in March 2021 CRWD bought Humio for $392m in cash and equity just one month after S bought Scalyr for $155m in cash and equity. This may be reading into things too much, but some may view it as a sign of desperation to shore up an aging architecture and move away from legacy SPLK.</p><p><blockquote>有趣的是,在S以1.55亿美元现金和股权收购Scalyr仅一个月后,CRWD在2021年3月以3.92亿美元现金和股权收购了Humio。这可能是对事情的解读太多了,但有些人可能会认为这是绝望的迹象,以支撑老化的架构并远离传统的SPLK。</blockquote></p><p> Any differences in the modernity of the two NGAV architectures will very likely widen in the coming quarters and years. CRWD is only 14 months older than S, but because it grew early and superfast, it will have accumulated way more technical debt. And issues that come with technical debt will only be amplified as a $60bn company like CRWD needs to continue aggressively expanding its TAM via acquisitions in order to keep the mega growth story alive.</p><p><blockquote>在未来几个季度和几年内,两种NGAV架构的现代性差异很可能会扩大。CRWD只比S大14个月,但由于它增长早且速度超快,它将积累更多的技术债务。随着像CRWD这样价值600亿美元的公司需要继续通过收购积极扩大其TAM,以保持巨大的增长故事,技术债务带来的问题只会被放大。</blockquote></p><p> As all software firms grow, they lose their nimbleness but it will happen a lot sooner to CRWD than it will to S - and this gives another upper hand to S in years to come.</p><p><blockquote>随着所有软件公司的成长,他们会失去灵活性,但CRWD会比S更快地发生这种情况——这让S在未来几年再次占据上风。</blockquote></p><p> <b>S’s Edge Summary</b></p><p><blockquote><b>S的边缘摘要</b></blockquote></p><p> At a high level, the key competitive advantages S has over CRWD can be summarized into four fundamental drivers:</p><p><blockquote>在高层次上,S相对于CRWD的关键竞争优势可以总结为四个基本驱动因素:</blockquote></p><p> <ul> <li>Better product effectiveness.</li> <li>Better user experience.</li> <li>Better pricing.</li> <li>A more scalable business model afforded by a highly automated out-the-box solution.</li> </ul> <b>Valuation Considerations</b></p><p><blockquote><ul><li>更好的产品效果。</li><li>更好的用户体验。</li><li>更好的定价。</li><li>由高度自动化的开箱即用解决方案提供的更具可扩展性的业务模式。</li></ul><b>估值考虑</b></blockquote></p><p> S’s IPO, on June 30, was the highest-valued cybersecurity IPO ever. The stock finished its IPO day 21% up, closing at $42.50/share with a LTM EV/S of 100x. At the time of writing the stock is trading at $68/share with a LTM EV/S of 163x and a NTM EV/S of 92x.</p><p><blockquote>S于6月30日进行的IPO是有史以来估值最高的网络安全IPO。该股IPO当天上涨21%,收于每股42.50美元,LTM EV/S为100倍。截至撰写本文时,该股交易价格为每股68美元,LTM EV/S为163倍,NTM EV/S为92倍。</blockquote></p><p></p><p> Below are some projections going out to FY26. FY22 revenue is anchored to management’s guidance. In the 2Q22 earnings presentation released yesterday, management also gave long-term targets that included a mature gross margin of 75%-80%, hence why we’ve made it so gross margin is 78% in FY26. We’ve used CRWD’s current TTM FCF margin as a rough long-term estimate of S’s in FY26.</p><p><blockquote>以下是对2026财年的一些预测。2022财年收入取决于管理层的指导。在昨天发布的2022年第二季度财报中,管理层还给出了长期目标,其中包括75%-80%的成熟毛利率,因此我们将2026财年的毛利率定为78%。我们使用CRWD当前的TTM FCF利润率作为2026财年S的粗略长期估计。</blockquote></p><p> Guessing the multiple declines is kind of an unchartered territory because of the unprecedented level and sustainability of multiples we’re witnessing in the COVID-era market. Some may argue a decline to a 53x EV/S by FY26 is not steep enough, and that might be right. Though in FY26 we expect revenue to be at similar levels to CRWD’s today and CRWD is currently trading at 56x EV/S. Of course, no macro assessment is being taken into account so please take this exercise with a pinch of salt.</p><p><blockquote>猜测倍数下降是一个未知的领域,因为我们在新冠时代的市场中看到了前所未有的倍数水平和可持续性。有些人可能会认为,到2026财年,EV/S下降到53倍还不够陡峭,这可能是对的。尽管我们预计2026财年的收入将与CRWD目前的水平相似,而且CRWD目前的交易价格为56倍EV/S。当然,没有考虑宏观评估,所以请对这个练习持保留态度。</blockquote></p><p> Figure 13 - Financials & Multiples Projections</p><p><blockquote>图13-财务和倍数预测</blockquote></p><p> <p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/b47610548d3c3dd40fbf6fc5d8c66a60\" tg-width=\"640\" tg-height=\"281\" referrerpolicy=\"no-referrer\"><span>Source: Convequity</span></p><p><blockquote><p class=\"t-img-caption\"><span>来源:Convequity</span></p></blockquote></p><p> In the 4.5 years from today to the end of FY26 [fiscal year end 31stJan], if the EV reaches $68bn then S’s stock will deliver a 36% annualized return. So, yes the multiples are insanely high but because of the extreme growth that will presumably remain high for a few years, even a sharp decline in multiples can still deliver sufficient investor returns.</p><p><blockquote>从今天到2026财年结束(1月31日财年结束)的4.5年内,如果电动汽车达到680亿美元,那么S的股票将实现36%的年化回报率。因此,是的,市盈率高得离谱,但由于极端增长可能会在几年内保持高位,即使市盈率急剧下降,仍然可以为投资者带来足够的回报。</blockquote></p><p> CRWD’s LTM EV/S at the close of its IPO day [6thJune 2019] was 47x and it has peaked at c. 70x in Aug-19 and Feb-21. This highlights the richness in S’s current valuation. However, is S still worth an investment at the present time? Well, investors need to be aware of the melt-up and melt-down that has often occurred with high-growth tech IPOs, especially during the past 12-18 months. S could very well follow a similar path and climb much higher before falling down once the lockup period ends [27thDecember, 2021] and early investors can cash in some of their profits. Investors should also note that S employees are allowed to sell 15% of their shares as of 6thOctober 2021. For readers’ information, S’s number of shares in float to number of shares outstanding is just 17% - in contrast, a post lockup stock like CRWD has 86% in float.</p><p><blockquote>CRWD在IPO日(2019年6月6日)结束时的LTM EV/S为47倍,峰值为c。19年8月和21年2月70倍。这凸显了S目前估值的丰富性。然而,目前S还值得投资吗?嗯,投资者需要意识到高增长科技IPO经常发生的熔化和熔化,尤其是在过去12-18个月内。一旦禁售期结束[2021年12月27日],S很可能会遵循类似的路径,在下跌之前攀升得更高,并且早期投资者可以兑现部分利润。投资者还应注意,自2021年10月6日起,S员工可以出售15%的股份。供读者参考,S的流通股数量占已发行股数量的比例仅为17%,相比之下,CRWD等锁定后股票的流通股数量为86%。</blockquote></p><p> Therefore, high-risk tolerant and/or short-term investors may want to consider a long position right now. Longer-term investors may prefer to let the liquidation unravel post Oct-21 and then post Dec-21 before buying shares. A compromise may be to buy a fourth of a position today and opportunistically add to it in the future. Personally, we’re waiting for a correction before opening a position. If the stock corrects c. 25% we’ll probably add half of the total planned allocation and then wait to see what happens after the lockup.</p><p><blockquote>因此,高风险承受能力和/或短期投资者现在可能需要考虑多头头寸。长期投资者可能更愿意让清算在10月21日之后结束,然后在12月21日之后再购买股票。折中的办法可能是今天买入四分之一的头寸,并在未来机会主义地增加。就我个人而言,我们正在等待调整后再建仓。如果股票修正c。25%我们可能会增加计划分配总额的一半,然后等着看锁定后会发生什么。</blockquote></p><p> At first glance S’s extremely negative operating and FCF margins are alarming, but what investors should bear in mind is that S has the edge in technical and performance superiority and therefore they need to capitalize on this edge in the fastest way possible. CRWD is just 14 months older than S but has over 7x more ARR [Annual Recurring Revenue], which illuminates the differences in market approach. CRWD hit the market early and aggressively whilst S spent many years with their primary focus in R&D before focusing on sales and marketing [S&M]. Now S has a refined and market-leading product they need to maximize the GTM strategy as much as they can and catch up the market leader.</p><p><blockquote>乍一看,S极负的营业利润率和自由现金流利润率令人震惊,但投资者应该记住的是,S在技术和性能优势方面具有优势,因此他们需要以最快的方式利用这一优势。CRWD仅比S大14个月,但ARR(年度经常性收入)却高出7倍以上,这说明了市场方法的差异。CRWD很早就积极地进入了市场,而S在专注于销售和营销之前,花了很多年的时间主要专注于R&D【S&M】。现在,S拥有了一款精致且市场领先的产品,他们需要尽可能地最大化GTM战略并赶上市场领导者。</blockquote></p><p> Figure 14 - 1Q22 Margins</p><p><blockquote>图14-2022年第一季度利润率</blockquote></p><p> <img src=\"https://static.tigerbbs.com/f13e4a5a906b763afaa3476b59045597\" tg-width=\"187\" tg-height=\"81\" referrerpolicy=\"no-referrer\"></p><p><blockquote></blockquote></p><p> The current gross margin doesn’t exactly indicate a profitable long-term business model. However, investors should bear in mind that S’s competitiveness, especially in offering 365-day log storage, is a big suppressant at the moment. When S captures a larger share of the market, builds a solid reputation, and fully integrates Scalyr’s novel way of ingesting and storing log data, S can command a greater premium and simultaneously lower cost of revenue, and hence gross margin will rise accordingly. Interestingly, 2Q22 gross margin has already jumped c. 800 basis points since 1Q22, and no doubt the integration of Scalyr will have contributed to this. Throw into the mix that S will more than likely follow CRWD in shifting from cloud to colocation infrastructure once they reach a certain scale, the mature end-state gross margin for S will be close to 80%, in our opinion.</p><p><blockquote>目前的毛利率并不完全表明有利可图的长期商业模式。然而,投资者应该记住,S的竞争力,尤其是在提供365天日志存储方面,目前是一个很大的抑制因素。当S占据更大的市场份额,建立稳固的声誉,并完全集成Scalyr摄取和存储日志数据的新颖方式时,S可以获得更大的溢价,同时降低收入成本,因此毛利率将相应上升。有趣的是,2022年第二季度的毛利率已经跃升了c。自2022年第一季度以来已上涨800个基点,毫无疑问,Scalyr的整合将对此做出贡献。我们认为,一旦达到一定规模,S很可能会跟随CRWD从云转向托管基础设施,S的成熟最终状态毛利率将接近80%。</blockquote></p><p> Irrespective of the trading tactics, we think S has a strong chance to prove to be a good investment, even at the current multiple levels. We’ll list the pros to consider:</p><p><blockquote>无论交易策略如何,我们认为S很有可能被证明是一项不错的投资,即使在当前的多个层面上也是如此。我们将列出需要考虑的优点:</blockquote></p><p></p><p> <ul> <li>Currently, S has very low penetration - FY21 [fiscal year ending 31stJan] generated $93m of revenue and $161m of ARR [Apr-21] - in a market estimated to be worth between $20bn and $30bn by 2025.</li> <li>Similar to what CRWD has done, S will acquire more talent, expand its product’s capabilities, and expand into new markets - the IPO proceeds will go toward these objectives. This will expand an already large TAM for S.</li> <li>As we’ve presented in this report, S is the technical leader in the endpoint protection market. Technical leadership combined with mega aggressive S&M expenditure [110% of revenue vs CRWD’s IPO year of 69% of revenue] will very likely be highly effective.</li> <li>Given the relatively low revenue base ($93m for FY21) and the autonomous, out-the-box nature of S’s AV, we would not be surprised if they regularly exceeded analyst consensus growth expectations (91% for FY22). From c. $100m in FY18, CRWD has grown c. 100% and this is with an AV solution that needs to be customized for many customers. Therefore, NTM growth of 100% is more probable than not, in our opinion – especially, with the S&M aggressiveness.</li> </ul> Of course, stocks such as S pose substantial risks for investors, so we’ll outline some of the cons to consider:</p><p><blockquote><ul><li>目前,S的渗透率非常低——2021财年(截至1月31日的财年)创造了9300万美元的收入和1.61亿美元的ARR【21年4月】——预计到2025年,市场价值将在200亿至300亿美元之间。</li><li>与CRWD所做的类似,S将获得更多人才、扩展其产品功能并扩展到新市场——IPO收益将用于实现这些目标。这将扩展S已经很大的TAM。</li><li>正如我们在本报告中所介绍的,S是终端保护市场的技术领导者。技术领先地位与大规模积极的S&M支出相结合(占收入的110%,而CRWD IPO年度占收入的69%)很可能会非常有效。</li><li>鉴于S的收入基础相对较低(2021财年为9300万美元)以及S的自动驾驶、开箱即用的特性,如果它们经常超出分析师一致的增长预期(2022财年为91%),我们不会感到惊讶。从c。2018财年,CRWD增长了1亿美元。100%,这是一个需要为许多客户定制的反病毒解决方案。因此,在我们看来,NTM增长100%的可能性更大——尤其是在S&M咄咄逼人的情况下。</li></ul>当然,S等股票给投资者带来了巨大的风险,因此我们将概述一些需要考虑的缺点:</blockquote></p><p> <ul> <li>S is a company with fast-growing revenue but also growing losses. EBIT margin for FY20 and FY21 was -161% and -124%. FCF margin for FY20 and FY21 was -102% and -78%. So, it’s clear that cash flows in any DCF valuation are far into the future which makes the stock very vulnerable to changes in inflation and interest rate expectations – which is happening with frequency at present.</li> <li>Given the large losses, all of the stock’s future trajectory is dependent on the company beating revenue growth expectations. Consequently, any quarterly revenue misses will have a severe impact on the share price and it could take the stock a long time to recover.</li> <li>S’s technical superiority might not be insurmountable – we believe it's the best but groundbreaking is a stretch too far. Endpoint protection is a highly competitive market abundant with innovation, so it’s a possibility S could eventually lose a degree of its product leadership.</li> <li>CRWD may up the ante with ‘smoke and mirrors’ tactics and even more aggressive S&M that specifically aims to<i>legally</i>defame S.</li> </ul> There are certainly a few pros and cons to consider. In our opinion, the optimal approach to gaining exposure to S is to<b>1</b>) wait for a correction,<b>2</b>) open a ¼, a 1/3, or a ½ of the total eventual position subject to the magnitude of the correction,<b>3</b>) add during risk-off episodes during the next several months, and<b>4</b>) leave some capital spare to buy some more after the effects of the lockup expiry have been fully reflected.</p><p><blockquote><ul><li>S是一家收入快速增长但亏损也在不断增加的公司。2020财年和2021财年的息税前利润率分别为-161%和-124%。2020财年和2021财年的自由现金流利润率分别为-102%和-78%。因此,很明显,任何DCF估值中的现金流都是遥远的未来,这使得股票非常容易受到通胀和利率预期变化的影响——这种情况目前经常发生。</li><li>鉴于巨额亏损,该股未来的所有轨迹都取决于该公司超出收入增长预期。因此,任何季度收入低于预期都会对股价产生严重影响,并且该股可能需要很长时间才能恢复。</li><li>S的技术优势可能并非不可逾越——我们相信它是最好的,但开创性太过分了。终端保护是一个竞争激烈、创新丰富的市场,因此S最终有可能失去一定程度的产品领先地位。</li><li>CRWD可能会通过“烟雾和镜子”策略以及更激进的S&M来加大赌注,专门旨在<i>合法地</i>诽谤S。</li></ul>当然有一些利弊需要考虑。我们认为,接触S的最佳方法是<b>1</b>)等待回调,<b>2</b>)打开受校正幅度影响的总最终位置的1/4、1/3或1/2,<b>3</b>)在接下来几个月的避险期间添加,以及<b>4</b>)在禁售期到期的影响充分体现后,留出一些资本闲置来购买更多。</blockquote></p><p> The conundrum, as is with all pioneering software stocks, is that investors are usually forced to pay a hefty premium in order to participate in future price appreciation. This is because these types of stocks have a tendency to remain elevated for a long time. However, on the flip-side, S has not yet made it in the Global MSCI indices, therefore, bouts of risk-off sentiment have the potential to knock down the share price considerably more than stocks such as Cloudflare(NYSE:NET), Okta(NASDAQ:OKTA), Twilio(NYSE:TWLO), and Palantir(NYSE:PLTR). With this in mind, opportunities to buy big dips are likely but sustained elevated multiples and/or multiple expansion is also a strong possibility. Hence, the optimal approach, in our opinion, is to add a fraction after a correction [or even now for the highly risk-tolerant] and complete the position in the months ahead.</p><p><blockquote>与所有先锋软件股一样,难题在于投资者通常被迫支付高额溢价才能参与未来的价格升值。这是因为这些类型的股票往往会长期保持高位。然而,另一方面,S尚未进入全球MSCI指数,因此,一轮又一轮的避险情绪对股价的打击可能远远超过Cloudflare(NYSE:NET)等股票。、Okta(纳斯达克股票代码:OKTA)、Twilio(纽约证券交易所股票代码:TWLO)和Palantir(纽约证券交易所股票代码:PLTR)。考虑到这一点,逢低买入的机会是可能的,但持续升高的倍数和/或倍数扩张也是一个很大的可能性。因此,我们认为,最佳方法是在调整后增加一部分(甚至现在对于高风险承受能力强的人来说),并在未来几个月完成头寸。</blockquote></p><p> <b>Conclusion</b></p><p><blockquote><b>结论</b></blockquote></p><p> This report was not intended to bash CRWD’s technology because obviously it's extremely sophisticated and great at stopping threats. However, comparing to CRWD does highlight a degree of superiority in S’s approach to AV. And most importantly, from an investment perspective, S’s out-of-the-box solution certainly makes its business appear more scalable than CRWD. And this is exciting when considering CRWD’s super growth in spite of each deployment requiring a good dose of configuration tweaking and training.</p><p><blockquote>这份报告无意抨击CRWD的技术,因为显然它非常复杂,在阻止威胁方面非常出色。然而,与CRWD相比,确实突出了S的AV方法的一定程度的优越性。最重要的是,从投资角度来看,S的开箱即用解决方案无疑使其业务看起来比CRWD更具可扩展性。尽管每次部署都需要大量的配置调整和培训,但考虑到CRWD的超级增长,这是令人兴奋的。</blockquote></p><p> The valuation is mega rich but investors need to accept that the premium is for a game-changing technical leader in a high-growth and very large market. Upside growth surprises could very well materialize given the scalability of S’s out-the-box solution.</p><p><blockquote>估值非常高,但投资者需要接受这样一个事实,即溢价是针对一个高增长且非常大的市场中改变游戏规则的技术领导者。鉴于S开箱即用解决方案的可扩展性,上行增长惊喜很可能会实现。</blockquote></p><p></p>","collect":0,"html":"<!DOCTYPE html>\n<html>\n<head>\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />\n<meta name=\"viewport\" content=\"width=device-width,initial-scale=1.0,minimum-scale=1.0,maximum-scale=1.0,user-scalable=no\"/>\n<meta name=\"format-detection\" content=\"telephone=no,email=no,address=no\" />\n<title>Why SentinelOne Is Better Than CrowdStrike<blockquote>为什么SentinelOne比CrowdStrike更好</blockquote></title>\n<style type=\"text/css\">\na,abbr,acronym,address,applet,article,aside,audio,b,big,blockquote,body,canvas,caption,center,cite,code,dd,del,details,dfn,div,dl,dt,\nem,embed,fieldset,figcaption,figure,footer,form,h1,h2,h3,h4,h5,h6,header,hgroup,html,i,iframe,img,ins,kbd,label,legend,li,mark,menu,nav,\nobject,ol,output,p,pre,q,ruby,s,samp,section,small,span,strike,strong,sub,summary,sup,table,tbody,td,tfoot,th,thead,time,tr,tt,u,ul,var,video{ font:inherit;margin:0;padding:0;vertical-align:baseline;border:0 }\nbody{ font-size:16px; line-height:1.5; color:#999; background:transparent; }\n.wrapper{ overflow:hidden;word-break:break-all;padding:10px; }\nh1,h2{ font-weight:normal; line-height:1.35; margin-bottom:.6em; }\nh3,h4,h5,h6{ line-height:1.35; margin-bottom:1em; }\nh1{ font-size:24px; }\nh2{ font-size:20px; }\nh3{ font-size:18px; }\nh4{ font-size:16px; }\nh5{ font-size:14px; }\nh6{ font-size:12px; }\np,ul,ol,blockquote,dl,table{ margin:1.2em 0; }\nul,ol{ margin-left:2em; }\nul{ list-style:disc; }\nol{ list-style:decimal; }\nli,li p{ margin:10px 0;}\nimg{ max-width:100%;display:block;margin:0 auto 1em; }\nblockquote{ color:#B5B2B1; border-left:3px solid #aaa; padding:1em; }\nstrong,b{font-weight:bold;}\nem,i{font-style:italic;}\ntable{ width:100%;border-collapse:collapse;border-spacing:1px;margin:1em 0;font-size:.9em; }\nth,td{ padding:5px;text-align:left;border:1px solid #aaa; }\nth{ font-weight:bold;background:#5d5d5d; }\n.symbol-link{font-weight:bold;}\n/* header{ border-bottom:1px solid #494756; } */\n.title{ margin:0 0 8px;line-height:1.3;color:#ddd; }\n.meta {color:#5e5c6d;font-size:13px;margin:0 0 .5em; }\na{text-decoration:none; color:#2a4b87;}\n.meta .head { display: inline-block; overflow: hidden}\n.head .h-thumb { width: 30px; height: 30px; margin: 0; padding: 0; border-radius: 50%; float: left;}\n.head .h-content { margin: 0; padding: 0 0 0 9px; float: left;}\n.head .h-name {font-size: 13px; color: #eee; margin: 0;}\n.head .h-time {font-size: 12.5px; color: #7E829C; margin: 0;}\n.small {font-size: 12.5px; display: inline-block; transform: scale(0.9); -webkit-transform: scale(0.9); transform-origin: left; -webkit-transform-origin: left;}\n.smaller {font-size: 12.5px; display: inline-block; transform: scale(0.8); -webkit-transform: scale(0.8); transform-origin: left; -webkit-transform-origin: left;}\n.bt-text {font-size: 12px;margin: 1.5em 0 0 0}\n.bt-text p {margin: 0}\n</style>\n</head>\n<body>\n<div class=\"wrapper\">\n<header>\n<h2 class=\"title\">\nWhy SentinelOne Is Better Than CrowdStrike<blockquote>为什么SentinelOne比CrowdStrike更好</blockquote>\n</h2>\n<h4 class=\"meta\">\n<p class=\"head\">\n<strong class=\"h-name small\">Seeking Alpha</strong><span class=\"h-time small\">2021-09-10 11:21</span>\n</p>\n</h4>\n</header>\n<article>\n<p><b>Summary</b></p><p><blockquote><b>总结</b></blockquote></p><p> <ul> <li>SentinelOne is technically better than CrowdStrike according to the performance results of the MITRE ATT&CK Evaluation.</li> <li>SentinelOne leverages a highly autonomous, out-the-box solution that's proving to deliver a more scalable business model than CrowdStrike’s – evident in 2Q22 results.</li> <li>SentinelOne has a significant last-mover advantage and is using it to target CrowdStrike's weak spots.</li> </ul> <p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/e6e594ecb7b47299440e7129e25e25e1\" tg-width=\"1536\" tg-height=\"864\" referrerpolicy=\"no-referrer\"><span>Sundry Photography/iStock Editorial via Getty Images</span></p><p><blockquote><ul><li>根据MITRE ATT&CK评估的性能结果,SentinelOne在技术上优于CrowdStrike。</li><li>SentinelOne利用高度自治、开箱即用的解决方案,事实证明,该解决方案可以提供比CrowdStrike更具可扩展性的商业模式——这在2022年第二季度结果中显而易见。</li><li>SentinelOne拥有显着的后发优势,并正在利用它来瞄准CrowdStrike的弱点。</li></ul><p class=\"t-img-caption\"><span>杂项摄影/iStock社论来自Getty Images</span></p></blockquote></p><p> <b>About this Report</b></p><p><blockquote><b>关于本报告</b></blockquote></p><p> Since its June 19 IPO, CrowdStrike's(NASDAQ:CRWD)market cap has soared sixfold as the company has experienced near triple-digit revenue growth thanks to its aggressive marketing of its highly effective and differentiated endpoint protection solution. Sentinel(NYSE:S)is the new kid on the block with even faster growth – more than doubling annual revenues YoY in 2Q22 [released after market close yesterday]. S also claims NGAV (Next-Gen Antivirus) superiority and goes head-to-head with CRWD in ultra-aggressive marketing.</p><p><blockquote>自6月19日IPO以来,CrowdStrike(纳斯达克股票代码:CRWD)的市值飙升了六倍,由于其高效且差异化的终端保护解决方案的积极营销,该公司的收入实现了近三位数的增长。Sentinel(纽约证券交易所股票代码:S)是增长更快的新人——2022年第二季度年收入同比增长了一倍多(昨天收盘后发布)。S还声称NGAV(下一代防病毒)具有优越性,并在超激进的营销中与CRWD正面交锋。</blockquote></p><p> Given S’s sky-high valuation of 92x NTM EV/S at the time of writing, it's difficult to rationalize an investment - by pretty much all measures the stock is insanely overvalued. Therefore, this report is largely about outlining why we believe S is technically superior to CRWD, and if you as investors are convinced, then you can speculate on your own growth and stock price trajectories using CRWD’s recent history as an anchor. We provide some financials and multiples projections in the Valuation Considerations section toward the end of the report.</p><p><blockquote>鉴于在撰写本文时S的92倍NTM EV/S的天价估值,很难合理化投资——从几乎所有指标来看,该股都被严重高估。因此,本报告主要是概述为什么我们认为S在技术上优于CRWD,如果您作为投资者深信不疑,那么您可以使用CRWD最近的历史作为锚来推测自己的增长和股价轨迹。我们在报告末尾的估值考虑部分提供了一些财务和倍数预测。</blockquote></p><p> We should make clear that any criticism of CRWD is in direct comparison to S. CRWD are still way better than legacy AV vendors – there's no denying that. And hopefully, this report may serve as somewhat of a framework for evaluating other EPP/EDR vendors that may catch your attention.</p><p><blockquote>我们应该明确的是,对CRWD的任何批评都是与s直接比较的。CRWD仍然比传统的AV供应商好得多——这是不可否认的。希望这份报告能成为评估其他可能引起您注意的EPP/EDR供应商的框架。</blockquote></p><p> <b>The Evolution of AV Industry</b></p><p><blockquote><b>AV行业的演变</b></blockquote></p><p> There are quite a few acronyms connected to the antivirus [AV] software industry to become familiar with before delving into what CRWD and S actually. The AV industry began life using signature databases followed by two decades of using signature databases with various tweaks. Then around 2011, EPP [Endpoint Protection] and EDR [Endpoint Detection & Response] became popular, ushering in the era of NGAV [Next-Gen Antivirus]. XDR [Extended Detection and Response] is often referred to as the second wave of NGAV that correlates broader and disparate data sources to enhance the detection of threats, and improve investigation and responses. The following diagram - from SentinelOne with additional annotation by ourselves – provides a useful high-level view of where the AV industry has been and where it is today. We’ll elaborate on this diagram in the following sections.</p><p><blockquote>在深入研究CRWD和S实际上是什么之前,有相当多的首字母缩略词需要熟悉。AV行业开始使用签名数据库,随后二十年来使用经过各种调整的签名数据库。然后在2011年左右,EPP【端点保护】和EDR【端点检测与响应】开始流行,开启了NGAV【下一代防病毒】时代。XDR[扩展检测和响应]通常被称为NGAV的第二波,它将更广泛和不同的数据源关联起来,以增强对威胁的检测,并改进调查和响应。下图来自SentinelOne,并附有我们自己的附加注释,提供了一个有用的高级视图,了解AV行业的过去和现在。我们将在下面的章节中详细说明该图。</blockquote></p><p> Figure 1 - Evolution of the AV Industry</p><p><blockquote>图1-AV行业的演变</blockquote></p><p> <p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/cbbf1db00601920823977504a2369bd4\" tg-width=\"640\" tg-height=\"387\" referrerpolicy=\"no-referrer\"><span>Source: SentinelOne presentation, Convequity modification</span></p><p><blockquote><p class=\"t-img-caption\"><span>来源:SentinelOne演示,Convequity modification</span></p></blockquote></p><p> <b>Signature-Based AV</b></p><p><blockquote><b>基于签名的AV</b></blockquote></p><p> In 1987, the late John McAfee released the first commercial AV [antivirus] software to be installed on desktops. It was a signature-based AV, which means it would check the signature of all inbound files to see if they matched a known malicious signature in the database. If there was a match then the AV would block and delete the file.</p><p><blockquote>1987年,已故的约翰·迈克菲发布了第一个安装在台式机上的商业反病毒软件。这是一个基于签名的反病毒软件,这意味着它将检查所有入站文件的签名,看看它们是否与数据库中已知的恶意签名相匹配。如果有匹配,那么AV将阻止并删除该文件。</blockquote></p><p> Most cyber-attacks involve the hacker attempting to land a malicious file on a user’s device. The file contains a virus that, when triggered with a click by the user, installs itself onto the device. From there the virus can do various things, though usually, the main objective is to ascertain the device’s network connections and send itself to critical systems of an organization.</p><p><blockquote>大多数网络攻击都涉及黑客试图将恶意文件登陆用户的设备。该文件包含一种病毒,当用户点击触发时,该病毒会自行安装到设备上。从那里,病毒可以做各种事情,尽管通常,主要目标是确定设备的网络连接,并将自己发送到组织的关键系统。</blockquote></p><p> Every file has a unique signature that looks like a random combination of letters and numbers. The combination of letters and numbers is produced by a hashing algorithm. For example, a file containing only the text of “We built this city!” and the hashing was based on the SHA256 hash algorithm (one of the most secure and efficient hashes), the signature will be the following:</p><p><blockquote>每个文件都有一个唯一的签名,看起来像是字母和数字的随机组合。字母和数字的组合由哈希算法产生。例如,一个只包含“我们建造了这座城市!”哈希基于SHA256哈希算法(最安全、最高效的哈希算法之一),签名如下:</blockquote></p><p> c0fed07bbfcd9ea317d495d0c9b43021ac839f699cff44f3d3bf60993df66467</p><p><blockquote>c0fed07bbfcd9ea317d495d0c9b43021ac839f699cff44f3d3bf60993df66467</blockquote></p><p> The hashing algorithm converts a file with any amount of content to a fixed-length signature – in the case of the SHA256 hashing algorithm, it is 64 characters long, also known as 64 bytes because 1 character equals 1 byte.</p><p><blockquote>哈希算法将具有任意数量内容的文件转换为固定长度的签名——在SHA256哈希算法的情况下,它是64个字符长,也称为64字节,因为1个字符等于1个字节。</blockquote></p><p> It’s also worth noting that changing 1 character or even flipping 1 bit [8 bits in 1 byte] from 0 to 1 or vice versa, will completely change the signature. Removing the exclamation mark so the text reads “We built this city” produces this 64-byte signature:</p><p><blockquote>还值得注意的是,更改1个字符,甚至将1位【1字节中的8位】从0翻转到1,反之亦然,都会完全改变签名。删除感叹号,使文本变为“We built this city”,将生成64字节的签名:</blockquote></p><p></p><p> 1b12cb77bb08ac8c826795eab8389346b1f36c9f20b7841f7552d12c7fbf4c27</p><p><blockquote>1b12cb77bb08ac8c826795eab8389346b1f36c9f20b7841f7552d12c7fbf4c27</blockquote></p><p> Visit this website to hash your own input or alternatively you can get the hash for any file you upload.</p><p><blockquote>访问这个网站来散列你自己的输入,或者你可以得到你上传的任何文件的散列。</blockquote></p><p> Throughout the 1990s it became apparent that signature-based AV had some fundamental shortcomings. Here are some of them:</p><p><blockquote>在整个20世纪90年代,基于签名的AV有一些基本的缺点变得很明显。以下是其中一些:</blockquote></p><p> <ul> <li>Cybercriminals can change one line of code to completely change the signature of the virus, and as a result, evade detection. This puts the hacker vs AV battle economics firmly in the favor of the former, because it takes a lot of time and computing resources to detect and confirm a new virus variant.</li> <li>As the number of malicious files grows, so does the signature database. The database resides on the endpoint so as it grows it consumes more disk space, more CPU, and more memory.</li> <li>Immediately after the AV is installed it becomes out of date because there's a continual creation of new viruses and variants of existing viruses. In essence, even the best signature-based AV provides < 100% protection.</li> </ul> To compensate for the < 100% protection, existing and new AV vendors came to the market with tweaks and variations of the signature-based model.</p><p><blockquote><ul><li>网络犯罪分子可以更改一行代码来完全更改病毒的特征,从而逃避检测。这使得黑客vs AV之战经济学坚定地偏向前者,因为检测并确认一种新病毒变种需要花费大量时间和计算资源。</li><li>随着恶意文件数量的增长,签名数据库也在增长。数据库驻留在端点上,因此随着它的增长,它会消耗更多的磁盘空间、更多的CPU和更多的内存。</li><li>反病毒软件安装后,它立即变得过时,因为新病毒和现有病毒的变种不断产生。本质上,即使是最好的基于签名的AV也能提供<100%的保护。</li></ul>为了补偿<100%的保护,现有的和新的反病毒供应商带着基于签名的模型的调整和变化进入市场。</blockquote></p><p> During the 1990s and 2000s, the early attempts to make up for the weaknesses of signature-based AV included:</p><p><blockquote>在20世纪90年代和21世纪初,弥补基于签名的AV弱点的早期尝试包括:</blockquote></p><p> <ul> <li>Firewall vendors such as Check Point Software(NASDAQ:CHKP), F5 Networks(NASDAQ:FFIV), and Fortinet(NASDAQ:FTNT)leveraged their dominant status within the corporate network to improve signature-based AV solutions. They used their deep packet inspection capabilities at the gateway of the network to inspect inbound data packets transmitting the malicious files as well as outbound connections triggered by the virus. This added more context to help sniff out the malicious inbound files and attempts to exfiltrate data.</li> <li>Bit9, founded in 2003, (later renamed Carbon Black and now acquired by VMware) introduced app whitelisting, whereby only authorized apps are allowed to run. This turned out to be highly restrictive and unproductive as apps change and upgrade rapidly.</li> <li>FireEye(NASDAQ:FEYE), founded in 2004, introduced sandboxing, whereby an unknown suspicious app or file would be executed in an isolated environment and monitored closely for any malicious activity. Although game-changing at the time, its effectiveness didn’t last long because hackers found ways to detect the sandbox environment to then trigger the virus into stealth mode and continue the attack at a later point in time.</li> </ul> Collectively, these attempts, while lacking sustainability, did an alright job at filling in the gaps, and generally speaking, provided adequate protection during the 1990s and 2000s.</p><p><blockquote><ul><li>Check Point Software(纳斯达克:CHKP)、F5 Networks(纳斯达克:FFIV)和Fortinet(纳斯达克:FTNT)等防火墙供应商利用其在企业网络中的主导地位来改进基于签名的AV解决方案。他们使用网络网关的深度数据包检查功能来检查传输恶意文件的入站数据包以及由病毒触发的出站连接。这增加了更多的上下文来帮助嗅出恶意的入站文件和泄露数据的尝试。</li><li>成立于2003年的Bit9(后来更名为Carbon Black,现已被VMware收购)引入了应用白名单,只有授权的应用才允许运行。随着应用程序的快速变化和升级,这被证明是高度限制性和低效的。</li><li>FireEye(纳斯达克:FEYE)成立于2004年,引入了沙盒,通过沙盒,未知的可疑应用程序或文件将在隔离的环境中执行,并密切监控任何恶意活动。尽管在当时改变了游戏规则,但它的有效性并没有持续多久,因为黑客找到了检测沙盒环境的方法,然后触发病毒进入隐形模式,并在稍后的时间点继续攻击。</li></ul>总的来说,这些尝试虽然缺乏可持续性,但在填补空白方面做得很好,总的来说,在20世纪90年代和21世纪初提供了足够的保护。</blockquote></p><p> Things changed, however, at the dawn of the iPhone in 2007. As the attack surface expanded so did the attack cadence, and computing experienced an exponential rise in the variety of viruses and the signatures connected to those viruses. The number of forms in which a virus would reside pre-execution also proliferated – scripts (code)began appearing in website photos, PDF add-ons, Excel VBA, and many other forms, waiting to be triggered.</p><p><blockquote>然而,在2007年iPhone问世时,情况发生了变化。随着攻击面的扩大,攻击节奏也随之扩大,计算机的病毒种类和与这些病毒相关的特征也呈指数级增长。病毒在执行前驻留的形式也在激增——脚本(代码)开始出现在网站照片、PDF插件、Excel VBA和许多其他形式中,等待被触发。</blockquote></p><p> On the whole, signature-based AV has proven not to scale very well and in the modern computing landscape does not provide adequate protection.</p><p><blockquote>总的来说,基于签名的AV已被证明不是很好地扩展,并且在现代计算环境中不能提供足够的保护。</blockquote></p><p> <b>Next-Gen AV</b></p><p><blockquote><b>下一代AV</b></blockquote></p><p> From 2007 to 2013, a new wave of AV startups emerged with a novel approach to AV. Some Next-Gen AV [NGAV] startups focused on the EPP [Endpoint Protection] – still aiming to perform the prevention, detection, and response on the end-user device itself, but by using static AI techniques to obviate the need for a signature database. Other NGAV startups focused on the EDR [Endpoint Detection and Response] side - whereby most of the protection was delivered via the cloud and therefore the EPP software component could be lightweight and serve merely as a sensor rather than an agent that can perform the full requirements of AV.</p><p><blockquote>从2007年到2013年,新一波AV创业公司以一种新颖的AV方式出现。一些下一代AV[NGAV]初创公司专注于EPP[端点保护]——仍然旨在在最终用户设备本身上执行预防、检测和响应,但通过使用静态人工智能技术来消除对签名数据库的需求。其他NGAV初创公司专注于EDR【端点检测和响应】方面——其中大部分保护是通过云提供的,因此EPP软件组件可以是轻量级的,仅充当传感器,而不是可以执行AV全部要求的代理。</blockquote></p><p> There are pros and cons to singularly focusing on either EPP or EDR. EPP avoids the shortcomings of signature databases, however, by running static AI on the endpoint without the big picture from the cloud, it's less flexible and less effective over the long term. EDR maintains the complete global threat picture because it’s powered by the cloud, but the downside is the deluge of data is overwhelming for security analysts and leads to many false alerts.</p><p><blockquote>单独关注EPP或EDR有利也有弊。EPP避免了签名数据库的缺点,但是,通过在端点上运行静态人工智能,而没有来自云的大局,从长远来看,它的灵活性和效率都较低。EDR维护了完整的全球威胁图景,因为它是由云驱动的,但缺点是大量的数据让安全分析师不知所措,并导致许多错误警报。</blockquote></p><p> As the shortcomings of EPP and EDR became increasingly apparent, NGAV vendors began to shift along the EPP/EDR spectrum to improve their products. The screenshot taken from S’s demo presentation summarizes the direction the vendors and the market moved from 2014 through to 2019.</p><p><blockquote>随着EPP和EDR的缺点越来越明显,NGAV供应商开始沿着EPP/EDR频谱转移以改进他们的产品。取自S演示演示的截图总结了供应商和市场从2014年到2019年的发展方向。</blockquote></p><p> <i>Figure2- Market Shifts: EPP vs EDR</i></p><p><blockquote><i>图2-市场变化:EPP与EDR</i></blockquote></p><p> <p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/dd7cfc885dd56210dffb2212159d7ac3\" tg-width=\"505\" tg-height=\"280\" referrerpolicy=\"no-referrer\"><span>Source: youtube.com</span></p><p><blockquote><p class=\"t-img-caption\"><span>来源:youtube.com</span></p></blockquote></p><p></p><p> XDR [Extended Detection & Response], first coined by Nir Zuk of Palo Alto Networks(NYSE:PANW)in 2018, is now the latest technology that leading vendors are striving toward. It blends EPP and EDR together whilst also adding SOAR [Security Orchestration, Automation & Response], SIEM [Security Information & Event Management], and NTA [Network Traffic Analysis]. The objective of XDR is to collect and correlate data from endpoints, network points, servers, cloud workloads, and emails to enhance detection capabilities and improve protection whilst also increasing productivity and lowering the overall cost of security software ownership.</p><p><blockquote>XDR(扩展检测和响应)由Palo Alto Networks(纽约证券交易所代码:PANW)的Nir Zuk于2018年首次提出,现在是领先供应商努力追求的最新技术。它将EPP和EDR融合在一起,同时还添加了SOAR【安全编排、自动化和响应】、SIEM【安全信息和事件管理】和NTA【网络流量分析】。XDR的目标是从端点、网络点、服务器、云工作负载和电子邮件收集和关联数据,以增强检测能力和改善保护,同时提高工作效率并降低安全软件拥有的总体成本。</blockquote></p><p> <b>CrowdStrike Intro</b></p><p><blockquote><b>CrowdStrike简介</b></blockquote></p><p> CRWD, founded in 2011, came to the market with EDR, which at the time was a radical approach to AV. Instead of destroying malicious files with AV software residing on the device, CRWD destroyed them from the cloud.</p><p><blockquote>CRWD成立于2011年,与EDR一起进入市场,这在当时是一种激进的AV方法。CRWD没有销毁设备上带有反病毒软件的恶意文件,而是从云端销毁了它们。</blockquote></p><p> They achieved this by having a super lightweight sensor with no database [consuming only 35 MB of storage space whereas signature-based AV can consume 4GB] installed on the endpoint. This sensor continually collects the logs (activities) related to the files on the device (i.e., what files are downloaded, open, from where, how, what time, what recent patches have been made?) and sends this telemetry data to the CRWD cloud. CRWD analysts collect this data from all CRWD devices and check it against a giant signature database in the cloud looking for matches in techniques. For example, the CRWD database contains a previous technique whereby opening a file from IP address 1.1.1.1 executed XXX.exe which was a piece of malware. As CRWD analysts recognize this technique being used again, they will block it, gather more intel, delete the file from the cloud, and share the insight across all endpoints.</p><p><blockquote>他们通过在终端上安装无数据库的超轻量级传感器(仅消耗35 MB的存储空间,而基于签名的AV可以消耗4GB)来实现这一目标。该传感器持续收集与设备上的文件相关的日志(活动)(即,下载了哪些文件、打开了哪些文件、从哪里、如何、什么时间、最近制作了哪些补丁?)并将这些遥测数据发送到CRWD云。CRWD分析师从所有CRWD设备收集这些数据,并将其与云中的一个巨大签名数据库进行检查,以寻找技术上的匹配。例如,CRWD数据库包含一种以前的技术,通过这种技术,从IP地址1.1.1.1打开文件会执行XXX.exe,这是一种恶意软件。当CRWD分析师意识到这种技术再次被使用时,他们将阻止它,收集更多情报,从云中删除文件,并在所有终端共享洞察力。</blockquote></p><p> However, it should be noted that while CRWD can detect a potential virus within seconds, it doesn’t complete its response and eliminate the threat until hours later. The complex nature of EDR delivers a high number of false alerts that need to be investigated by a client organization's analysts and CRWD's analysts alike. Therefore, CRWD does take considerably longer to completely eliminate the threat. However, they're able to contain the spread of the threat until a full investigation is complete. S, on the other hand, can detect<i>and</i>respond within seconds thanks to its greater degree of automation and hybrid EPP/EDR approach.</p><p><blockquote>然而,应该注意的是,虽然CRWD可以在几秒钟内检测到潜在的病毒,但它直到几个小时后才完成响应并消除威胁。EDR的复杂性带来了大量错误警报,需要由客户组织的分析师和CRWD的分析师进行调查。因此,CRWD确实需要相当长的时间才能完全消除威胁。然而,他们能够遏制威胁的蔓延,直到全面调查完成。另一方面,S可以检测到<i>和</i>得益于其更高程度的自动化和混合EPP/EDR方法,可在几秒钟内做出响应。</blockquote></p><p> The key benefit of this approach is that there are no constraints on the size of the database, as it’s located in a centralized cloud. Moreover, this EDR approach obviates the need to periodically push out software updates to the endpoints to include the latest signature database, again because the database is located in the cloud. The other benefit is that the aggregated threat hunting ensures new viruses and variants and attack methods are identified faster. In essence, this AV model makes the front-end software simple and light [collecting evidence] and makes the back-end operations complex, detailed, and shared across all devices - generating insights for all. The essence of EDR is to restrain from doing early prevention, and instead wait, observe, and collect more intel regarding the threats, and respond accordingly. And this approach inspired the name of CRWD’s flagship platform Falcon.</p><p><blockquote>这种方法的主要好处是对数据库的大小没有限制,因为它位于集中式云中。此外,这种EDR方法消除了定期向端点推出软件更新以包括最新签名数据库的需要,这也是因为数据库位于云中。另一个好处是,聚合威胁搜索可确保更快地识别新病毒和变种以及攻击方法。从本质上讲,这种AV模型使前端软件变得简单而轻便【收集证据】,并使后端操作变得复杂、详细,并在所有设备上共享——为所有人生成见解。EDR的本质是避免做早期预防,而是等待、观察和收集更多关于威胁的情报,并做出相应的反应。这种方法启发了CRWD旗舰平台Falcon的名称。</blockquote></p><p> <b>SentinelOne Intro</b></p><p><blockquote><b>哨兵介绍</b></blockquote></p><p> S, founded in 2013, is the youngest among established NGAV vendors, and this gives it a great last-mover advantage. Instead of heavily focusing on EDR or EPP, S has utilized them both to cover all major aspects of the endpoint security to deliver the so-called XDR. Similar to CRWD, S deploys a lightweight software agent with no database on the endpoint [200 MB of disk space]. It does more than CRWD’s sensor, however. It runs static AI to establish baseline file and device behavior in which to identify anomalous activity, relating to when the file was received and how long the file was open, for example. If the file passes the rigors of static AI analysis, the user is allowed to use the file but the agent will continue to monitor closely. The agent will apply a more dynamic AI to detect any suspicious lateral movement emanating from the file – e.g., when Word opened it triggered PowerShell to open, or a command is triggered to reach out to the Internet. At any point the agent determines there's malicious activity, it will kill the virus and clean up the environment. It's this level of autonomous capability in the EPP that differentiates S from other NGAV vendors.</p><p><blockquote>S成立于2013年,是老牌NGAV供应商中最年轻的,这使其具有巨大的后发优势。S没有重点关注EDR或EPP,而是利用它们来涵盖端点安全的所有主要方面,以提供所谓的XDR。与CRWD类似,S部署了一个轻量级软件代理,在端点上没有数据库【200 MB磁盘空间】。然而,它比CRWD的传感器做得更多。它运行静态AI来建立基线文件和设备行为,以识别异常活动,例如与文件何时被接收以及文件打开多长时间有关。如果文件通过了静态人工智能分析的严格要求,用户将被允许使用该文件,但代理将继续密切监控。代理将应用更动态的人工智能来检测文件发出的任何可疑横向移动,例如,当Word打开时,它会触发PowerShell打开,或者触发命令来访问互联网。在任何时候,代理确定存在恶意活动,它都会杀死病毒并清理环境。正是EPP中这种级别的自主能力将S与其他NGAV供应商区分开来。</blockquote></p><p></p><p> Despite the sophistication of such AI-powered detection methods, some types of malwares can still evade detection. Polymorphic malware variants change their own features, such as file names and hashes, to bypass detection methods. Techniques such as code obfuscation make malicious code hard to find and/or understand. Therefore, some threats manage to bypass the front-end, or EPP, defenses, necessitating the need for EDR.</p><p><blockquote>尽管这种人工智能检测方法非常复杂,但某些类型的恶意软件仍然可以逃避检测。多态恶意软件变体改变自己的特征,如文件名和哈希,以绕过检测方法。诸如代码混淆的技术使得恶意代码难以被发现和/或理解。因此,一些威胁设法绕过前端或EPP防御,因此需要EDR。</blockquote></p><p> Similar to CRWD, S utilizes back-end, or EDR, for deeper visibility threat hunting. The data collected is used by both S’s own analysts for global threat hunting,<i>and</i>its clients’ analysts working in Security Operation Centers [SOC]. On the EDR side, compared to CRWD the key differentiator is that S uses a \"story\" technique to add more context relevancy which leads to fewer alerts for analysts to handle. S have named this ‘story’ technique TrueContext ID.</p><p><blockquote>与CRWD类似,S利用后端或EDR进行更深入的可见性威胁搜索。收集的数据被两个S自己的分析师用于全球威胁搜寻,<i>和</i>其客户的分析师在安全运营中心[SOC]工作。在EDR方面,与CRWD相比,关键的区别在于S使用“故事”技术来添加更多的上下文相关性,从而减少分析师需要处理的警报。我们将这种“故事”技术命名为TrueContext ID。</blockquote></p><p> Taken from an S demo presentation, the screenshot below compares TrueContext ID to previous context-building techniques - Indicators of Compromise [IOC] and Indicators of Attack [IOA] – and the more typical existing EDR solutions – Tactics, Techniques & Procedures [TTP]. The slide uses the analogy of piecing together the description of a person to illustrate piecing together the description of a malicious action.</p><p><blockquote>下面的屏幕截图取自S演示演示,将TrueContext ID与以前的上下文构建技术(危害指标[IOC]和攻击指标[IOA])以及更典型的现有EDR解决方案(策略、技术和程序[TTP])进行了比较。该幻灯片使用拼凑一个人的描述的类比来说明拼凑一个恶意行为的描述。</blockquote></p><p> Figure 3 - Comparing TrueContext ID to Typical EDR Methods</p><p><blockquote>图3-TrueContext ID与典型EDR方法的比较</blockquote></p><p> <p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/e1fe08039bb960fee41b415e31c6d06e\" tg-width=\"544\" tg-height=\"293\" referrerpolicy=\"no-referrer\"><span>Source: youtube.com</span></p><p><blockquote><p class=\"t-img-caption\"><span>来源:youtube.com</span></p></blockquote></p><p> IOCs look like random descriptors that would need substantial effort to comprehend. IOAs are slightly more organized but still require effort to form the full picture. TTPs actually describe the bad action and offer useful context but don’t explain what happened before that led to the bad action. TrueContext ID takes it a whole level further by not just describing the traits of the bad action but also puts together a story of the events that led to the bad action – the DNA strand implies it knows everything about a given action.</p><p><blockquote>IOC看起来像随机描述符,需要大量的努力才能理解。IOAs稍微更有组织性,但仍然需要努力形成完整的画面。TTP实际上描述了不良行为,并提供了有用的背景,但没有解释导致不良行为之前发生的事情。TrueContext ID更进一步,不仅描述了不良行为的特征,还整理了导致不良行为的事件的故事——DNA链意味着它知道关于给定行为的一切。</blockquote></p><p> For example, there has been a connection made to an external FTP server [a server for transferring files] >>> this links back to some registry files that were archived in a new hard drive location >>> this links back to an unusual command-line execution in PowerShell >>> it transpires that the opening of PowerShell was triggered by the opening of an Office document >>> deeper analysis indicates the document contained a brand-new unknown virus >>> did the user single or double click it or did it download automatically? >>> where did it come from? >>> did it come from an email or a USB drive? >>> is the email address and source IP address associated with previous malicious activity? >>> or, when was the USB drive inserted on the device?</p><p><blockquote>例如,已经连接到外部FTP服务器【用于传输文件的服务器】>>>这链接回一些存档在新硬盘位置的注册表文件>>>这链接回PowerShell中不寻常的命令行执行>>>原来PowerShell的打开是由Office文档的打开触发的>>>更深入的分析表明该文档包含全新的未知病毒>>>用户是单击还是双击还是自动下载?它是从哪里来的?>>>它来自电子邮件还是USB驱动器?>>>电子邮件地址和源IP地址是否与以前的恶意活动相关联?>>>或者,USB驱动器是什么时候插入设备的?</blockquote></p><p> The above example shows a bad actor attempting to transfer a copy of the critical OS files [registry files], perhaps to learn more about the target organization in order to plan a devastating future attack, or something more imminent. TrueContext ID connects all the data points from the static and dynamic AI detection methods and synthesizes them with its own globally collated intelligence to string together a timeline of sequential events. And this is presented to SOC analysts either in tabular or graphical form. Putting together a chain of events like this ensures only relevant context is presented, which radically reduces the number of alerts and enables swift investigation and remediation.</p><p><blockquote>上面的示例显示了一个不良行为者试图传输关键操作系统文件[注册表文件]的副本,可能是为了了解有关目标组织的更多信息,以便计划未来的毁灭性攻击或更迫在眉睫的攻击。TrueContext ID连接了来自静态和动态AI检测方法的所有数据点,并将它们与自己的全局整理智能进行合成,以将连续事件的时间线串在一起。这以表格或图形的形式呈现给SOC分析师。将这样的一系列事件放在一起可以确保只呈现相关的上下文,从而从根本上减少警报的数量,并实现快速调查和补救。</blockquote></p><p> CRWD investors and advocates may be somewhat confused as to why S’s storing techniques are a technical competitive advantage. Indeed, CRWD has an event timelining feature that is core to their EDR solution – they refer to it as \"maps.\" However, generally, a client organization’s SOC analysts need to be tier 2 or 3 certified for using CRWD’s Falcon EDR solution – one reason for this being the high number of false alerts that an analyst needs to navigate, which is far easier for the more experienced.</p><p><blockquote>CRWD的投资者和倡导者可能有些困惑,为什么S的存储技术是一种技术竞争优势。事实上,CRWD有一个事件时间线功能,这是他们EDR解决方案的核心——他们称之为“地图”。然而,一般来说,客户组织的SOC分析师需要获得2级或3级认证才能使用CRWD的Falcon EDR解决方案,原因之一是分析师需要处理大量错误警报,这对于更有经验的人来说要容易得多。</blockquote></p><p> If a client organization doesn’t have a SOC team and hence cannot conduct the threat investigation on CRWD and leverage its EDR component, then they can just run it and let it handle things by the default settings or use the MDR [Managed Detection & Response] option whereupon CRWD experts will do the legwork. But when it comes to SOC operations, S’s storing technique appears to have an edge over CRWD because it radically reduces the alerts and false positives and, on the whole, makes life easier for SOC analysts.</p><p><blockquote>如果客户组织没有SOC团队,因此无法对CRWD进行威胁调查并利用其EDR组件,那么他们可以运行它,让它按照默认设置处理事情,或者使用MDR【托管检测和响应】选项,CRWD专家将进行跑腿工作。但在SOC操作方面,S的存储技术似乎比CRWD更有优势,因为它从根本上减少了警报和误报,总体而言,使SOC分析师的生活更加轻松。</blockquote></p><p></p><p> To summarize, S can deliver fully automated detection, response, and system recovery all within the EPP software itself, but also has the EDR-based TrueContext ID technology that can catch more sophisticated attacks and help SOC analysts triage with far fewer false positive alerts. With this in mind, it appears that S has the edge over CRWD on both the EPP and EDR sides of the market. Moreover, as we’ll show in the presentation of MITRE ATT&CK performance results, S’s out-of-the-box solution that leverages greater automation is likely to offer greater scalability than CRWD’s. We think this greater scalability is shining through in the recent 2Q22 results whereby S generated 127% YoY growth.</p><p><blockquote>总而言之,S可以在EPP软件本身中提供全自动检测、响应和系统恢复,而且还具有基于EDR的TrueContext ID技术,可以捕获更复杂的攻击,并帮助SOC分析师以更少的误报进行分类。考虑到这一点,S似乎在市场的EPP和EDR方面都比CRWD有优势。此外,正如我们将在MITRE ATT&CK性能结果演示中展示的那样,S的开箱即用解决方案利用了更高的自动化,可能会提供比CRWD更大的可扩展性。我们认为这种更大的可扩展性在最近的2022年第二季度业绩中得到了体现,S同比增长了127%。</blockquote></p><p> <b>Key Differences Between S and CRWD</b></p><p><blockquote><b>S和CRWD之间的主要区别</b></blockquote></p><p> We’ve listed 11 aspects of endpoint protection whereupon S and CRWD differ by substantial margins. And it may seem overly biased [though we don’t have a position in S yet], but all 11 aspects are in favor of S outcompeting CRWD. We’ll elaborate on a few of these in the following sections.</p><p><blockquote>我们已经列出了端点保护的11个方面,S和CRWD有很大的不同。这可能看起来过于偏颇【尽管我们还没有在S中的地位】,但所有11个方面都有利于S超越CRWD。我们将在下面的章节中详细介绍其中的一些。</blockquote></p><p> <p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/8e23001654d05cb1774d7adce7ed7e1c\" tg-width=\"573\" tg-height=\"253\" referrerpolicy=\"no-referrer\"><span>Source: Convequity</span></p><p><blockquote><p class=\"t-img-caption\"><span>来源:Convequity</span></p></blockquote></p><p> Brains of Software</p><p><blockquote>软件的大脑</blockquote></p><p> <b>CRWD</b>: As already alluded, the brain of CRWD is in the cloud only and utilizes EDR to understand the global landscape of threats. The very nature of this cloud-based EDR approach requires the computation of petabytes of data that quickly detects potential threats but also generates large numbers of false alerts. The notion of the false alert volumes necessitates the need for thorough investigation which is why the response time takes hours instead of seconds. Ultimately, CRWD’s approach is rather labour-intensive but is still more autonomous than legacy signature-based AV.</p><p><blockquote><b>CRWD</b>:正如已经提到的,CRWD的大脑仅在云中,并利用EDR来了解全球威胁格局。这种基于云的EDR方法的本质需要计算Pb的数据,这些数据可以快速检测潜在威胁,但也会产生大量错误警报。错误警报量的概念需要彻底的调查,这就是为什么响应时间需要几个小时而不是几秒钟。最终,CRWD的方法是相当劳动密集型的,但仍然比传统的基于签名的AV更加自主。</blockquote></p><p> <b>S</b>: The brain of S is in a hybrid form that utilizes both automation and AI in the front-end EPP and cloud-powered global intel in the back-end EDR, and blends the two harmoniously together. The storying technique applied in TrueContext ID radically reduces the number of alerts and the manual investigation for the EDR side of operations. So, as aforementioned, for the high majority of threats, this results in full automated response and recovery [system cleanup] within seconds, and results in relatively less manpower requirements [versus CRWD] for the more sophisticated attacks. Moreover, S can work offline and catch the majority of threats whereas CRWD must be connected online to work.</p><p><blockquote><b>S</b>:S的大脑是一种混合形式,在前端EPP中利用自动化和人工智能,在后端EDR中利用云驱动的全球英特尔,并将两者和谐地融合在一起。TrueContext ID中应用的故事技术从根本上减少了EDR操作方面的警报和手动调查数量。因此,如上所述,对于大多数威胁,这会在几秒钟内实现全自动响应和恢复【系统清理】,并且对于更复杂的攻击,相对于CRWD,人力需求相对较少。此外,S可以离线工作并捕获大多数威胁,而CRWD必须在线连接才能工作。</blockquote></p><p> <b>Operation of AV</b></p><p><blockquote><b>AV操作</b></blockquote></p><p> We’ve already touched on S’s software being highly autonomous while CRWD’s software requires human experts to be effective. This contrast offers an apt segue into taking a look at which approach is ultimately more effective. So, we’ll use this section to review the MITRE ATT&CK endpoint protection test results.</p><p><blockquote>我们已经提到S的软件是高度自主的,而CRWD的软件需要人类专家才能有效。这种对比提供了一个恰当的切入点,让我们来看看哪种方法最终更有效。因此,我们将使用本节来回顾米特ATT&CK端点保护测试结果。</blockquote></p><p> MITRE is an independent, federally funded, not-for-profit R&D organization that periodically performs attacks against leading security vendors’ software solutions. MITRE has long been the authority in cybersecurity testing, and in 2018, they launched the MITRE ATT&CK Evaluations, where MITRE evaluates the efficacy of cybersecurity products. S, CRWD, and PANW participated in the series of tests (2019, 2020, and 2021) and we’ll present the two most recent.</p><p><blockquote>MITRE是一个独立的、由联邦政府资助的非营利性研发组织,定期对领先的安全供应商的软件解决方案进行攻击。MITRE长期以来一直是网络安全测试的权威,2018年,他们推出了MITRE ATT&CK评估,MITRE评估网络安全产品的功效。S、CRWD和PANW参与了一系列测试(2019年、2020年和2021年),我们将介绍最近的两项测试。</blockquote></p><p> In the MITRE ATT&CK tests, vendors are assessed on how effective they are in stopping tactics and techniques. A Tactic is a bad actor’s objective – for example, to acquire a username and password, acquire remote control of the system, or exfiltrate data. A Technique is a method deployed to achieve the objective – for example, cross-site scripting [taking advantage of website vulnerabilities to lure victims into submitting their login details]. There are usually several techniques included in each tactic.</p><p><blockquote>在米特ATT&CK测试中,供应商将根据他们在阻止策略和技术方面的有效性进行评估。战术是坏人的目标——例如,获取用户名和密码、获得系统的远程控制或泄露数据。技术是为实现目标而部署的一种方法,例如,跨站点脚本【利用网站漏洞引诱受害者提交其登录详细信息】。每种战术通常都包含几种技术。</blockquote></p><p> Figure 4 - Tactics & Techniques</p><p><blockquote>图4-战术和技术</blockquote></p><p> <p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/22780f1dd68425ed1bd3bf6ea164e17d\" tg-width=\"640\" tg-height=\"251\" referrerpolicy=\"no-referrer\"><span>Source: medium.com</span></p><p><blockquote><p class=\"t-img-caption\"><span>来源:medium.com</span></p></blockquote></p><p> Rather confusingly to the layman, MITRE presents the performance results in references to Steps and Substeps instead of Tactics and Techniques. So, for high-level knowledge purposes, Steps are closely associated with Tactics and Substeps are closely associated with Techniques. The following diagram from SentinelOne is useful to solidify the levels of detections.</p><p><blockquote>令外行人相当困惑的是,MITRE在引用步骤和子步骤而不是策略和技术时呈现了性能结果。因此,对于高层次的知识目的,步骤与战术密切相关,子步骤与技术密切相关。SentinelOne的下图有助于巩固检测水平。</blockquote></p><p> Figure 5 - Analytic Detections: Tactics/Steps and Techniques/Substeps</p><p><blockquote>图5-分析检测:策略/步骤和技术/子步骤</blockquote></p><p> <p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/1c271214a738c15e65d44d3a2fcf7800\" tg-width=\"640\" tg-height=\"272\" referrerpolicy=\"no-referrer\"><span>Source: SentinelOne on YouTube, Convequity modification</span></p><p><blockquote><p class=\"t-img-caption\"><span>资料来源:YouTube上的SentinelOne,对流修改</span></p></blockquote></p><p></p><p> The 2020 test results [based on techniques from APT29, a hacker group linked to Russian intelligence agencies] are shown below. The first chart shown shows that S led the pack in regards to overall detections, aka Substeps. The chart shows the number of detections out of the 135 Substeps for each vendor.</p><p><blockquote>2020年的测试结果[基于与俄罗斯情报机构有联系的黑客组织APT29的技术]如下所示。显示的第一个图表显示,S在整体检测(也称为子步骤)方面领先。该图表显示了每个供应商的135个子步骤中的检测数量。</blockquote></p><p> Figure 6 – MITRE ATT&CK 2020 Performance Result: Total Detections</p><p><blockquote>图6-MITRE ATT&CK 2020性能结果:总检测量</blockquote></p><p> <p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/f2e9e22cd5dadfe733a41b4d89f36776\" tg-width=\"541\" tg-height=\"384\" referrerpolicy=\"no-referrer\"><span>Source: elastic.co/blog/</span></p><p><blockquote><p class=\"t-img-caption\"><span>来源:elastic.co/blog/</span></p></blockquote></p><p> The next two charts show the Tactic and Technique detections for the MITRE AV test. As a gentle reminder, Tactics are closely associated with Steps and Techniques are associated with Substeps.</p><p><blockquote>接下来的两个图表显示了MITRE AV测试的战术和技术检测。作为一个温和的提醒,战术与步骤密切相关,技术与子步骤相关。</blockquote></p><p> Figure 7 - MITRE ATT&CK 2020 Performance Result: Tactic and Technique Detections</p><p><blockquote>图7-MITRE ATT&CK 2020性能结果:战术和技术检测</blockquote></p><p> <p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/d3c4d692af2713c6fe0b234c68a23cec\" tg-width=\"640\" tg-height=\"284\" referrerpolicy=\"no-referrer\"><span>Source: elastic.co/blog/</span></p><p><blockquote><p class=\"t-img-caption\"><span>来源:elastic.co/blog/</span></p></blockquote></p><p> Observing that S had the best performance in Tactic detections and the second-best performance in Technique detections, aligns with the storing capability of TrueContext ID. A Tactic is a Step or objective, such as data exfiltration. A Technique is a Substep or method which is one of the Substeps required to achieve the Tactic, such as connecting to an external server in the exfiltration example. TrueContext ID has been designed to provide both high-level and granular detail of each attack, and therefore, it’s understandable as to why S has performed the best across Tactics and Techniques.</p><p><blockquote>观察到S在战术检测中具有最好的性能,在技术检测中具有第二好的性能,这与TrueContext ID的存储能力一致。战术是一个步骤或目标,如数据泄露。技术是子步骤或方法,其是实现策略所需的子步骤之一,例如在渗透示例中连接到外部服务器。TrueContext ID旨在提供每次攻击的高级和精细细节,因此,可以理解为什么S在战术和技术方面表现最好。</blockquote></p><p> Interestingly, the performance rankings in the following year [2021] are very similar. In the 2020 test, it looks like CRWD detected a total of c. 115 Substeps versus S’s c. 130. And in 2021 it looks like CRWD detected c. 150 versus S detecting c. 175. So, the ratio is very similar between the two rivals in both years.</p><p><blockquote>有趣的是,次年[2021年]的业绩排名非常相似。在2020年的测试中,看起来CRWD总共检测到了c。115子步骤与s的c。130.2021年,CRWD似乎检测到了c。150对S检测c。175.因此,这两个竞争对手在这两年的比率非常相似。</blockquote></p><p> Figure 8 - MITRE ATT&CK 2021 Performance Result: Total Detections</p><p><blockquote>图8-MITRE ATT&CK 2021性能结果:总检测量</blockquote></p><p> <p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/9f3bfc1ecc4575acfb81df5fa624348e\" tg-width=\"640\" tg-height=\"320\" referrerpolicy=\"no-referrer\"><span>Source: elastic.co/blog/</span></p><p><blockquote><p class=\"t-img-caption\"><span>来源:elastic.co/blog/</span></p></blockquote></p><p> It would be hard to dispute that S has a better performing AV than CRWD based on the results presented in the previous charts. Though what creates further distance between S and CRWD are the configuration changes made by the vendors before MITRE conducted its test – which we’ll cover next.</p><p><blockquote>根据前面图表中给出的结果,很难否认S的AV性能比CRWD更好。尽管在MITRE进行测试之前供应商所做的配置更改在S和CRWD之间造成了更大的距离——我们将在接下来介绍。</blockquote></p><p> <b>Deployment</b></p><p><blockquote><b>部署</b></blockquote></p><p> Much of S’s marketing outlines how their software works straight out-of-the-box. This is a common claim in competitive software markets, though in S’s case, it does appear to be largely true.</p><p><blockquote>S的大部分营销概述了他们的软件如何开箱即用。在竞争激烈的软件市场中,这是一种常见的说法,尽管在S的案例中,这似乎在很大程度上是正确的。</blockquote></p><p> The next chart shows how many configurations changes each vendor made in preparation for the 2020 test. S didn’t change anything – their AV software was applied out-of-the-box. CRWD, on the other hand, made 25 tweaks to optimize their AV for the test. This fits in very well with the earlier discussion that CRWD is designed for enterprises with more experienced security analysts [SOC 2 and 3 analysts] – more on this later. These configuration changes also underscore what we’ve outlined in regards to S being way more automated than CRWD. CRWD’s lack of automation means it can’t work out-of-the-box with high effectiveness – the AV has been designed for heavy human involvement.</p><p><blockquote>下图显示了每个供应商在准备2020年测试时所做的配置更改。S没有改变任何东西——他们的反病毒软件是开箱即用的。另一方面,CRWD做了25次调整来优化他们的测试AV。这非常符合之前的讨论,即CRWD是为拥有更有经验的安全分析师[SOC 2和3分析师]的企业设计的——稍后将详细介绍。这些配置变化也强调了我们所概述的S比CRWD更加自动化。CRWD缺乏自动化意味着它无法高效地开箱即用——AV是为大量人工参与而设计的。</blockquote></p><p> Figure 9 - MITRE ATT&CK Configuration Changes for 2020 Test</p><p><blockquote>图9-2020年测试的MITRE ATT&CK配置变化</blockquote></p><p> <p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/f75663784c5d8c76b727e0d5c6fe33a2\" tg-width=\"640\" tg-height=\"336\" referrerpolicy=\"no-referrer\"><span>Source: youtube.com</span></p><p><blockquote><p class=\"t-img-caption\"><span>来源:youtube.com</span></p></blockquote></p><p> So, despite CRWD making 25 tweaks to its AV software versus S’s zero tweaks, the market-leading endpoint protection provider still underperformed S by considerable margins in the MITRE test. And it’s worth reminding ourselves that S will have performed using AI and automation, whilst CRWD will have performed with heavy involvement from its own cloud-based SOC 2/3 analysts. Moreover, to add further context, this is the first test CRWD has participated in wherein it has performed acceptably well – previous tests by MITRE and NSS Labs yielded very poor results for CRWD. When you add these factors together, it really does open up a significant gap in the software capability between S and CRWD.</p><p><blockquote>因此,尽管CRWD对其反病毒软件进行了25次调整,而S的调整为零,但这家市场领先的终端保护提供商在MITRE测试中的表现仍大幅落后于S。值得提醒我们自己的是,S将使用人工智能和自动化来执行,而CRWD将在其自己的基于云的SOC 2/3分析师的大力参与下执行。此外,为了进一步补充,这是CRWD参与的第一次测试,其中它的表现还可以接受——MITRE和NSS实验室之前的测试对CRWD产生了非常差的结果。当你把这些因素加在一起时,它确实在S和CRWD之间的软件能力上打开了一个巨大的差距。</blockquote></p><p> It’s also refreshing to note that PANW also chose not to make any changes, and they achieved a top four overall total detection performance and finished in the top half in the Tactic and Technique components of the test. We’ve reiterated for a long time now that Palo Alto Networks is simply the best at cybersecurity, and considering that endpoint protection isn’t even their core/original expertise, this is a huge testament to that.</p><p><blockquote>同样令人耳目一新的是,PANW也选择不做任何改变,他们实现了前四名的总检测性能,并在测试的战术和技术组件中排名前半。我们长期以来一直重申,Palo Alto Networks是网络安全领域的佼佼者,考虑到终端保护甚至不是他们的核心/原始专业知识,这是对这一点的巨大证明。</blockquote></p><p> <b>Expertise Requirements</b></p><p><blockquote><b>专业知识要求</b></blockquote></p><p></p><p> For SMBs that don’t have a SOC [Security Operations Centre], have relatively simpler security needs, and for some reason may be less of a hacker target, then deploying CRWD in its default settings shouldn’t be much of an issue and is way better than opting for legacy AV. Indeed, a simple deployment across an all-Windows organization is very simple. Alternatively, if an all-Windows SMB has more nuanced security needs but doesn’t have a SOC, then CRWD’s MDR [Managed Detection & Response] service will be deployed and work smoothly with negligible issues. Expertise becomes a consideration in the case where an enterprise with its own SOC [and more complex requirements] and/or non-Windows operating systems (i.e., Linux and/or Mac) wants to install CRWD.</p><p><blockquote>对于没有SOC(安全运营中心)、安全需求相对简单且出于某种原因可能不太成为黑客目标的中小型企业来说,在默认设置中部署CRWD应该不是什么大问题,而且比选择传统反病毒要好得多。事实上,跨所有Windows组织的简单部署非常简单。或者,如果全Windows SMB有更微妙的安全需求,但没有SOC,那么CRWD的MDR【托管检测和响应】服务将被部署并顺利工作,问题可以忽略不计。在拥有自己的SOC【和更复杂的要求】和/或非Windows操作系统(即Linux和/或Mac)的企业想要安装CRWD的情况下,专业知识成为一个考虑因素。</blockquote></p><p> As highlighted in the previous section, to maximize CRWD and protect against a full range of sophisticated attack techniques, substantial configuration tweaks are required. SOC 2 and 3 analysts will comfortably be able to handle this, however, SOC 1 and/or IT generalists will find it difficult and are likely to require assistance or make a mistake. Additionally, a higher-level of expertise is necessary to swiftly navigate through the barrage of alerts received with CRWD. Analysts need to coordinate Falcon with Splunk’s legacy SIEM to correlate data and gain the fullest threat landscape picture [this will eventually change, however, once they fully integrate the Humio acquisition]. Again, this requires a higher-level of expertise – SOC 2 or 3.</p><p><blockquote>正如上一节所强调的,为了最大限度地提高CRWD并防范各种复杂的攻击技术,需要进行大量的配置调整。SOC 2和3分析师将能够轻松处理这一点,但是,SOC 1和/或IT通才会发现这很困难,并且可能需要帮助或犯错误。此外,需要更高水平的专业知识来快速浏览CRWD收到的大量警报。分析师需要将Falcon与Splunk的传统SIEM协调,以关联数据并获得最全面的威胁形势图[然而,一旦他们完全整合了Humio收购,这种情况最终将会改变]。同样,这需要更高水平的专业知识——SOC 2或3。</blockquote></p><p> Then if you add in non-Windows OS, deployment complicates further. Yes, in the past 12 or so months CRWD has better adapted Falcon to Linux and Mac, though a high-level of expertise is required to ensure a smooth deployment following many years of incompatibility issues.</p><p><blockquote>然后,如果您添加非Windows操作系统,部署会变得更加复杂。是的,在过去12个月左右的时间里,CRWD已经更好地将Falcon适应了Linux和Mac,尽管在经历了多年的不兼容问题后,需要高水平的专业知识来确保顺利部署。</blockquote></p><p> So, because of the config changes and the multi-OS environments, typically SOC 2 or 3 analysts are required for the CRWD enterprise use case.</p><p><blockquote>因此,由于配置变化和多操作系统环境,CRWD企业用例通常需要SOC 2或3名分析师。</blockquote></p><p> In contrast, as evident in the MITRE test, S works right out of the box and hence IT generalists can get on fine with it. TrueContext ID - the storing feature - radically reduces the volume of alerts to enable more efficient threat hunting and remediation and hence making for a more user-friendly interface for SOC 1 and IT generalists to get along with. And, S has built its Singularity Platform with Windows, Linux, and Mac in mind right from the outset [a by-product of S’s last-mover advantage and taking more time in R&D before pumping the GTM strategy], delivering feature parity across all platforms – which again, means lower expertise is required to complete a successful multi-OS environment.</p><p><blockquote>相比之下,正如在MITRE测试中显而易见的那样,S开箱即用,因此IT通才可以很好地使用它。TrueContext ID(存储功能)从根本上减少了警报的数量,以实现更有效的威胁搜索和补救,从而为SOC 1和IT通才提供了一个更加用户友好的界面。此外,S从一开始就考虑到了Windows、Linux和Mac构建了Singularity平台【这是S后发优势的副产品,在实施GTM战略之前在R&D花费了更多时间】,在所有平台上提供功能对等——这也意味着完成一个成功的多操作系统环境所需的专业知识更少。</blockquote></p><p> <b>Target Market and Pricing</b></p><p><blockquote><b>目标市场和定价</b></blockquote></p><p> As previously mentioned, CRWD and S can be easily deployed for simple use cases associated with certain SMBs. Where we view S as having a notable larger target market is in the more complicated use cases associated with certain SMBs and enterprises. Taking into account the aforementioned expertise requirements, for complex use cases, S appears as the more attractive solution – by a wide margin. In using S over CRWD, SOC two and three analysts can work with more productivity, and SOC 1 and IT generalists can deploy and manage the software with little hassle. This opens up a wider TAM for S vs. CRWD.</p><p><blockquote>如前所述,CRWD和S可以很容易地部署到与某些SMB相关的简单用例中。我们认为S拥有明显更大的目标市场的地方是与某些中小型企业和企业相关的更复杂的用例。考虑到上述专业知识要求,对于复杂的用例,S似乎是更有吸引力的解决方案——以很大的优势。在使用S over CRWD时,SOC 2和SOC 3分析师可以提高工作效率,SOC 1和IT通才可以轻松部署和管理软件。这为S与CRWD打开了更广泛的TAM。</blockquote></p><p> So, at the low-end of the market, comparing S and CRWD is trivial, because for simple use cases CRWD’s default settings are adequate. But CRWD is expensive. Our research on Reddit forums indicates that CRWD is 2x to 3x more expensive than S, and from this, we infer that CRWD is or will eventually price themselves out of the market segment in which they are most technically competitive.</p><p><blockquote>因此,在低端市场,比较S和CRWD是微不足道的,因为对于简单的用例,CRWD的默认设置就足够了。但是CRWD很贵。我们在Reddit论坛上的研究表明,CRWD比S贵2到3倍,由此我们推断,CRWD正在或最终将自己排除在技术上最具竞争力的细分市场之外。</blockquote></p><p> CRWD maximizes the land-and-expand sales model as aggressively as any other software vendor. They sell the Falcon platform in modules; implementing a bare minimum number of modules in the beginning and then aggressively upselling/cross-selling other modules. Though many of the other modules are a necessity for full protection. Usually, most clients need to bundle together NGAV which is the Falcon Prevent module, EDR which is the Falcon Insight module, and device control which is the Falcon Device Control module. However, in pursuit of greater DBNR [Dollar-based Net Retention], CRWD separated device control into an independent module.</p><p><blockquote>CRWD像任何其他软件供应商一样积极地最大化土地和扩张销售模式。他们以模块形式出售猎鹰平台;开始时实施最少数量的模块,然后积极追加销售/交叉销售其他模块。尽管许多其他模块是全面保护所必需的。通常,大多数客户端需要将NGAV(即Falcon Prevent模块)、EDR(即Falcon Insight模块)和Device Control(即Falcon设备控制模块)捆绑在一起。然而,为了追求更大的DBNR【基于美元的净保留率】,CRWD将设备控制分离成一个独立的模块。</blockquote></p><p> Figure 10 - CRWD's Falcon Platform Modules</p><p><blockquote>图10-CRWD的Falcon平台模块</blockquote></p><p> <p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/c475e910dc1a094d382a08896b76d275\" tg-width=\"633\" tg-height=\"318\" referrerpolicy=\"no-referrer\"><span>Source: CrowdStrike</span></p><p><blockquote><p class=\"t-img-caption\"><span>资料来源:CrowdStrike</span></p></blockquote></p><p> The combined pricing is well beyond the price quote from legacy AV vendors – which is absolutely fine given CRWD is better. Though, according to Reddit forum discussions, those clients that mentioned \"SentinelOne\" to CRWD salespeople immediately received a ~50% discount.</p><p><blockquote>综合定价远远超出了传统AV供应商的报价——考虑到CRWD更好,这绝对没问题。不过,根据Reddit论坛的讨论,那些向CRWD销售人员提到“SentinelOne”的客户立即获得了约50%的折扣。</blockquote></p><p></p><p> CRWD’s module-based land-and-expand ploys are most evident in the immediate quarters post-IPO. A cynical view, but reading between the lines it looks like a nice stock-based compensation booster was at play for the year-end of FY19.</p><p><blockquote>CRWD基于模块的土地和扩张策略在IPO后的几个季度最为明显。这是一种愤世嫉俗的观点,但从字里行间来看,2019财年年底似乎有一个不错的基于股票的薪酬助推器正在发挥作用。</blockquote></p><p> Figure 11 - CRWD's DBNR</p><p><blockquote>图11-CRWD的DBNR</blockquote></p><p> <p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/6cc506dae651f32b97fc0affb3ce4111\" tg-width=\"598\" tg-height=\"240\" referrerpolicy=\"no-referrer\"><span>Source: CrowdStrike</span></p><p><blockquote><p class=\"t-img-caption\"><span>资料来源:CrowdStrike</span></p></blockquote></p><p> In a clear attempt to differentiate and do things better than CRWD, S doesn’t sell individual modules. Instead, it sells its full Singularity Platform as bundles across three tiers – Core, Control, and Complete. It appears that on a like-for-like, S’s bundles are ~30% even after CRWD’s discounts.</p><p><blockquote>为了脱颖而出并比CRWD做得更好,S不销售单个模块。相反,它将其完整的Singularity平台作为三个层次(核心、控制和完整)的捆绑销售。即使在CRWD的折扣之后,S的捆绑包似乎也在30%左右。</blockquote></p><p> Figure 12 - S's Singularity Platform Tiered Bundles</p><p><blockquote>图12-S的奇点平台分层捆绑包</blockquote></p><p> <p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/5c77f334f8f81a839d3022612b73ead9\" tg-width=\"639\" tg-height=\"307\" referrerpolicy=\"no-referrer\"><span>Source: SentinelOne</span></p><p><blockquote><p class=\"t-img-caption\"><span>来源:SentinelOne</span></p></blockquote></p><p> Insincere sales ploys like what CRWD has been doing only last for so long. Eventually, customers catch onto what is happening – evident by discussion on Reddit. And it feels like that day has already come, probably brought to the fore by S’s differentiated bundle pricing.</p><p><blockquote>像CRWD这样不真诚的销售策略只持续了这么久。最终,客户会意识到正在发生的事情——从Reddit上的讨论中可以明显看出这一点。感觉这一天已经到来,可能是由S的差异化捆绑定价带来的。</blockquote></p><p> To summarize, CRWD effectively competes with S on a technical basis at the lower-end of the market involving simple use cases but they are risking pricing themselves out of the market. At the higher-end of the market involving complex use cases, it looks like S is both technically better and more affordable than CRWD. Additionally, S will store logs for a maximum of 365 days whilst CRWD’s max is 90 days. All of this strongly aligns itself with S’s founder and CEO Tomer Weingarten claiming that S wins 70% of head-to-heads with CRWD.</p><p><blockquote>总而言之,CRWD在涉及简单用例的低端市场上在技术基础上与S有效竞争,但他们面临着因定价而被挤出市场的风险。在涉及复杂用例的高端市场中,S似乎在技术上比CRWD更好,而且更实惠。此外,S将最多存储365天的日志,而CRWD的最多存储90天。所有这些都与S的创始人兼首席执行官Tomer Weingarten声称S赢得了与CRWD 70%的正面交锋。</blockquote></p><p> In comparison to CRWD, not only will S’s technical superiority and competitiveness help it penetrate more of the TAM whilst also widening the TAM, being able to deploy in the cloud and on-prem further expands their customer reach vis-à-vis CRWD.</p><p><blockquote>与CRWD相比,S的技术优势和竞争力不仅有助于其渗透更多TAM,同时还扩大了TAM,能够在云端和本地部署进一步扩大了CRWD的客户覆盖范围。</blockquote></p><p> On the whole, S can target a broader market and based on its technical/performance superiority plus aggressive but transparent pricing, can outcompete CRWD in its own TAM.</p><p><blockquote>总体而言,S可以瞄准更广阔的市场,并基于其技术/性能优势加上积极但透明的定价,可以在自己的TAM中击败CRWD。</blockquote></p><p> <b>Architecture</b></p><p><blockquote><b>建筑</b></blockquote></p><p> Before we move onto valuation considerations, we’ll briefly share our views and CRWD’s and S’s software architecture. In all honesty, we can’t find much information related to who has the more modern architecture, but you’ve probably guessed already that we think S has the edge here. The cadence in which both vendors release new features and modules is testament that both operate within advanced microservice architectures. However, we assume, that as CRWD partners with a legacy vendor like Splunk for SIEM and log management, its architecture is probably semi-dated and that there has been an absence of major revamp in recent years. This line of thinking could be kind of validated by the number of years it’s taken for CRWD to overhaul its Mac and Linux sensors.</p><p><blockquote>在我们讨论估值考虑因素之前,我们将简要分享我们的观点以及CRWD和S的软件架构。老实说,我们找不到太多关于谁拥有更现代架构的信息,但您可能已经猜到我们认为S在这里有优势。两家供应商发布新功能和模块的节奏证明了两者都在高级微服务架构中运行。然而,我们假设,由于CRWD与Splunk等传统供应商合作进行SIEM和日志管理,其架构可能是半过时的,并且近年来没有进行重大改造。CRWD大修其Mac和Linux传感器所花费的时间可以验证这种想法。</blockquote></p><p> It’s interesting how in March 2021 CRWD bought Humio for $392m in cash and equity just one month after S bought Scalyr for $155m in cash and equity. This may be reading into things too much, but some may view it as a sign of desperation to shore up an aging architecture and move away from legacy SPLK.</p><p><blockquote>有趣的是,在S以1.55亿美元现金和股权收购Scalyr仅一个月后,CRWD在2021年3月以3.92亿美元现金和股权收购了Humio。这可能是对事情的解读太多了,但有些人可能会认为这是绝望的迹象,以支撑老化的架构并远离传统的SPLK。</blockquote></p><p> Any differences in the modernity of the two NGAV architectures will very likely widen in the coming quarters and years. CRWD is only 14 months older than S, but because it grew early and superfast, it will have accumulated way more technical debt. And issues that come with technical debt will only be amplified as a $60bn company like CRWD needs to continue aggressively expanding its TAM via acquisitions in order to keep the mega growth story alive.</p><p><blockquote>在未来几个季度和几年内,两种NGAV架构的现代性差异很可能会扩大。CRWD只比S大14个月,但由于它增长早且速度超快,它将积累更多的技术债务。随着像CRWD这样价值600亿美元的公司需要继续通过收购积极扩大其TAM,以保持巨大的增长故事,技术债务带来的问题只会被放大。</blockquote></p><p> As all software firms grow, they lose their nimbleness but it will happen a lot sooner to CRWD than it will to S - and this gives another upper hand to S in years to come.</p><p><blockquote>随着所有软件公司的成长,他们会失去灵活性,但CRWD会比S更快地发生这种情况——这让S在未来几年再次占据上风。</blockquote></p><p> <b>S’s Edge Summary</b></p><p><blockquote><b>S的边缘摘要</b></blockquote></p><p> At a high level, the key competitive advantages S has over CRWD can be summarized into four fundamental drivers:</p><p><blockquote>在高层次上,S相对于CRWD的关键竞争优势可以总结为四个基本驱动因素:</blockquote></p><p> <ul> <li>Better product effectiveness.</li> <li>Better user experience.</li> <li>Better pricing.</li> <li>A more scalable business model afforded by a highly automated out-the-box solution.</li> </ul> <b>Valuation Considerations</b></p><p><blockquote><ul><li>更好的产品效果。</li><li>更好的用户体验。</li><li>更好的定价。</li><li>由高度自动化的开箱即用解决方案提供的更具可扩展性的业务模式。</li></ul><b>估值考虑</b></blockquote></p><p> S’s IPO, on June 30, was the highest-valued cybersecurity IPO ever. The stock finished its IPO day 21% up, closing at $42.50/share with a LTM EV/S of 100x. At the time of writing the stock is trading at $68/share with a LTM EV/S of 163x and a NTM EV/S of 92x.</p><p><blockquote>S于6月30日进行的IPO是有史以来估值最高的网络安全IPO。该股IPO当天上涨21%,收于每股42.50美元,LTM EV/S为100倍。截至撰写本文时,该股交易价格为每股68美元,LTM EV/S为163倍,NTM EV/S为92倍。</blockquote></p><p></p><p> Below are some projections going out to FY26. FY22 revenue is anchored to management’s guidance. In the 2Q22 earnings presentation released yesterday, management also gave long-term targets that included a mature gross margin of 75%-80%, hence why we’ve made it so gross margin is 78% in FY26. We’ve used CRWD’s current TTM FCF margin as a rough long-term estimate of S’s in FY26.</p><p><blockquote>以下是对2026财年的一些预测。2022财年收入取决于管理层的指导。在昨天发布的2022年第二季度财报中,管理层还给出了长期目标,其中包括75%-80%的成熟毛利率,因此我们将2026财年的毛利率定为78%。我们使用CRWD当前的TTM FCF利润率作为2026财年S的粗略长期估计。</blockquote></p><p> Guessing the multiple declines is kind of an unchartered territory because of the unprecedented level and sustainability of multiples we’re witnessing in the COVID-era market. Some may argue a decline to a 53x EV/S by FY26 is not steep enough, and that might be right. Though in FY26 we expect revenue to be at similar levels to CRWD’s today and CRWD is currently trading at 56x EV/S. Of course, no macro assessment is being taken into account so please take this exercise with a pinch of salt.</p><p><blockquote>猜测倍数下降是一个未知的领域,因为我们在新冠时代的市场中看到了前所未有的倍数水平和可持续性。有些人可能会认为,到2026财年,EV/S下降到53倍还不够陡峭,这可能是对的。尽管我们预计2026财年的收入将与CRWD目前的水平相似,而且CRWD目前的交易价格为56倍EV/S。当然,没有考虑宏观评估,所以请对这个练习持保留态度。</blockquote></p><p> Figure 13 - Financials & Multiples Projections</p><p><blockquote>图13-财务和倍数预测</blockquote></p><p> <p class=\"t-img-caption\"><img src=\"https://static.tigerbbs.com/b47610548d3c3dd40fbf6fc5d8c66a60\" tg-width=\"640\" tg-height=\"281\" referrerpolicy=\"no-referrer\"><span>Source: Convequity</span></p><p><blockquote><p class=\"t-img-caption\"><span>来源:Convequity</span></p></blockquote></p><p> In the 4.5 years from today to the end of FY26 [fiscal year end 31stJan], if the EV reaches $68bn then S’s stock will deliver a 36% annualized return. So, yes the multiples are insanely high but because of the extreme growth that will presumably remain high for a few years, even a sharp decline in multiples can still deliver sufficient investor returns.</p><p><blockquote>从今天到2026财年结束(1月31日财年结束)的4.5年内,如果电动汽车达到680亿美元,那么S的股票将实现36%的年化回报率。因此,是的,市盈率高得离谱,但由于极端增长可能会在几年内保持高位,即使市盈率急剧下降,仍然可以为投资者带来足够的回报。</blockquote></p><p> CRWD’s LTM EV/S at the close of its IPO day [6thJune 2019] was 47x and it has peaked at c. 70x in Aug-19 and Feb-21. This highlights the richness in S’s current valuation. However, is S still worth an investment at the present time? Well, investors need to be aware of the melt-up and melt-down that has often occurred with high-growth tech IPOs, especially during the past 12-18 months. S could very well follow a similar path and climb much higher before falling down once the lockup period ends [27thDecember, 2021] and early investors can cash in some of their profits. Investors should also note that S employees are allowed to sell 15% of their shares as of 6thOctober 2021. For readers’ information, S’s number of shares in float to number of shares outstanding is just 17% - in contrast, a post lockup stock like CRWD has 86% in float.</p><p><blockquote>CRWD在IPO日(2019年6月6日)结束时的LTM EV/S为47倍,峰值为c。19年8月和21年2月70倍。这凸显了S目前估值的丰富性。然而,目前S还值得投资吗?嗯,投资者需要意识到高增长科技IPO经常发生的熔化和熔化,尤其是在过去12-18个月内。一旦禁售期结束[2021年12月27日],S很可能会遵循类似的路径,在下跌之前攀升得更高,并且早期投资者可以兑现部分利润。投资者还应注意,自2021年10月6日起,S员工可以出售15%的股份。供读者参考,S的流通股数量占已发行股数量的比例仅为17%,相比之下,CRWD等锁定后股票的流通股数量为86%。</blockquote></p><p> Therefore, high-risk tolerant and/or short-term investors may want to consider a long position right now. Longer-term investors may prefer to let the liquidation unravel post Oct-21 and then post Dec-21 before buying shares. A compromise may be to buy a fourth of a position today and opportunistically add to it in the future. Personally, we’re waiting for a correction before opening a position. If the stock corrects c. 25% we’ll probably add half of the total planned allocation and then wait to see what happens after the lockup.</p><p><blockquote>因此,高风险承受能力和/或短期投资者现在可能需要考虑多头头寸。长期投资者可能更愿意让清算在10月21日之后结束,然后在12月21日之后再购买股票。折中的办法可能是今天买入四分之一的头寸,并在未来机会主义地增加。就我个人而言,我们正在等待调整后再建仓。如果股票修正c。25%我们可能会增加计划分配总额的一半,然后等着看锁定后会发生什么。</blockquote></p><p> At first glance S’s extremely negative operating and FCF margins are alarming, but what investors should bear in mind is that S has the edge in technical and performance superiority and therefore they need to capitalize on this edge in the fastest way possible. CRWD is just 14 months older than S but has over 7x more ARR [Annual Recurring Revenue], which illuminates the differences in market approach. CRWD hit the market early and aggressively whilst S spent many years with their primary focus in R&D before focusing on sales and marketing [S&M]. Now S has a refined and market-leading product they need to maximize the GTM strategy as much as they can and catch up the market leader.</p><p><blockquote>乍一看,S极负的营业利润率和自由现金流利润率令人震惊,但投资者应该记住的是,S在技术和性能优势方面具有优势,因此他们需要以最快的方式利用这一优势。CRWD仅比S大14个月,但ARR(年度经常性收入)却高出7倍以上,这说明了市场方法的差异。CRWD很早就积极地进入了市场,而S在专注于销售和营销之前,花了很多年的时间主要专注于R&D【S&M】。现在,S拥有了一款精致且市场领先的产品,他们需要尽可能地最大化GTM战略并赶上市场领导者。</blockquote></p><p> Figure 14 - 1Q22 Margins</p><p><blockquote>图14-2022年第一季度利润率</blockquote></p><p> <img src=\"https://static.tigerbbs.com/f13e4a5a906b763afaa3476b59045597\" tg-width=\"187\" tg-height=\"81\" referrerpolicy=\"no-referrer\"></p><p><blockquote></blockquote></p><p> The current gross margin doesn’t exactly indicate a profitable long-term business model. However, investors should bear in mind that S’s competitiveness, especially in offering 365-day log storage, is a big suppressant at the moment. When S captures a larger share of the market, builds a solid reputation, and fully integrates Scalyr’s novel way of ingesting and storing log data, S can command a greater premium and simultaneously lower cost of revenue, and hence gross margin will rise accordingly. Interestingly, 2Q22 gross margin has already jumped c. 800 basis points since 1Q22, and no doubt the integration of Scalyr will have contributed to this. Throw into the mix that S will more than likely follow CRWD in shifting from cloud to colocation infrastructure once they reach a certain scale, the mature end-state gross margin for S will be close to 80%, in our opinion.</p><p><blockquote>目前的毛利率并不完全表明有利可图的长期商业模式。然而,投资者应该记住,S的竞争力,尤其是在提供365天日志存储方面,目前是一个很大的抑制因素。当S占据更大的市场份额,建立稳固的声誉,并完全集成Scalyr摄取和存储日志数据的新颖方式时,S可以获得更大的溢价,同时降低收入成本,因此毛利率将相应上升。有趣的是,2022年第二季度的毛利率已经跃升了c。自2022年第一季度以来已上涨800个基点,毫无疑问,Scalyr的整合将对此做出贡献。我们认为,一旦达到一定规模,S很可能会跟随CRWD从云转向托管基础设施,S的成熟最终状态毛利率将接近80%。</blockquote></p><p> Irrespective of the trading tactics, we think S has a strong chance to prove to be a good investment, even at the current multiple levels. We’ll list the pros to consider:</p><p><blockquote>无论交易策略如何,我们认为S很有可能被证明是一项不错的投资,即使在当前的多个层面上也是如此。我们将列出需要考虑的优点:</blockquote></p><p></p><p> <ul> <li>Currently, S has very low penetration - FY21 [fiscal year ending 31stJan] generated $93m of revenue and $161m of ARR [Apr-21] - in a market estimated to be worth between $20bn and $30bn by 2025.</li> <li>Similar to what CRWD has done, S will acquire more talent, expand its product’s capabilities, and expand into new markets - the IPO proceeds will go toward these objectives. This will expand an already large TAM for S.</li> <li>As we’ve presented in this report, S is the technical leader in the endpoint protection market. Technical leadership combined with mega aggressive S&M expenditure [110% of revenue vs CRWD’s IPO year of 69% of revenue] will very likely be highly effective.</li> <li>Given the relatively low revenue base ($93m for FY21) and the autonomous, out-the-box nature of S’s AV, we would not be surprised if they regularly exceeded analyst consensus growth expectations (91% for FY22). From c. $100m in FY18, CRWD has grown c. 100% and this is with an AV solution that needs to be customized for many customers. Therefore, NTM growth of 100% is more probable than not, in our opinion – especially, with the S&M aggressiveness.</li> </ul> Of course, stocks such as S pose substantial risks for investors, so we’ll outline some of the cons to consider:</p><p><blockquote><ul><li>目前,S的渗透率非常低——2021财年(截至1月31日的财年)创造了9300万美元的收入和1.61亿美元的ARR【21年4月】——预计到2025年,市场价值将在200亿至300亿美元之间。</li><li>与CRWD所做的类似,S将获得更多人才、扩展其产品功能并扩展到新市场——IPO收益将用于实现这些目标。这将扩展S已经很大的TAM。</li><li>正如我们在本报告中所介绍的,S是终端保护市场的技术领导者。技术领先地位与大规模积极的S&M支出相结合(占收入的110%,而CRWD IPO年度占收入的69%)很可能会非常有效。</li><li>鉴于S的收入基础相对较低(2021财年为9300万美元)以及S的自动驾驶、开箱即用的特性,如果它们经常超出分析师一致的增长预期(2022财年为91%),我们不会感到惊讶。从c。2018财年,CRWD增长了1亿美元。100%,这是一个需要为许多客户定制的反病毒解决方案。因此,在我们看来,NTM增长100%的可能性更大——尤其是在S&M咄咄逼人的情况下。</li></ul>当然,S等股票给投资者带来了巨大的风险,因此我们将概述一些需要考虑的缺点:</blockquote></p><p> <ul> <li>S is a company with fast-growing revenue but also growing losses. EBIT margin for FY20 and FY21 was -161% and -124%. FCF margin for FY20 and FY21 was -102% and -78%. So, it’s clear that cash flows in any DCF valuation are far into the future which makes the stock very vulnerable to changes in inflation and interest rate expectations – which is happening with frequency at present.</li> <li>Given the large losses, all of the stock’s future trajectory is dependent on the company beating revenue growth expectations. Consequently, any quarterly revenue misses will have a severe impact on the share price and it could take the stock a long time to recover.</li> <li>S’s technical superiority might not be insurmountable – we believe it's the best but groundbreaking is a stretch too far. Endpoint protection is a highly competitive market abundant with innovation, so it’s a possibility S could eventually lose a degree of its product leadership.</li> <li>CRWD may up the ante with ‘smoke and mirrors’ tactics and even more aggressive S&M that specifically aims to<i>legally</i>defame S.</li> </ul> There are certainly a few pros and cons to consider. In our opinion, the optimal approach to gaining exposure to S is to<b>1</b>) wait for a correction,<b>2</b>) open a ¼, a 1/3, or a ½ of the total eventual position subject to the magnitude of the correction,<b>3</b>) add during risk-off episodes during the next several months, and<b>4</b>) leave some capital spare to buy some more after the effects of the lockup expiry have been fully reflected.</p><p><blockquote><ul><li>S是一家收入快速增长但亏损也在不断增加的公司。2020财年和2021财年的息税前利润率分别为-161%和-124%。2020财年和2021财年的自由现金流利润率分别为-102%和-78%。因此,很明显,任何DCF估值中的现金流都是遥远的未来,这使得股票非常容易受到通胀和利率预期变化的影响——这种情况目前经常发生。</li><li>鉴于巨额亏损,该股未来的所有轨迹都取决于该公司超出收入增长预期。因此,任何季度收入低于预期都会对股价产生严重影响,并且该股可能需要很长时间才能恢复。</li><li>S的技术优势可能并非不可逾越——我们相信它是最好的,但开创性太过分了。终端保护是一个竞争激烈、创新丰富的市场,因此S最终有可能失去一定程度的产品领先地位。</li><li>CRWD可能会通过“烟雾和镜子”策略以及更激进的S&M来加大赌注,专门旨在<i>合法地</i>诽谤S。</li></ul>当然有一些利弊需要考虑。我们认为,接触S的最佳方法是<b>1</b>)等待回调,<b>2</b>)打开受校正幅度影响的总最终位置的1/4、1/3或1/2,<b>3</b>)在接下来几个月的避险期间添加,以及<b>4</b>)在禁售期到期的影响充分体现后,留出一些资本闲置来购买更多。</blockquote></p><p> The conundrum, as is with all pioneering software stocks, is that investors are usually forced to pay a hefty premium in order to participate in future price appreciation. This is because these types of stocks have a tendency to remain elevated for a long time. However, on the flip-side, S has not yet made it in the Global MSCI indices, therefore, bouts of risk-off sentiment have the potential to knock down the share price considerably more than stocks such as Cloudflare(NYSE:NET), Okta(NASDAQ:OKTA), Twilio(NYSE:TWLO), and Palantir(NYSE:PLTR). With this in mind, opportunities to buy big dips are likely but sustained elevated multiples and/or multiple expansion is also a strong possibility. Hence, the optimal approach, in our opinion, is to add a fraction after a correction [or even now for the highly risk-tolerant] and complete the position in the months ahead.</p><p><blockquote>与所有先锋软件股一样,难题在于投资者通常被迫支付高额溢价才能参与未来的价格升值。这是因为这些类型的股票往往会长期保持高位。然而,另一方面,S尚未进入全球MSCI指数,因此,一轮又一轮的避险情绪对股价的打击可能远远超过Cloudflare(NYSE:NET)等股票。、Okta(纳斯达克股票代码:OKTA)、Twilio(纽约证券交易所股票代码:TWLO)和Palantir(纽约证券交易所股票代码:PLTR)。考虑到这一点,逢低买入的机会是可能的,但持续升高的倍数和/或倍数扩张也是一个很大的可能性。因此,我们认为,最佳方法是在调整后增加一部分(甚至现在对于高风险承受能力强的人来说),并在未来几个月完成头寸。</blockquote></p><p> <b>Conclusion</b></p><p><blockquote><b>结论</b></blockquote></p><p> This report was not intended to bash CRWD’s technology because obviously it's extremely sophisticated and great at stopping threats. However, comparing to CRWD does highlight a degree of superiority in S’s approach to AV. And most importantly, from an investment perspective, S’s out-of-the-box solution certainly makes its business appear more scalable than CRWD. And this is exciting when considering CRWD’s super growth in spite of each deployment requiring a good dose of configuration tweaking and training.</p><p><blockquote>这份报告无意抨击CRWD的技术,因为显然它非常复杂,在阻止威胁方面非常出色。然而,与CRWD相比,确实突出了S的AV方法的一定程度的优越性。最重要的是,从投资角度来看,S的开箱即用解决方案无疑使其业务看起来比CRWD更具可扩展性。尽管每次部署都需要大量的配置调整和培训,但考虑到CRWD的超级增长,这是令人兴奋的。</blockquote></p><p> The valuation is mega rich but investors need to accept that the premium is for a game-changing technical leader in a high-growth and very large market. Upside growth surprises could very well materialize given the scalability of S’s out-the-box solution.</p><p><blockquote>估值非常高,但投资者需要接受这样一个事实,即溢价是针对一个高增长且非常大的市场中改变游戏规则的技术领导者。鉴于S开箱即用解决方案的可扩展性,上行增长惊喜很可能会实现。</blockquote></p><p></p>\n<div class=\"bt-text\">\n\n\n<p> 来源:<a href=\"https://seekingalpha.com/article/4454383-why-sentinelone-is-better-than-crowdstrike\">Seeking Alpha</a></p>\n<p>为提升您的阅读体验,我们对本页面进行了排版优化</p>\n\n\n</div>\n</article>\n</div>\n</body>\n</html>\n","type":0,"thumbnail":"","relate_stocks":{"S":"SentinelOne, Inc","CRWD":"CrowdStrike Holdings, Inc."},"source_url":"https://seekingalpha.com/article/4454383-why-sentinelone-is-better-than-crowdstrike","is_english":true,"share_image_url":"https://static.laohu8.com/e9f99090a1c2ed51c021029395664489","article_id":"1111681724","content_text":"Summary\n\nSentinelOne is technically better than CrowdStrike according to the performance results of the MITRE ATT&CK Evaluation.\nSentinelOne leverages a highly autonomous, out-the-box solution that's proving to deliver a more scalable business model than CrowdStrike’s – evident in 2Q22 results.\nSentinelOne has a significant last-mover advantage and is using it to target CrowdStrike's weak spots.\n\nSundry Photography/iStock Editorial via Getty Images\nAbout this Report\nSince its June 19 IPO, CrowdStrike's(NASDAQ:CRWD)market cap has soared sixfold as the company has experienced near triple-digit revenue growth thanks to its aggressive marketing of its highly effective and differentiated endpoint protection solution. Sentinel(NYSE:S)is the new kid on the block with even faster growth – more than doubling annual revenues YoY in 2Q22 [released after market close yesterday]. S also claims NGAV (Next-Gen Antivirus) superiority and goes head-to-head with CRWD in ultra-aggressive marketing.\nGiven S’s sky-high valuation of 92x NTM EV/S at the time of writing, it's difficult to rationalize an investment - by pretty much all measures the stock is insanely overvalued. Therefore, this report is largely about outlining why we believe S is technically superior to CRWD, and if you as investors are convinced, then you can speculate on your own growth and stock price trajectories using CRWD’s recent history as an anchor. We provide some financials and multiples projections in the Valuation Considerations section toward the end of the report.\nWe should make clear that any criticism of CRWD is in direct comparison to S. CRWD are still way better than legacy AV vendors – there's no denying that. And hopefully, this report may serve as somewhat of a framework for evaluating other EPP/EDR vendors that may catch your attention.\nThe Evolution of AV Industry\nThere are quite a few acronyms connected to the antivirus [AV] software industry to become familiar with before delving into what CRWD and S actually. The AV industry began life using signature databases followed by two decades of using signature databases with various tweaks. Then around 2011, EPP [Endpoint Protection] and EDR [Endpoint Detection & Response] became popular, ushering in the era of NGAV [Next-Gen Antivirus]. XDR [Extended Detection and Response] is often referred to as the second wave of NGAV that correlates broader and disparate data sources to enhance the detection of threats, and improve investigation and responses. The following diagram - from SentinelOne with additional annotation by ourselves – provides a useful high-level view of where the AV industry has been and where it is today. We’ll elaborate on this diagram in the following sections.\nFigure 1 - Evolution of the AV Industry\nSource: SentinelOne presentation, Convequity modification\nSignature-Based AV\nIn 1987, the late John McAfee released the first commercial AV [antivirus] software to be installed on desktops. It was a signature-based AV, which means it would check the signature of all inbound files to see if they matched a known malicious signature in the database. If there was a match then the AV would block and delete the file.\nMost cyber-attacks involve the hacker attempting to land a malicious file on a user’s device. The file contains a virus that, when triggered with a click by the user, installs itself onto the device. From there the virus can do various things, though usually, the main objective is to ascertain the device’s network connections and send itself to critical systems of an organization.\nEvery file has a unique signature that looks like a random combination of letters and numbers. The combination of letters and numbers is produced by a hashing algorithm. For example, a file containing only the text of “We built this city!” and the hashing was based on the SHA256 hash algorithm (one of the most secure and efficient hashes), the signature will be the following:\nc0fed07bbfcd9ea317d495d0c9b43021ac839f699cff44f3d3bf60993df66467\nThe hashing algorithm converts a file with any amount of content to a fixed-length signature – in the case of the SHA256 hashing algorithm, it is 64 characters long, also known as 64 bytes because 1 character equals 1 byte.\nIt’s also worth noting that changing 1 character or even flipping 1 bit [8 bits in 1 byte] from 0 to 1 or vice versa, will completely change the signature. Removing the exclamation mark so the text reads “We built this city” produces this 64-byte signature:\n1b12cb77bb08ac8c826795eab8389346b1f36c9f20b7841f7552d12c7fbf4c27\nVisit this website to hash your own input or alternatively you can get the hash for any file you upload.\nThroughout the 1990s it became apparent that signature-based AV had some fundamental shortcomings. Here are some of them:\n\nCybercriminals can change one line of code to completely change the signature of the virus, and as a result, evade detection. This puts the hacker vs AV battle economics firmly in the favor of the former, because it takes a lot of time and computing resources to detect and confirm a new virus variant.\nAs the number of malicious files grows, so does the signature database. The database resides on the endpoint so as it grows it consumes more disk space, more CPU, and more memory.\nImmediately after the AV is installed it becomes out of date because there's a continual creation of new viruses and variants of existing viruses. In essence, even the best signature-based AV provides < 100% protection.\n\nTo compensate for the < 100% protection, existing and new AV vendors came to the market with tweaks and variations of the signature-based model.\nDuring the 1990s and 2000s, the early attempts to make up for the weaknesses of signature-based AV included:\n\nFirewall vendors such as Check Point Software(NASDAQ:CHKP), F5 Networks(NASDAQ:FFIV), and Fortinet(NASDAQ:FTNT)leveraged their dominant status within the corporate network to improve signature-based AV solutions. They used their deep packet inspection capabilities at the gateway of the network to inspect inbound data packets transmitting the malicious files as well as outbound connections triggered by the virus. This added more context to help sniff out the malicious inbound files and attempts to exfiltrate data.\nBit9, founded in 2003, (later renamed Carbon Black and now acquired by VMware) introduced app whitelisting, whereby only authorized apps are allowed to run. This turned out to be highly restrictive and unproductive as apps change and upgrade rapidly.\nFireEye(NASDAQ:FEYE), founded in 2004, introduced sandboxing, whereby an unknown suspicious app or file would be executed in an isolated environment and monitored closely for any malicious activity. Although game-changing at the time, its effectiveness didn’t last long because hackers found ways to detect the sandbox environment to then trigger the virus into stealth mode and continue the attack at a later point in time.\n\nCollectively, these attempts, while lacking sustainability, did an alright job at filling in the gaps, and generally speaking, provided adequate protection during the 1990s and 2000s.\nThings changed, however, at the dawn of the iPhone in 2007. As the attack surface expanded so did the attack cadence, and computing experienced an exponential rise in the variety of viruses and the signatures connected to those viruses. The number of forms in which a virus would reside pre-execution also proliferated – scripts (code)began appearing in website photos, PDF add-ons, Excel VBA, and many other forms, waiting to be triggered.\nOn the whole, signature-based AV has proven not to scale very well and in the modern computing landscape does not provide adequate protection.\nNext-Gen AV\nFrom 2007 to 2013, a new wave of AV startups emerged with a novel approach to AV. Some Next-Gen AV [NGAV] startups focused on the EPP [Endpoint Protection] – still aiming to perform the prevention, detection, and response on the end-user device itself, but by using static AI techniques to obviate the need for a signature database. Other NGAV startups focused on the EDR [Endpoint Detection and Response] side - whereby most of the protection was delivered via the cloud and therefore the EPP software component could be lightweight and serve merely as a sensor rather than an agent that can perform the full requirements of AV.\nThere are pros and cons to singularly focusing on either EPP or EDR. EPP avoids the shortcomings of signature databases, however, by running static AI on the endpoint without the big picture from the cloud, it's less flexible and less effective over the long term. EDR maintains the complete global threat picture because it’s powered by the cloud, but the downside is the deluge of data is overwhelming for security analysts and leads to many false alerts.\nAs the shortcomings of EPP and EDR became increasingly apparent, NGAV vendors began to shift along the EPP/EDR spectrum to improve their products. The screenshot taken from S’s demo presentation summarizes the direction the vendors and the market moved from 2014 through to 2019.\nFigure2- Market Shifts: EPP vs EDR\nSource: youtube.com\nXDR [Extended Detection & Response], first coined by Nir Zuk of Palo Alto Networks(NYSE:PANW)in 2018, is now the latest technology that leading vendors are striving toward. It blends EPP and EDR together whilst also adding SOAR [Security Orchestration, Automation & Response], SIEM [Security Information & Event Management], and NTA [Network Traffic Analysis]. The objective of XDR is to collect and correlate data from endpoints, network points, servers, cloud workloads, and emails to enhance detection capabilities and improve protection whilst also increasing productivity and lowering the overall cost of security software ownership.\nCrowdStrike Intro\nCRWD, founded in 2011, came to the market with EDR, which at the time was a radical approach to AV. Instead of destroying malicious files with AV software residing on the device, CRWD destroyed them from the cloud.\nThey achieved this by having a super lightweight sensor with no database [consuming only 35 MB of storage space whereas signature-based AV can consume 4GB] installed on the endpoint. This sensor continually collects the logs (activities) related to the files on the device (i.e., what files are downloaded, open, from where, how, what time, what recent patches have been made?) and sends this telemetry data to the CRWD cloud. CRWD analysts collect this data from all CRWD devices and check it against a giant signature database in the cloud looking for matches in techniques. For example, the CRWD database contains a previous technique whereby opening a file from IP address 1.1.1.1 executed XXX.exe which was a piece of malware. As CRWD analysts recognize this technique being used again, they will block it, gather more intel, delete the file from the cloud, and share the insight across all endpoints.\nHowever, it should be noted that while CRWD can detect a potential virus within seconds, it doesn’t complete its response and eliminate the threat until hours later. The complex nature of EDR delivers a high number of false alerts that need to be investigated by a client organization's analysts and CRWD's analysts alike. Therefore, CRWD does take considerably longer to completely eliminate the threat. However, they're able to contain the spread of the threat until a full investigation is complete. S, on the other hand, can detectandrespond within seconds thanks to its greater degree of automation and hybrid EPP/EDR approach.\nThe key benefit of this approach is that there are no constraints on the size of the database, as it’s located in a centralized cloud. Moreover, this EDR approach obviates the need to periodically push out software updates to the endpoints to include the latest signature database, again because the database is located in the cloud. The other benefit is that the aggregated threat hunting ensures new viruses and variants and attack methods are identified faster. In essence, this AV model makes the front-end software simple and light [collecting evidence] and makes the back-end operations complex, detailed, and shared across all devices - generating insights for all. The essence of EDR is to restrain from doing early prevention, and instead wait, observe, and collect more intel regarding the threats, and respond accordingly. And this approach inspired the name of CRWD’s flagship platform Falcon.\nSentinelOne Intro\nS, founded in 2013, is the youngest among established NGAV vendors, and this gives it a great last-mover advantage. Instead of heavily focusing on EDR or EPP, S has utilized them both to cover all major aspects of the endpoint security to deliver the so-called XDR. Similar to CRWD, S deploys a lightweight software agent with no database on the endpoint [200 MB of disk space]. It does more than CRWD’s sensor, however. It runs static AI to establish baseline file and device behavior in which to identify anomalous activity, relating to when the file was received and how long the file was open, for example. If the file passes the rigors of static AI analysis, the user is allowed to use the file but the agent will continue to monitor closely. The agent will apply a more dynamic AI to detect any suspicious lateral movement emanating from the file – e.g., when Word opened it triggered PowerShell to open, or a command is triggered to reach out to the Internet. At any point the agent determines there's malicious activity, it will kill the virus and clean up the environment. It's this level of autonomous capability in the EPP that differentiates S from other NGAV vendors.\nDespite the sophistication of such AI-powered detection methods, some types of malwares can still evade detection. Polymorphic malware variants change their own features, such as file names and hashes, to bypass detection methods. Techniques such as code obfuscation make malicious code hard to find and/or understand. Therefore, some threats manage to bypass the front-end, or EPP, defenses, necessitating the need for EDR.\nSimilar to CRWD, S utilizes back-end, or EDR, for deeper visibility threat hunting. The data collected is used by both S’s own analysts for global threat hunting,andits clients’ analysts working in Security Operation Centers [SOC]. On the EDR side, compared to CRWD the key differentiator is that S uses a \"story\" technique to add more context relevancy which leads to fewer alerts for analysts to handle. S have named this ‘story’ technique TrueContext ID.\nTaken from an S demo presentation, the screenshot below compares TrueContext ID to previous context-building techniques - Indicators of Compromise [IOC] and Indicators of Attack [IOA] – and the more typical existing EDR solutions – Tactics, Techniques & Procedures [TTP]. The slide uses the analogy of piecing together the description of a person to illustrate piecing together the description of a malicious action.\nFigure 3 - Comparing TrueContext ID to Typical EDR Methods\nSource: youtube.com\nIOCs look like random descriptors that would need substantial effort to comprehend. IOAs are slightly more organized but still require effort to form the full picture. TTPs actually describe the bad action and offer useful context but don’t explain what happened before that led to the bad action. TrueContext ID takes it a whole level further by not just describing the traits of the bad action but also puts together a story of the events that led to the bad action – the DNA strand implies it knows everything about a given action.\nFor example, there has been a connection made to an external FTP server [a server for transferring files] >>> this links back to some registry files that were archived in a new hard drive location >>> this links back to an unusual command-line execution in PowerShell >>> it transpires that the opening of PowerShell was triggered by the opening of an Office document >>> deeper analysis indicates the document contained a brand-new unknown virus >>> did the user single or double click it or did it download automatically? >>> where did it come from? >>> did it come from an email or a USB drive? >>> is the email address and source IP address associated with previous malicious activity? >>> or, when was the USB drive inserted on the device?\nThe above example shows a bad actor attempting to transfer a copy of the critical OS files [registry files], perhaps to learn more about the target organization in order to plan a devastating future attack, or something more imminent. TrueContext ID connects all the data points from the static and dynamic AI detection methods and synthesizes them with its own globally collated intelligence to string together a timeline of sequential events. And this is presented to SOC analysts either in tabular or graphical form. Putting together a chain of events like this ensures only relevant context is presented, which radically reduces the number of alerts and enables swift investigation and remediation.\nCRWD investors and advocates may be somewhat confused as to why S’s storing techniques are a technical competitive advantage. Indeed, CRWD has an event timelining feature that is core to their EDR solution – they refer to it as \"maps.\" However, generally, a client organization’s SOC analysts need to be tier 2 or 3 certified for using CRWD’s Falcon EDR solution – one reason for this being the high number of false alerts that an analyst needs to navigate, which is far easier for the more experienced.\nIf a client organization doesn’t have a SOC team and hence cannot conduct the threat investigation on CRWD and leverage its EDR component, then they can just run it and let it handle things by the default settings or use the MDR [Managed Detection & Response] option whereupon CRWD experts will do the legwork. But when it comes to SOC operations, S’s storing technique appears to have an edge over CRWD because it radically reduces the alerts and false positives and, on the whole, makes life easier for SOC analysts.\nTo summarize, S can deliver fully automated detection, response, and system recovery all within the EPP software itself, but also has the EDR-based TrueContext ID technology that can catch more sophisticated attacks and help SOC analysts triage with far fewer false positive alerts. With this in mind, it appears that S has the edge over CRWD on both the EPP and EDR sides of the market. Moreover, as we’ll show in the presentation of MITRE ATT&CK performance results, S’s out-of-the-box solution that leverages greater automation is likely to offer greater scalability than CRWD’s. We think this greater scalability is shining through in the recent 2Q22 results whereby S generated 127% YoY growth.\nKey Differences Between S and CRWD\nWe’ve listed 11 aspects of endpoint protection whereupon S and CRWD differ by substantial margins. And it may seem overly biased [though we don’t have a position in S yet], but all 11 aspects are in favor of S outcompeting CRWD. We’ll elaborate on a few of these in the following sections.\nSource: Convequity\nBrains of Software\nCRWD: As already alluded, the brain of CRWD is in the cloud only and utilizes EDR to understand the global landscape of threats. The very nature of this cloud-based EDR approach requires the computation of petabytes of data that quickly detects potential threats but also generates large numbers of false alerts. The notion of the false alert volumes necessitates the need for thorough investigation which is why the response time takes hours instead of seconds. Ultimately, CRWD’s approach is rather labour-intensive but is still more autonomous than legacy signature-based AV.\nS: The brain of S is in a hybrid form that utilizes both automation and AI in the front-end EPP and cloud-powered global intel in the back-end EDR, and blends the two harmoniously together. The storying technique applied in TrueContext ID radically reduces the number of alerts and the manual investigation for the EDR side of operations. So, as aforementioned, for the high majority of threats, this results in full automated response and recovery [system cleanup] within seconds, and results in relatively less manpower requirements [versus CRWD] for the more sophisticated attacks. Moreover, S can work offline and catch the majority of threats whereas CRWD must be connected online to work.\nOperation of AV\nWe’ve already touched on S’s software being highly autonomous while CRWD’s software requires human experts to be effective. This contrast offers an apt segue into taking a look at which approach is ultimately more effective. So, we’ll use this section to review the MITRE ATT&CK endpoint protection test results.\nMITRE is an independent, federally funded, not-for-profit R&D organization that periodically performs attacks against leading security vendors’ software solutions. MITRE has long been the authority in cybersecurity testing, and in 2018, they launched the MITRE ATT&CK Evaluations, where MITRE evaluates the efficacy of cybersecurity products. S, CRWD, and PANW participated in the series of tests (2019, 2020, and 2021) and we’ll present the two most recent.\nIn the MITRE ATT&CK tests, vendors are assessed on how effective they are in stopping tactics and techniques. A Tactic is a bad actor’s objective – for example, to acquire a username and password, acquire remote control of the system, or exfiltrate data. A Technique is a method deployed to achieve the objective – for example, cross-site scripting [taking advantage of website vulnerabilities to lure victims into submitting their login details]. There are usually several techniques included in each tactic.\nFigure 4 - Tactics & Techniques\nSource: medium.com\nRather confusingly to the layman, MITRE presents the performance results in references to Steps and Substeps instead of Tactics and Techniques. So, for high-level knowledge purposes, Steps are closely associated with Tactics and Substeps are closely associated with Techniques. The following diagram from SentinelOne is useful to solidify the levels of detections.\nFigure 5 - Analytic Detections: Tactics/Steps and Techniques/Substeps\nSource: SentinelOne on YouTube, Convequity modification\nThe 2020 test results [based on techniques from APT29, a hacker group linked to Russian intelligence agencies] are shown below. The first chart shown shows that S led the pack in regards to overall detections, aka Substeps. The chart shows the number of detections out of the 135 Substeps for each vendor.\nFigure 6 – MITRE ATT&CK 2020 Performance Result: Total Detections\nSource: elastic.co/blog/\nThe next two charts show the Tactic and Technique detections for the MITRE AV test. As a gentle reminder, Tactics are closely associated with Steps and Techniques are associated with Substeps.\nFigure 7 - MITRE ATT&CK 2020 Performance Result: Tactic and Technique Detections\nSource: elastic.co/blog/\nObserving that S had the best performance in Tactic detections and the second-best performance in Technique detections, aligns with the storing capability of TrueContext ID. A Tactic is a Step or objective, such as data exfiltration. A Technique is a Substep or method which is one of the Substeps required to achieve the Tactic, such as connecting to an external server in the exfiltration example. TrueContext ID has been designed to provide both high-level and granular detail of each attack, and therefore, it’s understandable as to why S has performed the best across Tactics and Techniques.\nInterestingly, the performance rankings in the following year [2021] are very similar. In the 2020 test, it looks like CRWD detected a total of c. 115 Substeps versus S’s c. 130. And in 2021 it looks like CRWD detected c. 150 versus S detecting c. 175. So, the ratio is very similar between the two rivals in both years.\nFigure 8 - MITRE ATT&CK 2021 Performance Result: Total Detections\nSource: elastic.co/blog/\nIt would be hard to dispute that S has a better performing AV than CRWD based on the results presented in the previous charts. Though what creates further distance between S and CRWD are the configuration changes made by the vendors before MITRE conducted its test – which we’ll cover next.\nDeployment\nMuch of S’s marketing outlines how their software works straight out-of-the-box. This is a common claim in competitive software markets, though in S’s case, it does appear to be largely true.\nThe next chart shows how many configurations changes each vendor made in preparation for the 2020 test. S didn’t change anything – their AV software was applied out-of-the-box. CRWD, on the other hand, made 25 tweaks to optimize their AV for the test. This fits in very well with the earlier discussion that CRWD is designed for enterprises with more experienced security analysts [SOC 2 and 3 analysts] – more on this later. These configuration changes also underscore what we’ve outlined in regards to S being way more automated than CRWD. CRWD’s lack of automation means it can’t work out-of-the-box with high effectiveness – the AV has been designed for heavy human involvement.\nFigure 9 - MITRE ATT&CK Configuration Changes for 2020 Test\nSource: youtube.com\nSo, despite CRWD making 25 tweaks to its AV software versus S’s zero tweaks, the market-leading endpoint protection provider still underperformed S by considerable margins in the MITRE test. And it’s worth reminding ourselves that S will have performed using AI and automation, whilst CRWD will have performed with heavy involvement from its own cloud-based SOC 2/3 analysts. Moreover, to add further context, this is the first test CRWD has participated in wherein it has performed acceptably well – previous tests by MITRE and NSS Labs yielded very poor results for CRWD. When you add these factors together, it really does open up a significant gap in the software capability between S and CRWD.\nIt’s also refreshing to note that PANW also chose not to make any changes, and they achieved a top four overall total detection performance and finished in the top half in the Tactic and Technique components of the test. We’ve reiterated for a long time now that Palo Alto Networks is simply the best at cybersecurity, and considering that endpoint protection isn’t even their core/original expertise, this is a huge testament to that.\nExpertise Requirements\nFor SMBs that don’t have a SOC [Security Operations Centre], have relatively simpler security needs, and for some reason may be less of a hacker target, then deploying CRWD in its default settings shouldn’t be much of an issue and is way better than opting for legacy AV. Indeed, a simple deployment across an all-Windows organization is very simple. Alternatively, if an all-Windows SMB has more nuanced security needs but doesn’t have a SOC, then CRWD’s MDR [Managed Detection & Response] service will be deployed and work smoothly with negligible issues. Expertise becomes a consideration in the case where an enterprise with its own SOC [and more complex requirements] and/or non-Windows operating systems (i.e., Linux and/or Mac) wants to install CRWD.\nAs highlighted in the previous section, to maximize CRWD and protect against a full range of sophisticated attack techniques, substantial configuration tweaks are required. SOC 2 and 3 analysts will comfortably be able to handle this, however, SOC 1 and/or IT generalists will find it difficult and are likely to require assistance or make a mistake. Additionally, a higher-level of expertise is necessary to swiftly navigate through the barrage of alerts received with CRWD. Analysts need to coordinate Falcon with Splunk’s legacy SIEM to correlate data and gain the fullest threat landscape picture [this will eventually change, however, once they fully integrate the Humio acquisition]. Again, this requires a higher-level of expertise – SOC 2 or 3.\nThen if you add in non-Windows OS, deployment complicates further. Yes, in the past 12 or so months CRWD has better adapted Falcon to Linux and Mac, though a high-level of expertise is required to ensure a smooth deployment following many years of incompatibility issues.\nSo, because of the config changes and the multi-OS environments, typically SOC 2 or 3 analysts are required for the CRWD enterprise use case.\nIn contrast, as evident in the MITRE test, S works right out of the box and hence IT generalists can get on fine with it. TrueContext ID - the storing feature - radically reduces the volume of alerts to enable more efficient threat hunting and remediation and hence making for a more user-friendly interface for SOC 1 and IT generalists to get along with. And, S has built its Singularity Platform with Windows, Linux, and Mac in mind right from the outset [a by-product of S’s last-mover advantage and taking more time in R&D before pumping the GTM strategy], delivering feature parity across all platforms – which again, means lower expertise is required to complete a successful multi-OS environment.\nTarget Market and Pricing\nAs previously mentioned, CRWD and S can be easily deployed for simple use cases associated with certain SMBs. Where we view S as having a notable larger target market is in the more complicated use cases associated with certain SMBs and enterprises. Taking into account the aforementioned expertise requirements, for complex use cases, S appears as the more attractive solution – by a wide margin. In using S over CRWD, SOC two and three analysts can work with more productivity, and SOC 1 and IT generalists can deploy and manage the software with little hassle. This opens up a wider TAM for S vs. CRWD.\nSo, at the low-end of the market, comparing S and CRWD is trivial, because for simple use cases CRWD’s default settings are adequate. But CRWD is expensive. Our research on Reddit forums indicates that CRWD is 2x to 3x more expensive than S, and from this, we infer that CRWD is or will eventually price themselves out of the market segment in which they are most technically competitive.\nCRWD maximizes the land-and-expand sales model as aggressively as any other software vendor. They sell the Falcon platform in modules; implementing a bare minimum number of modules in the beginning and then aggressively upselling/cross-selling other modules. Though many of the other modules are a necessity for full protection. Usually, most clients need to bundle together NGAV which is the Falcon Prevent module, EDR which is the Falcon Insight module, and device control which is the Falcon Device Control module. However, in pursuit of greater DBNR [Dollar-based Net Retention], CRWD separated device control into an independent module.\nFigure 10 - CRWD's Falcon Platform Modules\nSource: CrowdStrike\nThe combined pricing is well beyond the price quote from legacy AV vendors – which is absolutely fine given CRWD is better. Though, according to Reddit forum discussions, those clients that mentioned \"SentinelOne\" to CRWD salespeople immediately received a ~50% discount.\nCRWD’s module-based land-and-expand ploys are most evident in the immediate quarters post-IPO. A cynical view, but reading between the lines it looks like a nice stock-based compensation booster was at play for the year-end of FY19.\nFigure 11 - CRWD's DBNR\nSource: CrowdStrike\nIn a clear attempt to differentiate and do things better than CRWD, S doesn’t sell individual modules. Instead, it sells its full Singularity Platform as bundles across three tiers – Core, Control, and Complete. It appears that on a like-for-like, S’s bundles are ~30% even after CRWD’s discounts.\nFigure 12 - S's Singularity Platform Tiered Bundles\nSource: SentinelOne\nInsincere sales ploys like what CRWD has been doing only last for so long. Eventually, customers catch onto what is happening – evident by discussion on Reddit. And it feels like that day has already come, probably brought to the fore by S’s differentiated bundle pricing.\nTo summarize, CRWD effectively competes with S on a technical basis at the lower-end of the market involving simple use cases but they are risking pricing themselves out of the market. At the higher-end of the market involving complex use cases, it looks like S is both technically better and more affordable than CRWD. Additionally, S will store logs for a maximum of 365 days whilst CRWD’s max is 90 days. All of this strongly aligns itself with S’s founder and CEO Tomer Weingarten claiming that S wins 70% of head-to-heads with CRWD.\nIn comparison to CRWD, not only will S’s technical superiority and competitiveness help it penetrate more of the TAM whilst also widening the TAM, being able to deploy in the cloud and on-prem further expands their customer reach vis-à-vis CRWD.\nOn the whole, S can target a broader market and based on its technical/performance superiority plus aggressive but transparent pricing, can outcompete CRWD in its own TAM.\nArchitecture\nBefore we move onto valuation considerations, we’ll briefly share our views and CRWD’s and S’s software architecture. In all honesty, we can’t find much information related to who has the more modern architecture, but you’ve probably guessed already that we think S has the edge here. The cadence in which both vendors release new features and modules is testament that both operate within advanced microservice architectures. However, we assume, that as CRWD partners with a legacy vendor like Splunk for SIEM and log management, its architecture is probably semi-dated and that there has been an absence of major revamp in recent years. This line of thinking could be kind of validated by the number of years it’s taken for CRWD to overhaul its Mac and Linux sensors.\nIt’s interesting how in March 2021 CRWD bought Humio for $392m in cash and equity just one month after S bought Scalyr for $155m in cash and equity. This may be reading into things too much, but some may view it as a sign of desperation to shore up an aging architecture and move away from legacy SPLK.\nAny differences in the modernity of the two NGAV architectures will very likely widen in the coming quarters and years. CRWD is only 14 months older than S, but because it grew early and superfast, it will have accumulated way more technical debt. And issues that come with technical debt will only be amplified as a $60bn company like CRWD needs to continue aggressively expanding its TAM via acquisitions in order to keep the mega growth story alive.\nAs all software firms grow, they lose their nimbleness but it will happen a lot sooner to CRWD than it will to S - and this gives another upper hand to S in years to come.\nS’s Edge Summary\nAt a high level, the key competitive advantages S has over CRWD can be summarized into four fundamental drivers:\n\nBetter product effectiveness.\nBetter user experience.\nBetter pricing.\nA more scalable business model afforded by a highly automated out-the-box solution.\n\nValuation Considerations\nS’s IPO, on June 30, was the highest-valued cybersecurity IPO ever. The stock finished its IPO day 21% up, closing at $42.50/share with a LTM EV/S of 100x. At the time of writing the stock is trading at $68/share with a LTM EV/S of 163x and a NTM EV/S of 92x.\nBelow are some projections going out to FY26. FY22 revenue is anchored to management’s guidance. In the 2Q22 earnings presentation released yesterday, management also gave long-term targets that included a mature gross margin of 75%-80%, hence why we’ve made it so gross margin is 78% in FY26. We’ve used CRWD’s current TTM FCF margin as a rough long-term estimate of S’s in FY26.\nGuessing the multiple declines is kind of an unchartered territory because of the unprecedented level and sustainability of multiples we’re witnessing in the COVID-era market. Some may argue a decline to a 53x EV/S by FY26 is not steep enough, and that might be right. Though in FY26 we expect revenue to be at similar levels to CRWD’s today and CRWD is currently trading at 56x EV/S. Of course, no macro assessment is being taken into account so please take this exercise with a pinch of salt.\nFigure 13 - Financials & Multiples Projections\nSource: Convequity\nIn the 4.5 years from today to the end of FY26 [fiscal year end 31stJan], if the EV reaches $68bn then S’s stock will deliver a 36% annualized return. So, yes the multiples are insanely high but because of the extreme growth that will presumably remain high for a few years, even a sharp decline in multiples can still deliver sufficient investor returns.\nCRWD’s LTM EV/S at the close of its IPO day [6thJune 2019] was 47x and it has peaked at c. 70x in Aug-19 and Feb-21. This highlights the richness in S’s current valuation. However, is S still worth an investment at the present time? Well, investors need to be aware of the melt-up and melt-down that has often occurred with high-growth tech IPOs, especially during the past 12-18 months. S could very well follow a similar path and climb much higher before falling down once the lockup period ends [27thDecember, 2021] and early investors can cash in some of their profits. Investors should also note that S employees are allowed to sell 15% of their shares as of 6thOctober 2021. For readers’ information, S’s number of shares in float to number of shares outstanding is just 17% - in contrast, a post lockup stock like CRWD has 86% in float.\nTherefore, high-risk tolerant and/or short-term investors may want to consider a long position right now. Longer-term investors may prefer to let the liquidation unravel post Oct-21 and then post Dec-21 before buying shares. A compromise may be to buy a fourth of a position today and opportunistically add to it in the future. Personally, we’re waiting for a correction before opening a position. If the stock corrects c. 25% we’ll probably add half of the total planned allocation and then wait to see what happens after the lockup.\nAt first glance S’s extremely negative operating and FCF margins are alarming, but what investors should bear in mind is that S has the edge in technical and performance superiority and therefore they need to capitalize on this edge in the fastest way possible. CRWD is just 14 months older than S but has over 7x more ARR [Annual Recurring Revenue], which illuminates the differences in market approach. CRWD hit the market early and aggressively whilst S spent many years with their primary focus in R&D before focusing on sales and marketing [S&M]. Now S has a refined and market-leading product they need to maximize the GTM strategy as much as they can and catch up the market leader.\nFigure 14 - 1Q22 Margins\n\nThe current gross margin doesn’t exactly indicate a profitable long-term business model. However, investors should bear in mind that S’s competitiveness, especially in offering 365-day log storage, is a big suppressant at the moment. When S captures a larger share of the market, builds a solid reputation, and fully integrates Scalyr’s novel way of ingesting and storing log data, S can command a greater premium and simultaneously lower cost of revenue, and hence gross margin will rise accordingly. Interestingly, 2Q22 gross margin has already jumped c. 800 basis points since 1Q22, and no doubt the integration of Scalyr will have contributed to this. Throw into the mix that S will more than likely follow CRWD in shifting from cloud to colocation infrastructure once they reach a certain scale, the mature end-state gross margin for S will be close to 80%, in our opinion.\nIrrespective of the trading tactics, we think S has a strong chance to prove to be a good investment, even at the current multiple levels. We’ll list the pros to consider:\n\nCurrently, S has very low penetration - FY21 [fiscal year ending 31stJan] generated $93m of revenue and $161m of ARR [Apr-21] - in a market estimated to be worth between $20bn and $30bn by 2025.\nSimilar to what CRWD has done, S will acquire more talent, expand its product’s capabilities, and expand into new markets - the IPO proceeds will go toward these objectives. This will expand an already large TAM for S.\nAs we’ve presented in this report, S is the technical leader in the endpoint protection market. Technical leadership combined with mega aggressive S&M expenditure [110% of revenue vs CRWD’s IPO year of 69% of revenue] will very likely be highly effective.\nGiven the relatively low revenue base ($93m for FY21) and the autonomous, out-the-box nature of S’s AV, we would not be surprised if they regularly exceeded analyst consensus growth expectations (91% for FY22). From c. $100m in FY18, CRWD has grown c. 100% and this is with an AV solution that needs to be customized for many customers. Therefore, NTM growth of 100% is more probable than not, in our opinion – especially, with the S&M aggressiveness.\n\nOf course, stocks such as S pose substantial risks for investors, so we’ll outline some of the cons to consider:\n\nS is a company with fast-growing revenue but also growing losses. EBIT margin for FY20 and FY21 was -161% and -124%. FCF margin for FY20 and FY21 was -102% and -78%. So, it’s clear that cash flows in any DCF valuation are far into the future which makes the stock very vulnerable to changes in inflation and interest rate expectations – which is happening with frequency at present.\nGiven the large losses, all of the stock’s future trajectory is dependent on the company beating revenue growth expectations. Consequently, any quarterly revenue misses will have a severe impact on the share price and it could take the stock a long time to recover.\nS’s technical superiority might not be insurmountable – we believe it's the best but groundbreaking is a stretch too far. Endpoint protection is a highly competitive market abundant with innovation, so it’s a possibility S could eventually lose a degree of its product leadership.\nCRWD may up the ante with ‘smoke and mirrors’ tactics and even more aggressive S&M that specifically aims tolegallydefame S.\n\nThere are certainly a few pros and cons to consider. In our opinion, the optimal approach to gaining exposure to S is to1) wait for a correction,2) open a ¼, a 1/3, or a ½ of the total eventual position subject to the magnitude of the correction,3) add during risk-off episodes during the next several months, and4) leave some capital spare to buy some more after the effects of the lockup expiry have been fully reflected.\nThe conundrum, as is with all pioneering software stocks, is that investors are usually forced to pay a hefty premium in order to participate in future price appreciation. This is because these types of stocks have a tendency to remain elevated for a long time. However, on the flip-side, S has not yet made it in the Global MSCI indices, therefore, bouts of risk-off sentiment have the potential to knock down the share price considerably more than stocks such as Cloudflare(NYSE:NET), Okta(NASDAQ:OKTA), Twilio(NYSE:TWLO), and Palantir(NYSE:PLTR). With this in mind, opportunities to buy big dips are likely but sustained elevated multiples and/or multiple expansion is also a strong possibility. Hence, the optimal approach, in our opinion, is to add a fraction after a correction [or even now for the highly risk-tolerant] and complete the position in the months ahead.\nConclusion\nThis report was not intended to bash CRWD’s technology because obviously it's extremely sophisticated and great at stopping threats. However, comparing to CRWD does highlight a degree of superiority in S’s approach to AV. And most importantly, from an investment perspective, S’s out-of-the-box solution certainly makes its business appear more scalable than CRWD. And this is exciting when considering CRWD’s super growth in spite of each deployment requiring a good dose of configuration tweaking and training.\nThe valuation is mega rich but investors need to accept that the premium is for a game-changing technical leader in a high-growth and very large market. Upside growth surprises could very well materialize given the scalability of S’s out-the-box solution.","news_type":1,"symbols_score_info":{"S":0.9,"CRWD":0.9}},"isVote":1,"tweetType":1,"viewCount":1815,"commentLimit":10,"likeStatus":false,"favoriteStatus":false,"reportStatus":false,"symbols":[],"verified":2,"subType":0,"readableState":1,"langContent":"EN","currentLanguage":"EN","warmUpFlag":false,"orderFlag":false,"shareable":true,"causeOfNotShareable":"","featuresForAnalytics":[],"commentAndTweetFlag":false,"andRepostAutoSelectedFlag":false,"upFlag":false,"length":29,"xxTargetLangEnum":"ORIG"},"commentList":[],"isCommentEnd":true,"isTiger":false,"isWeiXinMini":false,"url":"/m/post/881368624"}
精彩评论