Last week, CrowdStrike held its yearly user conference, Fal.Con, in Las Vegas. The conference comes just two short months after CrowdStrike issued a config update that took down 8.5 million Windows endpoints, which disrupted air travel, hospitals, and media outlets while impacting many other industries. Despite the incident (or perhaps because of it), the event was well attended, with over six thousand attendees, surpassing CrowdStrike’s initial expectations.

Needless to say, expectations for this event were high after a muted message at Black Hat USA. Here are the top things you need to know coming out of Fal.Con 2024:

• No more apologies but a much-needed “thank you.” CrowdStrike CEO and Founder George Kurtz kicked off the event with a big thank-you to customers and partners for their support following the incident. Many customers we talked to were grateful for this — apologies had already been given, and the time for them had passed. Customers instead wanted to see what changes would be made moving forward. Comparing the July 19 outage to the 1982 Tylenol drug tampering crisis as a disaster that spurred needed industry change, George announced a new framework called “resilient by design” as a follow-up to the incident. CrowdStrike, however, has yet to provide detail on how the company plans to operationalize it or how it will affect the roadmap moving forward.
• Satya Nadella made a surprise (virtual) entrance during George Kurtz’s keynote. A surprise guest at CrowdStrike’s event was new “crisis buddy” Microsoft CEO Satya Nadella, who videoconferenced into George’s keynote to talk about how Microsoft is partnering with CrowdStrike on ensuring that an incident like July 19 does not happen again. This comes just after Microsoft hosted its Windows Endpoint Security Ecosystem Summit to bring together industry leaders to discuss what comes next for endpoint security applications operating in the kernel. One of the takeaways from the summit is that Windows is going to prioritize hooks into the kernel so that more capability can be developed in userland, which will help to reduce some risk. It’s a difficult balance, however, since Microsoft has an endpoint security product that also operates in the kernel (and is a direct competitor to CrowdStrike). Microsoft will need to balance the push and pull of regulatory hurdles, customer concerns, and partners moving forward as it attempts to transition security vendors out of the kernel as much as possible.
• “SPM all the things” has gone too far with detection posture management. At Black Hat USA this year, many vendors moved to “SPM all the things” with application security posture management (ASPM), data SPM (DSPM), cloud SPM (CSPM), Kubernetes SPM (KSPM), and identity SPM (ISPM) … and on and on. Now, CrowdStrike is piling on the SPM bandwagon by announcing detection posture management. While an important capability, it would be far more aptly named detection coverage, as that is what it ultimately is: a way to visualize coverage of your detection surfaces with more advanced MITRE ATT&CK heatmaps and other views. This highlights the importance of detection engineering, which Forrester sees many organizations adopting.
• Day one lacked a big splash, and day two showcased less flashy features. In a surprising choice for day one announcements, CrowdStrike focused on less interesting — but necessary — business enhancements: 1) Falcon Flex, a consumption model for flexible subscription spending allocations, and 2) CrowdStrike Financial Services, a financing arm for customers and partners. Announcements related to procurement and billing are certainly not the type of day 1 announcements you’d expect to see from one of the more innovative cybersecurity players.

  On day two, CrowdStrike highlighted identity protection advances by showing integrations with cloud-based identity providers based on the emerging OpenID shared signals framework as well as the “coming soon” announcement of Falcon Privileged Access to enforce just-in-time access for privileged administrator roles. CrowdStrike also announced Project Kestrel, which allows users to make custom views for dashboarding, a necessary feature enhancement as the vendor takes on the security information and event management market. Much of President Mike Sentonas’ day two presentation, however, focused on CrowdStrike’s platform story, without much emphasis on this year’s innovations.

• Despite their importance, the biggest innovations were relegated to day three. On the last day (after many attendees had gone home), CrowdStrike CTO Elia Zaitsev led the closing keynote in which CrowdStrike announced some serious innovations, all focused on improving analyst experience. These include AI-generated parsers, automated triage with Charlotte AI, and predictors of attack in exposure management. AI-generated parsers are the most interesting innovation, as many organizations have been working on this effort since generative AI capabilities hit the mainstream.
• Famous Chollima gets its 15 minutes, and IR services gets … 5? Two sessions and a significant portion of day two’s keynote were devoted to North Korean threat actor Famous Chollima, the group behind KnowBe4’s infiltration and infiltrations at over 100 other largely US-based tech companies. It also gave CrowdStrike’s threat hunting, threat intelligence, and incident response (IR) services offerings a spotlight in an otherwise largely product-focused agenda. Incident readiness and response services discussions were limited to a handful of track sessions, with no new offerings or enhancements announced.

Lastly, it’s important that we call out that the keynotes displayed a shocking lack of diversity: Every keynote featured one or more white males, and not a single keynote involved a woman or a person of color. For an industry that has long struggled with diversity, it’s not a surprise. But for a company that is one of the largest and most widely discussed leaders in the industry, it is a disappointment.

For any questions about the conference, the outage, or other security and risk topics, request an inquiry or guidance session with a Forrester analyst.