SentinelOne CEO: Cybersecurity shouldn't require constant updates

In the wake of the CrowdStrike outage, SentinelOne CEO Tomer Weingarten tells CRN that the frequency of updates from the vendor ‘calls into question pretty much the entire premise of next-generation protection.’

SentinelOne CEO: Cybersecurity shouldn't require constant updates

The unprecedented IT outage caused by a faulty CrowdStrike update a week ago has raised questions about the frequency of the vendor's updates to its Falcon platform, SentinelOne CEO Tomer Weingarten told CRN.

Weingarten, who is also a co-founder of SentinelOne, a top rival of CrowdStrike, spoke Thursday with CRN in his first interview since the massive July 19 outage.

Among other things, the outage has brought scrutiny to "the frequency of updates that was happening [with CrowdStrike] — which calls into question pretty much the entire premise of next-generation protection," Weingarten said. "Why do you need to constantly update the protection? Is it not effective without constant updates?"

Ultimately, he said, "you've been promised next-generation protection. But you actually got something that has pretty significant risk attached to it."

The CrowdStrike update sent 8.5 million Windows devices into a "blue screen of death," leading to massive impacts for air travel, health care and business. Experts have called it the largest IT outage of all time, and one estimate suggested the direct financial loss to U.S. Fortune 500 companies could total $5.4 billion.

According to Weingarten, the widely felt incident "calls into question how you think about protection."

"For us—and we've said it for many, many years—we actually believe that the best system is one that doesn't need frequent updates," he said. "The best system is one that has the algorithms baked in — embedded AI that can evolve [and] doesn't need an update every time there's a new attacker or new variant out there."

In other words, a security tool shouldn't need to receive an update whenever something changes in the threat landscape, according to Weingarten.

"If your system is effective, is generic enough, and is built with true technology inside of it—you don't need all these updates," he said. "I really don't believe that the future of cybersecurity is delivering more and more updates. It's about building a more-resilient system embedded on the device."

In response to Weingarten's comments, CrowdStrike said in a statement Friday that its Falcon platform utilizes "advanced AI and machine learning algorithms," which provide "dynamic threat detection and response."

"While these sophisticated algorithms offer strong protection without constant updates, the rapidly evolving cybersecurity landscape necessitates regular updates to Behavioral AI and threat intelligence," CrowdStrike said in the statement provided to CRN. "Our periodic updates are a proactive measure to ensure comprehensive security for all our customers. Content updates are routine for the cyber security industry."

In CrowdStrike's "Preliminary Post Incident Review" post Wednesday, the vendor specified that the update that led to the outage involved what's known as "rapid response content," which is used as part of performing "behavioral pattern-matching operations" to thwart future cyberattacks.

The defective content in question had been stored within a "proprietary" binary file and was "not code or a kernel driver," CrowdStrike said.

The disruptions from the outage dragged on into this week in part because of the need for IT teams to manually fix many of the affected Windows servers and PCs. CrowdStrike disclosed in the preliminary review post that a bug in its validation process for security configuration updates to its Falcon platform resulted in the outage.

The company said that 97 per cent of Windows sensors for Falcon were online as of Thursday.