CrowdStrike survey says Microsoft customers ‘losing trust’; Microsoft calls report ‘self-serving’

A new survey commissioned by cybersecurity firm CrowdStrike uncovered disturbing trends when it comes to ransomware breaches, supply chain attacks, and incident detection times — while the company says the survey also found an erosion of trust in “legacy” vendors including Microsoft.

In response, Microsoft provided a statement to VentureBeat characterizing the CrowdStrike report as “self-serving market research” and an attack on the company. Microsoft said it is actively “protecting both our customers and the wider industry,” including through such efforts as disrupting the activities of state-sponsored attackers.

Along with inflaming the running dispute between the two competing security industry titans, the CrowdStrike-commissioned survey released today also pointed to a number of worsening issues within the cybersecurity space.

According to the survey, organizations have gotten much slower at detecting cyber incidents in 2021, especially in the U.S. Meanwhile, supply chain attacks have now affected more than three-fourths of businesses, the survey found. And on ransomware, more than half of businesses said they actually don’t have a “comprehensive” strategy to defend against ransomware attacks — even as the breaches have increased and ransom payments have surged in 2021.

A backdrop to these issues is that vulnerabilities associated with “legacy” vendors such as Microsoft are on the rise, said Michael Sentonas, CrowdStrike’s chief technology officer, in an interview with VentureBeat.

“People are just getting exhausted from having to constantly run to patch. And their problem is getting worse,” Sentonas said.

‘Losing trust’?

The report — the 2021 CrowdStrike Global Security Attitude Survey — was conducted in recent months by research firm Vanson Bourne, and surveyed 2,200 senior IT decision makers and IT security professionals.

It’s the fourth such survey commissioned by CrowdStrike, but the first to specifically mention Microsoft — a rival firm that has ramped up its security efforts substantially in recent years. The past year has seen CrowdStrike and Microsoft increasingly battling for customers, and top CrowdStrike executives including CEO George Kurtz have brought a series of criticisms against Microsoft on security.

In the new survey from CrowdStrike, one question asked respondents about their view of “legacy” vendors including Microsoft. In response, 63% of respondents said they’re “losing trust” in such vendors, according to CrowdStrike. Microsoft was the only vendor mentioned by name in the survey question.

The finding “clearly demonstrates the need for a holistic approach when it comes to defending against software supply chain attacks,” the CrowdStrike report said. “Technology giants such as Microsoft are not immune to this form of cyberattack, and rather they are the gateway onto the network for millions of organizations around the globe. If they do not hold themselves accountable, then many others could suffer.”

‘Self-serving’ research?

In a response to CrowdStrike’s report and Sentonas’ comments, Microsoft said in a statement to VentureBeat that “this week we announced the result of a sustained effort to proactively take down nation-state attack infrastructure, protecting both our customers and the wider industry.”

The statement referred to Microsoft’s disclosure Monday that its Digital Crimes Unit had removed important infrastructure used by a hacking group based in China.

“We believe this is more valuable to our customers than self-serving market research that attacks other security vendors,” Microsoft said in the statement provided to VentureBeat.

Microsoft also said that its platforms and security teams prevented more than 70 billion cyber attacks during the past year, helping to protect its nearly 650,000 security customers.

In a June response to previous accusations from CrowdStrike, Microsoft’s corporate vice president of communications, Frank Shaw, said on LinkedIn that the company believes security is a “team sport,” and that “fellow defenders must work together to make the world a safer place.”

Supply chain and ransomware attacks

In terms of supply chain security, the CrowdStrike survey found that 77% of organizations have now experienced a supply chain attack. And nearly half — 45% — had suffered a supply chain attack during the previous 12 months.

In the area of ransomware, a number of findings in the survey point to worsening trends:

• 66% of respondents said their organization had experienced a ransomware attack in the previous 12 months, up from 56% in the 2020 report


• 33% of respondents acknowledged they’ve suffered multiple ransomware attacks during the past 12 months, up from 24% in the 2020 report


• The average ransomware payment surged by about 63% in 2021 — reaching $1.79 million, up from $1.1 million in 2020


• Nearly all companies who paid a ransom — 96% — were forced to pay additional extortion fees on top of the initial ransom payment

Perhaps most alarmingly, 57% of respondents said their business “did not have a comprehensive ransomware defense strategy in place,” CrowdStrike said.

Slower response times

Another troubling finding in the survey is that worldwide, organizations now report an average of 146 hours before a cyber incident is even detected. That’s up significantly from 2020, when the survey found an average of 117 hours for incident detection.

The situation is even worse in the U.S., according to the CrowdStrike report. U.S. organizations reported an average of 165 hours before a cyber incident was detected — up from 97 hours in 2020.

Sentonas said there’s no question that when it comes to cyber incident detection, “this isn’t easy.”

“There are so many adversaries. There are so many attacks. The infrastructure that we use is very complex. And here we are, nearly two years into a global pandemic, and security professionals are working from home and trying to manage remote organizations. You put it all together, and it’s not easy. And I don’t want to suggest in any way that it is,” he said. “But the challenge here is that when we look at some of these statistics, they are getting worse. And U.S. organizations are worse at detection compared to the rest of the world.”

Possible reasons for that may be that U.S. organizations often have larger networks than than companies globally, and may have a larger proportion of users that are continuing to work from home, according to Sentonas. Sixty-nine percent of respondents in the survey attributed a cyber incident in their organization to having staff that was working remotely.

Still, the average time for detection “needs to come back the other way,” Sentonas said. “You need to be able to accelerate your detection time.”

Growing vulnerabilities

The survey decided to focus more on “legacy” vendors such as Microsoft this year in part because of how Microsoft has been implicated in major cyber incidents over the past year, such as the SolarWinds supply chain breach, according to Sentonas.

Additionally, the number of vulnerabilities reported by Microsoft for its various platforms has seen a “staggering” increase in recent years, he said. A report from BeyondTrust found a 181% increase in Microsoft vulnerabilities between 2016 and 2020 — and a 48% increase in 2020 alone from the year before. A total of 1,268 Microsoft vulnerabilities were discovered in 2020, according to the report.

CrowdStrike’s survey contends that due to this frequency of vulnerability issues, paired with high-profile incidents such as SolarWinds, there is a “crisis of trust in legacy IT vendors, such as Microsoft.”

Similar phrasing had previously been used by CrowdStrike CEO Kurtz in discussing Microsoft. During CrowdStrike’s quarterly investor call in March, Kurtz said that there is a “crisis of trust within the Microsoft customer base” in the wake of the SolarWinds attack and the Microsoft Exchange zero day vulnerabilities that were revealed that same month.

‘Weaknesses’ exploited

The SolarWinds incident involved malicious code inserted into the software supply chain for the company’s Orion network monitoring solution, which was then distributed to thousands of customers, including numerous federal agencies. However, a “significant” number of customers that were affected in connection with the attack weren’t actually SolarWinds customers, Sentonas noted.

“What we saw was the threat actor in this particular case took advantage of weaknesses in [Microsoft’s] Windows authentication architecture. They were able to get in and then start to move laterally throughout the organization,” he told VentureBeat. “This was because of issues having to do with the authentication architecture around [Microsoft’s] Active Directory and Azure Active Directory, and the way it is configured.”

Another CrowdStrike executive who has criticized Microsoft on security in the past is James Yeager, the company’s vice president of public sector, who wrote in a LinkedIn post in June that Microsoft is “incapable” of protecting even its own infrastructure.

Shaw’s LinkedIn post was a response to this post from Yeager. In the post, Shaw wrote that “we fundamentally believe that security is a team sport and fellow defenders must work together to make the world a safer place.”

“It’s unfortunate to see some vendors attempt to further their position via innuendo and inaccurate accusations rather than seeking ways to contribute collaboratively,” Shaw wrote in the post. “Every day Microsoft handles authentication for more than 425 million users and delivers protection with 2.5 billion detections blocking 6 billion threats annually — all while contributing massive amounts of data to the defender community. That’s the definition of a trusted and proven security leader, by any measure.”

Tools and expertise

Altogether, the issues of worsening attacks and response times partly relate to the security tools in use by companies — but it’s potentially even more important to focus on the “tradecraft” that adversaries are using, Sentonas said.

A recent report from CrowdStrike’s Falcon OverWatch threat hunting team found that nearly 70% of the intrusions that were investigated did not use any malware at all, he noted. “So if your strategy is to go and get the best anti-malware capabilities, and 70% of the time the adversary is not using malware — well, what then?” Sentonas said. “That’s why we say, you need to have the right tools — but you also need to understand the right tradecraft.”

In other words, “you need to know what to look for,” he said. “How are the adversaries actually getting on the network? What techniques are they using to try to get inside? And once they’re inside, how do they move laterally?”

Accomplishing this is partly about having the right instrumentation — which provides the telemetry to see what attackers are doing, according to Sentonas. But the other part is having the ability to spot the indicators of compromise, he said.

“And if you don’t,” Sentonas said, “then you need to work with an organization that has the ability to do that for you.”