CISO Explains Switch from Microsoft to CrowdStrike for Cybersecurity

“The reality is that Microsoft’s revenue stream doesn’t depend on my security success.”

The CISO of a major insurance company recently switched from Microsoft to CrowdStrike for endpoint and identity security following a ransomware incident that Microsoft Defender failed to block. The following Q&A explains what happened, the fallout with Microsoft and how CrowdStrike delivered the protection, consolidation and support the CISO needed.

Describe your security posture before the incident.

I joined the company as CISO a few years ago. When I looked at our overall security posture, I knew some improvements were needed. Mainly, the organization was heavily invested in Microsoft E5 licensing, which was intended to fix fragmentation in our security stack, but came at a cost when the incident unfolded.

What happened?

We had a major issue with some malware. Effectively, an email-borne threat came in. Microsoft Defender Online missed it and the end user clicked it, which downloaded an obfuscated PowerShell script that initiated a ransomware attack. We narrowly avoided disaster thanks to a last line of defense, but we almost had a very serious situation on our hands.

How did Microsoft miss it?

That was the first problem we looked into. We found alerts in the console — which strengthened as the attack unfolded — but we couldn’t figure out why Defender didn’t block it. We went to Microsoft for help and after about 10 calls their response was, “Why did your user click the link?” Not helpful. After more back and forth, they sent us some generic policy recommendations, which were confusing due to overlap in policies across multiple Microsoft tools. They effectively agreed and said they’d look into it. Meanwhile, after trying their recommendations, we did a red team exercise to simulate the attack. Again, Defender failed to block it. Clearly, the policy changes Microsoft recommended did nothing to improve our security posture. Moreover, why had they waited until we were breached to make those recommendations?

That must have been frustrating.

Yes, but not surprising. When I stepped back and looked at it more holistically, I realized their response was lackluster from a security perspective because the revenue they get from security is such a small part of their overall business. I’ve been down this road many times with Microsoft tools. The reality is that Microsoft’s revenue stream doesn’t depend on my security success. And that’s the real problem: It makes no material difference to them whether or not we remain a customer, which shows in their support.

So how did you come to CrowdStrike?

I started getting an extreme amount of pressure from our board and executive leadership. There’s only so many times I could tell them Microsoft isn’t responding, they’re not giving us root-cause analysis and they can’t tell us what’s wrong despite us proving it twice. I checked around with my CISO peers and many echoed the same problems with Microsoft: missed attacks, poor support, confusing policies, etc. The majority of them strongly recommended CrowdStrike, so we started down that path.

Tell me about the early days with CrowdStrike.

Things felt different right away. We did a proof of concept with CrowdStrike across a section of our user population and found it was a light touch that we could deploy without a reboot. Moreover, we were finally getting the strong protection we needed across our endpoint and identity environments from one unified agent, platform and console. From there, it was an easy decision. We deployed the CrowdStrike Falcon® platform, displacing Microsoft as our front line of defense.

How was deployment?

Very smooth. CrowdStrike told us we could deploy as fast as we wanted to, so we deployed it within a quarter, which is moving at light speed for our industry.

Are you getting the support you need from CrowdStrike?

Absolutely. The CrowdStrike account team has been integrated from the start. We meet with them regularly, as opposed to the Microsoft team, who would only show up on QBRs, then focus on licensing and headcount — not how they can help us. Conversely, CrowdStrike asks how we’re doing, what threats and behavior we’re seeing, where they can improve, etc. Plus, if I send a message to the CrowdStrike team, they get back to me with a solution the same day — not two quarters later saying they’re still trying to figure things out.

Any other differences you want to highlight to help others in your position?

It’s refreshing to have CrowdStrike with us at the table trying to solve our security challenges — not asking why our user behavior is so poor. That’s really the journey that drove us away from Microsoft: their systemic failure to stop the breach, their lack of support from the account team and the final insult in that relationship — six months after the incident, they touted as a win that they were still working on root-cause analysis. By that point, we had already moved on.

Final thoughts?

When you look at both companies, the difference is clear. CrowdStrike is motivated to invest in security, stay on top of threats, partner in our success and offer a clear path to consolidation. Put simply, we feel more confident with CrowdStrike. Rather than wasting time trying to figure out why our security tools failed, we can focus more on real threats and be more proactive.

Additional Resources