The Washington Post

Leading security companies Mandiant and CrowdStrike vow to collaborate

The arrangement, announced Thursday, aims to improve cooperation in probing and preventing computer hacks


Two of the most prominent U.S. cybersecurity companies have struck a deal to work more closely together, extending a trend of cooperation among companies and government agencies battling sophisticated spying operations, ransomware and the potential for disruptive or destructive attacks amid rising global conflict.

Mandiant, which is best known for leading investigations of breaches such as the ransomware attack that shut down Colonial Pipeline last year, will begin deploying protection tools from CrowdStrike as it advises customers on their defenses and responds to incidents, the two chief executives told The Washington Post. The deal is to be announced Thursday.

Both companies are famed for identifying and analyzing the most dangerous hacking groups, especially those connected to government agencies in Russia, China, Iran and North Korea, sometimes down to the real names and photos of military officers behind the keyboard.


But while Mandiant stresses high-end consulting work, especially since FireEye sold off its products business and the remaining company took the Mandiant name, CrowdStrike gets more than 90 percent of its revenue from selling tools to detect and respond to incidents, assess vulnerabilities and control access to customer networks.

CrowdStrike has handled investigations into major hacks, such as the Russian breach of the Democratic National Committee ahead of the 2016 election, and is the world’s largest provider of what is known as endpoint detection and response software, with a 14 percent share of the market, according to market research firm IDC. Its revenue has grown 75 percent in the past year.

“There could be some overlap, but at the end of the day, we want to have our technology in as many places as possible,” CrowdStrike chief executive George Kurtz said in an interview ahead of Thursday’s announcement.

“Our consultants are excited about it,” Mandiant CEO Kevin Mandia told The Post. “When you’re responding to a breach, you’re like a doctor. You don’t care who else is helping the patient.”

Google agreed last month to buy Mandiant for $5.4 billion, and it was a key early investor in CrowdStrike, but both sides said they had been talking about increased collaboration before the latest deal.

The cybersecurity industry has been one of the most successful in the past decade in terms of stock and revenue growth, although breaches have been getting worse.

One of the many challenges has been splintered responders. Companies like Mandiant, which are valued for what they have learned about hacking adversaries, can be reluctant to share that intelligence.

Scores of information-sharing alliances have sprung up in the past decade. But many companies withhold some of the most valuable information, and many in the industry complain that the U.S. government has rarely provided much that wasn’t already known in the private sector.

That landscape has improved remarkably in the past few years. The Cybersecurity and Infrastructure Security Agency now maintains a public, regularly updated catalog of vulnerabilities known to be actively exploited, and government officials are in direct contact with the leaders of hacked companies from the beginning.


The officials work with the commercial companies on the response, and multiple security firms work together on the most important cases, such as the attack more than a year ago that corrupted a software update from the network management company SolarWinds, pushing a backdoor to as many as 18,000 companies and government agencies and giving the attackers a foothold in a smaller set of chosen targets. Even though SolarWinds customers included the National Security Agency, Mandiant, then part of FireEye, was first to realize that its own network had been breached through the tainted update and to sound the alarm.

“Virtually every single breach, we see the FBI, we see CISA, there’s intelligence shared, there’s daily meetings on major cases,” Mandia said, adding that he immediately shares information with CrowdStrike, Microsoft and others.

“The new and novel and impactful can’t be kept in a club,” he said. “We have a damn war going on right now.”

Both CEOs said they believed that Russia has been holding off from a major cyberstrike that could hit the United States, perhaps seeking a time of maximum social or political impact.

“The biggest question everyone has is what will trigger Russia to hit the button, and what is the outcome — is it delete everything in multiple countries, or is it a precision strike?” Mandia said.

Kurtz said he was most concerned about supply chain attacks, like the one that leveraged SolarWinds, and something against the financial sector, where Russia is now less involved.

But he said he thinks some options available to the Russian government can be used only once before the technique is exposed and can be countered, and so it waits.

The big one, he said, “is going to be reserved for more levels of escalation.”