From Endpoint to Cloud, CoreWeave Consolidates Security Stack With CrowdStrike
If you haven’t yet heard of CoreWeave, you will soon. Founded in 2017, the New Jersey-based specialized cloud provider offers a high-performance, fully managed, Kubernetes-native cloud platform that is designed for large, GPU-accelerated workloads. Customers use the CoreWeave cloud for pixel streaming, metaverse, visual effects — all sorts of cutting-edge stuff.
In the early days, CoreWeave handled cloud security in-house. But as the company signed bigger and bigger clients, their risk profile changed. Around the same time, CoreWeave began offering online signups, allowing anyone with a valid credit card to get an account. It became clear they needed to scale their cloud security infrastructure.
CoreWeave soon hired Matt Bellingeri as CISO. Bellingeri had successfully used CrowdStrike in his previous role, but things were different this time: instead of protecting only endpoints, Bellingeri also needed to protect a high-performance cloud infrastructure — from application development and testing through run time.
No Performance Slowdowns
Bellingeri had one non-negotiable item in the proof of concept (POC) with CrowdStrike: performance.
“We’re selling high-powered compute as a product, so when milliseconds count and customers are paying by the hour for the latest and greatest GPUs, any degradation to performance caused by our security platform is a nonstarter,” explained Bellingeri.
Working alongside CoreWeave Engineering VP Peter Salanki, Bellingeri rolled out the CrowdStrike Falcon® agent on 10% of CoreWeave’s worker nodes using a Kubernetes DaemonSet, which automatically deploys a sensor container for every new worker node and protects that node and all containers running on it — including customer containers.
They watched for performance issues while probing the platform for vulnerabilities.
“We observed no impact to performance and CrowdStrike caught everything we threw at it … I was quite impressed,” said Salanki. “The fact that CrowdStrike worked so well made us lose interest in testing anything else further.”
After the POC, CoreWeave licensed CrowdStrike without further evaluating any other platforms. Within three weeks, they smoothly rolled it out to the rest of their cluster worker nodes.
Full Visibility From Cloud to Endpoint
CoreWeave now uses a suite of CrowdStrike products and services, including CrowdStrike Falcon® Cloud Security, CrowdStrike Falcon® Insight for endpoint detection and response, and CrowdStrike® Falcon OverWatch™ for managed threat hunting — all on the unified CrowdStrike Falcon® platform.
The biggest thing CoreWeave lacked prior to implementing CrowdStrike was visibility into their cloud hosted assets. With CrowdStrike Falcon® Cloud Security with Containers, they get real-time visibility into cloud workloads, containers and Kubernetes, enabling faster and more accurate detection, response, threat hunting and investigation.
“CrowdStrike is the star of the show in our security operations center,” said Bellingeri. “Our detections dashboard shows us anything CrowdStrike deems malicious, be it a cloud worker node or endpoint, giving us end-to-end visibility and protection.”
The alerts added confidence and saved time. CoreWeave was previously inundated by false positives. But after CrowdStrike’s support team helped them clean up their rulesets, false positives dropped by 100x, according to Bellingeri.
“CrowdStrike saves us hundreds of hours a year in unnecessary triage,” said Bellingeri. “For a lot of alerts, CrowdStrike kills the process before we can even get to our keyboards.”
CoreWeave uses Falcon OverWatch to augment their security staff. This ensures somebody is watching for anomalous behavior 24/7, be it CoreWeave staff or CrowdStrike staff. Bellingeri noted that because Falcon OverWatch analysts see so many incidents across so many attack vectors, he has high confidence in their alerts.
“The leads we get from Falcon OverWatch are different from anything else. When Falcon OverWatch sends us an alert, we drop everything to investigate it,” said Bellingeri.
Consolidating the Security Stack
Cloud security is always changing, so CoreWeave uses CrowdStrike Falcon® Spotlight as one of their ways to assess vulnerabilities on a weekly basis. This added intelligence helps Bellingeri and his team shore up any weaknesses and fully exploit their CrowdStrike modules.
They also look at threat intelligence on advanced persistent threats (APTs). According to Bellingeri, CoreWeave isn’t technically responsible for securing what their clients put in the cloud, but if he can help coach customers into being more secure, everybody wins.
“We use CrowdStrike research to determine if any of our customers are vulnerable to APTs. We then work proactively with those customers to make sure they have the right defenses in place, improving both their security posture and ours,” said Bellingeri.
From intelligence to endpoint to cloud, every CrowdStrike module that CoreWeave uses is part of the CrowdStrike Falcon® platform, allowing CoreWeave to consolidate their security stack.
“Having a single pane of glass for all our security tools is huge for us,” said Bellingeri. “We’re currently testing the CrowdStrike file integrity monitoring module … the fact that we can go right to the CrowdStrike store, enable a 30-day trial and deploy it within minutes drastically reduces our time to value.”
Security That Scales
CoreWeave revenue grew 450% from 2021 to 2022, demonstrating how a company that delivers massive computing scale can also scale as a business. Their launch partnership with NVIDIA, which gives CoreWeave early access to the world’s highest-performing GPUs, is expected to only accelerate this growth.
Bellingeri views CrowdStrike as a key partner in the company’s future.
“In our business, it only takes one breach to lose your customer’s trust, especially as a growing cloud competitor to the big three,” concluded Bellingeri. “CrowdStrike gives us high confidence in our security with zero impact to performance … the value is priceless.”