Paris-based HarfangLab wants to differentiate itself from its endpoint security rivals. CSO Anouck Teiller explains how the company responds to the needs of European organizations and why openness in cybersecurity is crucial.
HarfangLab’s differentiation from the likes of CrowdStrike or SentinelOne can be explained in three ways. Two of them are technical. First, unlike many competitors who process data in their own cloud, HarfangLab can operate entirely within the customer environment. “We can deploy on-premise, as well as in the public cloud or through our own OVHcloud environment,” Teiller explains. This approach allows HarfangLab to meet specific regulations, trust requirements and/or existing customer practices.
Second, and above all, HarfangLab strives for transparency. Teiller emphasizes that “endpoint security solutions are deeply nested in IT systems. Usually their software is a black box.” At HarfangLab, all detection rules are open, available and customizable, which gives security professionals more control over, and confidence in, the system they are using. A REST API lets users build integrations with their existing tooling themselves, and anyone needing help in this area can always contact HarfangLab.
European vision
The final aspect that sets HarfangLab apart from the competition is that it is entirely European. Not only does this ensure that data stays on the continent, but Teiller argues that her company also broadly shares the values of the regulators in Brussels. The message is clear: GDPR compliance and modest, manageable data collection from customers come naturally. Customers who do not want HarfangLab to collect any data at all can arrange that. In addition, the four founders have combined experience from various branches of the French military and the nation’s cybersecurity agency, ANSSI. Such résumés give the promises above some much-needed heft.
All this still cannot be substantiated without transparency. HarfangLab’s open approach offers significant advantages, Teiller says. It gives analysts the control they need to tailor the solution to the customer’s specific IT environment. “Every customer is specific,” Teiller emphasizes. This flexibility allows HarfangLab to serve everyone from small businesses to large government ministries, without the product being set up for one end of the scale or the other. Scalability and flexible deployment have been key to HarfangLab’s premise from the get-go.
While no two customers are exactly the same, there are similarities. Again, Teiller outlines a three-fold split: very mature organizations; parties that need some help getting started; and customers that lack in-house expertise and can also turn to an MSSP. The last group obviously requires the most attention to get started and can rely on an MSSP for the day-to-day running of the tooling. Organizations that do engage an MSSP can purchase HarfangLab through more than 50 of the company’s partners.
Kernel mode all the same
Endpoint security has only become more relevant. Cyber threats keep increasing and their effects are far-reaching. Attackers enter organizations through the outer edges of their IT systems and are often barely detectable. The conclusion endpoint vendors draw is that monitoring has to reach the deepest levels of the operating system; otherwise attackers have free rein there.
This brings us to the infamous CrowdStrike incident of July 19, 2024. Organizations worldwide had to halt work because of a faulty update to a Channel File, a configuration file that the Falcon Sensor loads to pick up the latest detection content; it was a content update, not a new driver. Because the sensor runs as a kernel-mode driver, the fault it hit could not be contained the way a user-mode crash can: Windows halts the whole machine with a blue screen rather than keep running with corrupted kernel state, which is how one bad file took down entire fleets. It was a painful and very costly mistake, but CrowdStrike has maintained that this depth of OS access is simply required to get endpoint security right.
HarfangLab also runs in kernel mode, for the exact same reason, and so carries the same responsibility to keep systems running. There is a crucial difference in HarfangLab’s setup, however: customers already decide when updates are applied (a control CrowdStrike only introduced after the July 19 incident). They can also always roll an update out gradually and stop it if something does not go to plan. “If we didn’t have kernel-level access, we wouldn’t be able to see those cyber threats at that level,” Teiller explains. She emphasizes that HarfangLab follows strict rules to use this level of access responsibly. Microsoft, which as the owner of Windows has complete control over the OS, has to tolerate competition in this space, since its own security suite relies on kernel-level access all the same.
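The staged-update policy described above (the customer picks the window, pushes the update ring by ring, and can pull the brake) is easy to describe and easy to get wrong, so here is an added illustration of the gating logic. This is example code written for this article, not HarfangLab’s own implementation: the ring names, hostnames, version strings, 5% crash threshold, maintenance window and the crash telemetry are all constructed assumptions, standing in for the real crash reports an EDR vendor or customer would collect.

```python
"""Staged agent rollout with a customer-held brake.

Added illustration for this article, not HarfangLab's own code. It pushes an
update ring by ring (canary first), inside a customer-chosen window, and halts
on an operator brake or when a ring's crash telemetry exceeds a threshold.
All names, versions, thresholds and telemetry below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Callable


@dataclass(frozen=True)
class Ring:
    name: str
    hosts: tuple[str, ...]


@dataclass
class Rollout:
    version: str
    completed: list[str] = field(default_factory=list)
    halted: bool = False
    reason: str = ""


# Constructed fleet: a lab canary ring, a pilot ring, then everyone else.
RINGS = (
    Ring("canary", ("lab-01", "lab-02", "lab-03", "lab-04")),
    Ring("pilot", ("hr-11", "hr-12", "fin-21", "fin-22", "it-31", "it-32")),
    Ring("fleet", tuple(f"ws-{i:03d}" for i in range(1, 41))),
)
GOOD_BUILD = "2.3.1"   # assumed version strings, not real releases
BAD_BUILD = "2.3.2"
MAX_CRASH_RATE = 0.05  # assumed: more than 5% bugchecks in a ring stops the rollout


def in_maintenance_window(now: datetime, start: time, end: time) -> bool:
    """The customer decides when updates may be applied (same-day window only)."""
    return start <= now.time() < end


def ring_crash_rate(ring: Ring, telemetry: dict[str, dict], version: str) -> float:
    """Share of a ring's hosts that did not come back healthy on `version`.

    A host that never reported, or still reports an older version, counts as a
    failure: after a kernel-mode update, silence from an endpoint is not good news.
    """
    bad = 0
    for host in ring.hosts:
        report = telemetry.get(host)
        if report is None or report["version"] != version or report["bugcheck"]:
            bad += 1
    return bad / len(ring.hosts)


def advance(rollout: Rollout, rings: tuple[Ring, ...],
            observe: Callable[[Ring, str], dict[str, dict]],
            now: datetime, window: tuple[time, time], max_crash_rate: float,
            brake: Callable[[], bool] = lambda: False) -> Rollout:
    """Push rollout.version through the rings in order, recording why it stopped.

    Completed rings are skipped, so the call can be repeated in a later window.
    """
    for ring in rings:
        if ring.name in rollout.completed:
            continue
        if not in_maintenance_window(now, *window):
            rollout.halted, rollout.reason = True, "outside maintenance window"
            return rollout
        if brake():
            rollout.halted, rollout.reason = True, "operator halted rollout"
            return rollout
        rate = ring_crash_rate(ring, observe(ring, rollout.version), rollout.version)
        if rate > max_crash_rate:
            rollout.halted = True
            rollout.reason = f"ring {ring.name}: crash rate {rate:.0%} exceeds {max_crash_rate:.0%}"
            return rollout
        rollout.completed.append(ring.name)
    return rollout


def simulated_observe(ring: Ring, version: str) -> dict[str, dict]:
    """Constructed telemetry in place of real crash reports: the good build is
    clean; the bad build bugchecks every host whose name ends in an even digit."""
    return {host: {"version": version,
                   "bugcheck": version == BAD_BUILD and host[-1] in "02468"}
            for host in ring.hosts}


def run(version: str, at_hour: int = 23, brake: bool = False) -> Rollout:
    """One rollout attempt at the given hour on an assumed date and window."""
    now = datetime(2024, 7, 19, at_hour, 0)   # assumed clock reading
    window = (time(22, 0), time(23, 59))      # assumed nightly window
    return advance(Rollout(version), RINGS, simulated_observe, now, window,
                   MAX_CRASH_RATE, brake=lambda: brake)


if __name__ == "__main__":
    for v, hour, brk in ((GOOD_BUILD, 23, False), (BAD_BUILD, 23, False),
                         (GOOD_BUILD, 4, False), (GOOD_BUILD, 23, True)):
        r = run(v, hour, brk)
        print(v, "completed:", r.completed, "halted:", r.halted, r.reason)
```

The design choice worth noting is in `ring_crash_rate`: a host that does not report back after a kernel-mode update is counted as a failure rather than ignored, because a bugchecked machine cannot phone home, and the bad build is therefore stopped at the four-host canary ring before it ever reaches the fleet.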
Federated security platform
A general trend within cybersecurity is so-called “platformization”. We have already discussed this extensively and asked a multitude of experts in the field for their input. What is HarfangLab’s view?
First of all, Teiller thinks there are simply too many agents active on endpoints. “There needs to be a rationalization of endpoint agents. They collectively degrade performance and use too much memory and CPU time.” HarfangLab’s agent is therefore designed to do as much work as possible with as small a footprint as possible. This does require collaboration with other parties so that work is not duplicated.
The Open XDR Platform was founded in 2021 by several French companies, including HarfangLab. It is a collective of integrations between security players: you may not have heard of all of them, but they all integrate with one another. Teiller says it was an important step to make these various tools plug-and-play, collectively covering almost every area of security. Still, this is only a starting point.
Indeed, HarfangLab is committed to fostering European cooperation aimed at creating an integrated security platform, with the Open XDR Platform as its reference point. The company is already working with Austria’s Ikarus, which provides everything from mail security to antivirus. The list of managed options already includes the EPP tool HarfangLab Guard. “We are certain that the security playing field can be thought out most meaningfully at the European level,” Teiller said.
Guidance is lacking
Cooperation is already taking place, sometimes even beyond Europe: consider HarfangLab’s active contributions to the MITRE framework and its sharing of threat intelligence. Customer incidents are also regularly worth reporting to the outside world so that everyone learns from them. Says Teiller, “If there is a vulnerability or an attack technique, within 24 hours an attacker is actively exploiting it.” This motivates vendors to go public with their knowledge.
According to Teiller, today’s regulations aren’t always what drives real improvements in the level of cybersecurity inside companies. Unfortunately, a company’s preparedness often only improves once it has suffered a ransomware attack or a data breach. It is important not to wait for an attack like that, Teiller stresses.
HarfangLab does want more guidance from regulators. It was the first EDR vendor to receive an ANSSI certificate, in 2020; the certification requires rigorous testing for vulnerabilities, review of the cryptography used and evidence that day-to-day software development is done securely. The certificate was renewed in 2024. ANSSI certification is also recognized by Germany’s BSI. German customers are not yet convinced, however; they look to their own national agency for guidance. The EU Cybersecurity Act, agreed in 2018, was meant to lay the groundwork for European certification, but Teiller notes that little has actually changed in this area. A European certificate is not coming anytime soon.
Conclusion: an open plan
HarfangLab has cultivated a character of its own, and in a crowded playing field that is an advantage. Still, European regulators could take a firmer line in promoting endpoint security built on EU values. Lenovo and Dell, for example, have signed deals with SentinelOne and CrowdStrike, respectively, to ship enterprise machines with EDR tooling pre-installed. Teiller sees this as a worrisome development that will have a negative impact on customers. “The risk with these OEM integrations is that it gives customers vendor lock-in,” she said. One does not have to choose HarfangLab, but the choice should be there to make in the first place, she argues.
Admittedly, HarfangLab does not yet have the global profile of the larger U.S. players, and it faces plenty of European competition too, from Sophos, ESET and Bitdefender, to name a few. But by handing control to security professionals, HarfangLab has a chance of adoption in more ways than one: the tools are modular and, as mentioned, can be updated when it suits the customer.