CrowdStrike was brought before a US Congressional Committee on September 24 to explain why its cybersecurity solution triggered one of the largest IT outages ever seen. A senior official told Congress that the company was “deeply sorry” that a flawed update pushed out to its market-leading Falcon endpoint detection and response (EDR) software in July caused widespread disruption across airlines, banking systems, healthcare, manufacturing, government services, and more.
The financial cost is still being counted, but it’s estimated that the outage caused more than $500 billion in direct losses at Fortune 500 companies with only around 10-20 percent of these losses likely to be covered by insurers. Delta, for example, was forced to ground more than 7,000 flights in the aftermath, incurring losses of $500 million. The risk of lawsuits being launched against CrowdStrike by companies impacted in this way remains very real.
In its appearance before Congress, CrowdStrike sought to reassure lawmakers that it was acting on the “lessons learned” from the incident so such an outage could never occur again.
But the uncomfortable truth is: it almost certainly will. Here’s why.
A crisis waiting to happen
The update that CrowdStrike pushed out to its Falcon EDR software on July 19 was nothing special. In fact, CrowdStrike revealed to Congress that it issues 10 to 12 similar updates every single day. We can assume that the majority of the other “Magic Quadrant” EDR vendors employ similar levels of constant updating.
These constant updates are pushed out to devices with little or no warning – and come with the risk of corrupting the devices they are loaded on. A minor issue may result in false positives that cause disruption. But in the case of the July 19 CrowdStrike incident, users on Windows machines suddenly found themselves facing the “blue screen of death” and were forced to reboot in safe mode to remove and fix.
Until there is a fundamental rethink in these update processes, we only have CrowdStrike’s word that the likelihood of it happening again is reduced.
Up to now, this risk has been justified by the EDR industry. That’s because they’re always one step behind the bad guys. To block an attack, a cybersecurity vendor first needs to be aware of it. As a result, vendors that use this model are permanently in reactive mode. To minimize the impact on customers, they must continue to increase the number of updates as soon as a way to block them is found. And as the number of attacks continues to grow, so must the number of updates.
The irony of the July 19 incident was that, even though it wasn’t a cyberattack, the blast impact was far worse than any attack in recent memory. It could be classified as an unintentional supply chain attack. This type of attack came to the fore with the SolarWinds attack of 2020 and there have been hundreds of “intentional” supply chain attacks in the period since.
How can I trust what my vendor is sending me?
The end customers of these cloud-based cybersecurity solutions, fearful of a repeat of July 19, can no longer be confident that the updates they receive from their vendor are fully tested and suitable for all their devices. Those with critical infrastructure, for example, cannot risk accepting an update that has the potential to bring their systems down without validating it first. This could mean staging an update on a testbed or limiting the update to non-critical devices to check for the blue screen of death.
But resorting to manual validation processes requires time and human resources. It also means putting tools in place to prevent automatic updates and waiting to see if the update runs smoothly elsewhere before installing. This can be challenging because EDR vendors often make it difficult to intercept such updates. The manual approach also undermines the central value proposition of a product such as CrowdStrike: if you’re not taking the updates, then your risk of sustaining an attack increases substantially over time. In a world where today’s cybercriminals – often nation-state-backed – are harnessing AI to launch increasingly sophisticated attacks with increasing frequency, guarding only against last week’s attacks leaves you vulnerable.
Moving beyond the patch-and-update model
How can companies protect themselves? The answer lies in adopting a more generic approach to cybersecurity, which doesn’t require an update to stop each new form of attack. This type of solution is able to observe the processes and code used as they execute in memory, and uniquely detect – and block – the vast array of generic attack techniques.
Lightweight agents on each device integrated at ring zero of the OS kernel provide the visibility to intercept such attack techniques without ever needing an update. This means protection from zero-day attacks on day zero, not shortly thereafter. It is a complement to existing solutions, rather than a replacement. But it can also detect and stop EDR vendor updates from loading on critical devices, and hold them back until approved if necessary.
The CrowdStrike outage serves as a stark reminder of the risks posed by the current state-of-the-art EDR industry model for staying protected. And until alternative solutions are put in place, it is only a matter of when – not if – such an outage will happen again.
We’ve featured the best encryption software.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro