Friday, July 19, 2024

CrowdStrike Microsoft IT Security Event

CrowdStrike and Microsoft discussion starters - July 19th.

A perspective on the business interruption that occurred today, impacting operations globally. 

First, it is essential to emphasize that, based on the information currently available, this was not a cyberattack, was not caused by a threat actor, and did not compromise confidential information. It did, however, take down system availability. Availability is one of the three core security properties (Confidentiality, Integrity, and Availability), and losing it is by itself enough to make this a cybersecurity incident by our own criteria.

While such occurrences are rare, they highlight the growing complexity and risk that come with centralized infrastructure and remotely managed computing. At approximately 1 AM on July 19th, a CrowdStrike channel (content) update crashed Windows servers and workstations into a blue-screen boot loop, leaving them unusable. The incident most likely resulted from inadequate testing or staged-deployment controls before the content update was released. Industry speculation includes failures within the CI/CD (Continuous Integration and Continuous Delivery/Deployment) pipeline, among other possible faults. Balancing the rapid release of new detection content against adequate testing is a genuine risk-and-reward trade-off.

The situation was exacerbated by Microsoft BitLocker encryption on workstations. The fix required booting each affected machine into Safe Mode or the Windows Recovery Environment and removing the faulty channel file from the system volume; on a BitLocker-protected volume that cannot be done without the 48-digit recovery password. Those keys, where they were escrowed at all, sit in Active Directory, Entra ID, or a key-management service that only system administrators can read, so recovery required skilled IT staff with access to that store to retrieve the key for every machine and apply the corrective steps by hand.
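As an added example (not code from the original post or from CrowdStrike or Microsoft), the following PowerShell script does the two checks this recovery exposed as critical: it confirms that every BitLocker-protected volume on a client has a recovery password protector and escrows it to AD DS or Entra ID, and it gives a help-desk lookup that pulls the escrowed password for a named computer. It assumes an elevated session on a domain-joined Windows client with the built-in BitLocker module, the RSAT ActiveDirectory module for the lookup, and a hypothetical host name.

```powershell
# Added example, not the original author's code. Assumes: elevated session on a
# domain-joined Windows client; BitLocker module present; RSAT ActiveDirectory
# module installed for the help-desk lookup; 'WS-EXAMPLE-01' is a hypothetical host.
#Requires -RunAsAdministrator

function Get-RecoveryProtector {
    param([Parameter(Mandatory)][string]$MountPoint)
    # Only the numerical (48-digit) recovery password can unlock a volume from WinRE
    # when the TPM refuses to release the key, e.g. after a boot-path change.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

function Invoke-BitLockerKeyEscrow {
    param([switch]$ToEntraId)   # default target is on-prem AD DS
    foreach ($vol in Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }) {
        $protectors = Get-RecoveryProtector -MountPoint $vol.MountPoint
        if (-not $protectors) {
            # Volume has no recovery password at all: add one before escrowing,
            # otherwise there is nothing an administrator could hand to the user.
            $null = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
            $protectors = Get-RecoveryProtector -MountPoint $vol.MountPoint
        }
        foreach ($p in $protectors) {
            if ($ToEntraId) {
                BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId
            } else {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId
            }
            "{0} protector {1} escrowed" -f $vol.MountPoint, $p.KeyProtectorId
        }
    }
}

function Get-ADBitLockerRecoveryPassword {
    # Help-desk side: read the msFVE-RecoveryInformation objects stored as children
    # of the computer object, newest first, so the right key is read out to the user.
    param([Parameter(Mandatory)][string]$ComputerName)
    Import-Module ActiveDirectory
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
        -Properties 'msFVE-RecoveryPassword', 'whenCreated' |
        Sort-Object whenCreated -Descending |
        Select-Object @{ n = 'ComputerName';     e = { $ComputerName } },
                      @{ n = 'KeyId';            e = { ($_.Name -split '{')[-1].TrimEnd('}') } },
                      @{ n = 'RecoveryPassword'; e = { $_.'msFVE-RecoveryPassword' } },
                      whenCreated
}

Invoke-BitLockerKeyEscrow
Get-ADBitLockerRecoveryPassword -ComputerName 'WS-EXAMPLE-01'   # hypothetical host name
```

Two caveats worth checking before relying on this: BackupToAAD-BitLockerKeyProtector only succeeds on Entra-joined or hybrid-joined devices, so on-prem-only fleets must use the AD DS path, and the help-desk lookup works only if the account running it has been delegated read access to msFVE-RecoveryInformation objects. Escrowing keys that nobody on the recovery team can read is exactly the gap this incident exposed.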

This incident underscores the value of exploring zero-dollar retainers for IT services, so that firms with Subject Matter Experts (SMEs) are already under contract and can reinforce help-desk recovery efforts on short notice. It also highlights the importance of robust Business Continuity Planning (BCP) and Out Of Band (OOB) communication capabilities that do not depend on the affected endpoints, ensuring business resilience and risk mitigation.

In light of these events, it is worth revisiting contract management and Service Level Agreements (SLAs) with partners and supply-chain entities to understand each party's obligations. As a leading entity in the Endpoint Detection and Response (EDR) space, CrowdStrike's influence is far-reaching. Switching to a different EDR platform involves significant reconfiguration, software installation, and upskilling of Security and IT teams. Weighing that change impact and overall risk against the benefits is not a trivial effort.

Root-cause validation and other lessons will unfold over the coming weeks, along with potential SEC filings, negligence lawsuits, and other ramifications. It is imperative that we, as an industry, demand better performance and reliability from CrowdStrike and our partners.

