The Case Towards Abandoning CrowdStrike Publish-Outage

COMMENTARY

The now-infamous July CrowdStrike outage sparked world chaos and numerous conversations about vendor safety. Regardless of the trade noise and myriad headlines concerning the outage — and its potential value of greater than $5 billion to Fortune 500 firms alone — there’s a larger image we should take into account. And that’s how, as an trade, we perceive the dangers concerned and reply to main outages and different cybersecurity crises. 

Whereas the CrowdStrike outage was a freak accident, it is seemingly not the final time we’ll witness this type of meltdown from a significant expertise supplier. As our digital ecosystems turn out to be additional interconnected and enterprises more and more put their belief in singular distributors, enterprise leaders must grapple with the inevitability of comparable occasions, whether or not from a easy outage or a malicious hack. In each case alongside that spectrum, nonetheless, these leaders should keep away from knee-jerk reactions that would in the end do extra hurt than good. Blindly switching to a brand new vendor or making drastic adjustments to IT and safety processes may introduce safety holes that exacerbate vulnerabilities in a corporation’s general safety posture, quite than bettering it.  

As an alternative of instantly leaping ship, listed below are the three issues firms ought to do within the wake of a CrowdStrike-like occasion to make sure enterprise continuity and excessive operational requirements.  

1. Assess Distributors’ General Reliability and Danger

Switching distributors after an incident is not as easy — or as helpful — as it might appear. Earlier than switching, companies should consider each the prevailing and potential vendor, and assess every vendor’s general reliability and danger. As an illustration, Resilience buyer information reveals that regardless of the July incident, CrowdStrike Falcon is extremely efficient. It has the bottom proportion of fabric claims of endpoint detection and response (EDR) distributors in Resilience’s portfolio, with fewer than 3% of shoppers with Falcon experiencing a cyber-insurance declare with losses. After all, no firm can — or ought to — declare the power to keep away from 100% of incidents, however in these sorts of deliberations, it is important to place a vendor’s long-term monitor file into perspective. On the flip aspect, nonetheless, if a vendor reveals a constant historical past of outages or vulnerabilities (as has VPN supplier Ivanti, of late), poor efficiency or communication, and lengthy delays in remediation, an incident might be the useful forcing consider contemplating the advantages of making an attempt one thing new.  

It is also vital to notice the prices of switching distributors that transcend sticker value, comparable to implementation time, workers coaching prices, and adjusting workflows to include the brand new system and meet enterprise wants. These third-party danger issues have to be thought-about, with management weighing the enterprise interruption prices of an outage with the prevailing vendor towards the whole prices that include making a swap.  

2. Keep away from Radical Modifications to the Replace Course of

This explicit outage raised the problem of replace cadence and testing frequency, with many arguing that the affected organizations ought to have taken a extra cautious, thorough strategy to testing the replace earlier than rolling it out. However delaying updates is a calculated danger, and never essentially one that almost all firms ought to be taking. Antivirus and EDR signatures are designed to counter quick-breaking, rising threats towards current methods, so when you can determine to attend to permit the days or perhaps weeks it might take to completely take a look at the replace, you might be leaving your methods susceptible to new exploits within the course of. Menace actors solely develop quicker and extra subtle of their approaches, so fast safety updates are extra essential than ever. The danger of taking further precautions in testing will not be price it for each firm, particularly since most updates occur seamlessly. In any case, a part of the rationale CrowdStrike made headlines was as a result of the outage was so out of the abnormal. 

In an ideal world, the place dangerous actors weren’t a constant menace and replace processes took no additional time, following the everyday greatest follow of testing each replace that comes from each vendor is likely to be possible. However in the true world, adjustments to the replace course of are more likely to decelerate your defenses. In the end, there isn’t any one-size-fits-all reply, and the very best strategy will depend upon the precise group and its danger tolerance.  

3. Do not Panic

It is tempting to liken incidents like CrowdStrike to pure disasters (comparable to catastrophic hurricanes), however that oversimplification distracts from the guts of the problem. Whereas many insurers use this analogy to explain cyber occasions, it is neither correct nor helpful, because it turns into an apples-to-oranges comparability that frames cyber incidents or outages as one-sided and world-ending. However the actuality is way completely different. There is no tangible approach for people to forestall or mitigate the depth of class hurricanes or tornadoes, however there are definitely easy, actionable steps we are able to take to mitigate the monetary impression of an outage or counteract the unfavourable results of a possible assault. This consists of implementing correct cyber hygiene, transferring monetary danger via cyber insurance coverage, and having an in depth cybersecurity motion plan within the occasion of an assault or outage. It is not solely possible however important that firms take these steps to stay operable and functioning within the midst of an incident.  

In brief, decision-makers throughout the board cannot permit themselves to make reactive or fear-based selections on their safety posture immediately following a cyber incident. These knee-jerk reactions may result in higher problems and introduce a bunch of latest vulnerabilities simply ready to be exploited. As an alternative, leaders should deal with understanding the foundation explanation for the incident, studying from it, and making risk-driven selections that mitigate the best monetary loss and enhance their group’s general cyber resilience. This consists of taking a proactive strategy and incorporating third-party danger administration into enterprise continuity planning. That approach, you can keep away from catastrophic interruptions to your day-to-day enterprise and keep continuity and resilience within the face of a cyber incident.