The recent Microsoft Windows outage brought about by a CrowdStrike update has invariably sparked conversations among MSSPs, MSPs and the wider cybersecurity world around cyber resilience and the incident’s massive operational, financial and legal impact.
Andrew Douthwaite, chief technology officer for VirtualArmour, a UK-based MSSP, offered MSSP Alert his perspective on the incident that brought the “blue screen of death” to 8.5 million Windows machines on July 19. He believes that the incident has brought to light the fact that the reliance on a single vendor has the potential to “really cripple your organization” — not just over an issue involving inferior code that paralyzed Windows operating systems but also in the event of a hacking incident.
“Obviously, this has been shaking the industry, so now everyone will be checking their policies, procedures, software development lifecycle and how they operate within that and how release work, quality control and everything alongside that,” he said.
Douthwaite discussed the need for “defense in depth,” describing it as a combination of different security layers as well as different vendors.
“That where you see true XDR (eXtended detection and response) players moving in that world as a being a central point for all kinds of logs and visibility,” he said. “Next-generation SIEM (security and event management) is where you get your visibility. That’s where you can pull everything together, correlate it all, normalize the data and look at al in one kind of default format.”
And that’s where an MSSP like VirtualArmour would come in, says Douthwaite, offering 24/7 monitoring investigation and support for whole or parts of environments as well as actual infrastructure.
Making Cyber Resilience a Priority
Cyber resilience is about much more than just having the best tools. It means ensuring that the failure of any one tool still allows the organization to maintain an adequate security posture and operational availability. For MSSPs, this solution clearly lies in tool redundancy. But how can MSSPs accomplish tool redundancy when security tools turn out to be even more compellingly complementary than expected?
“I think a lot of Security Teams, in terms of resilience, are looking at how they access machines, when they are actually offline?” Douthwaite said. “How do we access them if they are remote, in a data center or anywhere without physical access? How do we access them to apply a fix if Active Directory is down due to the same issue? The gap here appears to be in the QA process. This didn’t hit a niche set of operating systems. This was Windows and not a specific version of Windows either.”
For CrowdStrike’s part, he believes there are “a hell of a lot of lessons” to be learned.
“Actually, CrowdStrike itself kicked in and stopped the device management tools from removing the bad file because it’s part of the CrowdStrike package,” Douthwaite said.
He added, “The gap that’s missing for me is where’s the QA (quality assurance) process really? It didn’t just hit a very niche kind of set or operating systems. It hit almost every Windows operating system that wasn’t built within that time period.
Ultimately, it was Fenix24, a cyber disaster recovery firm within Chattanooga, Tennessee-based Conversant Group, that created an alternative scripted solution to assist companies affected by the CrowdStrike outage. The Windows scripts effectively forced the reboot of machines into Safe Mode and then removed the problematic file.
CrowdStrike detailed its recovery efforts, and other technical details surrounding the outage in the Root Cause Analysis (RCA) [us-east-2.protection.sophos.com].
Financial and Legal Implications
CrowdStrike said it will give bespoke customer commitment packages that total up to about $60 million. The credits are not necessarily directly due to losses clients might have suffered during the outage, according to a company spokesperson. The company also cut its guidance for full-year earnings by about $86 million to $109 million. But that still leaves CrowdStrike expecting to make $3.9 billion on the year.
Credits alone won’t placate affected parties, as law firm Bronstein, Gewirtz & Grossman LLC a has notified investors that a class action lawsuit has been filed against CrowdStrike Holdings, Inc., according to a press statement. The lawsuit seeks to recover damages against defendants for alleged violations of the federal securities laws on behalf of all persons and entities that purchased or otherwise acquired CrowdStrike securities between November 29, 2023, and July 29, 2024.
Adam Meyers, senior vice president for counter adversary operations at CrowdStrike, will testify before the House Homeland Security Cybersecurity and Infrastructure Protection subcommittee on September, Reuters reported. The outage led to worldwide flight cancellations and impacted industries around the globe including banks, healthcare, media companies and hotels chains, and also disrupted internet services.