What has since become known as the CrowdStrike Outage manifested itself as a breakdown of Windows. Suddenly, roughly 8.5 million Windows devices showed the “blue screen of death” on a single morning. No one understood how a computer that no one had changed could suddenly collapse. Of course, those devices had been changed – silently, behind the scenes by an automatic update.
The incident
The worldwide outage occurred on July 19, 2024, due to an error in a rapid response content configuration update to CrowdStrike’s Falcon platform. This update inadvertently caused widespread system failures, particularly impacting Windows-based systems. The error was non-malicious but resulted in severe disruptions in sectors including healthcare, aviation, finance, and government operations.
Impact on industries
- Healthcare: Hospitals and healthcare systems were among the hardest hit. The outage disrupted electronic health records (EHRs), delayed surgeries, and hindered emergency services. Healthcare providers had to resort to manual processes, significantly slowing down operations and affecting patient care. The American Hospital Association (AHA) reported that the outage’s full impact on hospitals and health systems might not be known for weeks.
- Aviation and Transportation: Airlines and transportation networks faced operational disruptions, including delays and cancellations. The aviation industry, which relies heavily on real-time data for flight operations, experienced significant setbacks, impacting passengers and logistics.
- Finance: Financial institutions reported issues with transaction processing and cybersecurity monitoring. The downtime posed risks for potential breaches and financial losses, prompting urgent responses to secure systems and restore normalcy.
- Government Services: Various government agencies experienced disruptions in their IT services, impacting public services and critical infrastructure. The incident highlighted the vulnerability of public sector systems to technology failures.
Immediate response and remediation
CrowdStrike, in collaboration with Microsoft, initiated a rapid response to mitigate the outage’s impact. The remediation process included:
- Manual System Restorations: Organizations had to manually restore millions of computers, a time-consuming and labor-intensive task.
- Special Updates: Microsoft and CrowdStrike provided targeted updates to aid in system recovery.
- Continuous Support: Both companies committed significant resources to assist affected industries, prioritizing critical sectors like healthcare.
John Riggi, AHA’s national advisor for cybersecurity and risk, praised the collective efforts to restore hospital systems but acknowledged the ongoing challenges in fully assessing and rectifying the outage’s impact.
Broader implications
The CrowdStrike outage underscored several critical issues in the cybersecurity landscape:
- Dependency on Single Providers: The incident highlighted the risks associated with relying on a single cybersecurity provider. Organizations are now reconsidering their cybersecurity strategies to include multiple vendors and layered security solutions to mitigate such risks.
- Need for Robust Backup Systems: The outage emphasized the importance of having robust backup and disaster recovery plans. Businesses are increasingly focusing on ensuring they have reliable backups and rapid recovery mechanisms in place.
- Enhanced Monitoring and Testing: There is a growing recognition of the need for enhanced monitoring and rigorous testing of updates before deployment. This incident has prompted many organizations to review their update deployment processes to prevent similar occurrences.
- Investment in Cyber Resilience: Companies are likely to increase investments in cyber resilience, including more comprehensive incident response plans and regular drills to prepare for potential outages.
Examine the wider market
The CrowdStrike outage has highlighted the critical importance of robust and reliable cybersecurity solutions. However, it also provides a wake-up call for businesses that rely on strong brands, expecting them to be the most reliable systems available.
This incident, together with other failures by highly respected brands, such as SolarWinds, shows that cybersecurity professionals can’t rely on any specific division of suppliers. This can be a liberating realization because it removes the bar to acceptance and encourages buyers to consider the industry disruptors for the innovations that they can offer.
CrowdStrike fundamentals
CrowdStrike is an endpoint protection system with cloud-based coordination. The company gained press attention in 2017 from the work of its threat research division, and that boosted the marketing effort of its new cybersecurity package.
CrowdStrike created an on-device anti-malware package, called Falcon Prevent, that used anomaly-based detection, which was the emerging thing of the time. The company’s cage-shaking move was to add on a cloud-based coordinator for on-device units. This stitched together a company-wide security system without needing to manage network security.
Competitors to consider
In the wake of the CrowdStrike outage, many businesses are exploring alternative cybersecurity solutions to ensure greater resilience and reliability. Here are some key competitors:
CrowdStrike vs. Perimeter 81
Perimeter 81 is an innovator and illustrates how quickly the cybersecurity issue has evolved since the days when CrowdStrike was the new kid on the block back in 2017. Perimeter 81 is a cloud-based connection protection system with a firewall front end on the cloud and a lightweight access app on each endpoint. Perimeter 81 made a market breakthrough in 2022 with its Zero Trust Access service.
Perimeter 81 fundamentals:
The origins of Perimeter 81 is a VPN service. It provides an endpoint access app that sets up one end of a secure connection, with the other end being managed by a VPN server. The VPN server acts as a hub, forwarding traffic from one VPN link to another. The VPN server acts as a front for the business, and all traffic from outside has to pass through that server in order to get to an endpoint or service within the system. This is the location of malware analysis. Perimeter 81 integrates application access into its system connection app for users.
Summary:
- Developed from VPN technology: This system blocks any traffic from getting onto a network other than through the VPN server
- Off-site security operations with an on-device access unit: The core unit of CrowdStrike Falcon installs on endpoints and the cloud unit is a coordinator
- Network protection: CrowdStrike Falcon focuses on endpoint protection
- Integrated application access control: CrowdStrike added on a separate unit for this through acquisition
- Malware scanning at a cloud-based gateway: CrowdStrike performs malware scanning on each device
The cybersecurity industry has moved on since CrowdStrike Falcon was first planned. The Perimeter 81 strategy of loading all assessments and controls onto a cloud-based unit is now the industry norm.
CrowdStrike vs. Cloudflare
Cloudflare created an innovative service to deal with distributed denial of service (DDoS) attacks. Denial of service was first formulated in 1997, but DDoS became a much bigger threat because false convection requests come from many different sources. Those “attackers” are actually infected computers, called zombies, that get coordinated into a botnet. Cloudflare provided a barrier to access, dropping fake traffic and passing through the genuine requests.
Cloudflare fundamentals:
Cloudflare’s cloud-based traffic management system effectively provided a cloud firewall service, which has evolved into an entire industry sector. You will also see systems dubbed Firewall-as-a-Service (FWaaS) – these are also descended from the Cloudflare strategy. The dedicated IP service of Perimeter 81 is also based on the original Cloudflare system. Cloudflare has added complementary services that it can implement on its cloud server while processing. This extends to SSL certificate provision, connection encryption, malware, spam, and phishing blockers, data loss prevention, a Web application firewall (WAF), and a secure Web gateway (SWG).
Summary:
- A proxy service: Stands between a business’s network and the wider internet
- Examines passing traffic: CrowdStrike performs its scans on endpoints within the network
- Blocks malicious traffic patterns: CrowdStrike’s strategy to address network attacks is to keep its endpoint protection working in isolation
- Strong marketing to new businesses: Offers a free plan including a free SSL certificate, marketed through Web hosting providers
- Can create a secure virtual network: CrowdStrike also offers a SASE package
Over the years, the disruptor brand, Cloudflare, has become mainstream as other cybersecurity providers mimic its delivery model. This company works in partnership with major Web hosting services to offer a free package to the owners of new websites.
CrowdStrike vs Trend Micro
According to the 2023 IDC Worldwide Cloud Workload Security Market Shares report, Trend Micro was the largest selling cloud-based cybersecurity platform in the world for the fifth year running in 2022. So, this is a more popular security system than any other product in this list report, including CrowdStrike. Trend Micro is an XDR platform. That means “extended detection and response” which means it uses AI and interfaces to third-party tools to extend the typical endpoint detection and response strategy. This is very similar to the CrowdStrike Falcon Insight XDR package.
Trend Micro fundamentals:
Trend Micro dominates the market through marketing excellence. There isn’t really anything about their product that distinguishes it from the pack. It deploys a dual-level system with endpoint protection units and a central cloud-based coordinator. There are many rival systems, including CrowdStrike Falcon Insight XDR, that do exactly the same thing.
Summary:
- A hybrid solution: Combines an endpoint-resident unit and a cloud-based threat hunting service
- Central coordination for responses: CrowdStrike Falcon Insight XDR does the same thing
- An impressive cybersecurity research team: CrowdStrike provides threat intelligence as a paid extra
- Machine learning baseline for anomaly detection: CrowdStrike Falcon Prevent also has this
- Protects Windows and Linux endpoints plus cloud services: CrowdStrike offers a separate package for cloud protection
Trend Micro provides the closest competitor to CrowdStrike#’s main product, which is the Falcon platform. CrowdStrike provides cloud security as a separate product to its endpoint protection system.
CrowdStrike vs. Rapid7
Rapid7 is a cloud-based platform of cybersecurity services that keeps expanding. The core of the platform is a SIEM service that is also referred to as an XDR. The platform implements all of its work on the cloud platform and only provides data collectors for endpoints. This is a less intrusive solution than CrowdStrike Falcon Prevent but is easier to defeat than the CrowdStrike system because all an intruder needs to do is disconnect the device from the network and all protection is lost.
Rapid7 fundamentals:
The Rapid7 platform started with its cloud-based SIEM tool and then expanded. The tool has never been as strong at on-device security as CrowdStrike. However, the two companies have implemented very similar expansion strategies, adding on new features, such as vulnerability management, cloud security, security orchestration, automation, and response, and application security testing.
Summary:
- A SIEM service: Collects log files and also activity summaries prepared by its own agents
- A vulnerability scanner and attack surface manager: Matches CrowdStrike Falcon Exposure Management
- Cloud protection through data collection from cloud systems: Similar to CrowdStrike Falcon Cloud Security
- A threat intelligence feed: Competes with CrowdStrike Falcon Overwatch
- Security orchestration, automation, and response (SOAR): Equals CrowdStrike Falcon Fusion SOAR
One area where Rapid7 and CrowdStrike are weak is in the field of network security through firewalls. Neither company is interested in producing such a product, and both rely on their customers buying their firewalls from other providers.
CrowdStrike vs. Fortinet
Fortinet is a firewall brand. The company’s unique selling point is that it designed its own chips for its hardware firewalls. These make the equipment faster at processing traffic than all competition. The company resisted the move to the cloud for a long time because they don’t have that hardware advantage there. Now the company offers a cloud firewall and also provides complementary services that can act on traffic as it passes through, whether the device or the cloud server.
Fortinet fundamentals:
Fortinet customers can buy the FortiGate hardware firewall or the equivalent FWaaS on the cloud. Fortinet offers additional services that can be hosted on the same device as the firewall. Products include virtual networks, such as SASE and software-defined WANs (SD-WANs). Other services include DNS filtering, URL filtering, malware detection, an intrusion prevention system (IPS), and IoT detection.
Summary:
- An exceptional hardware firewall: FortiGate is an award-winning specially designed physical firewall
- Additional security services: These can all be loaded on the FortiGate appliance
- A cloud option: All of Fortinet’s products are now also available on the cloud
- A SIEM and a SOAR: Competes with CrowdStrike Falcon Insight and Falcon Fusion
- Virtual network management: SASE and SD-WAN options
Fortinet offers a lot of services that CrowdStrike doesn’t have, particularly its core product, the FortiGate firewall. There are products where the two brands overlap, notably SIEM and SOAR services.
CrowdStrike vs. ThreatLocker
ThreatLocker is riding a wave of two of the latest trends in cybersecurity: zero trust access and Allowlisting. The company produces a package called ThreatLocker Protect that includes three security services. These are the Allowlisting service, Application Fencing, and Network Control. CrowdStrike doesn’t have any services that match these tools. This is a cloud-based platform and its controls on resources remove the need for security monitoring.
ThreatLocker fundamentals:
The fundamental strategy of ThreatLocker is to block everything by default. It blocks software from running, it blocks users from accessing applications, and it blocks traffic from crossing the network. The administrator then allows specific users access to specific resources.
Summary:
- Blocks all software from running: Malware and user-installed utilities are just dead files
- The administrator creates an allowlist: Listed software is able to run
- Application fencing: The permitted software can only access certain resources
- Network access control: The system generates access control lists to block unauthorized traffic
- Blocks USB devices: Can permit specific devices for use by specific users on specific computers
ThreatLocker isn’t the only system that implements Allowlisting but it is probably the best available right now. This strategy completely removes the need to worry about malware, so you don’t need antivirus systems such as CrowdStrike Falcon Prevent.
CrowdStrike vs. Sophos
Sophos has been around since 1985, so its great innovation was the antivirus system. Sophos didn’t invent antivirus, it just entered the already established market. So, Sophos has been around for a lot longer than CrowdStrike, but its growth has been a lot slower. Sophos and CrowdStrike are like the turtle and the hare. CrowdStrike got a massive amount of free publicity in 2017 from its work identifying attacks on Sony and the Democratic Party. Sophos has always had to pay for its advertising and that has been a drag on growth.
Sophos fundamentals:
UK-based Sophos entered into an antivirus market that was dominated by US brands. The company carved itself a niche by focusing on supplying mid-sized companies. Slowly but surely, the company established brand recognition and managed to stay profitable. The entire antivirus market went through massive investment drives into AI. This created the Next-Gen Antivirus package, and Sophos managed to find the money to stay in that race. The company now also offers email security, firewalls, zero trust network access, and mobile security as well as its next-gen AV.
Summary:
- Endpoint protection and response: Delivered from the cloud and implemented through an agent
- An XDR: Competes with CrowdStrike Falcon Insight XDR
- Network security and SD-WAN service: Not offered by CrowdStrike
- A hardware firewall: Like FortiGate, this can also host additional security services
- Security awareness training: Competes with CrowdStrike University
Sophos steadily grew its brand through a reputation of reliability. Its EDR package protects computers running Windows, macOS, and Linux.
Source link