As a former FBI Special Agent in the Los Angeles Cybercrime Squad, I’ve seen my fair share of faulty software updates. However, the recent global technology disruption caused by a faulty CrowdStrike software update has really captured the world’s attention. The shock and awe that such a well-respected cybersecurity vendor has caused a major security incident has brought to light a previously overlooked area of third-party risk.
Given the reputation and trust placed in CrowdStrike, many companies automatically allowed its software update package to be installed on their systems without fully considering the possibility of a defect. As a result, no CISO expected the update to cause a global technology outage, resulting in systemic disruption to interconnected systems.
The consequences of the CrowdStrike incident were particularly severe for banks, hospitals, retailers and airlines.
Interestingly, some companies with outdated systems were not affected by the faulty update, while others with top-notch systems suffered outages for a few days or more. This is not a story of old technology versus new technology, as some articles have implied. Rather, it is a stressful story that argues for the need for a risk-based approach to minimize the possibility and impact of a faulty software update.
Know your supplier
CrowdStrike has been criticized for its automatic update process and for not staggering or scheduling the release to limit the potential for large-scale disruption. However, the company is not alone in taking this approach: many other security vendors also offer real-time, automatic updates to protect customers against a new cyber threat.
While CrowdStrike’s update was flawed, the incident nonetheless highlights the importance of balancing innovation across the IT systems landscape with more diligent management of third-party vendors. CISOs are reminded to foster secure innovation by collaborating with technology peers across the organization and forging strong partnerships with the company’s third-party vendors. The two priorities are not mutually exclusive, but rather intertwined.
Collaboration with technology peers enables better understanding, minimizing, and mitigating risks, ensuring the company can continue to innovate without increasing cyber risk to the business. Partnerships with critical third-party vendors provide greater assurance that vendors are prepared to respond at scale when the next unexpected disruption occurs. Understanding which vendors are distributed across a large portion of the corporate infrastructure and production environments (especially those that receive regular updates) can streamline software replacement processes with new and improved versions.
Controlling the unknown
CrowdStrike’s real-time, automated updates put these processes to the test. While immediate updates allow systems to quickly identify and neutralize threats, they also carry the risk of causing a complete system outage and subsequent business disruption. On the other hand, delaying updates by a day or two may mean missing out on the “latest and greatest” features right away, but it gives time to identify and address potential flaws first. The point here is that one is not better, but rather that both updates serve specific needs and purposes.
To determine which update is best from a security standpoint, CISOs should identify which systems require real-time updates and which can allow for deferred updates. High-risk systems that are externally facing may require near real-time updates that help identify and block zero-day attacks. Lower-risk systems located deeper in the infrastructure with additional layers of security between them and external attacks can be configured for deferred software updates of 4, 8, or 24 hours, allowing updates to settle a bit before updating more critical systems.
A faulty update issued by a cybersecurity vendor, among other things, is also a powerful reminder of the need to leave no stone unturned in managing third-party vendors. All vendors should be required to undergo ongoing legal, commercial and technological reviews and independent audits.
CISOs should require regular confirmation of their cybersecurity certifications and SOC 2 and ISO 27001 compliance and look for supporting evidence that they have patched a cited vulnerability or implemented a comprehensive update.
Another takeaway from the incident is the comparative value of decentralized management of network security versus a centralized model. The centralized approach is said to offer more consistency in security protocols and threat detection, but the downside is that when the central server is breached, the technologies connected to it go down with the ship.
On the other hand, the decentralized approach makes it harder for hackers to compromise an entire platform. By distributing data across many endpoints, if one point is attacked or suffers a faulty update, the rest of the ship moves on, increasing organizational resilience. However, decentralization alone is not a panacea. Information security teams must still prioritize mission-critical systems and software, which consequently guides the assessment and remediation of related risks.
The high visibility of the CrowdStrike incident provides CISOs with a valuable opportunity to learn from the misfortunes of others, collaborate with peers on technology leadership teams, and partner with enterprise vendors to be better prepared and respond to similar events in the future.
We list the best network monitoring tools.
This article was produced as part of TechRadarPro's Expert Insights channel, where we showcase the brightest and brightest minds in the tech industry today. The views expressed here are those of the author, and not necessarily those of TechRadarPro or Future plc. If you're interested in contributing, find out more here:
