Global IT outages on Friday were blamed on a faulty update from CrowdStrike and the impact hit banks, airlines and a host of other companies. But the real hit, beyond CrowdStrike's stock price, was to the platformization play being pitched by cybersecurity vendors.
First, the news. Reddit threads, X posts and various corporate accounts are showing the Blue Screen of Death (BSOD), CrowdStrike support messages and unhappy IT admins. The outage is so bad that CrowdStrike CEO George Kurtz had to play IT admin.
In a post on X, Kurtz said:
"CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This is not a security incident or cyberattack. The issue has been identified, isolated and a fix has been deployed. We refer customers to the support portal for the latest updates and will continue to provide complete and continuous updates on our website. We further recommend organizations ensure they’re communicating with CrowdStrike representatives through official channels. Our team is fully mobilized to ensure the security and stability of CrowdStrike customers."
By the way, the replies are a gem.
Once the dust settles and IT admin tears dry, the real pain is going to be to the cybersecurity platformization argument. You know the one. Cybersecurity vendors tell CIOs they need to be on one platform to consolidate budget, discounts are handed out and we all go on our secure way with AI-driven solutions.
Palo Alto Networks started this platformization play to battle CrowdStrike, which has been winning budget with a platform of its own.
- CrowdStrike, Palo Alto Networks duel over platforms vs. bundles
- CrowdStrike delivers strong Q1 amid cybersecurity platform debate
- Palo Alto Networks launches platform deals as it aims for cybersecurity share
- Palo Alto Networks Q3 solid, says customers into platform play
The problem with consolidated platforms is that they also serve as single points of failure. The fact that CrowdStrike can push a Friday (!!) update and bring down transportation and financial systems is a bit alarming. Monoculture was seen as a threat to security and now you can put platformization in the mix.
Here's the good news: This CrowdStrike fiasco wasn't a cyberattack. Rest assured, cybercriminals are taking notes.
Constellation Research’s take
Constellation Research analyst Chirag Mehta recapped the fallout from the CrowdStrike outage.
Response from CrowdStrike
CrowdStrike’s response to the recent disruption reads more like a message from an IT administrator than a CEO. George neither explicitly took full responsibility nor apologized for the lapse in care. This lack of accountability is likely to result in angry customers and potential lawsuits, as the disruption has caused significant business continuity challenges.
Platformization and Single Point of Failure
The platformization strategy, where an organization controls the platform and confines others to operate within it, has its risks. It can create a single point of failure (SPOF). Palo Alto’s recent push towards platformization may attract more scrutiny, as customers are wary of being locked into a single platform that could become a SPOF.
EDR/MDR Vendors are Now Spooked
Other EDR and MDR vendors are fortunate that they were not affected this time. They can now evaluate the depth of their integration with operating systems, the methods of air-gapping their updates, and their deployment processes. Overconfidence can be dangerous.
Microsoft Can’t Catch a Break
Although this incident is not technically Microsoft's fault from a Windows or Defender perspective, the company is now entangled in it. Microsoft has been feverishly working to improve its security reputation, but this situation highlights inherent flaws in Windows' architecture and the level of kernel access required by third-party products like CrowdStrike. It serves as a reminder of the large attack surface of Windows, especially older, unpatched versions. It may be time for OS vendors to rethink their core architectures.
Handling Single Points of Failure
Firewall vendors are well aware of the critical importance of their software. A faulty update or poorly managed DDoS attack can shut down entire networks. Cloud providers excel at managing updates and securing environments against DDoS attacks. They often emphasize the security of their distributed cloud infrastructure, which is harder to bring down. Cloud providers, responsible for their own environments, have developed sophisticated practices for testing updates, deploying quickly, isolating incidents, and rolling back changes. I would expect them to talk up their security, especially Google, which has growth ambitions in cybersecurity. This will also make it clear why Google is after Wiz, which has an agentless approach for cloud security.
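The deployment practices mentioned above (gating updates before they reach the whole fleet, isolating a bad push, rolling it back) are easier to reason about with a concrete model. The following is an added example, not code from the article, from CrowdStrike or from any vendor named here: a constructed fleet of hosts split into deployment rings, an update pushed ring by ring, and an automatic halt-and-rollback when the canary ring's crash rate exceeds a threshold. The hosts, the ring sizes, the OS mix and the "update that crashes every Windows host" predicate are all constructed assumptions; `big_bang_rollout` is included only to contrast with a push that goes to every host at once.

```python
"""Ring-based content-update rollout with canary gating and rollback.

Added example, not code from the article or from any vendor. Hosts, rings,
and the update behaviour are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Host:
    name: str
    os: str          # constructed attribute: "windows" or "linux"
    ring: int        # 0 = canary, higher = later waves
    version: str = "v1"
    healthy: bool = True


@dataclass
class RolloutResult:
    halted_at_ring: Optional[int]   # ring where the rollout was stopped, or None
    hosts_updated: int              # hosts left on the new version
    hosts_crashed: int              # crashes observed in the ring that tripped the halt
    rolled_back: bool


def build_fleet(size: int = 100) -> List[Host]:
    """Constructed fleet: 5 canary hosts, 15 in ring 1, the rest in ring 2.
    Every tenth host runs Linux; the others run Windows."""
    fleet = []
    for i in range(size):
        ring = 0 if i < 5 else 1 if i < 20 else 2
        os_name = "linux" if i % 10 == 0 else "windows"
        fleet.append(Host(name=f"host{i:03d}", os=os_name, ring=ring))
    return fleet


def bad_update(host: Host) -> bool:
    """Constructed defect: the content file crashes every Windows host."""
    return host.os == "windows"


def good_update(host: Host) -> bool:
    """Constructed healthy update: crashes nothing."""
    return False


def apply_update(host: Host, version: str, crashes: Callable[[Host], bool]) -> None:
    """Install the update on one host and record whether it survived."""
    host.version = version
    host.healthy = not crashes(host)


def big_bang_rollout(fleet: List[Host], version: str,
                     crashes: Callable[[Host], bool]) -> int:
    """Push to every host at once; returns the number of hosts that crashed."""
    for h in fleet:
        apply_update(h, version, crashes)
    return sum(1 for h in fleet if not h.healthy)


def staged_rollout(fleet: List[Host], version: str,
                   crashes: Callable[[Host], bool],
                   max_failure_rate: float = 0.05) -> RolloutResult:
    """Push ring by ring; halt and roll back every touched host if a ring's
    crash rate exceeds max_failure_rate. The canary ring (0) takes the hit first."""
    previous = {h.name: h.version for h in fleet}
    updated: List[Host] = []
    for ring in sorted({h.ring for h in fleet}):
        members = [h for h in fleet if h.ring == ring]
        for h in members:
            apply_update(h, version, crashes)
            updated.append(h)
        crashed = sum(1 for h in members if not h.healthy)
        if crashed / len(members) > max_failure_rate:
            for h in updated:           # restore every host this rollout touched
                h.version = previous[h.name]
                h.healthy = True
            return RolloutResult(ring, 0, crashed, True)
    return RolloutResult(None, len(updated), 0, False)


if __name__ == "__main__":
    print("staged:", staged_rollout(build_fleet(), "v2", bad_update))
    print("big bang crashes:", big_bang_rollout(build_fleet(), "v2", bad_update))
```

With the constructed defect, the staged push stops at ring 0 after 4 of 5 canaries fail and the whole fleet is back on the old version; the same defect pushed to all 100 hosts at once takes down 90. Two things the model deliberately leaves out matter in practice: the canary ring must mirror the production mix (a canary ring with no Windows hosts would have passed this update), and a real pipeline inserts a soak period between rings rather than judging health the instant the update lands.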
Agentless Approach Gets Spotlight
This incident highlights the potential of an agentless approach in various cybersecurity domains, where modifications to the underlying operating system are avoided. This is particularly relevant in OT security within sectors like healthcare, transportation, and aviation, where proprietary devices should not be altered. For instance, the FDA prohibits third-party agents on most healthcare devices to ensure their integrity and functionality.
CrowdStrike Again?
CrowdStrike seems to gain attention for all the wrong reasons. The last time the average person heard about CrowdStrike was during the 2016 presidential campaign when Trump mentioned it in the context of Hillary Clinton’s emails. Despite building a substantial clientele among Fortune 500 companies, CrowdStrike learned today that this prominence can be a double-edged sword.