CrowdStrike was brought before a US Congressional Committee on September 24 to explain why its cybersecurity solution triggered one of the largest IT outages ever seen. A senior official told Congress that the company was “deeply sorry” that a flawed update pushed out to its market-leading Falcon endpoint detection and response (EDR) software in July caused widespread disruption across airlines, banking systems, healthcare, manufacturing, government services, and more.
The financial cost is still being counted, but it’s estimated that the outage caused more than $500 million in direct losses at Fortune 500 companies, with only about 10-20 percent of these losses likely to be covered by insurers. Delta, for example, was forced to ground more than 7,000 flights in the aftermath, incurring losses of $500 million. The risk of lawsuits being launched against CrowdStrike by companies impacted in this way remains very real.
In its appearance before Congress, CrowdStrike sought to reassure lawmakers that it was acting on the “lessons learned” from the incident so that such an outage could never happen again.
But the uncomfortable truth is: it almost certainly will. Here’s why.
Chief Executive of ARIA Cybersecurity Solutions.
A crisis waiting to happen
The update that CrowdStrike pushed out to its Falcon EDR software on July 19 was nothing special. In fact, CrowdStrike revealed to Congress that it issues 10 to 12 similar updates every single day. We can assume that the majority of the other “Magic Quadrant” EDR vendors employ similar levels of constant updating.
These constant updates are pushed out to devices with little or no warning – and come with the risk of corrupting the devices they are loaded on. A minor issue may result in false positives that cause disruption. But in the case of the July 19 CrowdStrike incident, users on Windows machines suddenly found themselves facing the “blue screen of death” and were forced to reboot in safe mode to remove the update and repair the machine.
Until there is a fundamental rethink of these update processes, we only have CrowdStrike’s word that the likelihood of it happening again is reduced.
Up to now, this risk has been justified by the EDR industry. That’s because they’re always one step behind the bad guys. To block an attack, a cybersecurity vendor first needs to be aware of it. As a result, vendors that use this model are permanently in reactive mode. To minimize the impact on customers, they must keep issuing updates as soon as a way to block each attack is found. And as the number of attacks continues to grow, so must the number of updates.
The irony of the July 19 incident was that, even though it wasn’t a cyberattack, the blast impact was far worse than any attack in recent memory. It could be classified as an unintentional supply chain attack. This type of attack came to the fore with the SolarWinds attack of 2020, and there have been hundreds of “intentional” supply chain attacks in the period since.
How can I see what my vendor is sending me?
The end customers of these cloud-based cybersecurity solutions, fearful of a repeat of July 19, can no longer be confident that the updates they receive from their vendor are fully tested and suitable for all their devices. Those with critical infrastructure, for example, cannot risk accepting an update that has the potential to bring their systems down without validating it first. This could mean staging an update on a testbed, or limiting the update to non-critical devices to check for the blue screen of death.
But resorting to manual validation processes requires time and human resources. It also means putting tools in place to prevent automatic updates and waiting to see if the update runs smoothly elsewhere before installing. This can be challenging because EDR vendors often make it difficult to intercept such updates. The manual approach also undermines the central value proposition of a product such as CrowdStrike: if you’re not taking the updates, then your risk of sustaining an attack increases substantially over time. In a world where today’s cybercriminals – often nation-state-backed – are harnessing AI to launch increasingly sophisticated attacks with increasing frequency, guarding only against last week’s attacks leaves you vulnerable.
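The staging practice described above (let a vendor update run on non-critical devices first, hold it back from critical devices until it has proven itself) can be reduced to a simple rollout gate. The following is an added example written for this article; it is not CrowdStrike, ARIA or any vendor's code, and it does not intercept real agent updates. It assumes a fleet inventory that names a "canary" ring of non-critical hosts and a "critical" ring, and post-update telemetry per host; all host names, update IDs and telemetry values are constructed. The one edge case it is careful about is the July 19 failure mode itself: a host stuck in a crash loop never reports in, so silence from an expected canary host must count as a failure rather than as "no news".

```python
"""Staged-rollout gate for third-party agent updates (added example, constructed data).

Holds a vendor update on critical hosts until a canary ring of non-critical
hosts has run it cleanly for a soak period. Not vendor code; host names,
update IDs and telemetry below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class HostReport:
    """Post-update telemetry from one canary host (constructed fields)."""
    host: str
    booted_ok: bool            # came back without a stop error or boot loop
    agent_healthy: bool        # agent checked in after loading the update
    minutes_since_update: int  # how long it has been running the new content


@dataclass
class GateDecision:
    promote: bool
    reason: str
    hosts: List[str] = field(default_factory=list)  # hosts the reason refers to


def evaluate_canary(expected_hosts: Iterable[str], reports: Iterable[HostReport],
                    update_id: str, soak_minutes: int = 60,
                    max_failure_rate: float = 0.0) -> GateDecision:
    """Decide whether an update may leave the canary ring.

    A canary host that never reports is treated as failed: a machine in a
    crash loop cannot send telemetry, so silence is evidence, not absence of it.
    """
    expected = set(expected_hosts)
    if not expected:
        return GateDecision(False, f"{update_id}: no canary ring defined")
    by_host = {r.host: r for r in reports if r.host in expected}

    silent = expected - by_host.keys()
    unhealthy = {h for h, r in by_host.items() if not (r.booted_ok and r.agent_healthy)}
    failing = sorted(silent | unhealthy)
    rate = len(failing) / len(expected)
    if rate > max_failure_rate:
        return GateDecision(False,
                            f"{update_id}: {len(failing)}/{len(expected)} canary hosts failed",
                            failing)

    # Even a healthy ring must run the content long enough to surface slow failures.
    not_soaked = sorted(h for h, r in by_host.items() if r.minutes_since_update < soak_minutes)
    if not_soaked:
        return GateDecision(False,
                            f"{update_id}: soak period of {soak_minutes} min not reached",
                            not_soaked)
    return GateDecision(True, f"{update_id}: canary ring clean for {soak_minutes}+ min")


def plan_rollout(decision: GateDecision, critical_hosts: Iterable[str]) -> Dict[str, List[str]]:
    """Translate the gate decision into approve/hold lists for the critical ring."""
    critical = sorted(critical_hosts)
    if decision.promote:
        return {"approve": critical, "hold": []}
    return {"approve": [], "hold": critical}


# Constructed fleet and telemetry scenarios.
CONSTRUCTED_CANARY = {"lab-win-01", "lab-win-02", "lab-win-03", "lab-win-04"}
CONSTRUCTED_CRITICAL = ["core-db-01", "core-db-02", "scada-gw-01"]
CONSTRUCTED_UPDATE = "content-update-constructed-001"

# Scenario 1: one host blue-screened (reports unhealthy), one host never reported.
CONSTRUCTED_REPORTS_FAILED = [
    HostReport("lab-win-01", True, True, 90),
    HostReport("lab-win-02", True, True, 85),
    HostReport("lab-win-03", False, False, 5),
    # lab-win-04 is absent: it is stuck in a boot loop and cannot report.
]
# Scenario 2: all four canaries healthy and past the soak period.
CONSTRUCTED_REPORTS_CLEAN = [HostReport(h, True, True, 120) for h in sorted(CONSTRUCTED_CANARY)]
# Scenario 3: all healthy but the update has only run for ten minutes.
CONSTRUCTED_REPORTS_FRESH = [HostReport(h, True, True, 10) for h in sorted(CONSTRUCTED_CANARY)]


if __name__ == "__main__":
    for label, reports in (("failed", CONSTRUCTED_REPORTS_FAILED),
                           ("clean", CONSTRUCTED_REPORTS_CLEAN),
                           ("fresh", CONSTRUCTED_REPORTS_FRESH)):
        d = evaluate_canary(CONSTRUCTED_CANARY, reports, CONSTRUCTED_UPDATE)
        print(label, "->", d.reason, d.hosts, plan_rollout(d, CONSTRUCTED_CRITICAL))
```

The gate defaults to a zero failure tolerance because the cost being guarded against is a fleet-wide outage, not a few false positives; an organisation with a large canary ring may relax `max_failure_rate` to tolerate unrelated hardware noise, but the "silent host counts as failed" rule should stay, since that is exactly what a crashed endpoint looks like from the management console.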
Moving beyond the patch-and-update model
How can companies protect themselves? The answer lies in adopting a more generic approach to cybersecurity, one that doesn’t require an update to stop each new form of attack. This type of solution is able to observe the processes and code in use as they execute in memory, and uniquely detect – and block – the vast array of generic attack techniques.
Lightweight agents on each device, integrated at ring zero of the OS kernel, provide the visibility to intercept such attack techniques without ever needing an update. This means protection from zero-day attacks on day zero, not soon thereafter. It is a complement to existing solutions, rather than a replacement. But it can also detect and stop EDR vendor updates from loading on critical devices, and hold them back until approved if necessary.
The CrowdStrike outage serves as a stark reminder of the risks posed by the current state-of-the-art EDR industry model for staying protected. And until alternative solutions are put in place, it is only a matter of when – not if – such an outage will happen again.
This article was produced as part of TechRadarPro's Expert Insights channel, where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro