CISO: Why we will probably stick with CrowdStrike

CrowdStrike has to take 99% of the blame, but it could happen to others too


The failed CrowdStrike update last week caused worldwide havoc. Havoc for hundreds of thousands of customers, for those who rely on their services, and for CrowdStrike itself, which saw its stock plummet as a result of the biggest IT outage of all time.

There have been arguments on social media over the technical causes of the issue, and the company's very survival has been the subject of much online conjecture.

However, CrowdStrike's competitors have been notably quiet on the issue, conscious, perhaps, that it could have happened to them.

A chief information security officer (CISO) at a well-known insurance intermediary and CrowdStrike customer, who asked not to be identified, told Computing that while Windows crashes had made for a busy weekend, the fact that the company is "cloud first", with few standalone devices, had made mitigation relatively straightforward. CrowdStrike provided prompt notification and clear instructions, the CISO said.

The company is considering its options, but will probably retain the security vendor.

"My conclusion is we should stay with CrowdStrike for three reasons," the CISO said.

"Number one, they're the best at what they do. Number two, had we gone to somebody else and this happened, we'd have been in the same position anyway.

"Three, if we went somewhere else and this happened, would we get the same sort of transparency and immediate remediation that we got from CrowdStrike? In my opinion, no we wouldn't because CrowdStrike have got such an important set of clients, they have to be faster and they have to be quick with their remediation."

The impact of the outage was disproportionate to the number of devices affected (only around 1% of Windows machines went down) owing to the nature of its customers, which include many Fortune 500 and large public sector organisations, the CISO pointed out.

The CISO refused to speculate on the causes of the mega-outage, indicating that some of the commentary on social media is dubious at best.

"I think we have to reserve judgment until CrowdStrike come out and tell us. They will be honest. They promise transparency, and they have to be transparent because of the customers they have."

Microsoft, despite being the target of criticism of its third-party code signing procedures and its controls around kernel access, was not the guilty party here. Effective endpoint detection and response (EDR) will probably always require kernel access, and some form of kernel-level access is needed on Apple and Linux devices as well, the CISO said.

"The truth is, as other people have said, Windows is actually quite a secure environment nowadays. And it really takes a big quality control mistake to do what CrowdStrike did. CrowdStrike has to take 99% of the blame here."

Can customers claim on cyber insurance?

Although news is starting to emerge of efforts to launch class action lawsuits against CrowdStrike, the CISO was in little doubt that the company would survive, given its customer base and market share. Alternatives include SentinelOne, Microsoft Defender and "a host of smaller players", but they are not exactly equivalent, and could be more expensive.

"Microsoft does do the EDR if you pay for the licences and the infrastructure and assign the right licensing. It takes the telemetry from the Defender product and puts the EDR on top, but you have to pay for that."

So, will organisations that lost business in the outage be able to claim for those losses on their cyber insurance? This depends on the individual policy, but the CISO thought it unlikely in most cases, as this was not a cyberattack. However, they may be able to claim on business disruption policies, depending on restrictions within the policy, and whether organisations feel it's worth claiming.

In terms of agreements from the vendor, CrowdStrike provides warranties against getting hacked, but not against going down. However, many of its customers are Fortune 500 companies, so they may well have individual SLAs in place. "As an American firm, these agreements are usually pretty watertight," the CISO said.