Understanding the CrowdStrike incident
On July 19, 2024, Austin-based cybersecurity company CrowdStrike experienced a significant incident. A major update released to its Falcon Sensor security software caused over 8.5 million Windows systems to crash,[1] leaving users facing the blue screen of death (BSOD).[2] A BSOD is a stop error screen that blocks any further action and causes Microsoft Windows to shut down.
This incident was not caused by cybercriminals or malicious insiders, but by a logic error in the Falcon Sensor update. Although CrowdStrike rapidly provided a fix, the restoration required a manual process, resulting in a time-consuming effort to bring systems back up.
The disruption impacted several industries, including banking, hospitality, manufacturing, and retail. About 25% of Fortune 500 companies, among many others, experienced disruptions, and several major airlines were among those impacted. Of the more than 10,000 flights cancelled worldwide, over 5,000 were Delta flights, reportedly costing the airline nearly $500 million.[3]
The total loss from the CrowdStrike outage is estimated at $5.4 billion,[4] and the incident has been called one of the largest IT outages in history.[5] Disruptions continued for much of the following week because of the manual restoration process. Although organizations worked to restore critical systems within a few days, it is estimated that it could take months for all systems to recover.
Unlike the SolarWinds attack of 2020, the CrowdStrike outage was caused by a faulty update rather than by a sophisticated cybercriminal organization. While the cause was different, the financial impact can be compared to the cost of a cyberattack. Currently, the average cost of a cybersecurity breach is $4.88 million,[6] with average recovery costs (excluding any ransom payment) estimated at $2.73 million[7] per incident.
Lessons from the CrowdStrike incident
This event highlighted the vulnerabilities that can arise even from routine software updates and the potential consequences of such incidents on a global scale. It also underscored the importance of robust testing and deployment procedures for software updates, particularly those that are widely used in critical infrastructure and enterprise environments.
While vendors like CrowdStrike need to take this into consideration before pushing out releases, customer organizations can also prepare to address and mitigate the impact on their operations. This is not a single-threaded approach; it requires organizations to consider layers in their overall security strategy.
Here are a few recommendations:
Develop and maintain a risk management plan. This may take the form of incident response, disaster recovery, or business continuity plans. Planning for incidents, whether caused by malicious actors or faulty updates, is a very similar process. If your organization already has a risk management plan in place, familiarize yourself with its details in case of an incident.
Rehearse incidents and resolutions. The risk management plan must be effectively communicated and understood by the appropriate stakeholders. Drills or tabletop exercises (TTX) are very effective rehearsal methods, allowing organizations to test and validate their plans in a controlled, low-risk environment.
Perform regular backups. Regularly assessing your security measures and backing up data can limit the risk of data loss and corruption. It is recommended to keep backups off-site or in the cloud, as on-premises backups could be compromised.
Conduct planned patch management. Yes, this outage was caused by a faulty release, but systems and applications are still most secure when updated regularly. According to Google Mandiant, 33% of all security breaches resulted from the exploitation of unpatched vulnerabilities.[8]
The question then becomes how soon to push out a critical patch. Leading practices say critical patches should be deployed within 2 weeks to 30 days. If you can run the patch in a development environment first, you can see what impact the update has on your environment before pushing it out to production.
Work with a trusted partner. In the complex world of maintaining confidentiality, availability, and integrity of your systems, there is value in engaging a trusted cybersecurity partner. Work with someone who can continue to advise on resilience and improve your cybersecurity maturity. This can pay dividends in developing an effective strategy to address and mitigate risks, whether caused by malicious actors or issues in system updates.
Be proactive to protect your organization
CAI offers end-to-end cybersecurity services that can help your organization assess your system vulnerabilities and start proactively planning for a cyber incident. Our team can help you navigate the complex environment of evolving cybersecurity threats, cyber solutions, and find the right tools for your organization. We also offer ongoing cyber advisory solutions to help provide support following an implementation. Start proactively protecting your organization by connecting with our cyber experts.
Endnotes
1. The aftermath of Crowdstrike: Re-evaluating the importance of severity classifications, Cliffe Dekker Hofmeyr, July 31, 2024. https://www.cliffedekkerhofmeyr.com/en/news/publications/2024/Practice/Corporate/combined-corporate-commercial-and-Technology-Communications-alert-31-July-2024-the-aftermath-of-crowdstrike-re-evaluating-the-importance-of-severity-classifications
2. What is the blue screen of death (BSOD)?, TechTarget. https://www.techtarget.com/searchwindowsserver/definition/blue-screen-of-death-BSOD
3. Delta CEO says CrowdStrike-Microsoft outage cost the airline $500 million, CNBC, July 31, 2024. https://www.cnbc.com/2024/07/31/delta-ceo-crowdstrike-microsoft-outage-cost-the-airline-500-million.html
4. CrowdStrike's Impact on the Fortune 500, Parametrix. https://cdn.prod.website-files.com/64b69422439318309c9f1e44/66a24d5478783782964c1f6f_CrowdStrikes%20Impact%20on%20the%20Fortune%20500_%202024%20_Parametrix%20Analysis.pdf
5. Fact Sheet: President Biden Issues Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence, The White House, October 30, 2023. https://www.whitehouse.gov/briefing-room/statements-releases/2023/10/30/fact-sheet-president-biden-issues-executive-order-on-safe-secure-and-trustworthy-artificial-intelligence/
6. IBM Ponemon Institute Cost of a Data Breach Report 2024, IBM. https://www.ibm.com/security/data-breach
7. The State of Ransomware 2024, Sophos. https://news.sophos.com/en-us/2024/04/30/the-state-of-ransomware-2024/
8. Patching Insights from Kevin Mandia of Google's Mandiant, Action1, April 24, 2023. https://www.action1.com/patching-insights-from-kevin-mandia-of-mandiant/