CheckRed Editorial

Security Breaches
02 September 2024

Lessons learned from the CrowdStrike outage

In the weeks after the CrowdStrike outage that resulted in grounded airplanes and major work disruptions across the globe, cybersecurity has been in the spotlight for organizations, service providers, and individuals alike. How can one small configuration error disrupt so many businesses and cost millions of dollars in damage?

Businesses today are likely to invest more in building redundancy and failover mechanisms in their cybersecurity infrastructure to prevent similar disruptions. This could include comprehensive security strategies and improved incident response planning. The incident has also led to a greater emphasis on building resilient systems that can continue to function even if a critical security provider experiences issues.

What is the current scenario?

The incident signalled that increased scrutiny and possible regulatory changes focused on service availability and cybersecurity practices are coming. Regulators may impose stricter requirements to ensure that essential cybersecurity services have robust contingency plans. It is therefore no surprise that a senior CrowdStrike executive has been called to testify before Congress (the House Homeland Security Committee) towards the end of September.

Andrew Garbarino, who is the chairman of the subcommittee on Cybersecurity and Infrastructure Protection, said in a statement that the hearing will be “an important opportunity to learn more about what steps the company has taken in the aftermath of the outage to ensure it doesn’t happen again.” Despite the outage not being a malicious attack or a ransomware situation, Garbarino said that it was quite likely that threat actors watched the event and “learned how a faulty software update can trigger cascading effects on our critical infrastructure.”

The outage also indicated that the cybersecurity industry might experience shifts in public perception, with increased focus on the reliability and robustness of security solutions. This could drive innovation and improvements in the sector as companies strive to avoid similar issues. The global cybersecurity community is quite likely to see increased collaboration on best practices for resilience and incident management.

One such collaborative event has been organized by Microsoft and CrowdStrike itself. On September 10, 2024, Microsoft will host the Windows Endpoint Security Ecosystem Summit at their headquarters in Redmond, Washington. This event will bring together Microsoft, CrowdStrike, and other leading partners in endpoint security to engage in discussions focused on enhancing resilience and safeguarding critical infrastructure for their shared customers. The goal of this event is to identify and commit to specific actions that will bolster security and resilience.

Important cloud security lessons for MSPs and MSSPs

Here are some key learnings from this incident that Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) should keep in mind:

Complete visibility is critical

Outages can significantly impact MSPs/MSSPs by disrupting their visibility into customers’ systems. When these outages occur, service providers might lose access to critical data and monitoring capabilities, particularly if their endpoint detection and response (EDR) solutions are disabled. This lack of visibility can severely impair their ability to detect and respond to cyberattacks in real time.

Without functioning EDR tools, MSSPs may be unable to identify security breaches or ongoing threats, leaving their clients vulnerable to potential damage. The disruption can also hinder incident response efforts, delaying the containment and remediation of security incidents. Consequently, this could undermine the trust between MSSPs and their clients, highlighting the need for robust contingency plans and redundant systems to maintain continuous protection and oversight, even during service interruptions.
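The blind spot described above only hurts if nobody notices it. The following added example (not CheckRed's code, and not tied to any particular EDR product) shows the kind of check an MSSP can run over its own agent telemetry: it flags endpoints whose agent has stopped reporting and, more importantly, distinguishes the routine case of a single host going quiet from many hosts falling silent within the same few minutes, which is the signature of a common cause such as a broken update. The host names, timestamps and thresholds are constructed assumptions for illustration.

```python
"""Detect loss of endpoint visibility from EDR agent heartbeats.

Added example (not CheckRed's code): the hosts, timestamps and thresholds
below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: the last heartbeat each endpoint's EDR agent sent,
# as an MSSP console might record it. Hypothetical hosts and times.
SAMPLE_HEARTBEATS = {
    "web-01":    "2024-07-19T04:05:00Z",
    "web-02":    "2024-07-19T04:06:00Z",
    "db-01":     "2024-07-19T04:04:30Z",
    "jump-01":   "2024-07-19T04:58:00Z",  # still reporting normally
    "laptop-77": "2024-07-18T21:00:00Z",  # stale since the previous evening (e.g. powered off)
}


def parse_ts(value: str) -> datetime:
    """Parse a UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class VisibilityReport:
    silent_hosts: tuple[str, ...]      # agents past the silence threshold, sorted by name
    correlated_hosts: tuple[str, ...]  # largest group that went silent within onset_window
    silent_fraction: float             # share of the fleet that is silent
    fleet_alert: bool                  # True when the correlated group is a large share of the fleet


def assess_visibility(
    heartbeats: dict[str, str],
    now: datetime,
    max_silence: timedelta = timedelta(minutes=15),
    onset_window: timedelta = timedelta(minutes=10),
    fleet_threshold: float = 0.5,
) -> VisibilityReport:
    """Flag agents that have stopped reporting and tell a systemic outage from routine churn.

    A single laptop going quiet is normal; many agents falling silent within the same
    few minutes points at a common cause (bad update, broken sensor, channel outage)
    and therefore at a fleet-wide blind spot that needs an escalation, not a ticket.
    """
    if not heartbeats:
        return VisibilityReport((), (), 0.0, False)

    last_seen = {host: parse_ts(ts) for host, ts in heartbeats.items()}
    silent = [h for h, ts in last_seen.items() if now - ts > max_silence]

    # Cluster silent hosts by when they went quiet: sort by last heartbeat and find
    # the largest set whose last heartbeats all fall inside one onset_window.
    by_onset = sorted(silent, key=lambda h: last_seen[h])
    best: list[str] = []
    for i, first in enumerate(by_onset):
        group = [h for h in by_onset[i:] if last_seen[h] - last_seen[first] <= onset_window]
        if len(group) > len(best):
            best = group

    fleet = len(heartbeats)
    return VisibilityReport(
        silent_hosts=tuple(sorted(silent)),
        correlated_hosts=tuple(sorted(best)),
        silent_fraction=len(silent) / fleet,
        fleet_alert=len(best) / fleet >= fleet_threshold,
    )


if __name__ == "__main__":
    # Evaluate the sample at a constructed "now" of 05:00 UTC: three servers went
    # quiet within ninety seconds of each other, so the fleet alert fires.
    print(assess_visibility(SAMPLE_HEARTBEATS, parse_ts("2024-07-19T05:00:00Z")))
```

The design choice worth copying is the correlation step: counting silent agents alone would also fire on a site-wide power cut or a batch of decommissioned laptops, whereas a tight onset window isolates the "everything stopped at once" pattern that means the provider itself, not the customer, has lost coverage. In practice the thresholds are tuned per customer and the alert is routed outside the tooling that just failed (a phone or messaging channel), since the EDR console cannot be relied on to tell you it is down.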

Agentless systems are a better approach

Agent-based systems, which rely on software installed directly on endpoint servers, are particularly vulnerable. If a problem occurs with the agent itself—whether due to a bug, a failed update, or a conflict with other software—it can disrupt the entire security monitoring and response framework. The CrowdStrike outage was exactly this type of disruption, demonstrating that even well-established vendors are not immune to such issues.

In contrast, agentless systems work without installing software directly on endpoints, reducing the risk of such disruptions. This approach could offer a more resilient solution, minimizing downtime and maintaining continuous protection by avoiding the pitfalls of agent-based update mechanisms. Adopting an agentless approach could therefore be a strategic move to enhance reliability and security.

Fool-proof cloud security policies are a must

During emergencies, adherence to security best practices can often slip, leaving individuals and organizations exposed to increased risk. In high-pressure situations, people are more likely to bypass standard security protocols or overlook cautionary measures, making them prime targets for social engineering attacks. Cybercriminals exploit these vulnerabilities by posing as IT staff or trusted authorities, often under the guise of delivering urgent updates or critical information.

For example, attackers may craft convincing emails or messages that appear to come from legitimate IT personnel, urging recipients to share credentials, grant access to critical cloud resources, or click on malicious links. These deceptive communications exploit the urgency and stress of the situation, compelling individuals to act quickly without verifying the authenticity of the request. As a result, malicious software can be inadvertently installed, compromising SaaS applications or cloud assets. Such tactics highlight the importance of maintaining vigilance and verifying the source of any urgent communication, even during crises. MSPs and MSSPs need to establish clear procedures for handling emergency alerts to mitigate the risk of breaches.

In conclusion

The CrowdStrike outage highlighted the critical need for MSPs and MSSPs to enhance visibility and vigilance in their cloud and SaaS security practices. When outages disrupt key security services, they may lose sight of potential threats and vulnerabilities, emphasizing the importance of maintaining comprehensive visibility into their cloud and SaaS environments. Ensuring continuous monitoring and real-time alerts is essential to promptly detect and address issues. MSPs/MSSPs must also be vigilant in managing their own infrastructure, implementing rigorous security protocols, and preparing strong incident response plans. By maintaining a proactive stance on security posture, MSPs/MSSPs can better safeguard their cloud, minimize downtime, and protect their clients from emerging threats and disruptions.
