Cybersecurity expert and legendary FBI Counterintelligence operative Eric O’Neill shared his insights Friday about the CrowdStrike incident, which crippled businesses and industries all over the world:
- “CrowdStrike is a world leader in cybersecurity threat research, incident response, and remediation of cyberattacks. According to CrowdStrike, they monitor over 30 billion endpoint events daily from millions of sensors in 176 countries, and they continue to grow. A shrinking number of companies deploy the same quality of cloud-enabled threat intelligence services to threat hunting endpoint detection and response (EDR) sensors on client machines. The industry has consolidated through mergers and acquisitions, narrowing vendor choices to a few key companies. The most prominent and widely deployed protection surface is CrowdStrike. For instance, my former company, Carbon Black, was first acquired by VMware and then recently by Broadcom, which also owns Symantec, a direct competitor. This consolidation removed a key player in EDR protection.
- EDR sensors protect endpoints (like Windows computers) from external cyberattacks. These sensors are deployed on devices and communicate with the cloud to receive rapid updates and intelligence, hunting threats in real time. As the number, severity, and complexity of cyberattacks from nation-states and cybercriminals have grown, threat intelligence technology has become more sophisticated and integrated. Unfortunately, what seemed like a configuration error in an update caused Windows systems to enter a boot loop, leading to the infamous blue screen of death. This reboot loop prevents users from accessing their systems, complicating the fix process. IT professionals now face the arduous task of manually repairing each affected computer, akin to recovering from a ransomware attack, which will be time-consuming. Many organizations are considering restoring from backup as they would in a ransomware scenario.
- Initial reports indicate that CrowdStrike is at fault. Much like Microsoft, CrowdStrike is too big to fail. The company is a cybersecurity icon relied upon by the largest market share of cybersecurity customers. I suspect CrowdStrike will issue a detailed report explaining how this happened and the steps they will take to prevent it in the future. However, companies worldwide are losing millions as IT professionals scramble to manually reboot computers. I expect many calls for compensation from CrowdStrike.
- One way to view this is like a large-scale ransomware attack. I’ve talked to several CISOs and CSOs who are considering triggering restore-from-backup protocols instead of manually booting each computer into safe mode, finding the offending CrowdStrike file, deleting it, and rebooting into normal Windows. Companies that haven’t invested in rapid backup solutions are stuck in a catch-22.
- Quality control for patches is critical for every company deploying to customers and partners. The world was on notice after the SolarWinds attack, where Russian cyber spies infiltrated the patch update process to send a Trojan update to SolarWinds customers. Following that attack, a Russian cybercrime syndicate deployed a similar attack against Kaseya’s customers. Every company should have learned the lesson about controlling updates, especially CrowdStrike, which was called in to solve both the SolarWinds and Kaseya cyberattacks.
- I hope this doesn’t undermine confidence in cloud-based security solutions. As cybercrime and espionage become more sophisticated and leverage top-tier AI for attacks, rapid deployment of intelligence from the cloud is the only effective response. Consumers have two options: rely on cloud-based technologies or air-gap their systems and dust off their old typewriters.
- I don’t think this requires regulation. This incident appears to be a severe failure of quality control, not a malicious act. While there will be damages assessed, regulation is unnecessary; the market will drive customers to other vendors or reassure them about CrowdStrike. However, better regulation of cybersecurity investment and best practices is critical. The United States has reacted poorly in this crucial arena of critical infrastructure. If the US Government needs to bail out CrowdStrike, which I believe is too big to fail, then taxpayers will bear the burden.”
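The manual recovery O’Neill describes (boot into safe mode, locate the offending sensor file, remove it, reboot normally) is the kind of step an IT team repeats on hundreds of machines. The PowerShell script below is an added illustration, not part of O’Neill’s remarks and not CrowdStrike’s own guidance. It assumes the operator supplies the sensor content directory and the file-name pattern from the vendor’s advisory (both are placeholders here), refuses to act unless Windows is in Safe Mode, and quarantines the file with a SHA-256 record instead of deleting it outright, so the artifact is preserved for the post-incident review.

```powershell
# Added example: safe-mode quarantine of a named sensor file.
# Not from the article or from CrowdStrike; directory and pattern are placeholders
# that the operator replaces with values from the vendor advisory.
param(
    [string]$SensorDir     = 'C:\PLACEHOLDER\SensorContentDir',  # placeholder
    [string]$FilePattern   = 'PLACEHOLDER-*.sys',                # placeholder
    [string]$QuarantineDir = 'C:\Quarantine\EDR-Remediation'
)

# Only act in Safe Mode: that is where the boot-looping host is reachable, and an
# accidental run on a healthy machine should change nothing.
$bootState = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
if ($bootState -notlike 'Fail-safe*') {
    Write-Warning "Not in Safe Mode (BootupState='$bootState'); no changes made."
    return
}

New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
$logPath = Join-Path $QuarantineDir 'remediation.log'

# Find only files matching the advisory pattern; stop if the directory is absent.
$hits = Get-ChildItem -Path $SensorDir -Filter $FilePattern -File -ErrorAction Stop
if (-not $hits) {
    "$(Get-Date -Format o) no file matching '$FilePattern' in $SensorDir" |
        Add-Content -Path $logPath
    Write-Output 'Nothing to quarantine.'
    return
}

foreach ($file in $hits) {
    # Record the hash before moving so the quarantined artifact can be matched
    # against the vendor's published indicators during the review.
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    Move-Item -Path $file.FullName -Destination $QuarantineDir -Force
    "$(Get-Date -Format o) quarantined $($file.FullName) sha256=$hash" |
        Add-Content -Path $logPath
    Write-Output "Quarantined $($file.Name) (SHA256 $hash)"
}

Write-Output "Done. Reboot into normal Windows; log at $logPath"
```

Quarantining rather than deleting costs nothing during recovery and keeps the evidence a post-mortem needs; the Safe Mode check is the guard that lets the same script be pushed broadly without risk to machines that were never affected.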