A Wrap-Up of 07-19

Executive Summary

• An update to the Crowdstrike Falcon EDR solution caused BSOD issues on millions of Windows devices, disrupting multiple industries and highlighting the dilemma of balancing critical security updates with thorough testing.
• The incident underscores the importance of NIS2 and DORA compliance to ensure robust cybersecurity measures, supply chain monitoring, and disaster recovery plans to prevent disruptions and ensure business continuity.
• Asset and risk management is critical to quickly categorize and prioritize remediation efforts based on the impact and complexity of disruptions, ensuring effective and targeted security measures.
• Agentless NDR solutions should support EDR solutions in critical environments.

Intro

A faulty update published by CrowdStrike caused massive global IT outages last Friday, affecting numerous industries and critical infrastructures. Approximately 8.5 million Windows devices worldwide were impacted, according to Microsoft. Airports, banks, healthcare facilities, and government institutions were significantly affected, with the full extent of the consequences still unknown. Cybercriminals attempted to exploit the situation following the incident.

The update caused BSOD (Blue Screen of Death) issues during booting on thousands of Windows computers globally, disrupting banks, airlines, TV stations, supermarkets, and many other businesses. Logistics and airlines had to cancel their core service of transporting people and goods, while banks were faced with problems such as restricted access to online banking, outages of mobile banking apps, and failed transactions at ATMs and cash register systems.

An Obvious Dilemma

Switching off essential security updates vs. testing all updates before installing them in your own IT environment: On the one hand, the company might not be comprehensively protected, and checking every update could consume too many resources. On the other hand, a mishap like the one with CrowdStrike could occur, potentially paralyzing the company. A recommendation might be to switch off automatic updates for critical IT infrastructure if possible. Establish test environments and thoroughly test updates before deploying them in the live productive environment. In the case of CrowdStrike, delaying the implementation of the update would have been a sensible approach.

NIS2 & DORA

This recent global IT outage caused by a CrowdStrike software update highlights the urgent need for robust cyber security measures. Adhering to the Network and Information Systems Directive 2 (NIS2) guidelines, which include rigorous testing, rapid incident response and continuous monitoring, can significantly improve resilience and prevent such disruptions. Let's learn from this incident and build a more secure digital future.

This recent incident is a powerful reminder of why regulations such as the Digital Operational Resilience Act (DORA) and NIS2 are crucial to the EU's digital landscape. In an increasingly complex digital world, compliance with these regulations is not just about compliance, but also about ensuring the resilience and stability of our networked systems. Let's use this incident as an impetus to strengthen our IT governance practices and internalize the spirit of DORA and NIS2. This incident makes it clear why these provisions from DORA and NIS2, in particular, are so important for the EU's digital landscape.

Focus on the Supply Chain

NIS2 and DORA both emphasize the need for robust risk management and supply chain monitoring to ensure that suppliers and third-party providers implement appropriate cybersecurity measures.

• NIS2 calls for the inclusion of security requirements in supplier contracts and continuous monitoring of the supply chain, as well as mandatory reporting of security incidents.
• DORA places particular emphasis on ICT risk management, outsourcing rules and the regular review and testing of IT systems.

Focus on Business Continuity

The CrowdStrike incident demonstrates the need for NIS2 facilities to focus not only on prevention, but also on rapid disaster recovery. When a BSOD (Blue Screen of Death) occurs remotely, a technician must be physically on site, which can significantly increase recovery time. Despite the attention to the cause and responsibility of the outage, there has been little talk about how organizations have managed the crisis.

Many organizations rely too heavily on a single IT system or solution and should constantly ask themselves: what is critical to the operation of our business, and what do we do if it is no longer available tomorrow?

How DORA Would Have Worked

As DORA will come in place very soon, we should speak about, how DORA regulations could have helped financial institutions to better manage the incident. For example, DORA emphasizes the need for system redundancy and disaster recovery plans. Institutions that are DORA compliant would have provided alternative systems to maintain critical operations during the outage. In addition, DORA requires strict monitoring of third-party vendors such as CrowdStrike, including rigorous testing protocols for software updates, which may have prevented the widespread disruption. Finally, DORA calls for cybersecurity practices, such as continuous vulnerability assessments, incident response plans.

The CrowdStrike deployment error, which made Windows systems inaccessible, also emphasizes the importance of compliance with DORA and NIS2 for software manufacturers: and employee training, which are critical to minimizing the impact of outages. These measures emphasize the need for robust operational resilience.

EDR in Trouble

Endpoint Detection and Response (EDR) is for sure an important component of cyber security, but is not enough on its own to protect organizations from software supply chain issues. EDR solutions like CrowdStrike Falcon focus on endpoints such as computers and mobile devices, while the software supply chain includes many other components such as networks, servers and cloud services. The complexity of the supply chain, which includes many different actors and systems, means that attacks can occur at many different points, not all of which EDR can cover.

In addition, EDR cannot always detect zero-day vulnerabilities, as these are previously unknown and have no signatures that could identify EDR systems. Problems with drivers or other software components can be hidden deep in the supply chain and not be detected by EDR systems. Because EDR is reactive and only detects threats after they have already occurred, comprehensive supply chain security requires proactive measures such as risk management, regular security audits and resilience testing. Effective supply chain security also requires collaboration and information sharing between different organizations and systems, which EDR solutions often do not support.

In summary, EDR is an important part of the cybersecurity strategy, but additional measures and technologies are required to comprehensively secure the software supply chain.

Agentless is Often Better

What happened to Crowdstrike could have happened to any EDR provider or any other provider with an agent that injects drivers in the early stages. Since Crowdstrike is the most mature EDR on the market, this incident will certainly make it even better. But the question should be allowed: can't it do without agents and what are the advantages?

Well, agentless cybersecurity solutions offer a more efficient, consistent and resource-efficient way to perform security updates, which is particularly beneficial in complex and fast-moving IT environments. As no client installation is required because no agents need to be installed on endpoints, the effort involved in distributing and updating software on individual devices is eliminated.

This considerably simplifies the update process and makes it independent of any driver errors. As the updates are managed and carried out centrally, the consistency and speed of implementation are increased, and the risk of inconsistencies and errors that can arise from distributed update processes is reduced. Endpoint productivity and security remain undisturbed while security measures are updated.

In addition, agentless solutions can respond faster to new threats as updates and patches can be deployed immediately without delays caused by client installations.

Why Asset Management and Risk Management Are Important

In the aftermath of the Crowdstrike incident, organizations were called upon to establish a triage process as quickly as possible to categorize assets, communications, and business processes based on the impact of the disruption and the complexity of the remediation. Based on these assets, prioritization plans for remediation should also be applied to embedded systems, such as checkout systems, departure machines, or others that require special treatment or where possible side effects and unintended (negative) consequences of remediation will occur. This will include “straggler” machines that may also have the malicious driver but have not yet been identified in the first wave of remediation.

Because Network Detection and Response (NDR) systems passively monitor network traffic and identify all devices and systems on the network, they help to maintain an up-to-date inventory of all assets. The behavioral analysis of network traffic and communication between devices enables NDR systems to identify new and unknown devices.

• Dynamic inventory: NDR systems automatically update the asset database when new devices are added or removed from the network.
• Constant monitoring: Constant monitoring of the network ensures that the asset database is updated in real time.
• NDR systems can also be integrated with existing Configuration Management Databases (CMDB) and other asset management systems to ensure that all systems are using consistent and up-to-date asset information.
• With risk assessment and prioritization, an NDR can evaluate the criticality of different assets based on their role in the network and their exposure to threats. Threats and anomalies are prioritized according to the criticality of the affected assets to ensure targeted and effective security measures.
• Finally, dashboard views and visual representations of the entire network provide increased visibility and transparency of assets.

KRITIS (Actually) Impossible

CrowdStrike has caused significant disruption to air traffic, the financial sector, and some areas of critical infrastructure (KRITIS). On a positive note, no energy suppliers, wastewater disposal companies, financial service providers or discount stores in Germany are currently affected. Only a few hospitals and public authorities have been affected, with 90% of KRITIS remaining unscathed.

CrowdStrike expressly warns against using its security software for critical infrastructures. The Terms and Conditions (T&Cs) state that CrowdStrike tools are not fault-tolerant and are not designed for hazardous environments where even a short-term failure could have serious consequences such as death, injury, or property damage. Examples include aircraft navigation, nuclear power plants, and life support systems.

In Switzerland, state energy suppliers and state air traffic control were affected on 19-07 and had to ensure the safe use of the software in accordance with the general terms and conditions, which is practically impossible. Its T&Cs also make it clear that CrowdStrike only offers a limited guarantee and liability, which calls into question the trust in the quality of the offering for KRITIS.

Software Monoculture

On July 19th, parts of the world experienced significant outages when software from CrowdStrike almost simultaneously revived the infamous Windows blue screen. In relation to NIS2 and DORA, we have increased our focus on the supply chain.

However, these incidents also highlight that significant IT outages were due to the convergence of 2 very common production and security platforms, CrowdStrike and Microsoft. When it comes to data security solutions, the choice is often between a single vendor or a best-of-breed strategy. A platform promises easy management and integration, reduced complexity, and cost savings, but as seen, it carries risks of security vulnerabilities, slow innovation, and 19.07. ☹

A best-of-breed strategy, on the other hand, enables access to specialized solutions, but requires more management effort and could result in higher costs.

An overview of our agentless, best-of-breed NDR solution ExeonTrace, and how it addresses the challenges of NIS2 and DORA can be seen in our recorded demo video.