Understanding the CrowdStrike Global Outage: Insights and Guidance from Sophos
Analyzing the Incident and Addressing Key Questions for Customers and Partners
On July 19, 2024, a “content update” issued by CrowdStrike for its Falcon endpoint agent on Windows devices led to significant disruptions across various industries worldwide, including travel, banking, healthcare, and retail.
What Happened?
Cyber threats often exploit large-scale disruptions. In this post, we aim to clarify what happened during the CrowdStrike incident and address key questions from our customers and partners, referencing the original insights provided by Sophos.
Our collective mission in the cybersecurity industry is to safeguard organizations from attacks. Despite commercial competition, we stand united against cybercriminals. We extend our support to CrowdStrike and wish all affected organizations a swift recovery.
Cybersecurity is a complex and fast-evolving field. As Joe Levy, CEO of Sophos, noted on LinkedIn, “For those of us deeply involved in kernel operations, such incidents can happen despite all precautions, and no system is ever 100% immune.”
Incident Overview
- Nature of the Incident: This was not a result of a security breach or cyberattack at CrowdStrike.
- Impact on Availability: Although not a security incident, the disruption affected system availability, marking it as a cybersecurity issue.
- Cause: The blue-screen-of-death (BSOD) on Windows machines was triggered by a product “content” update rolled out to CrowdStrike customers.
- Affected Systems: Organizations using CrowdStrike Falcon agents on Windows systems were impacted. Linux and macOS devices remained unaffected.
- Resolution: CrowdStrike identified the problematic update and reverted it. They have provided remediation guidance to their customers.
Understanding “Content” Updates
This incident stemmed from a typical product “content” update to CrowdStrike’s endpoint security software—a routine procedure for enhancing protection logic against emerging threats. Such updates are common across many cybersecurity providers, including Sophos. However, unexpected issues can occur, as demonstrated in this case.
CrowdStrike’s Response
CrowdStrike has issued a statement with remediation guidance, available on their website:
[CrowdStrike Falcon Content Update Remediation and Guidance Hub](https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/)
Vigilance Against Cybercriminals
It’s crucial to remain vigilant, as cybercriminals may exploit this situation through malicious domains and phishing campaigns. Always verify communication with authorized CrowdStrike representatives.
Impact on Sophos Customers
Sophos customers using their endpoint protection solutions, including Sophos Endpoint with Sophos XDR or Sophos MDR, were not affected by the CrowdStrike incident. A small number of customers using the Sophos “XDR Sensor” agent alongside CrowdStrike Falcon might have experienced some impact.
Sophos’ Mitigation Strategies
According to Sophos, they continually update their endpoint protection products and release regular content updates to counter evolving threats. Their processes, honed over three decades, minimize the risk of customer disruption, although this risk is never entirely eliminated.
Sophos’ Update Procedures
- Testing: All updates undergo rigorous testing in internal quality assurance environments.
- Internal Deployment: Updates are first rolled out to all Sophos employees and infrastructure.
- Gradual Customer Deployment: Once internal testing is successful, updates are gradually released to customers in stages, monitored through real-time telemetry.
- Rollback Capability: If issues arise, the affected systems are limited, and quick rollback is possible.
Customer Control Options
Sophos customers can manage endpoint product updates using update management policy settings, including options for Recommended (Sophos-managed), Fixed-term support, and Long-term support, with customizable scheduling.
### Ensuring Quality and Security
All content updates are tested and reviewed to meet quality standards before production release. Sophos adheres to a secure development lifecycle, detailed in the Sophos Trust Center. Further information on their development principles for Sophos Endpoint is available in their knowledgebase.
By maintaining stringent quality controls and continuous improvement, Sophos strives to protect its customers and stay ahead in the cybersecurity landscape. For more detailed insights, you can refer to Sophos’ original article on this topic.
Finite Technologies is a Sophos Reseller contact us if you would like more information on hos Sophos Integrate suite of security products can protect your business.