Balancing internal innovation and risks from external suppliers
As a former FBI Special Agent in the Los Angeles Cyber Crime Squad, I’ve seen my fair share of flawed software updates. However, the recent global technical outage caused by a flawed CrowdStrike software update has truly captured the world’s attention. The shock and awe of such a respected cybersecurity vendor causing a major security incident has brought to light a previously overlooked area of third-party risk.
Given CrowdStrike’s reputation and trusted position, many companies automatically allowed its software update packages into their systems without fully considering the possibility of failure. As a result, no CISO anticipated that the update would result in a global technical outage, leading to systemic disruption of interconnected systems.
The aftermath of the CrowdStrike incident was particularly severe for banks, hospitals, retailers and airlines.
Interestingly, some companies with legacy systems reportedly remained unscathed by the flawed update, while others with best-in-class systems experienced outages of several days or longer. This is not a tale of old technology versus new technology, as some articles have suggested. Rather, it is a nerve-racking tale that argues for the need for a risk-based approach to minimizing the possibility and impact of a flawed software update.
Know your seller
CrowdStrike has been criticized for its automatic update process and for not rolling out in phases or stages to limit the potential for widespread disruption. However, the company is not alone in this approach: many other security vendors, looking to protect customers from a newly discovered cyber threat, also provide automatic, real-time updates.
While CrowdStrike’s update was flawed, the incident highlights the importance of balancing innovation in the IT systems landscape with more careful management of external vendors. CISOs are reminded to foster secure innovation by collaborating with their technology colleagues across the organization and forging strong partnerships with the company’s external vendors. The two priorities are not mutually exclusive; instead, they are intertwined.
Collaborating with technology colleagues provides better ways to understand, minimize, and mitigate risk, allowing the business to continue to innovate without increasing cyber risk to the business. Partnerships with critical third-party vendors provide greater assurance that vendors are prepared to respond at scale when the next unexpected outage occurs. Understanding which vendors are distributed across a large portion of the enterprise infrastructure and production environments (particularly those that receive frequent updates) can optimize the processes of replacing software with new and improved versions.
Mastering the unknown
CrowdStrike’s automatic real-time updates brought these processes into sharper focus. While immediate updates allow systems to quickly identify and neutralize threats, they also carry the risk of causing a complete system outage and subsequent business disruption. On the other hand, delaying updates for a day or two may mean missing out on the “latest and greatest” features, but it gives time to identify and address potential flaws first. Neither approach is better in the abstract; each update cadence serves specific needs and purposes.
To determine which update cadence is best from a security standpoint, CISOs should identify which systems require real-time updates and which can tolerate delayed updates. High-risk, externally facing systems may require near real-time updates that help identify and block zero-day attacks. Lower-risk systems that are located deeper in the infrastructure, with additional layers of security between them and external attackers, can be configured for delayed software updates of 4, 8, or 24 hours, allowing an update to take effect and prove itself before it is applied to more critical systems.
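As an added illustration of the tiered delays described above (example code written for this article, not anything CrowdStrike or another vendor ships), the following Python sketch assigns hosts to update rings of 0, 4, 8 or 24 hours and halts the rollout when hosts that already took the update fail their health checks; the tier names and the 5% failure threshold are assumptions.

```python
from dataclasses import dataclass

# Delay (hours) before each risk tier receives a newly released update,
# following the 4/8/24-hour staging described in the article.
# Tier names are assumptions made for this example.
RING_DELAY_HOURS = {
    "external": 0,   # internet-facing systems: near real-time
    "internal": 4,
    "deep": 8,
    "core": 24,
}
# Hold back later rings if more than this fraction of already-updated hosts
# fail their health check (constructed threshold, not from the article).
FAILURE_THRESHOLD = 0.05

@dataclass
class Host:
    name: str
    tier: str
    updated: bool = False   # has this host applied the update yet?
    healthy: bool = True    # post-update health check result

def failure_rate(hosts):
    """Fraction of hosts that applied the update and then failed health checks."""
    done = [h for h in hosts if h.updated]
    if not done:
        return 0.0
    return sum(1 for h in done if not h.healthy) / len(done)

def eligible_hosts(hosts, hours_since_release):
    """Names of not-yet-updated hosts whose ring delay has elapsed.

    The rollout halts once already-updated hosts exceed the failure
    threshold, so a flawed update is caught on the near-real-time ring
    before it reaches the 24-hour ring.
    """
    if failure_rate(hosts) > FAILURE_THRESHOLD:
        return []
    return [h.name for h in hosts
            if not h.updated and hours_since_release >= RING_DELAY_HOURS[h.tier]]

if __name__ == "__main__":
    fleet = [Host("web1", "external"), Host("app1", "internal"),
             Host("db1", "deep"), Host("erp1", "core")]
    print("at release:", eligible_hosts(fleet, 0))    # ['web1']
    fleet[0].updated, fleet[0].healthy = True, False  # constructed: web1 broke
    print("4h later:", eligible_hosts(fleet, 4))      # [] (rollout held)
```

The same gate can be fed by whatever health signal the organization already collects (agent heartbeats, boot success, service checks); the point is that the 4/8/24-hour rings only advance while the earlier rings stay healthy.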
A faulty update issued by a cybersecurity vendor is also a powerful reminder of the need to leave no stone unturned in the management of third-party vendors. All vendors should be required to submit to ongoing legal, business and technology reviews and independent audits.
CISOs should regularly require vendors to confirm their cybersecurity certifications and their compliance with SOC 2 and ISO 27001, and should collect evidence that vendors have patched a reported vulnerability or implemented a comprehensive update.
Another lesson from the incident is the relative value of decentralized network security management versus the centralized model. The centralized approach is touted as providing greater consistency in security protocols and threat detection, but the downside is that when the central server experiences a breach, the technologies connected to it go down with the ship.
The decentralized approach, on the other hand, makes it harder for hackers to compromise an entire platform. By spreading data across many connection points, if one point is hacked or gets a broken update, the rest of the ship moves forward, increasing the resilience of the organization. Decentralization alone is not a panacea, however. InfoSec teams must still prioritize mission-critical systems and software, which in turn guides the associated risk assessment and remediation.
The high visibility of the CrowdStrike incident provides CISOs with a valuable opportunity to learn from the mishaps of others, collaborate with peers on technology leadership teams, and work with enterprise vendors to be better prepared and more responsive should similar events occur in the future.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we showcase the best and brightest minds in the technology sector today. The views expressed here are those of the author and do not necessarily represent those of TechRadarPro or Future plc.