From Defender to Offender: CrowdStrike's Billion-Dollar Blunder

The Curious Codex

35 Votes
100% Human Generated
2024-07-22 Published, 2024-09-02 Updated
1892 Words, 10 Minute Read

The Author
GEN UK Blog

Richard (Senior Partner)

Richard has been with the firm since 1992 and was one of the founding partners.

The Incident

On July 19, 2024, CrowdStrike, a cybersecurity company, experienced a significant failure that had far-reaching consequences across the globe. The incident, now known as the "CrowdStrike Crash", was caused by a faulty update to its Falcon Sensor software, which affected an estimated 8.5 million Microsoft Windows devices worldwide. With any software that 'auto-updates' there is risk, but pushing a poorly tested update to millions of computers is unforgivable and has shattered the trust of many users.

Global Impact

The outage affected a wide range of industries and services, including airlines, airports, banks, hotels, hospitals, manufacturing, stock markets, and broadcasting services. Government services, including emergency services and websites were also heavily impacted.

The extent of this outage cannot be overstated: it didn't just affect retail; many service providers also fell silent in the wake of this disaster, causing disruption and costs right through the services sector.

The cost

With an estimated 8.5 million Microsoft Windows devices worldwide, the cost of this outage and the subsequent cleanup can only be estimated, with some experts suggesting it could exceed £1bn.

Regardless of the financial cost, CrowdStrike has lost favour with the consultancy companies that promoted its products, many of which now face the prospect of financial restitution to the companies that suffered the loss.

GEN has never deployed CrowdStrike Falcon to any of our managed clients, and as such we are liability-free on this one, but the incident demonstrates that, besides Microsoft itself, a third-party solution designed to protect can instead injure both the brand and the MSPs who promote it.

CrowdStrike History

CrowdStrike Holdings, Inc. was founded in 2011 by George Kurtz, Dmitri Alperovitch, and Gregg Marston. The company was established to address the limitations of traditional malware-based defences by focusing on advanced endpoint protection combined with expert threat intelligence. In 2013, CrowdStrike launched its flagship product, the Falcon platform, which integrated next-generation antivirus (NGAV), endpoint detection and response (EDR), and managed threat hunting services into a single lightweight agent. The company quickly gained recognition for its innovative approach to cybersecurity and was involved in several high-profile investigations, such as the 2014 Sony Pictures hack and the 2015-2016 Democratic National Committee (DNC) cyberattack.

From 2020 onwards, CrowdStrike made several strategic acquisitions to enhance its capabilities. These included Preempt Security for zero trust technology, Humio for log management, and SecureCircle for extending zero trust endpoint security. The company continued to expand its product offerings and market presence, joining the S&P 500 index in June 2024.

Why?

With so many players in the market for endpoint protection of the fragile Microsoft Windows, why do consultants push CrowdStrike over other, possibly better, alternatives?

That comes down to the commission structure, which at the time of writing was a standard 20% of the list price, with 'elite tier' consultants and resellers receiving 35% of the list price. This contrasts with, for example, Trend Micro Apex One, which offers at most 20%.

CrowdStrike Falcon offers nothing extraordinary and is comparable to many other products in the market, yet with its high, recurring commission margins it finds favour with top-tier consultants who enjoy a continuous revenue stream from its deployment.

The problem

Windows has always been a weak point in any company, and in 2024 this remains the case; it is probably one of the forces driving companies to adopt Linux desktops, which are cheaper, faster, inherently more secure, and more reliable. Windows will always be a concern, and the fact that in 38 years of development Microsoft has not yet managed to secure it should indicate to many that its time should be over. The whole idea that you should need to spend millions of pounds on third-party software to protect an OS that is inherently weak really doesn't make any sense.

Microsoft Windows only really survives because of the ecosystem it satisfies, such as Microsoft Office and the extensive catalogue of Windows-only software produced by third parties. However, those third parties are migrating their software either to thin clients (browser-based) or to direct Linux ports in response to customer demand, and I suspect this trend will continue to accelerate.

In 2024, Microsoft Windows still occupies approximately 31% of the market share, second only to Android at 38%, with macOS pulling in 15% and Linux desktops accounting for only 4%. We are certainly seeing a growing uptake of Linux, especially in smaller, more agile companies, and this will only increase over time. One of the biggest challenges with Linux migration is user training, but with the latest Linux front-ends able to emulate the look and feel of Windows, the barriers to migration are being knocked down one by one.

Alternatives

In the wake of this massive disaster, many companies are looking for alternatives, and indeed GEN has gained several new clients over the last few days, desperate for help to resolve this massive outage; we have dedicated resources to restoring these services. I do know of at least one MSP that has filed for voluntary liquidation in fear of the impending civil claims this will bring, and I suspect many more will be facing unexpected invoices. When considering alternatives (and no one can realistically stick with CrowdStrike after this) there are many, listed below in no particular order:

  • SentinelOne
    • SentinelOne is a cloud-based endpoint protection solution that offers a comprehensive suite of security features, including advanced threat intelligence, EDR, and zero trust solutions.
  • Microsoft Defender for Endpoint
    • Microsoft Defender for Endpoint is a cloud-based endpoint protection solution that offers a comprehensive suite of security features, including advanced threat intelligence, EDR, and zero trust solutions. However, I'm not sure you should trust Microsoft to protect their own OS that is fundamentally weak.
  • Cynet 360 AutoXDR
    • A comprehensive security platform that includes endpoint protection, network analytics, and automated incident response. It's designed to be an all-in-one solution for organizations.
  • Palo Alto Networks Cortex XDR
    • Cortex XDR is a cloud-based endpoint protection solution that offers a comprehensive suite of security features, including advanced threat intelligence, EDR, and zero trust solutions.
  • Symantec Endpoint Security
    • An endpoint protection solution known for its multi-layered approach to security and global threat intelligence network. Far from the best, this budget-friendly solution does provide some protection, but doesn't really provide the same comprehensive support as many of the others.
  • Sophos Intercept X
    • Sophos Intercept X is a cloud-based endpoint protection solution that offers a comprehensive suite of security features, including advanced threat intelligence, EDR, and zero trust solutions. Sophos does not have an established reputation in this field, and their AV software has often been questionable in our experience.
  • Trend Micro Apex One
    • An integrated endpoint security solution that combines automated detection and response with a broad range of threat defence techniques. Trend Micro offers an entire portfolio of protection solutions, including Linux and macOS.

GEN, as a full-service IT company, works with all of these, but we do have our favourites. You really need to assess what you specifically need and then select the solution that fits best.

Considerations

Before migrating from one endpoint protection service to another, it's important to take stock of the entire estate, looking at where Windows is used and whether there are better alternatives.

If you MUST use Windows, then do you need each PC to have its own local copy? These days we can, for example, boot PCs over the network from images and then use start-up scripts to map network resources and auto-run software, meaning that a PC is no longer dependent on its local hard drive. Or you can set up network-based recovery, where a PC can quickly be recovered to a known state without the need to visit each PC individually. These are simple solutions that are only ever considered by companies that understand the risk and work to mitigate it.

We recently migrated the entire POS system of a well-known fast food outlet to Linux, and it has improved productivity across the company with the elimination of 'the till has crashed, just rebooting' and 'I'm sorry, this till is down, please move to another'. Wholesale migration isn't for everyone, and some companies are stuck with Windows because the software they need only runs on Windows, but even in that case, do you really need endpoint protection? In many cases, no, you don't. The reason for this is manifest, but essentially endpoint protection serves the role of protecting a Windows machine from compromise, so in what scenario would a remote machine be compromised?

Email

An email can contain a malicious payload, or links to an internet site with malicious intent, even with comprehensive email filtering. But why does that endpoint actually need external email and global internet access? In many cases, it doesn't. Use an internal email system that doesn't talk to the world, and restrict internet access, or restrict it to a whitelist of domains that the endpoint actually needs.

Local Access

The ability to read and write local USB storage is certainly a risk, but this risk is easily avoided by locking down the ability of a Windows PC to talk to USB storage, and there are many options for this, some free and very effective.
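One of the free options mentioned above, shown here as an added example rather than anything from the original post or GEN's own tooling: disabling the Windows USB mass-storage driver (USBSTOR) through its registry Start value, with a check function so the state can be audited afterwards. The function names are my own; the registry path and the meaning of the Start values (3 = load on demand, 4 = disabled) are standard Windows.

```powershell
# Added example (not from the original post): block USB mass storage on a
# Windows PC by disabling the USBSTOR driver, then verify the setting.
# Requires an elevated (Administrator) PowerShell session.
# Assumption: a local registry change is an acceptable control on this PC;
# on a domain, the equivalent Group Policy setting is the preferred route.

$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorageState {
    # Start = 3 : driver loads on demand (USB storage works)
    # Start = 4 : driver disabled (USB storage is blocked)
    $start = (Get-ItemProperty -Path $usbstor -Name Start).Start
    if ($start -eq 4) { 'Blocked' } else { 'Allowed' }
}

function Disable-UsbStorage {
    Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord
}

function Enable-UsbStorage {
    # Restores the Windows default so storage devices load again.
    Set-ItemProperty -Path $usbstor -Name Start -Value 3 -Type DWord
}

Write-Host "USB storage before: $(Get-UsbStorageState)"
Disable-UsbStorage
Write-Host "USB storage after:  $(Get-UsbStorageState)"
```

Two caveats a practitioner would want: a device that is already plugged in keeps working until it is removed and reinserted, and any local administrator can flip the value back, so on a managed estate the setting should be enforced centrally and the registry value monitored for drift rather than set once and forgotten.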

Corporate Access

Many companies have Windows PCs on a network with full network scope, that is, from any PC you can reach any other PC, any server, any resource, and the public internet. This is lunacy and should never be the case today, but we see it all the time. With a little smart hardware, it's very easy to restrict a computer's 'view' of the network to just the services it requires. A PC in the finance department, for example, may need access to the company's ERP system via a browser, a shared storage location for the finance department, and perhaps an online accountancy system. By restricting access to ONLY these three services we massively reduce the 'attack surface': the maximum risk for any PC in finance is now the shared storage, which is limited to the finance department. Now you don't need expensive endpoint security, but you do need a security service for the shared storage, which you would need anyway.
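The finance-department example above (and the "restrict internet access" point in the Email section) is usually enforced on the network hardware, but the same three-service allowlist can be mirrored on the PC itself with the built-in Windows Defender Firewall, so the endpoint stays restricted even when it is plugged into the wrong switch port. The script below is an added example, not the post's or GEN's own code: every address, port and rule name is a placeholder I have assumed, and a host firewall filters by IP address, so domain-level allowlisting belongs on a proxy or resolver rather than here.

```powershell
# Added example (not from the original post): give a finance PC a three-service
# 'view' of the network by default-denying outbound traffic in the built-in
# Windows Defender Firewall and allowing only what the department needs.
# All addresses, ports and rule names are placeholders (assumptions).
# Run from an elevated PowerShell session and test on ONE machine first:
# anything not listed (domain controllers, update servers, printers) is cut off too.

$rulePrefix = 'GEN-Finance-Egress'   # assumed naming convention for our rules

# Constructed placeholder services: ERP over HTTPS, the finance file share,
# the hosted accountancy service, plus the corporate DNS resolver.
$allowed = @(
    @{ Name = 'ERP';       Remote = '10.10.20.5';   Port = 443; Proto = 'TCP' }
    @{ Name = 'FileShare'; Remote = '10.10.20.20';  Port = 445; Proto = 'TCP' }
    @{ Name = 'Accounts';  Remote = '203.0.113.10'; Port = 443; Proto = 'TCP' }
    @{ Name = 'DNS';       Remote = '10.10.0.53';   Port = 53;  Proto = 'UDP' }
)

function Set-FinanceEgressPolicy {
    # Remove our own rules first so re-running does not pile up duplicates.
    Get-NetFirewallRule -DisplayName "$rulePrefix*" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    foreach ($svc in $allowed) {
        New-NetFirewallRule -DisplayName "$rulePrefix-$($svc.Name)" `
            -Direction Outbound -Action Allow -Enabled True `
            -Protocol $svc.Proto -RemoteAddress $svc.Remote -RemotePort $svc.Port `
            -Profile Domain,Private | Out-Null
    }

    # Outbound traffic that no Allow rule matches is now dropped. Built-in
    # rules such as 'Core Networking - DHCP' still apply because they are
    # explicit Allow rules; review them and disable the ones you do not need.
    Set-NetFirewallProfile -Profile Domain,Private -DefaultOutboundAction Block
}

function Get-FinanceEgressPolicy {
    # Quick audit: the rules this script owns and the profile default action.
    Get-NetFirewallRule -DisplayName "$rulePrefix*" | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule   = $_.DisplayName
            Remote = $addr.RemoteAddress
            Port   = $port.RemotePort
            Proto  = $port.Protocol
        }
    }
    Get-NetFirewallProfile -Profile Domain,Private |
        Select-Object Name, DefaultOutboundAction
}

Set-FinanceEgressPolicy
Get-FinanceEgressPolicy
```

The default-deny outbound profile is the part that does the real work; the four Allow rules only carve out the exceptions. Keep the audit function in a scheduled check so that a rule added by hand, or a profile quietly set back to Allow, shows up as drift rather than being discovered after an incident.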

Limit the risk

This kind of service segmentation is best practice and effectively protects endpoints and the larger network from significant cross-departmental risk. If you can further reduce risk by removing email from departments and implementing ticket systems, then this further enhances protection.

In many companies, everyone having external email access is commonplace, yet rarely required. GEN, as a provider of secure email services, regularly provides 'local-only' email to companies, where only certain users can send and receive emails externally and the rest can only send emails internally. This also reduces the attack surface significantly, and with link and attachment blocking done correctly, and a smattering of security training for end users, the risk is reduced further.

Conclusion

The intent behind blog posts is to share information in a clear and concise way, and in this case I think that has been achieved. Any 'endpoint' software has the potential to malfunction and damage productivity and reputation, but beyond that, choosing Windows as an operating system brings with it considerable cost and an entire back catalogue of potential issues. The Linux alternatives are free, fast, rock solid and fully supported.

Remember GEN consultancy is affordable and the first hour is always free.


Comments (4)

Jason Sharland · 2024-09-06 11:51 UTC
Yeah, one of our competitors was hit with this, paralysed their business for days. Not that I'm complaining, thank you CrowdStrike.

Illas D · 2024-07-27 13:44 UTC
Billion dollar blunder, like it! This has caused so many problems, but it also highlights the number of end user terminals, that do nothing but use a browser, that are still running Windows in 2024. Why, why choose a weak OS like Windows knowing it's going to bite you, and knowing there are better options. I think the truth is that many people are afraid of Linux because it's not all pointy-clicky, but if you can't handle a little command line, use Android! That can install on a PC, that can do the job, that doesn't crash all the time and finally that doesn't need expensive endpoint security. I have spoken.

Susan K · 2024-07-26 17:37 UTC
What a complete cluster! We migrated to SentinelOne and so far are very happy with it, with a nicer interface and better aggregation, but everyone to their own really. If you're moving away from clusterstrike then do shop around; we got a discount that really helped offset some of the costs.

Petra A · 2024-07-24 18:10 UTC
This has been a nightmare for us, taken us days to fix working through the night and it's still not done. We won't be staying with CrowdCrap any longer and will be going with one of the others, we just haven't decided yet. I think this must have cost the company 10k in overtime just to fix it.

--- This content is not legal or financial advice & Solely the opinions of the author ---
