Richard has been with the firm since 1992 and was one of the founding partners
The Incident
On July 19, 2024, CrowdStrike, a cybersecurity company, experienced a significant failure that had
far-reaching consequences across the globe. The incident, now known as the "CrowdStrike Crash", was caused by
a faulty update to its Falcon Sensor software, which affected an estimated 8.5 million Microsoft Windows devices
worldwide. With any software that 'auto-updates' there is risk, but pushing a poorly tested update to millions of computers is unforgivable and has shattered the trust of many users.
Global Impact
The outage affected a wide range of industries and services, including airlines, airports, banks, hotels, hospitals,
manufacturing, stock markets, and broadcasting services. Government services, including emergency services and
websites were also heavily impacted.
The extent of this outage cannot be overstated: it didn't just affect retail, many service providers also fell silent in the wake of this disaster, causing disruption and costs right through
the services sector.
The cost
With an estimated 8.5 million Microsoft Windows devices worldwide, the cost of this outage and the subsequent cleanup can only be estimated, with some experts suggesting it could exceed £1bn.
Regardless of the financial cost, Crowdstrike has lost favour with the consultancy companies that
promoted its products, many of which are now facing the prospect of financial restitution to the companies who
suffered the loss.
GEN has never deployed CrowdStrike Falcon to any of our managed clients and as such we are liability-free on this one, but it does demonstrate that, quite apart from Microsoft, a third-party solution that is designed to protect
can instead injure the brand and the MSPs who promote it.
Crowdstrike History
Crowdstrike Holdings, Inc. was founded in 2011 by George Kurtz, Dmitri Alperovitch, and Gregg Marston. The company was
established to address the limitations of traditional malware-based defences by focusing on advanced endpoint protection
combined with expert threat intelligence. In 2013, CrowdStrike launched its flagship product, the Falcon platform, which
integrated next-generation antivirus (NGAV), endpoint detection and response (EDR), and managed threat hunting services
into a single lightweight agent. The company quickly gained recognition for its innovative approach to cybersecurity and
was involved in several high-profile investigations, such as the 2014 Sony Pictures hack and the 2015-2016 Democratic
National Committee (DNC) cyberattack.
From 2020 onwards, CrowdStrike made several strategic acquisitions to enhance its capabilities. These included
Preempt Security for zero trust technology, Humio for log management, and SecureCircle for extending zero trust
endpoint security. The company continued to expand its product offerings and market presence, joining the S&P 500
index in June 2024.
Why?
With so many players in the market for endpoint protection of the fragile Microsoft Windows, why do
consultants push CrowdStrike over other, possibly better, alternatives?
That comes down to the commission structure, which at the time of writing was a standard 20% of the list price, with
'elite tier' consultants and resellers receiving 35% of the list price. This contrasts with, for example, Trend Micro
Apex One, which offers at most 20%.
CrowdStrike Falcon offers nothing extraordinary and is comparable to many other products in the market, yet with its high
commission margins, which are recurring, it finds favour with top-tier consultants who enjoy a continuous revenue stream from its deployment.
The problem
Windows has always been a weak point in any company, and in 2024, this remains the case, and is probably one of
the forces driving companies to adopt Linux desktops, which are cheaper, faster, inherently more secure, and more
reliable.
Windows will always be a concern, and the fact that in 38 years of development Microsoft has not yet managed to
secure it should indicate to many that its time should be over. The whole idea that you should need to spend millions of pounds on third-party software to protect an OS that is inherently weak really doesn't make any sense.
Microsoft Windows only really survives because of the ecosystem it satisfies, such as Microsoft Office and the
extensive catalogue of Windows-only software produced by third parties. However, those third parties are migrating
their software to either thin client (browser-based) or direct ports to Linux in response to customer demand, and I
suspect this trend will continue to accelerate.
In 2024, Microsoft Windows still occupies approximately 31% of the market share, second only to Android at 38%, with MacOS pulling in 15% and Linux desktops only accounting for 4%. We are certainly seeing
a growing uptake in Linux, especially in smaller, more agile companies, and this will only increase over time. One of the biggest challenges with Linux migration is user training, but with the latest Linux front-ends being able to
emulate the look and feel of Windows, the barriers to migration are being knocked down one by one.
Alternatives
In the wake of this massive disaster, many companies are looking for alternatives, and indeed GEN has gained several
new clients over the last few days, desperate for help to resolve this massive outage, and we have dedicated resources to restoring these services. I do know of at least one MSP that has filed for voluntary liquidation
in fear of the impending civil claims that this will bring, and I suspect many more will be facing unexpected invoices. As for alternatives, and no one can realistically stick with CrowdStrike after this, there are many; some are listed below
in no particular order:
SentinelOne
SentinelOne is a cloud-based endpoint protection solution that offers a comprehensive suite of security
features, including advanced threat intelligence, EDR, and zero trust solutions.
Microsoft Defender for Endpoint
Microsoft Defender for Endpoint is a cloud-based endpoint protection solution that offers a comprehensive
suite of security features, including advanced threat intelligence, EDR, and zero trust solutions. However, I'm not sure you should trust Microsoft to protect their own OS that is fundamentally weak.
Cynet 360 AutoXDR
A comprehensive security platform that includes endpoint protection, network analytics, and automated
incident response. It's designed to be an all-in-one solution for organizations.
Palo Alto Networks Cortex XDR
Cortex XDR is a cloud-based endpoint protection solution that offers a comprehensive suite of
security features, including advanced threat intelligence, EDR, and zero trust solutions.
Symantec Endpoint Security
An endpoint protection solution known for its multi-layered approach to security and global
threat intelligence network. Far from the best, this budget friendly solution does provide some protection, but doesn't really provide the same comprehensive support as many of the others.
Sophos Intercept X
Sophos Intercept X is a cloud-based endpoint protection solution that offers a comprehensive suite of
security features, including advanced threat intelligence, EDR, and zero trust solutions. Sophos do not have an established reputation in this field, and their AV software has often been questionable in our experience.
Trend Micro Apex One
An integrated endpoint security solution that combines automated detection and response with a broad range
of threat defense techniques. Trend Micro offer an entire portfolio of protection solutions including Linux and MacOS.
GEN, as a full-service IT company, works with all of these, but we do have our favourites. You really need to assess what you specifically need and then select the solution that fits best.
Considerations
Before migrating from one endpoint protection service to another, it's important to take stock of the entire estate,
looking at where Windows is used, and whether there are better alternatives.
If you MUST use Windows, then does each PC need its own local copy? These days we can, for example, boot PCs over the network from images and then use start-up scripts to map network resources and auto-run software, meaning
that a PC is no longer dependent on its local hard drive. Or you can set up network-based recovery, where a PC can quickly be recovered to a set state without the need to visit each PC individually. These are simple solutions, yet they
are only ever considered by those companies who understand the risk and work to mitigate it.
We recently migrated the entire POS system of a well known fast food outlet to Linux, and it has improved
productivity across the company with the elimination of 'the till has crashed, just rebooting', and 'I'm sorry this
till is down, please move to another'.
Wholesale migration isn't for everyone, and some companies are stuck with Windows because the software they need
only runs on Windows, but even in that case, do you really need endpoint protection? In many cases, no you don't.
The reason for this is manifest, but essentially, endpoint protection serves the role of protecting a Windows machine
from compromise, so the question is: in what scenario would a remote machine be compromised?
Email
An email can contain a malicious payload, or links to an internet site with malicious intent, even with comprehensive email filtering. But why does that
endpoint actually need external email and global internet access? In many cases, it doesn't. Use an internal
email system that doesn't talk to the world, and restrict internet access, or restrict it to a whitelist of domains that
the endpoint actually needs.
Local Access
The ability to read and write local USB storage is a risk for sure, but this risk is easily avoided by locking down
a Windows PC's ability to talk to USB storage, and there are many options for this, some free and very
effective.
Corporate Access
Many companies have Windows PCs that are on a network with full network scope, that is, from any PC you can reach
any other PC, any server, any resource, and the public internet. This is lunacy and should never be the case today,
but we see it all the time. With a little smart hardware, it's very easy to restrict a computer's 'view' of the network
to just the services it requires. A PC in the finance department, for example, may need access to the company's ERP
system via a browser, a shared storage location for the Finance Department, and perhaps an online accountancy system. By restricting access to ONLY
these three services we can massively reduce the 'attack surface', in that the maximum risk for any PC in finance
is now the shared storage, which is limited to the finance department. Now you don't need expensive endpoint security, but you do need a security
service for the shared storage, which you would need anyway.
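As an added illustration of the 'Local Access' and 'Corporate Access' points above (example code, not GEN's own tooling), the same two restrictions applied on the finance PC itself with PowerShell: the USB mass-storage driver is disabled, and the PC's full network scope is replaced by an outbound allow-list for just the three services named. All addresses and ports are constructed placeholders, and the domain controllers a domain-joined PC would also need are assumed to be added by the reader.

```powershell
#Requires -RunAsAdministrator
# Added example, not GEN's own code: host-side versions of the 'Local Access'
# and 'Corporate Access' controls for a finance PC. Addresses are constructed
# placeholders (RFC 5737 documentation range stands in for the SaaS service).

# --- Local Access: stop Windows loading the USB mass-storage driver ---
# Start = 4 disables USBSTOR; keyboards and mice use other drivers and keep working.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
    -Name 'Start' -Value 4 -Type DWord

# --- Corporate Access: reduce the PC's 'view' of the network to three services ---
$rules = @(
    @{ Name = 'Finance-DNS';      Remote = '10.10.1.1';      Proto = 'UDP'; Port = '53'  },  # internal resolver
    @{ Name = 'Finance-ERP';      Remote = '10.10.1.20';     Proto = 'TCP'; Port = '443' },  # ERP via browser
    @{ Name = 'Finance-Share';    Remote = '10.10.1.30';     Proto = 'TCP'; Port = '445' },  # finance file share
    @{ Name = 'Finance-Accounts'; Remote = '203.0.113.0/24'; Proto = 'TCP'; Port = '443' }   # SaaS accountancy ranges
)
# Domain-joined PCs also need their domain controllers (Kerberos, LDAP, SMB);
# add those addresses here, or logon will fail once the default changes below.

foreach ($r in $rules) {
    # Delete any stale copy first so the script can be re-run safely.
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $r.Name -Direction Outbound -Action Allow `
        -Protocol $r.Proto -RemotePort $r.Port -RemoteAddress $r.Remote `
        -Profile Domain,Private | Out-Null
}

# Only now flip the default: anything not matched by an allow rule is dropped.
# Windows' built-in 'Core Networking' rules (DHCP etc.) remain in force, and
# inbound stays at its default of block, so peers cannot reach this PC either.
Set-NetFirewallProfile -Profile Domain,Private -DefaultOutboundAction Block

# Show what is now permitted outbound, as a check before rolling out further.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -like 'Finance-*' } |
    Select-Object DisplayName, Profile
```

Test on a single PC with console access before deploying by policy, since a missing allow rule (for example the domain controllers) shows up as a PC that cannot log on or resolve names.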
Limit the risk
This kind of service segmentation is best practice and effectively protects endpoints and the larger network from
significant cross-departmental risk. If you can further reduce risk by removing email from departments and implementing
ticket systems, then this further enhances protection.
In many companies, everyone having external email access is commonplace, yet rarely required. GEN, as a provider of
secure email services, regularly provides 'local-only' email into companies, where only certain users can send and receive
emails externally, and the rest can only send emails internally. This also reduces the attack surface significantly, and
with link and attachment blocking, done correctly, and a smattering of security training for end users, the risk
is reduced further.
Conclusion
The intent behind blog posts is to share information in a clear and concise way, and in this case I think that has
been achieved. Any 'endpoint' software has the potential to malfunction and damage productivity and reputation, but
beyond that, choosing Windows as an operating system brings with it considerable cost and an entire back catalogue of potential issues. The Linux alternatives are free, fast, rock solid and fully supported.
Remember GEN consultancy is affordable and the first hour is always free.
Comments (4)
Jason Sharland
· 2024-09-06 11:51 UTC
Yeah, one of our competitors was hit with this, paralysed their business for days. Not that I'm complaining, thank you CrowdStrike.
Illas D
· 2024-07-27 13:44 UTC
Billion dollar blunder, like it! This has caused so many problems, but it also highlights the number of end user terminals, that do nothing but use a browser, that are still running Windows in 2024. Why, why choose a weak OS like Windows knowing it's going to bite you, and knowing there are better options. I think the truth is that many people are afraid of Linux because it's not all pointy clicky, but if you can't handle a little command line, use Android! That can install on a PC, that can do the job, that doesn't crash all the time and finally that doesn't need expensive endpoint security. I have spoken.
Susan K
· 2024-07-26 17:37 UTC
What a complete cluster! We migrated to SentinelOne and so far are very happy with it, with a nicer interface and better aggregation, but everyone to their own really. If you're moving away from clusterstrike then do shop around, we got a discount that really helped offset some of the costs.
Petra A
· 2024-07-24 18:10 UTC
This has been a nightmare for us, taken us days to fix working through the night and it's still not done. We won't be staying with CrowdCrap any longer and will be going with one of the others, we just haven't decided yet. I think this must have cost the company 10k in overtime just to fix it.
--- This content is not legal or financial advice & Solely the opinions of the author ---