On September 4, 2024, KuppingerCole’s Cybersecurity Council convened for its third meeting of the year. This council, composed of Chief Information Security Officers (CISOs) from some of Europe’s largest organizations, provides a platform for discussing pressing cybersecurity challenges. This session focused on the July 2024 CrowdStrike incident, which caused widespread disruption to Windows systems globally, and provided members the opportunity to share their lessons learned and proposed future actions.
The incident, caused by a faulty kernel-level driver, resulted in the crash of around 8 million machines worldwide, particularly affecting systems using BitLocker encryption. John Tolbert, KuppingerCole’s lead analyst, opened the discussion with an analysis of the event, pointing out that insufficient pre-deployment testing and the absence of a phased rollout were key factors in the incident’s scale. Tolbert also presented findings from his recent research into Endpoint Protection, Detection, and Response (EPDR) tools, highlighting the growing complexity and risk that accompanies widespread reliance on these solutions.
The attending CISOs, representing a variety of industries from banking to energy and retail, provided invaluable feedback on how their organizations dealt with the fallout from the CrowdStrike incident. Their experiences offered a wide range of perspectives: from organizations that used CrowdStrike directly to those affected indirectly, through the vulnerabilities of suppliers that relied on it. A key theme that emerged was the importance of improving testing procedures, ensuring stronger controls over software updates, and reinforcing supply chain security practices.
Across the board, CISOs emphasized the importance of Business Continuity Management (BCM). One organization reported that despite having thousands of systems down, their BCM efforts ensured a rapid recovery, with 95% of systems restored within 48 hours. Others, however, encountered significant operational downtime, particularly in sectors reliant on point-of-sale systems. For these organizations, recovery was hampered by complex dependencies on both internal and third-party systems.
Another key insight revolved around insurance and liability issues. CISOs debated the challenges of pursuing insurance claims for incidents whose root cause lies with a software vendor rather than a cyberattack. Many organizations are now considering adding technical insurance to their cyber policies, as existing coverage did not account for software-induced outages.
One of the more nuanced discussions concerned the merits of multi-vendor EPDR strategies. While employing multiple security tools may reduce dependence on a single vendor, the increased complexity of managing and integrating different solutions often brings its own risks. Several members expressed concern over this approach, with one noting that a multi-EPDR strategy could cause operational inefficiencies that outweigh the potential benefits.
The session concluded with a focus on key takeaways:
- Better Testing and Controlled Rollouts: Vendors must implement more stringent testing protocols and provide customers with better control over update timings to avoid global disruptions.
- Supply Chain Security: Organizations need to reassess their vendor management strategies, ensuring that service-level agreements (SLAs) clearly define responsibilities during incidents.
- Incident Communication: Timely and transparent communication with internal teams and external partners is critical in managing the fallout from large-scale incidents like CrowdStrike’s.
The KuppingerCole Cybersecurity Council continues to serve as an essential forum for CISOs to exchange insights and best practices. The next in-person meeting will take place during the cyberevolution 2024 conference, scheduled for December 3-5 in Frankfurt, where members will further explore cutting-edge cybersecurity strategies and enjoy networking opportunities.
This lively session offered valuable insights for council members and showcased the ongoing relevance of collaborative efforts in the cybersecurity space. Through these discussions, the council can drive industry-wide improvements in how security incidents are managed, both for member organizations and the broader public.
Next Meeting: December 3-5, 2024, cyberevolution, Frankfurt.