On Friday, the world was hit by what many are calling the biggest IT outage in history, with 8.5 million Windows computers crashing and unable to reboot.
The culprit was a bug in an automatic update to CrowdStrike’s Falcon, software that until Friday few people outside the cybersecurity field had ever heard of.
Falcon is a type of software called “endpoint detection and response,” or EDR for short. It’s like antivirus on steroids. Once installed, Falcon monitors your computer for signs of cyberattack.
It can collect data such as files users open, programs they run, and websites they visit. This makes it highly privileged software. If an employee accidentally opens a malicious email attachment, Falcon will be constantly vigilant, watching over them.
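The following is an added illustration of the kind of behavioural monitoring described above; it is not CrowdStrike’s code. An EDR agent records which programs run and which parent process started them, and a detection rule then flags the classic chain that follows a user opening a malicious attachment: a document viewer spawning a script interpreter. The events, process names and rule are constructed for this example.

```python
"""Toy EDR-style behavioural detection over constructed process telemetry.

Added illustration, not CrowdStrike code. The telemetry, application
lists and the single rule below are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str          # executable name, lower-case
    cmdline: str
    user: str


# Constructed sample telemetry: a user opens an attachment in a word
# processor, which then starts a script interpreter.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, "explorer.exe", "explorer.exe", "alice"),
    ProcessEvent(200, 100, "outlook.exe", "outlook.exe", "alice"),
    ProcessEvent(300, 200, "winword.exe", "winword.exe /n invoice.docm", "alice"),
    ProcessEvent(400, 300, "powershell.exe", "powershell.exe -enc AAAA", "alice"),
    ProcessEvent(500, 100, "chrome.exe", "chrome.exe", "alice"),
    ProcessEvent(600, 500, "chrome.exe", "chrome.exe --type=renderer", "alice"),
]

# Document-handling applications that should not normally start shells,
# and the interpreters that are commonly chained from them.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def build_tree(events):
    """Index events by pid so a child can be walked up to its ancestors."""
    return {e.pid: e for e in events}


def ancestry(tree, pid, max_depth=8):
    """Yield the process chain from pid upward (child first), bounded in depth."""
    depth = 0
    while pid in tree and depth < max_depth:
        event = tree[pid]
        yield event
        pid = event.ppid
        depth += 1


def detect_doc_spawned_script(events):
    """Return one alert per script host whose ancestry contains a document app."""
    tree = build_tree(events)
    alerts = []
    for event in events:
        if event.image not in SCRIPT_HOSTS:
            continue
        chain = list(ancestry(tree, event.pid))
        for ancestor in chain[1:]:
            if ancestor.image in DOCUMENT_APPS:
                alerts.append({
                    "rule": "document-app-spawned-script-host",
                    "pid": event.pid,
                    "user": event.user,
                    "chain": " -> ".join(p.image for p in reversed(chain)),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_doc_spawned_script(SAMPLE_EVENTS):
        print(alert)
```

Running it yields a single alert for pid 400 with the chain explorer.exe -> outlook.exe -> winword.exe -> powershell.exe; the browser renderer chain is not flagged. Real agents see far richer telemetry (file and registry writes, network connections, loaded modules), which is precisely why the privacy questions raised later in this piece matter.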
EDR programs are considered best practice and are recommended by the Australian Government’s peak cyber defence body.
This means that the best strategy recommended by cybersecurity experts in 2024 is to use software that spies on everything that happens on your computer.
How did we get here, and is there a better way going forward?
The Case for EDR
CrowdStrike is the market leader in EDR, which is why so many systems went down last weekend. There’s good reason to recommend EDR technologies like Falcon. For individual organizations, these technologies are extremely useful in alerting IT security teams to signs of cyber intrusion.
This allows IT teams to stop attackers before they can cause significant damage. For more stealthy attacks, it can help flag suspicious behavior that suggests a long-term intrusion. The Medibank hack in 2022 is a good example of this: after initially gaining access, hackers spent weeks inside Medibank’s network undetected.
CrowdStrike’s technologies, such as Falcon, also provide valuable intelligence on emerging cyberthreats. Because the company’s software is deployed in so many organizations around the world, CrowdStrike has a bird’s-eye view that allows it, at least in theory, to identify patterns of malicious behavior that individual organizations might not be able to see.
For this reason, the company is also a leader in cyber threat intelligence, providing IT teams with information on what to look out for. If an organization detects a cyberattack, the data collected by EDR tools like Falcon can also help them understand exactly how the intrusion occurred.
Again, the Medibank hack is a good example: Federal Court documents provide detailed information about the chain of events that led to the hack, including how the initial intrusion happened and what the attackers did once they accessed Medibank’s network.
Without the omniscient perspective provided by monitoring tools like EDR, gathering this information becomes very difficult.
What are the drawbacks?
In the wake of Friday’s outage, it’s worth asking questions about the shortcomings of EDR technology. Many are already raising obvious questions about our society’s excessive reliance on a few global tech giants and the risks of tech monopolies.
But these risks have been known for over 20 years, and this case should not be expected to dismantle the monopolies that pervade technology markets.
Another drawback is that the technical risks are very high: EDR software like Falcon gets its sweeping powers from being tightly integrated into the core of Microsoft Windows, the base software that controls most computers. This is also why a faulty update can crash the whole machine, as it did on Friday.
As a maker of highly privileged software, CrowdStrike had a responsibility to ensure its updates were secure. The company has clearly failed to do so, and we should demand a higher level of accountability from makers of critical software.
Privacy trade-offs
All of these issues were widely discussed in the days following the incident, but the privacy trade-offs received far less attention.
Ask any cybersecurity expert what type of software spies on everything you do on your computer, and they’ll probably mention spyware before EDR.
Spyware is malicious software that hackers install on victims’ computers in order to obtain confidential information such as passwords, banking details, nude photos and the like.
In fact, some privacy-conscious computer scientists equate EDR with spyware.
As with other forms of corporate surveillance, there is an obvious tension between individuals’ right to privacy and organizations’ obligation to protect themselves from cyber intrusions.
EDR technology has been deployed in major organizations with little discussion about its impact on user privacy and trust, and this outage may finally be an opportunity to have that discussion.
Is there a better way?
In light of this incident, it’s worth considering whether the trade-offs currently being made with EDR technology are the right ones.
Abandoning EDR would be a gift to cybercriminals, but cybersecurity technology can and should be better.
From a technical standpoint, Microsoft and CrowdStrike need to work together to allow tools like Falcon to operate outside of the core of Microsoft Windows, greatly reducing the risk posed by future faulty updates. There are already several mechanisms in place to make this possible, and some of CrowdStrike’s own Falcon technology already works this way.
To protect user privacy, EDR solutions must employ privacy-preserving methods for data collection and analysis. Apple has demonstrated how to collect data from iPhones at scale without violating user privacy, but applying such methods to EDR will likely require new research.
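As an added example of the kind of privacy-preserving collection the paragraph above refers to (this is illustration, not Apple’s or CrowdStrike’s code), the block below implements randomized response, the simplest local differential-privacy mechanism. Each device perturbs its own yes/no answer before sending it, so the collector can estimate what share of endpoints have some property without learning any single device’s true answer. The question, rates and privacy parameters are constructed for the example.

```python
"""Randomized response: a local differential-privacy primitive for telemetry.

Added illustration, not vendor code. Each client reports its true bit with
probability p = e^eps / (1 + e^eps) and the opposite bit otherwise; the
server unbiases the aggregate. A single report is then at most e^eps times
more likely under one true answer than the other, which is the local-DP
guarantee. All numbers below are constructed for the example.
"""
import math
import random


def keep_probability(epsilon):
    """Probability of reporting the true bit for privacy budget epsilon."""
    return math.exp(epsilon) / (1.0 + math.exp(epsilon))


def randomize(true_bit, epsilon, rng):
    """Client side: keep the true bit with probability p, flip it otherwise."""
    p = keep_probability(epsilon)
    return true_bit if rng.random() < p else 1 - true_bit


def estimate_proportion(reports, epsilon):
    """Server side: unbias the observed rate of 1s.

    E[report] = p*r + (1-p)*(1-r), so r = (observed - (1-p)) / (2p - 1).
    """
    p = keep_probability(epsilon)
    observed = sum(reports) / len(reports)
    return (observed - (1.0 - p)) / (2.0 * p - 1.0)


def standard_error(n, true_rate, epsilon):
    """Noise the mechanism adds: smaller epsilon means more privacy, more noise."""
    p = keep_probability(epsilon)
    q = p * true_rate + (1 - p) * (1 - true_rate)   # rate of 1s on the wire
    return math.sqrt(q * (1 - q) / n) / (2 * p - 1)


def simulate(n, true_rate, epsilon, seed=1):
    """Draw n devices' true bits, collect randomized reports, and estimate.

    Returns (actual sample rate, privacy-preserving estimate).
    """
    rng = random.Random(seed)
    truth = [1 if rng.random() < true_rate else 0 for _ in range(n)]
    reports = [randomize(bit, epsilon, rng) for bit in truth]
    actual = sum(truth) / n
    return actual, estimate_proportion(reports, epsilon)


if __name__ == "__main__":
    # Constructed question: "does this endpoint run an unsigned driver?"
    for eps in (math.log(3), math.log(9)):
        actual, est = simulate(20000, 0.3, eps)
        print(f"eps={eps:.2f} keep_p={keep_probability(eps):.2f} "
              f"actual={actual:.3f} estimate={est:.3f} "
              f"se={standard_error(20000, 0.3, eps):.4f}")
```

With eps = ln 3 each device tells the truth three times out of four, so any one report is deniable, yet across twenty thousand devices the population estimate lands within about a percentage point of the truth. Extending this from one bit per device to the rich event streams EDR collects is the open research problem the paragraph above alludes to.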
More fundamentally, this case raises the question of why society continues to rely on such obviously untrustworthy computer software – particularly in Australia, a globally recognised leader in designing highly secure computer systems, including systems that protect sensitive information.
In the long term, we need to reduce our reliance on intrusive technologies like EDR by focusing on building reliable and secure software in the first place.