There has been much discussion on social media about the technical causes of the outage, with the company’s very existence being the subject of much online speculation.
But CrowdStrike’s competitors have remained quiet on the issue, perhaps aware that the same thing could happen to them.
The chief information security officer (CISO) of a well-known insurance brokerage and CrowdStrike customer, speaking on condition of anonymity, told Computing magazine that the Windows crashes had caused a busy weekend for the company, but that mitigation was relatively easy because the company is “cloud-first” with few standalone devices. CrowdStrike provided quick notification and clear instructions, the CISO said.
The company is considering its options but will likely retain its security vendor.
“My conclusion is that we should continue to use CrowdStrike for three reasons,” the CISO said.
“First, they’re the best at what they do. Second, if we had used another contractor and the same thing had happened, we would have ended up in the same situation.”
“Third, if this happened to another company, would they get the same transparency and immediate remediation that they got from CrowdStrike? In my opinion, they wouldn’t, because CrowdStrike has a lot of significant customers and they need to be more responsive and remediate quickly.”
The CISO noted that given the company’s customers, many of which are Fortune 500 companies and large public sector organizations, the impact of the outage was disproportionate to the number of devices affected (only about 1% of Windows machines were down).
The CISO declined to speculate on the cause of the massive outage and suggested some of the comments on social media were suspicious at best.
“I think we need to reserve judgment until CrowdStrike makes a public announcement. They will be honest. They have committed to transparency, and they have to be transparent because they have customers.”
Microsoft has come under fire for its third-party code signing procedures and controls around kernel access, but it’s not guilty here: effective endpoint detection and response (EDR) will likely always require kernel access, and the same applies to kernel access on Apple and Linux devices, the CISO said.
“As others have said, Windows is actually a pretty secure environment these days. It would take a major lapse in quality control for something like what CrowdStrike did to happen. CrowdStrike has to take 99% of the blame here.”
Can customers claim on cyber insurance?
While reports are starting to emerge about efforts to file class action lawsuits against CrowdStrike, CISOs have little doubt the company will survive, given its customer base and market share. Alternatives include SentinelOne, Microsoft Defender, and “a number of smaller players,” but they’re not exactly comparable and may be more expensive.
“You pay for the licenses and the infrastructure, assign the appropriate licenses, and then Microsoft does EDR for you. They take the telemetry from the Defender product and put EDR on top of that, but there’s a fee for that.”
So, if an organization loses business due to the outage, can it claim for that loss under its cyber insurance? This depends on the individual policy, but the CISO felt that in most cases, since this was not a cyber attack, it would be unlikely to be able to claim. However, it may be able to claim under its business interruption policy, depending on the limitations within the policy and whether the organization feels it is worth claiming.
When it comes to contracts with vendors, CrowdStrike offers guarantees against hacks but not against outages, but since many of its customers are Fortune 500 companies, they may have individual SLAs. “Being U.S. companies, those contracts are usually pretty strict,” the CISO said.