
The largest cybersecurity outage ever.


The CrowdStrike defect that “bricked” (in fact, crashed into a boot loop) roughly 8.5 million Windows machines is a wake-up call for the industry. By now most of us know what happened and are busy fixing things. And the fix? A manual, per-machine process: boot into Safe Mode or the recovery environment, delete the faulty channel file and reboot. In practice that means hands-on access to every machine and, for BitLocker-encrypted drives, the recovery key for each one. For remote and hybrid workers, recovery means handing administrative privileges to the affected machines (privileges that then need to be revoked or managed to avoid new risk).

Until their enterprise-issued machines are back, the workers who rely on them will get their work done on unmanaged machines: personal laptops, smartphones, a home Mac. Or the work will not get done at all. Either way, consider what that means: a lot of work is about to happen on devices the enterprise does not manage.

Beyond blame, the bigger picture

Down the road, we should consider the value of unmanaged machines and bring them into the zero-trust sphere. We have been forced to get some work done even without the corporation-issued PC. Maybe we should plan for that to happen as part of business continuity. 

But for now, in addition to mobilizing the IT team, the SOC needs to watch for opportunistic attacks: phishing and malware delivery masquerading as a fix for the problem.

Menlo Security has already identified websites impersonating CrowdStrike and using the offer of a fix to deliver malware. Dozens of such URLs and domains have been identified and blocked across several enterprise tenants in the Menlo Cloud. The most common have been crowdstrike0day[.]com and crowdstrikebluescreen[.]com.

The following figure is a representative page:

[Figure: a website offering a CrowdStrike “fix”]

While enterprises focus on returning to normal operations, the SOC needs to stay on alert: over 50% of these URLs are not categorized as malicious by traditional secure web gateways and cloud proxies. These attacks use Legacy URL Reputation Evasion (LURE) tactics, that is, domains that web categorization engines have not yet scored as bad, and so category-based tools will not block them. We are seeing them categorized as “uncategorized” and even “Health & Medicine”, verdicts that legacy defenses wave through.
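The practical consequence of the paragraph above is that a SOC cannot wait for the gateway's category to turn red. The following is an added example, not Menlo Security code, of a hunt that ignores the category entirely and instead flags any host that looks like the CrowdStrike brand but is not on the organisation's allowlist. The two look-alike domains named in the post are used as input; the proxy log format, the allowlist, the remaining host names (cr0wdstr1ke-update.com, crowdstrike-support.net) and all log lines are constructed for illustration. Character folding (0 for o, 1 for l, dropped hyphens) plus a one-edit tolerance catches the typosquats an exact keyword match would miss.

```python
"""Brand-impersonation hunt over proxy logs: flags CrowdStrike look-alike hosts
without relying on the gateway's URL category.

Added example, not Menlo Security code. The log format, the allowlist and
the sample lines are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

BRAND = "crowdstrike"
# Assumption: the organisation's own allowlist of hosts that may legitimately
# carry the brand name. Anything else that looks like the brand is suspect.
LEGIT_DOMAINS = {"crowdstrike.com"}

# Common character substitutions seen in look-alike domains, folded back to
# letters; hyphens and underscores are dropped so "crowd-strike" == "crowdstrike".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "-": "", "_": ""})

# Constructed log format: <timestamp> <user> <url> <gateway-category> <gateway-action>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<url>\S+) (?P<category>\S+) (?P<action>\S+)$")


def normalize(host):
    return host.lower().rstrip(".").translate(HOMOGLYPHS)


def is_legit(host, legit=LEGIT_DOMAINS):
    host = host.lower().rstrip(".")
    return host in legit or any(host.endswith("." + d) for d in legit)


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_distance(host, brand=BRAND):
    """Smallest edit distance between the brand and any window of the folded
    host name with its TLD dropped. 0 means the brand appears verbatim."""
    labels = normalize(host).split(".")
    body = "".join(labels[:-1]) if len(labels) > 1 else labels[0]
    n = len(brand)
    best = n
    for width in (n - 1, n, n + 1):
        for start in range(max(1, len(body) - width + 1)):
            best = min(best, levenshtein(body[start:start + width], brand))
    return best


def scan_proxy_log(lines, threshold=1):
    """Return (host, category, action) for each request to a brand look-alike host.

    The gateway's category is reported, not consulted: an 'uncategorized' or
    'health_and_medicine' verdict is exactly how these domains slip through."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""
        if not host or is_legit(host):
            continue
        if brand_distance(host) <= threshold:
            hits.append((host, m["category"], m["action"]))
    return hits


def allowed_lookalikes(lines, threshold=1):
    """Look-alike hosts the gateway let through: the SOC's hunting list."""
    return [h for h in scan_proxy_log(lines, threshold) if h[2] == "allowed"]


# Constructed sample: the two hosts from the post plus invented look-alikes and benign traffic.
SAMPLE_LOG = """\
2024-07-19T14:02:11Z alice https://www.crowdstrike.com/blog/ technology allowed
2024-07-19T14:05:37Z bob https://crowdstrike0day.com/fix.zip uncategorized allowed
2024-07-19T14:06:02Z carol https://crowdstrikebluescreen.com/hotfix health_and_medicine allowed
2024-07-19T14:07:45Z dave https://cr0wdstr1ke-update.com/patch.exe uncategorized allowed
2024-07-19T14:08:10Z erin https://www.microsoft.com/en-us/ technology allowed
2024-07-19T14:09:55Z frank https://crowdstrike-support.net/recovery malware blocked
"""

if __name__ == "__main__":
    for host, category, action in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{host:30} gateway_category={category:20} gateway_action={action}")
```

Run against the constructed sample, the scan flags four hosts; three of them were allowed by the gateway, which is the list an analyst would pivot on (who clicked, what was downloaded, what ran next). The one-edit tolerance is deliberately loose; tune the threshold and the allowlist to your own brand list, and expect to review the output by hand.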

Rethinking cybersecurity resilience

After we recover, we need to ask why this happened. Why are our enterprises not resilient to an update to a security sensor? Endpoint protection has grown to monitor network telemetry among much else. These sensors have become ever more complex over the years, evolving from next-gen AV and endpoint detection to network event monitoring, and they dynamically monitor behavior, including interprocess communication, from inside the kernel. To say it is complex does not say enough.

This is no time to bash the latest vendor that caused such an outage. Most large-scale endpoint security tools could have caused such an outage. This outage was big, but service interruptions caused by security tools and systems are not rare. 

In 2021, over 50% of enterprises reported an outage caused by a security tool. The precedents are many: McAfee’s 2010 DAT 5958 update quarantined svchost.exe and sent Windows XP machines into reboot loops, a defect very much like CrowdStrike’s. Juniper Networks had an issue with code integrity. SolarWinds, oof. A leading WiFi company recently had a large-scale outage. Not all of these were update defects: CitrixBleed, Log4Shell in VMware Horizon and the recent Ivanti bugs (poor Ivanti has had it rough lately) were exploitable flaws in the security and access products themselves, but the disruption to the business was the same. The rate of outages is probably much higher than 50% now.

At a panel this week, Gartner analysts discussed the outage, calling it a “Black Swan” event. They suggested that IT teams test such updates before deploying them. That approach will not scale: it would overburden IT teams, updates of this kind sometimes ship more than once a day, and delaying them widens the window in which an attacker can gain traction. The analysts also discouraged running multiple endpoint security products, for two obvious reasons:

  1. Two sensors would double the risk of such a thing happening.
  2. It would be very costly.

During that panel, John Amato posed a critical question for anyone weighing alternatives to the current state. Any vendor trying to push aside CrowdStrike, he suggested, should be asked:

 “Exactly why would your product be immune to this issue?”

That is an important question, and it should be asked more generally, of the current enterprise security architecture as a whole.

Embracing a modern security architecture

The CrowdStrike outage exposed a fundamental flaw: we are over-reliant on complex endpoint software installations. For decades we have layered on antivirus (AV), endpoint protection platforms (EPP), endpoint detection and response (EDR) and extended detection and response (XDR). The result is a fragile house of cards, prone to collapse under the weight of its own complexity.

To address today’s needs and threats, we need a radical shift: 

  • Streamline endpoint installations: Avoid adding complexity to endpoint software. Each new feature or agent to update increases the risk of outages and vulnerabilities.
  • Rethink business operations: The internet is the lifeblood of modern business. Our security strategies need to reflect this reality, not hinder it.
  • Adopt zero trust: a zero-trust access model that works with both managed and unmanaged systems and can survive a defect like this one, without adding complexity to the endpoint software installation.

But what would a more resilient security solution look like? John Amato’s question challenges us to ask: "Exactly what would a product need to be immune to this issue?" Here's what we should be looking for:

  • Kernel-Independent Operation: code that runs outside the operating system kernel cannot take the kernel down with it; a defect crashes one process, not the machine, so the risk of "bricking" it is removed. Better still, it would operate independently of the local operating system altogether, without requiring additional endpoint software installations.
  • Ephemeral Sessions: Be instantiated, orchestrated, and disposed of with each user session so that no saved state would preserve defective or malicious software.
  • Robust Threat Prevention: Provide unassailable defenses from phishing and malware delivery.
  • Seamless Access: Users should be able to access the resources they need without sacrificing security. This means providing secure access to applications and data regardless of the device or network.

Of course, such a product would not apply to every use case: CT scanners and airline reservation systems require installed software, and e-voting machines must be managed and secured; all of these still need endpoint security software. For the vast majority of end-user devices, however, a light-touch approach that prioritizes security and resilience is both feasible and necessary.

Asking the right questions

End-user machines need endpoint protection, and they also need to protect users from malware, phishing and software defects. As we recover from the CrowdStrike outage, it makes sense to revisit our security architecture and ask some tough questions:

  • Have we tried to solve everything with firewalls and endpoint software installations for too long? Are we just allowing endpoint software to run on autopilot?
  • Is the “secure service edge” really getting the job done? Is Log4Shell on VMware Horizon or CitrixBleed still a worry?
  • How is that zero-trust initiative going? Is there another way to protect users and endpoints from threats?
  • Can we employ strict network separation and still provide access to information and tools without using a VPN connection? 

It is also probably time to reassess how users work: 50% of users can do their job entirely within a browser, and 80% of users can do 80% of their job within it. Microsoft Windows remains the dominant PC operating system, but Google Chrome and Microsoft Edge have become the place where much of our work gets done. Since the browser has emerged as the main tool most workers use, maybe it is time to think about the browser first.

Browser-first security 

While securing endpoints and networks remains crucial, we can't ignore the browser's growing role in our work lives. The CrowdStrike outage highlighted how a single software glitch can cripple productivity, emphasizing the need to integrate enterprise browser security into our broader risk management strategy.

Simply piling on more endpoint security software is not the answer. Instead, let us leverage the tools we already have: our browsers. If you are using Google Chrome, Microsoft Edge or Apple Safari, you already have the right tool at hand. The question is how to use it to our advantage.

Instead of hastily replacing your endpoint protection product, consider these questions:

  • What alternative approach would have reduced the impact of this outage? 
  • What approach might have made it easier and cheaper to recover?
  • How can the browsers that we already have help without increasing the complexity of endpoint software installations?

While it's likely that CrowdStrike will address this issue, it's wise to explore proactive measures.

Effective enterprise security needs to protect and control endpoints and networks. CrowdStrike and Microsoft are proven EPP options, and there remains a wide variety of network security providers. But who is safeguarding the enterprise browser? Browsers, where most of us spend the majority of our workday, need to be managed and protected, too.

In the browser arena, there is really a single choice: Menlo Security and Secure Cloud Browsing. Menlo adds the browser context to a security architecture in a way that works for business, on both managed and unmanaged machines. Where legacy approaches have failed, and where they sometimes introduce risk themselves, Menlo provides the safety and access that users and businesses require. Menlo Security enables the world to connect, communicate and collaborate securely without compromise, and without the added risk of bricking your machines.

See what other folks are saying about adding the browser to a security architecture in recent work by Coalfire or this analysis from GigaOm.

Learn more about Enterprise Browser solutions and how browser security can make your business more resilient to attacks and “black-swan” software defects in this report from Omdia.
