Not to jump on the bandwagon, but this Crowdstrike incident is a perfect example of the risk of supply chain attacks. As we drive to be as close to the cutting edge as possible in regards to our controls to thwart potential malicious actors, we have introduced several instances of centralisation which can and have affected global markets. The SolarWinds attack was a pivot into various organisations; technologies such as Crowdstrike sit at the heart of a lot of services we provide our customers. Because of this requirement to deploy frequent and almost instant changes of signatures and heuristic detections across our security estate, the ability to test what has been deployed is almost impossible. I am sure that Crowdstrike did not intend to release such a potentially devastating content pack, but it does demonstrate the loss of control and the centralisation of these controls that have been performed globally. I don't have an answer apart from our suppliers needing to ensure the validation of their tools is correct, but it does come at the expense of speed. Correctness vs speed, not sure what side I would want to be on whilst the next sexy new 0day comes into play. It's a hard one.
Nailed it
The implicit trust in vendors is definitely a risk that most if not all organisations fail to recognise adequately.
Good insight, Thomas!
It's a good point. Security vendors pride themselves on stopping threats as soon as they're discovered, and for good reason, but this incident shows that there is a need for caution. I wonder if vendors will start offering different risk options to customers. A customer could then select if they'd rather receive the update immediately to fix a potential threat, or wait for full testing to be complete to avoid this scenario.
Vendors, MSPs, MSSPs, all have access to your systems at various levels and in various ways. Trust is ONE thing, COMPLIANCE is THE thing!! If any of your supply chain is not fully compliant, walk away. Make the change! Drive compliance through demand and choice! Now, even then, you NEVER EVER drop your guard. ALL standards and Controls MUST be maintained and regularly checked / run, with individuals and teams being Accountable and Responsible and a controls team policing them and ensuring the frequency is correct and adhered to with evidence. STANDARDS - Never ever deploy software without TESTING first, and patches are software. Even zero day should be tested, albeit in an accelerated RISK accepted process. And this is not hindsight. It is all just best practice and if implemented properly, they DO NOT impact productivity! IMHO.
My kids finished school for the summer yesterday and tons of people went to the park. I joined after work and was talking to a random dad who has never worked in IT. Somebody else brought up Crowdstrike and I described the issue, briefly. The random dad asked why they didn't push the update to a small subset of customers to check it works okay, before sending it to everyone. Then another random dad said, "there you go, he's just solved that problem so it won't ever happen again". I couldn't really argue with any of that.
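The "push it to a small subset first" idea in the comment above, together with the earlier suggestion that customers could choose between taking an update immediately or waiting for validation, can be written down as a ring-based rollout with a health gate. The following Python model is an added example for this thread; it is not code from any commenter or from any vendor's update pipeline. The host names, ring layout, build numbers and the health probe are all constructed: a vendor canary fleet (ring 0) must pass before early-adopter customers on the "immediate" channel (ring 1), who in turn must pass before customers on the "validated" channel (ring 2). A ring whose failure ratio exceeds the threshold halts promotion and rolls its failed hosts back, so a bad build stops at the canaries and never reaches customers.

```python
"""Toy model of a ring-based (canary) rollout for a security content update.

Constructed example: hosts, rings, build numbers and the health probe are
made up for illustration; no real vendor pipeline is modelled.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional

BASELINE_BUILD = "content-1000"   # constructed: the build every host starts on
BAD_BUILD = "content-1001"        # constructed: a build that breaks the sensor
GOOD_BUILD = "content-1002"       # constructed: a build that passes everywhere


@dataclass
class Host:
    name: str
    ring: int                       # 0 = vendor canaries, 1 = "immediate" customers, 2 = "validated" customers
    version: str = BASELINE_BUILD
    healthy: bool = True


@dataclass
class RolloutResult:
    updated: list[str] = field(default_factory=list)      # hosts now on the new build
    rolled_back: list[str] = field(default_factory=list)  # hosts that failed and were reverted
    halted_at_ring: Optional[int] = None                  # None means every ring was promoted
    reason: str = "completed"


def build_fleet() -> list[Host]:
    """Constructed fleet: a few vendor canaries, then two customer channels."""
    canaries = [Host(f"vendor-canary-{i}", ring=0) for i in range(3)]
    immediate = [Host(f"cust-immediate-{i}", ring=1) for i in range(4)]
    validated = [Host(f"cust-validated-{i}", ring=2) for i in range(6)]
    return canaries + immediate + validated


def sensor_health(host: Host) -> bool:
    """Constructed stand-in for the post-update probe ("did the sensor come
    back and check in within its window?"). Only the bad build fails it."""
    return host.version != BAD_BUILD


def staged_rollout(hosts: list[Host], new_version: str,
                   health_check: Callable[[Host], bool],
                   max_failure_ratio: float = 0.0) -> RolloutResult:
    """Promote new_version ring by ring, lowest ring first.

    Each ring is updated and probed; a failed host is reverted to its
    previous build immediately. If the ring's failure ratio exceeds
    max_failure_ratio, promotion stops and later rings are never touched.
    An empty ring is treated as a gate failure: there is no evidence to
    promote on, which is exactly the situation a canary ring exists to avoid.
    """
    result = RolloutResult()
    for ring in sorted({h.ring for h in hosts}):
        members = [h for h in hosts if h.ring == ring]
        if not members:
            result.halted_at_ring, result.reason = ring, "empty ring, no evidence to promote"
            return result
        failures = 0
        for h in members:
            previous = h.version
            h.version = new_version
            if health_check(h):
                h.healthy = True
                result.updated.append(h.name)
            else:
                h.healthy = False
                h.version = previous               # automatic rollback of a failed host
                result.rolled_back.append(h.name)
                failures += 1
        if failures / len(members) > max_failure_ratio:
            result.halted_at_ring = ring
            result.reason = f"ring {ring}: {failures}/{len(members)} hosts failed health check"
            return result
    return result


if __name__ == "__main__":
    for build in (BAD_BUILD, GOOD_BUILD):
        fleet = build_fleet()
        r = staged_rollout(fleet, build, sensor_health)
        print(f"{build}: updated={len(r.updated)} rolled_back={len(r.rolled_back)} "
              f"halted_at_ring={r.halted_at_ring} ({r.reason})")
```

Run stand-alone, the bad build halts at ring 0 with all three canaries rolled back and every customer host still on the baseline, while the good build reaches all thirteen hosts. The threshold is deliberately zero for a content update of this kind: a single crashed canary is enough evidence to stop, since the cost of holding a signature update for a bake period is usually far lower than the cost of pushing a crash to every ring at once.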