CrowdStrike Outage: Lessons for Third-Party Vendor Risk Management Programs

Cybersecurity vendor CrowdStrike pushed an update to the Windows versions of its software that ended up causing computer systems worldwide to crash. Use our free assessment to determine the impact of the incident on your vendor universe.
By Matthew Delman, Product Marketing Manager
July 19, 2024

In the early hours of Friday, July 19, an update to the CrowdStrike Falcon Sensor product triggered a worldwide outage on Windows machines. Equipment at banks, television stations, airlines, hospitals, and many more companies suddenly displayed the dreaded “Blue Screen of Death” after CrowdStrike pushed what the company said was a faulty content update out to its user base.

The incident was not a cyberattack or malicious in any way. It was faulty code in a regular product update. This is a perfect example of why you need to continually assess the business resilience practices of your third parties and understand the third-party risk exposure in your vendor universe when widespread outages like this one occur.

The CrowdStrike Incident and Why It Matters

CrowdStrike regularly publishes content updates to its Falcon Sensor products to ensure that they’re protecting against the newest cyberattacks. All reports point to the update being part of that deployment cycle.

The update, however, included faulty code that triggered the dreaded Blue Screen of Death on Windows machines. Affected equipment remained unresponsive even after a restart, grinding thousands of companies to a halt worldwide and disrupting operations at banks, airlines, hospitals, and other organizations. Around 1,400 flights were canceled worldwide because of the issue, and some travelers were issued hand-written boarding passes to get on their flights.

CrowdStrike’s defensive products are so widely deployed that this single mistake resulted in a slew of problems. It wasn’t even a cyberattack, as CEO George Kurtz said in a statement.

CrowdStrike Vendor Risk Assessment Questionnaire

Prevalent has developed a short assessment to send out to your vendors to better understand who is affected and how they are responding to the issue. This short assessment will provide quick visibility into which third parties are using the CrowdStrike Falcon Sensor product and to what extent each of them has been affected by this incident.

Note to Prevalent customers: This assessment is now available in your questionnaire library.

Questions and Answer Choices

1. Does your organization use the CrowdStrike Falcon Sensor NGAV (Next-generation antivirus) and EDR (Endpoint detection and response) product?

Help Text: The cybersecurity company CrowdStrike pushed out an update to its Falcon Sensor product on Friday 19th July, which caused an incident affecting Windows systems. The defect was found in a single content update for Windows hosts, causing them to crash and display the Blue Screen of Death.

a) Yes

b) No

2. How significant has the incident been on your systems and infrastructure?

Help Text: Consideration should be given to where the impact has occurred, alongside the level of impact.

  • Significant impact: The vulnerability has caused a loss of confidentiality or integrity of data
  • High impact: System availability has been periodically lost, and some loss of confidentiality or integrity of data
  • Low impact: No loss of confidentiality or integrity of data; minimal or no disruption to system availability

a) There has been significant impact to our critical systems, applications or information

b) There is a high level of impact to our critical systems, applications or information

c) There has been a low level of impact to our critical systems, applications or information

d) The incident has had no impact to our critical systems, applications or information

3. Does the organization have workarounds and/or backup systems to restore from?

a) Yes

b) No

c) N/A

4. Has the organization implemented the recommended manual recovery steps from CrowdStrike?

Help Text: CrowdStrike has suggested the following manual workaround to restore systems:

  • Boot Windows into Safe Mode or the Windows Recovery Environment
  • Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
  • Locate the file matching “C-0000029*.sys” and delete it
  • Boot the host normally

a) Yes

b) No
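The manual workaround in the help text above is typed by hand on each host. As an added example, not code from the original post or from CrowdStrike, the following PowerShell script carries out the same steps in a way that is easier to audit when many machines have to be recovered: it locates the file matching the pattern the help text gives, reports what it found, and only moves the file aside when explicitly told to. Everything beyond the four published steps is an assumption of this example: that powershell.exe is available in the Safe Mode or recovery environment you are working from, that the system volume may not be mounted as C: in the Windows Recovery Environment (so every mounted volume is checked), and that moving the file into a quarantine folder is preferable to deleting it, so it can be handed to the vendor or restored if the wrong file was matched.

```powershell
# Added example (not from the original post or from CrowdStrike).
# Run from Safe Mode or a recovery environment where powershell.exe is available
# (assumption). Without -Remove the script is a dry run that only reports.
param(
    [switch]$Remove
)

# File name pattern exactly as given in CrowdStrike's published workaround.
$pattern = 'C-0000029*.sys'
# Relative path of the driver directory named in the workaround.
$relativePath = 'Windows\System32\drivers\CrowdStrike'

# In WinRE the system volume is often not C:, so check every mounted
# filesystem volume for the CrowdStrike driver directory (assumption).
$volumes = Get-PSDrive -PSProvider FileSystem |
    Where-Object { Test-Path (Join-Path $_.Root $relativePath) }

if (-not $volumes) {
    Write-Output "No CrowdStrike driver directory found on any mounted volume."
    return
}

foreach ($volume in $volumes) {
    $dir = Join-Path $volume.Root $relativePath
    # -Filter applies the same wildcard the help text uses; -File skips directories.
    $found = Get-ChildItem -Path $dir -Filter $pattern -File -ErrorAction SilentlyContinue

    if (-not $found) {
        Write-Output "$dir : no file matching $pattern"
        continue
    }

    foreach ($file in $found) {
        # Record name, timestamp and size before touching anything, so the
        # recovery action leaves an audit trail.
        Write-Output ("{0}  {1:yyyy-MM-dd HH:mm:ss} UTC  {2} bytes" -f `
            $file.FullName, $file.LastWriteTimeUtc, $file.Length)

        if ($Remove) {
            # Quarantine folder name is a hypothetical choice for this example;
            # moving rather than deleting keeps the file available for analysis.
            $quarantine = Join-Path $volume.Root 'CrowdStrike-Quarantine'
            New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
            Move-Item -Path $file.FullName -Destination $quarantine -Force
            Write-Output "  moved to $quarantine"
        }
    }
}
```

Run it once without `-Remove` to confirm that exactly the expected file is matched on the expected volume, then again with `-Remove`, and boot the host normally as the final step of the published workaround.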

5. Who is designated as the point of contact who can answer additional queries?

Help Text: Please state the key contact for managing information and cybersecurity incidents.

  • Name:
  • Company:
  • Title:
  • Email:
  • Phone:

Four Best Practices for Proactive Third-Party Incident Response

The announcement of a high-impact incident, regardless of cause, is the wrong time to ensure your organization has a third-party incident response plan in place. Instead, start preparing for the next incident by implementing a proactive approach now. Here are four best practices to start with:

1. Develop a centralized inventory of all third parties

A centralized vendor inventory needs to be created in a platform, not manual spreadsheets, so all the necessary internal teams can participate in vendor management through an automated process. Once that’s done, you need to conduct inherent risk scoring to help determine how to assess your third-party vendors on an ongoing basis according to the risks they pose to your business.

2. Build a map of third parties to determine technology concentration risk

Knowing about the 4th-party technologies deployed in your vendor ecosystem helps to identify relationships between your organization and third parties based on certain technology usage.

Once you understand this, you can better determine possible concentration risks like weak points and access paths into your enterprise for proactive mitigation. You can accomplish this through a targeted assessment or via passive scanning.

3. Assess third parties’ business resilience and continuity plans

Proactively engage impacted vendors with simple, targeted assessments that align with known industry supply chain security standards such as NIST 800-161 and ISO 27036. Results from these assessments will help you target remediations to close potential gaps. Good solutions will provide built-in recommendations to speed up the remediation process and close those gaps quickly.

4. Continuously monitor impacted vendors and suppliers for issues

Being continuously vigilant for the next supply chain problem means looking for signals of an impending incident. Monitoring multiple sources of risk intelligence, such as criminal forums, hack/breach notice sites, code repositories, and vulnerability databases, is key. You can monitor these sources individually or find solutions that unify all the insights into a single dashboard so all risks are centralized and visible to the enterprise. The CrowdStrike issue was thankfully not from a malicious source, but risk monitoring remains a key component in understanding your exposure to a third-party incident.

What Next?

Over the next few weeks, companies affected by the CrowdStrike outage are likely going to be spending a significant amount of time recovering their systems. Vendors, large and small, will be contending with the business slowdown and bringing potentially many thousands of end-user machines back into service. Understanding which of your vendors have been impacted the most should be a good indication of what to do next and how to ensure that you – if you’re not also dealing with the outage – don’t experience the same slowdown in business.

Looking to mature your third-party risk management program and be better prepared for future incidents like this one? Learn how Prevalent can help by requesting a demo of our TPRM platform today.

Matthew Delman
Product Marketing Manager

Matthew Delman has more than 15 years of marketing experience in cybersecurity, financial technology, and data management. As product marketing manager at Prevalent, he is responsible for customer advocacy, product content, enablement, and launch support. Before joining Prevalent, Matthew held marketing leadership roles at Techstrong Group and LookingGlass Cyber, and owned product positioning for EASM and breach prevention technologies.
