Microsoft CrowdStrike Outage: Key Insights & Early Takeaways

On Friday, July 19th, a software update to CrowdStrike's Falcon sensor initiated one of the most extensive IT outages in history, impacting multiple industry sectors including financial services, healthcare, transportation, and others.??

According to CrowdStrike , the outage stemmed from "a defect found in a Falcon content update for Windows hosts." At that point, the software update had not affected Mac and Linux systems.

Given the widespread impact of this incident across industries globally, clean-up and response activities are likely to continue into this week.

Global Impact

The Microsoft CrowdStrike outage significantly impacted multiple sectors and regions. Some of the affected areas included:

Affected Sectors (airlines, healthcare, financial services)

Industries - The airline industry experienced severe disruptions with over 4,295 flight cancelations worldwide, creating chaos at airports. Healthcare systems such as Mass General Brigham and Emory Healthcare had to postpone services and revert to manual processes. Financial services also suffered with disruptions to payment systems and customer access at banks globally.?

Geographical Spread of the Outages

Geography - This was not isolated as the outages influenced services across the U.S., Canada, the U.K., Europe, and Asia. Major U.S. cities saw disruptions in healthcare and public transportation, while the U.K.'s National Health Service faced setbacks in managing patient records and appointments.

Operational Consequences on Businesses

Business Operations - Organizations worldwide faced operational challenges. Amazon warehouse employees struggled with schedule management, and Starbucks temporarily closed stores due to mobile ordering issues. Large corporations like FedEx and UPS reported substantial disruptions impacting logistics and deliveries. This outage underscored how critical stable and secure IT infrastructures are for modern businesses.

What Should Organizations Do After the Incident?

Lessons learned from CrowdStrike will likely expand as more details surface regarding the outage's impacts on organizations worldwide. However, reconsidering and reinforcing strategies around key processes and resources can help ensure a more robust response to future events.

1. Follow Official Restoration Instructions

An organization should first follow the restoration and workaround instructions published on the vendor's official website if impacted by the incident. The steps include information on what systems are affected and instruct users on how to address the issue based on their system’s status and configuration.?

2. Assess Third-Party Impact

Next, an organization should evaluate how this issue has impacted third-party vendors. Have they been exposed to the incident and followed the proper restoration steps to recover their systems? It is important to understand that even if internal systems have not been affected, third-party vendors and service providers relied upon may have been impacted.

3. Evaluate Vendor Security Posture??

At this time, an organization should also assess whether vendors still have the appropriate security controls in place. Some businesses may disable the solution entirely rather than restore systems to an earlier version. This could leave vendors and the organization vulnerable to cyber threats and data security risks.

4. Monitor Supply Chain Risk

Depending on the prioritization of this incident, companies reliant on the solution in their supply chain will have higher risk than average over the next few days. Reports have shown threat actors identifying and targeting impacted customers.

7 Essential Actions Moving Forward

• Apply all relevant fixes and patches released by CrowdStrike for the impacted systems immediately. Continuously monitor for any additional updates from the vendor.

• Vigilantly monitor system and security logs for unusual activity that could indicate ongoing issues or exploitation attempts following the resolution of the incident.

• Confirm that all critical data backups are current and readily available. Test restoration procedures to guarantee data can be swiftly and accurately recovered if needed.

• Maintain heightened awareness against phishing through ongoing end-user training focused on identifying suspicious emails and avoiding unverified links and attachments.

• Create clear channels for communicating regularly with stakeholders, including employees, customers, and partners, about incident details and recovery progress.

• Evaluate affected vendors and coordinate with them to understand response plans and remediation timelines. Collaborate to ensure coordinated mitigation across the supply chain.

• Update and routinely test incident response plans to facilitate rapid mitigation of similar supply chain disruptions in the future.

Reassess Strategies in Light of Lessons Learned

As with any incident, cleanup and follow-up are essential. For organizations that have recovered machines post-CrowdStrike, certain items should be reviewed. Firstly, consider reissuing Bitlocker recovery keys . For manually distributed recovery keys, consider reissuing and rotating keys.?

For infrastructure changes being considered, rather than entirely replacing technology with a different operating system, consider alternatively changing how software is deployed and restricting allowed software on special-purpose machines. Antivirus is used because unlimited software runs on systems. Limiting allowed software could better secure machines with focused effort and resources.

The operating system purpose should also be reconsidered. Social media shows bluescreens on mere notification displays. Is a full operating system truly needed only for information? Are alternative information displays possible? Should Vendors not conduct their own quality control? Issues from Microsoft to now CrowdStrike raise questions if reduced testing budgets cause root issues. For CrowdStrike, a Falcon update logic error caused the issue , per CEO George Kurtz. The circumstances require clarification post-incident.

Even if unimpacted, update file rollout speeds should be reviewed. From vendor to definition updates, independent testing and validation processes are recommended before rollout, given reduced quality assurance at many firms. No software can be completely trusted.??

Conclusion

The Microsoft CrowdStrike outage caused by a defective Falcon sensor update, the incident underscored the need for strong IT infrastructures. Organizations should follow restoration guidelines, assess third-party impacts, and bolster cybersecurity measures. For expert guidance and comprehensive cybersecurity solutions, check out Symposia 's Trust Services.