CrowdStrike Incident: New Assessment Tool and TPRM Best Practices
On July 19, 2024, CrowdStrike announced an investigation of an update-related outage. CrowdStrike is a cybersecurity company that provides various Managed Detection and Response (MDR) solutions.
Organizations across all industries use CrowdStrike, so this incident has had widespread implications for organizations of all sizes around the world. It extends beyond the immediate enterprise customers of both CrowdStrike and Microsoft (whose software is closely integrated) to potentially affect millions of additional organizations that rely on Microsoft O365 software.
This article provides a brief overview of steps you can take to protect your organization and your third-party network. We also cover a few general risk-management best practices and a summary of mitigation efforts.
What to do if you are at risk
If you are a CrowdStrike customer, you may have already taken steps to respond and recover. CrowdStrike is urging its customers to identify affected hosts and attempt to download and install a reverted file update.
If this is not possible, build an autorecovery ISO or manually deploy a working ISO. For more detailed remediation steps, refer to the official CrowdStrike guidance.
Determine if your third parties are impacted
With any incident impacting third parties, it can be a challenge simply to know who in your vendor supply chain is at risk. Whistic offers the capability to bulk-send assessment questionnaires to your vendor list so you can quickly understand the scope of impact and learn what steps your third parties have taken or plan to take.
To assess whether your third parties are using any CrowdStrike services and if there is any associated impact, Whistic customers can access the CrowdStrike Outage Questionnaire immediately in our Questionnaire Standards Library.
Does the CrowdStrike incident impact Whistic?
As a result of our investigation, we have determined that this situation does not directly impact Whistic. Whistic does not use CrowdStrike products, and we haven’t identified any of our third parties that use CrowdStrike products. We have a structured approach to vulnerability identification and remediation using technologies in both the development lifecycle and in our stage and production environments.
The role of TPRM in incident response and overall risk management
It is fair to say that even the most robust vendor assessment process would not have prevented this CrowdStrike incident from impacting many businesses. But this outage speaks to the need for a comprehensive third-party risk management (TPRM) program. Let’s take a look at a few essential elements of a strong program that are especially relevant for this current incident.
Fundamentals of vendor management
When an incident occurs, it’s important to be able to quickly recognize how widespread the threat may be across the totality of your vendor landscape. In order to accomplish this quickly, your TPRM program needs to include:
- Strong, centralized vendor inventory—Having a single system of record for all vendors allows you to look at all your vendors at one time; if you use TPRM software or another tool, make sure your vendor inventory can be queried by controls so vulnerabilities are easier to spot.
- Vendor profiles—Make sure you are collecting consistent information from every vendor as a part of your standard procurement and vendor onboarding processes. This will ensure consistency and make it easier to compare risk levels among vendors.
- Clear risk ranking methodology—Develop a definitive scoring system that allows you to classify and group your vendors by risk category. This makes it easier to allocate resources to high-risk vendors and have a plan in place in the event of an incident. Again, consistency is key here. Your risk ranking should factor in things like the types and volumes of data the vendor can access and the criticality of the vendor to your business operations.
TPRM best practices to reduce the impact of an incident
Good TPRM fundamentals will help you better identify and manage risks on an ongoing basis, but there are other risk-management practices that can help your organization respond and recover more quickly and with greater confidence in the event of a future breach or outage.
1. Test updates before they are deployed
This practice involves testing all software updates in a controlled environment to identify and rectify potential defects before they affect production systems.
By simulating real-world conditions and performing comprehensive testing, organizations can significantly reduce the risk of deploying faulty updates that can cause widespread disruptions. Automation tools can enhance this process by quickly identifying issues that manual testing or human error might miss.
2. Conduct internal Business Continuity and Disaster Recovery testing
Most organizations develop clear and documented processes for business continuity and disaster recovery, but it’s vital to conduct regular drills of your responses to ensure your teams are well-versed in procedures.
This preparedness can minimize downtime and data loss during actual incidents and can help identify gaps in your response plan before they are exposed during a real-world incident. Also, be sure to include all relevant departments in these drills.
3. Develop a robust backup and recovery strategy
Ensuring that all critical data and system configurations are backed up regularly can mitigate the impact of an IT outage. Test these backups for integrity, and make sure you have a good sense of the time it will take to restore systems. This practice not only improves data availability during outages but also helps restore normal operations more quickly, which in turn minimizes downtime and associated costs.
Whistic helps businesses dedicate more resources to incident response
The goal of any TPRM program is to identify, mitigate, monitor, and respond to risks. This process makes it possible to prevent a large number of incidents, but only if you have the resources you need.
Whistic’s AI-first platform allows companies to best allocate even limited resources to the right TPRM activities. We accomplish this by:
- Automating the assessment process with a powerful AI engine
- Generating richer insights to better understand risk
- Reallocating resources from manual/administrative tasks to active risk management
- Making it simple to monitor your environment consistently, reassess vendors more quickly, and query your entire vendor inventory in the event of an incident
Our customers also have access to an ever-growing list of specific assessment questionnaires, so you always have the right tool at hand to assess your vendors in the event of an incident. If you’d like to learn more about how our AI platform can help you before the next security incident, schedule your brief, hassle-free consultation today.