Pages

Saturday, July 20, 2024

Toby Murray: What is CrowdStrike Falcon and what does it do? Is my computer safe?


A massive IT outage is currently affecting computer systems worldwide. In Australia and Aotearoa New Zealand, reports indicate computers at banks, media organisations, hospitals, transport services, shop checkouts, airports and more have all been impacted.

Today’s outage is unprecedented in its scale and severity. The technical term for what has happened to the affected computers is that they have been “bricked”. This word refers to those computers being rendered so useless by this outage that – at least for now – they may as well be bricks.

The widespread outage has been linked to a piece of software called CrowdStrike Falcon. What is it, and why has it caused such widespread disruption?

What is CrowdStrike Falcon?

CrowdStrike is a US cyber security company with a major global share in the tech market. Falcon is one of its software products that organisations install on their computers to keep them safe from cyber attacks and malware.

Falcon is what is known as “endpoint detection and response” (EDR) software. Its job is to monitor what is happening on the computers on which it is installed, looking for signs of nefarious activity (such as malware). When it detects something fishy, it helps to lock down the threat.

This means Falcon is what we call privileged software. To detect signs of attack, Falcon has to monitor computers in a lot of detail, so it has access to a lot of the internal systems. This includes what communications computers are sending over the internet as well as what programs are running, what files are being opened, and much more.

In this sense, Falcon is a bit like traditional antivirus software, but on steroids.

More than that, however, it also needs to be able to lock down threats. For example, if it detects that a computer it is monitoring is communicating with a potential hacker, Falcon needs to be able to shut down that communication. This means Falcon is tightly integrated with the core software of the computers it runs on – Microsoft Windows.
An update alert from the CrowdStrike website informing customers about the Windows crashes related to Falcon. The Conversation/Crowdstrike

Why did Falcon cause this problem?

This privilege and tight integration makes Falcon powerful. But it also means that when Falcon malfunctions, it can cause serious problems. Today’s outage is a worst-case scenario.

What we currently know is that an update to Falcon caused it to malfunction in a way that caused Windows 10 computers to crash and then fail to reboot, leading to the dreaded “blue screen of death” (BSOD).

This is the affectionate term used to refer to the screen that is displayed when Windows computers crash and need to be rebooted – only, in this case, the Falcon problem means the computers cannot reboot without encountering the BSOD again.

Why is Falcon so widely used?

CrowdStrike is the market leader in EDR solutions. This means its products – such as Falcon – are common and likely the pick of the bunch for organisations conscious of their cyber security.

As today’s outage has shown, this includes hospitals, media companies, universities, major supermarkets and many more. The full scale of the impact is yet to be determined, but it’s certainly global.

Why aren’t home PCs affected?

While CrowdStrike’s products are widely deployed in major organisations that need to protect themselves from cyber attacks, they are much less commonly used on home PCs.

This is because CrowdStrike’s products are tailored for large organisations in which CrowdStrike’s tools help them monitor their networks for signs of attack, and provide them with the information they need to respond to intrusions in a timely way.

For home users, built-in antivirus sofware or security products offered by companies such as Norton and McAfee are much more popular.

How long will this take to fix?

At this stage, CrowdStrike has provided manual instructions for how people can fix the problem on individual affected computers.

However, at the time of writing there does not yet appear to be an automatic fix for the problem. IT teams at some organisations may be able to fix this problem quickly by simply wiping the affected computers and restoring them from backups or similar.

Some IT teams may also be able to “roll back” (revert to an earlier version) the affected Falcon version on their organisation’s computers. It’s also possible some IT teams will have to manually fix the problem on their organisation’s computers, one at a time.

We should expect that in many organisations it may take a while before the problem can be resolved entirely.

What is ironic about this incident is that security professionals have been encouraging organisations to deploy advanced security technology such as EDR for years. Yet that same technology has now resulted in a major outage the likes of which we haven’t seen in years.

For companies like CrowdStrike that sell highly privileged security software, this is a timely reminder to be incredibly careful when deploying automatic updates to their products.

Toby Murray, Associate Professor of Cybersecurity, School of Computing and Information Systems, The University of Melbourne. This article is republished from The Conversation under a Creative Commons license. Read the original article

6 comments:

Anonymous said...

Toby, just so you know for future reference. The name is New Zealand not the thing you used.

Ian Bradford said...

The country is called New Zealand NOT Aotearoa NZ !!!

Russell said...

N-1 release strategy exists to mitigate exactly this issue. It allows testing before production systems are updated, and the use of non-production 'canary' servers that get the updates first, to spot such issues. Falcon's console supports such features, to enable customers to hold back the latest version update into production until testing is done. So this debacle appears to be as much a failure of customer IT change management policy as it is a Crowdstrike failure. I am sure we will learn more soon, but there should be many red faces across the industry, not just at Crowdstrike.

Anonymous said...

Misnaming NZ. He’s at a university so either he’s woke or afraid of the woke cry-bullies.

K said...

Musk dropped it...
https://www.zerohedge.com/technology/largest-it-outage-history-sparks-disruptions-worldwide

Davi said...

By providing a basic explanation of how this software functions Toby Murray attempts to lend an air of authority to his wittering.

I used to work on business systems for large organisations. They have robust methods for testing updates prior to deployment. Banks in particular have whole departments dedicated to testing updates.

So, does any serious thinking person think this was an accident ? Hmmm, makes me think of Event 201.