It seems like only one week ago (because it was only one week ago) that you’d have considered an organisation in reasonably good shape if they had a fully-patched Windows Server estate and a market-leading EDR sensor deployed to 100% of those assets. Of course, we’d want to know more before giving that organisation a stamp of rude health, but that’s not a bad technology foundation from which to build.
Now the winds might be changing a little. Some thought-provoking articles have appeared in the media, showing that the vast majority of the world’s cyber “attack surface” is covered by the same 15 vendors – intended to highlight a risk where previously others would perhaps have seen maturity and consolidation. We’ve heard that the kernel-level permissions required by EDR vendors, previously seen generally as necessary to afford EDR agents deeper visibility, are now considered risky business indeed. We’ve heard that it is far too cavalier to download EDR threat content packages in near real time, where previously this had been seen by many as cutting edge and borderline essential to detection and response. Similarly, the application of DevOps principles to include software tools which intelligently check for errors in code has been viewed as innovative and essential to the reduction of human error; whereas there’s now lots of chatter about the “good old days” of manual validation, extensive peer review and third-party code reviews.
I’m being a little provocative of course – each of the topics above could be a PhD thesis in and of itself, and none are as cut and dried as I’m suggesting. But they are thoughts that I’ve heard amongst my peers, my customers and my friends in recent days. In general, any knee-jerk reactions are best avoided, particularly in light of an unprecedented event such as this – ostensibly one of a kind. This was a mistake. A highly impactful mistake undoubtedly, but still a mistake and nothing more. We implore security leaders to see it as such, and to resist the temptation to completely overhaul their processes and technology as a result.
So, what best practices might we change?
Reliance Cyber have hundreds of CrowdStrike agents deployed across our own infrastructure, and support thousands of CrowdStrike endpoints for our clients. One thing we’re seriously considering internally, and talking to our customers about, is operating system diversification. Like many, we’re mostly a Windows house. It’s what we know, it works and it integrates perfectly with everything else that’s deployed. But next time it might not be EDR; it might be some other ubiquitous Windows software. Or Linux, or Mac OS. We won’t know in advance what the next major event like this will be – but it does seem likely that there will be one. A medium-term goal for us will be to make a meaningful effort to migrate our critical services to a more balanced ratio across Windows and Linux.
We’d love to hear from you on what you might change – avoiding unhelpful “delete CrowdStrike” comments please!