CrowdStrike Outage: Lessons for Third-Party Vendor Risk Management Programs
In the early hours of Friday, July 19, an update to the CrowdStrike Falcon Sensor product triggered a worldwide outage on Windows machines. Equipment at banks, television stations, airlines, hospitals, and many more companies suddenly displayed the dreaded “Blue Screen of Death” after CrowdStrike pushed what the company said was a faulty content update out to its user base.
The incident was not a cyberattack or malicious in any way. It was faulty code in a regular product update. This is a perfect example of why you need to continually assess the business resilience practices of your third parties and understand the third-party risk exposure in your vendor universe when widespread outages like this one occur.
The CrowdStrike Incident and Why It Matters
CrowdStrike regularly publishes content updates to its Falcon Sensor products to ensure that they’re protecting against the newest cyberattacks. All reports point to the update being part of that deployment cycle.
The update, however, included faulty code that triggered the Blue Screen of Death on Windows machines. Affected equipment was unresponsive even after restart, grinding thousands of companies to a halt worldwide and disrupting operations at banks, airlines, hospitals, and other organizations. Around 1,400 flights were canceled worldwide because of the issue, and some travelers were issued hand-written boarding passes to get on their flights.
CrowdStrike’s defensive products are used in so many places that this mistake resulted in a slew of problems. It wasn’t even a cyberattack, as CEO George Kurtz said in a statement.
CrowdStrike Vendor Risk Assessment Questionnaire
Prevalent has developed a short assessment to send out to your vendors to better understand who is affected and how they are responding to the issue. This short assessment provides quick visibility into which third parties are using the CrowdStrike Falcon Sensor product, which of them have been affected by this incident, and to what extent.
Four Best Practices for Proactive Third-Party Incident Response
The announcement of a high-impact incident, regardless of cause, is the wrong time to find out whether your organization has a third-party incident response plan in place. Instead, start preparing for the next incident by implementing a proactive approach now. Here are four best practices to start with:
1. Develop a centralized inventory of all third parties
A centralized vendor inventory needs to be created in a platform, not manual spreadsheets, so all the necessary internal teams can participate in vendor management through an automated process. Once that’s done, you need to conduct inherent risk scoring to help determine how to assess your third-party vendors on an ongoing basis according to the risks they pose to your business.
2. Build a map of third parties to determine technology concentration risk
Knowing which 4th-party technologies are deployed in your vendor ecosystem lets you identify which of your third parties share a dependency on the same technology, and therefore which relationships would be affected together if that technology failed.
Once you understand this, you can better determine possible concentration risks, such as weak points and access paths into your enterprise, for proactive mitigation. You can gather this information through a targeted assessment or via passive scanning.
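As an added example (not code from Prevalent or the original post), the script below combines step 1's inherent risk scoring with step 2's 4th-party mapping: it computes how much of the vendor universe, weighted by inherent risk tier, depends on each technology, flags concentrations above a threshold, and lists the vendors to contact first when one technology has an incident. The vendor names, tiers, technology lists and tier weights are constructed assumptions.

```python
# Added example: 4th-party technology concentration risk over a vendor inventory.
# All vendor names, tiers, technologies and weights below are constructed sample data.
from collections import defaultdict

# Assumed inherent-risk weights per vendor tier (illustrative scale, not a standard).
TIER_WEIGHT = {"critical": 3, "high": 2, "low": 1}

# Constructed inventory: vendor -> (inherent risk tier, 4th-party technologies it relies on)
INVENTORY = {
    "PayGate Ltd":   ("critical", ["CrowdStrike Falcon Sensor", "Windows Server"]),
    "CloudCRM Inc":  ("critical", ["CrowdStrike Falcon Sensor", "PostgreSQL"]),
    "Printco":       ("low",      ["Windows Server"]),
    "MedScheduler":  ("high",     ["CrowdStrike Falcon Sensor", "Windows Server"]),
    "StaticSite Co": ("low",      ["Nginx"]),
}


def concentration(inventory, tier_weight=TIER_WEIGHT):
    """Map each technology to (sorted dependent vendors, weighted share of the vendor universe).

    The share is the sum of tier weights of vendors using the technology divided by the
    total tier weight of all vendors, so critical vendors count more than low-risk ones.
    """
    total_weight = sum(tier_weight[tier] for tier, _ in inventory.values())
    vendors = defaultdict(list)
    weight = defaultdict(int)
    for name, (tier, techs) in inventory.items():
        for tech in techs:
            vendors[tech].append(name)
            weight[tech] += tier_weight[tier]
    return {t: (sorted(vendors[t]), round(weight[t] / total_weight, 2)) for t in vendors}


def flag_concentration(inventory, threshold=0.5):
    """Technologies whose weighted share exceeds the threshold, i.e. single points of failure."""
    return sorted(t for t, (_, share) in concentration(inventory).items() if share > threshold)


def impacted_vendors(inventory, tech, tier_weight=TIER_WEIGHT):
    """Vendors depending on `tech`, highest inherent risk first: the outreach order for a questionnaire."""
    hits = [(name, tier) for name, (tier, techs) in inventory.items() if tech in techs]
    return [name for name, _ in sorted(hits, key=lambda h: (-tier_weight[h[1]], h[0]))]


if __name__ == "__main__":
    for tech, (who, share) in sorted(concentration(INVENTORY).items()):
        print(f"{tech}: {share:.0%} of weighted vendor universe via {', '.join(who)}")
    print("Concentration flags:", flag_concentration(INVENTORY))
    print("Contact order for Falcon incident:", impacted_vendors(INVENTORY, "CrowdStrike Falcon Sensor"))
```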
3. Assess third parties’ business resilience and continuity plans
Proactively engage impacted vendors with simple, targeted assessments that align with known industry supply chain security standards such as NIST 800-161 and ISO 27036. Results from these assessments will help you target remediations to close potential gaps. Good solutions will provide built-in recommendations to speed up the remediation process and close those gaps quickly.
4. Continuously monitor impacted vendors and suppliers for issues
Being continuously vigilant for the next supply chain problem means looking for signals of an impending incident. Monitoring multiple sources of risk intelligence, such as criminal forums, hack/breach notice sites, code repositories, and vulnerability databases, is key. You can monitor these sources individually or find solutions that unify all the insights into a single dashboard so all risks are centralized and visible to the enterprise. The CrowdStrike issue was thankfully not from a malicious source, but risk monitoring remains a key component in understanding your exposure to a third-party incident.
What Next?
Over the next few weeks, companies affected by the CrowdStrike outage are likely going to be spending a significant amount of time recovering their systems. Vendors, large and small, will be contending with the business slowdown and bringing potentially many thousands of end-user machines back into service. Understanding which of your vendors have been impacted the most should be a good indication of what to do next and how to ensure that you – if you’re not also dealing with the outage – don’t experience the same slowdown in business.
Looking to mature your third-party risk management program and be better prepared for future incidents like this one? Learn how Prevalent can help by requesting a demo of our TPRM platform today.
Editor’s Note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired the AI-enabled third-party risk management provider, Prevalent. The content has since been updated to include information aligned with our product offerings, regulatory changes, and compliance.