Security IT

1 In 10 Orgs Dumping Their Security Vendors After CrowdStrike Outage (theregister.com) 30

An anonymous reader quotes a report from The Register: Germany's Federal Office for Information Security (BSI) says one in ten organizations in the country affected by CrowdStrike's outage in July are dropping their current vendor's products. Four percent of organizations have already abandoned their existing solutions, while a further 6 percent plan to do so in the near future. It wasn't explicitly said whether this referred to CrowdStrike's Falcon product specifically or was a knee-jerk reaction to security vendors generally. One in five will also change the selection criteria when it comes to reviewing which security vendor gets their business. The whole fiasco doesn't seem to have hurt the company much though, at least not yet.

The findings come from a report examining the experiences of 311 affected organizations in Germany, published today. Of those affected in one way or another, most said they first heard about the issues from social media (23 percent) rather than CrowdStrike itself (22 percent). The report also revealed that half of the 311 surveyed orgs had to halt operations -- 48 percent experienced temporary downtime. Ten hours, on average. Aside from the obvious business continuity impacts, this led to various issues with customers too. Forty percent said their collaboration with customers was damaged because they couldn't provide their usual services, while more than one in ten organizations didn't even want to address the topic. The majority of respondents (66 percent) said they will improve their incident response plans in light of what happened, or have done so already, despite largely considering events like these as unavoidable.
The report highlights a curious finding that over half of CrowdStrike customers wanted to install updates more regularly, even though that would have been worse for an organization.

"Regardless, with the number of urgent patch warnings we and the infosec community dish out every week, it's probably a net positive, even if it's slightly misguided," concludes The Register.

  • by PPH ( 736903 ) on Thursday September 19, 2024 @03:45PM (#64800623)

    ... premiums just went up.

  • Security is a necessary thing, but I question how it gets sold to folks. I see a lot of scare tactics out there "Can you afford an outage or reputation damage?" or "Threats are everywhere but we'll shield you with our secret sauce software" or "You can get put out of biznass super easily, but not if you pay for our audit services." Might as well skip to "Nice business you got there, be a shame if anything happened to it."

    Sure, there are events that could definitely put you out of business under the wrong
    • "Not having backups" is not only *not* the only concern ... it's not even the top one, for many companies.

      For instance, *data* breaches are a much, much bigger concern to many. Who cares if you have backups of your customer's sensitive info ... when that info is exposed to the world?

      • True statement. I'm not saying security isn't important or that it's not difficult. However, I think it is something folks should consider before drinking the entire bottle of Kool-Aid. If you have a big important customer database with PHI in it, by all means try hard to keep it secure. However, putting the security team in charge of every new project and empowering CISSP types to quash products and stifle engineering isn't always the appropriate response, either.
    • by Bongo ( 13261 )

      It's a failure caused by not having a sense of proportionality.

      The fact that computers are complex and fragile doesn't help either.

      But one can be pessimistically proportionate.

      For example, if it is true that simply clicking a link or visiting a website can compromise your computer and organisation, then simply, why is the important stuff connected to the internet?

      If it is true that there's practically on average one zero day in common software per week, every week of the year, then why rely on patching? It'

      • You make some great points, but my favorite is "If this shit is important, why is it on the Internet?" I have the same thought multiple times a day, sometimes. I also wonder things like "Why did you set up this critical process to use your at-risk workstations in the process?" or "You have real-time data processing requirements, why aren't you using a real time system?" or "Why do you need layer-3 access to these sensitive systems, can they not just use a proxy?"

        I'm a little crazier than most, I guess, I l
  • Insanity (Score:4, Funny)

    by sunderland56 ( 621843 ) on Thursday September 19, 2024 @03:59PM (#64800659)

    So, because of one bad vendor, people are going to run with no security at all? Good luck with that. When you're hacked, you can go to the press conference and proudly proclaim "we were running no security software".

    I had horrible luck with a Ford once. Didn't make me stop buying cars.

    • So, because of one bad vendor, people are going to run with no security at all?

      No, they are dropping their current security vendor and the summary says that it's not clear whether that is related to the one bad vendor or not. It does not say anything about what they are intending to do in the future only that they are not continuing with the security solution they currently have. It's hard not to see this as a lot of companies bailing from Crowdstrike but the summary specifically says that there is no data regarding that yet.

      I strongly suspect, since it indicates that 20% are chan

    • So, because of one bad vendor, people are going to run with no security at all? Good luck with that. When you're hacked, you can go to the press conference and proudly proclaim "we were running no security software".

      I had horrible luck with a Ford once. Didn't make me stop buying cars.

      This is the most sane thing I've heard tech companies do. Nope, not dropping security...just actually paying attention to it. This is what we want, isn't it?....for companies to do their homework and give business to those who deliver and stop giving it to those who don't!

    • by AmiMoJo ( 196126 )

      It doesn't say they are not having any security software, just that they are ditching their current vendor for another. Maybe they looked at who had kernel mode drivers that could cause Crowdstrike style problems, and which Microsoft has said it is getting rid of.

  • Only 1 in 10 are dropping their security vendors!
    • 10% of customers are switching vendors and signing new contracts? That sounds like a healthy industry to me.

  • What would have been interesting is how many are dropping CrowdStrike.

    • It's probably not 100%, but given the timing still I think it's safe to say that most (and close to all?) aren't leaving some random company: they're leaving Crowdstrike.

  • by PubJeezy ( 10299395 ) on Thursday September 19, 2024 @04:26PM (#64800753)
    Modern security products seem to increase your attack surface rather than reduce it. SaaS is the cornerstone of all of these products and monetizing SaaS requires persistent connections which simply create another path for threat actors.

    The reality of cyber-security is that it can't be engineered because the social engineering and financial engineering of a company or product will always be the real vulnerability.

    The whole world has realized that they need to start air-gapping databases and hiring in-house devs to make their own security products and protocols that don't require creepy persistent connections to massive centralized actors.

    Vendors are a massive liability but talented employees are an even bigger asset.
    • I don't necessarily disagree with where you're going here, but can you elaborate on this:

      The whole world has realized that they need to start air-gapping databases

      I've worked at government contractors that had real air-gaps for things like their databases, but that does not seem to be the norm for the rest of the world. How would ordinary businesses make use of their databases if they are not network accessible under any circumstances, printed reports? Some sort of unidirectional transmission? What sort of data ingress are they using?

      I ask this because I have been involved in

      • What do you mean by ordinary business? Personally, I think that means a retail store or restaurant and there's no real reason that their databases should have any kind of internet connection aside from payment processing.

        There were restaurants and stores in my neighborhood that couldn't even sell physical goods for cash during the CrowdStrike outage. That requires their supply to have been made deliberately vulnerable simply so someone else can have access to their sales data in real time. That's gross. Tha
        • by tlhIngan ( 30335 )

          What do you mean by ordinary business? Personally, I think that means a retail store or restaurant and there's no real reason that their databases should have any kind of internet connection aside from payment processing.

          There were restaurants and stores in my neighborhood that couldn't even sell physical goods for cash during the CrowdStrike outage. That requires their supply to have been made deliberately vulnerable simply so someone else can have access to their sales data in real time. That's gross. That'

        • by Himmy32 ( 650060 )
          OP used air-gapped to mean firewalled.
        • by Himmy32 ( 650060 )

          Nearly all POS software for small business is cloud connected. Unless you are a massive retailer that shells out for something that integrates with large enterprise ERP and Supply Chain Management. And then have to maintain PCI compliance which has some controls like having security software on it.

          Expecting a small restaurant to not have internet connected security software, pay for "talented employees" in IT security, and not use industry standard cost effective/convenient tooling is on the edge of unrea

          • lol. dude. You're doing the thing right now. You're looking at a real problem and ignoring it in favor of some other theoretical problem that's already been solved. Cash registers pre-date cloud-based POS systems and they simply work better. They are more reliable and do the job more efficiently. What they don't do is allow for massive conglomerates of dataminers to have real time access to global retail supply chains...

            You're pitching the toxic environment I'm describing, the toxic environment that gave
      • How would ordinary businesses make use of their databases if they are not network accessible under any circumstances?

        They'd find a way the instant a law makes them liable for the full damages resulting from a data breach.

    • by Himmy32 ( 650060 )

      The whole world has realized that they need to start air-gapping databases and hiring in-house devs to make their own security products

      Network security is just defense in depth and another layer. And trying to build security tooling in-house is outside the core competency of most businesses.

      The problem is that signals that indicate an attack have gotten more and more complex. Gone are the days of just being able to inspect files with a set of heuristic definitions when there are things like in-memory, script based attacks. So then comes in rule engines that monitor for a whole lot more for example Falco [github.com]. Add that on with all the other sec

  • is that 9 out of 10 affected customers are apparently *sticking with* CrowdStrike.

    • That shouldn't be a surprise really. The majority of the clownstrike customers are very large companies, whose IT departments make very slow and deliberate decisions. Even if clownstrike had caused their servers to physically burst into flames the IT departments would take time to decide whether or not to drop them.

      More telling will be decisions made well into 2025, which is closer to the decision time frame that these folks tend to operate on.
  • Maybe I missed it, but there wasn't a 1:1 connection specified in the article that said of the 311 companies questioned, that the REASON for changing security providers was the Crowdstrike incident.

    Companies change vendors all the time. I can see a reason why some of those 311 companies might drop Crowdstrike, the "risk" and the optics don't work in their favor for keeping them.

    I highly doubt any of these 30 companies are saying they're going commando and no security at all... With the push of AI into everythi

  • Drop Windoze for Linux and your security woes will diminish! How much longer will you keep beating on that dead horse?!
  • Now I'm waiting for cloud security to explode and not just because a customer misconfigured it.

  • One has to wonder why they haven't addressed the root problem. Windows has always been a security threat in spite of years of patches.
    Security would be a lot more secure with an alternative OS such as Linux.

  • I was recently working with Microsoft Defender for Endpoint (MDE), in ~50% of cases, within 24 hours of installing it / configuring it on a lab computer, the computer could no longer boot. The bootloader was completely corrupted, and the only solution was a wipe and reinstallation. Every single computer that was reinstalled, had the same problem occur back to back.

    I don't use endpoint protection software because no matter what product you pick, it's junk. I'll grant that I haven't used everything, but
