CrowdStrike global outage: Sophos guidance


On July 19, 2024, CrowdStrike pushed a “content update” to customers running the CrowdStrike Falcon endpoint agent on Windows devices. The update disrupted organizations around the world, across industries including tourism, finance, healthcare, and retail.

Large-scale disruptions like this one are routinely exploited by criminals looking for victims. This post sets out Sophos’ understanding of the incident and answers the key questions our customers and partners have raised.

Every organization in the cybersecurity industry, Sophos and its competitors included, exists to keep businesses safe from attackers. We compete commercially, but our common bond is that we fight the same adversary: cybercriminals. We extend our support to CrowdStrike and wish every affected organization a swift recovery and a return to normal operations.

Cybersecurity is complex and moves fast. “For those of us with the skin-in-the-game of living in the kernel, it’s probably happened to us at one time or another, and whatever precautionary steps we take, we are never 100% immune,” noted Joe Levy, CEO of Sophos, on LinkedIn.

Summary of the issue

  • This incident was not caused by a security breach at CrowdStrike and was not the result of a cyberattack.
  • Although it was not a breach, cybersecurity covers confidentiality, integrity, and availability. Availability was clearly impacted, so this is rightly regarded as a cybersecurity incident.
  • The disruption, a blue screen of death (BSOD) on Windows systems, was caused by a “content” update deployed to CrowdStrike customers.
  • Organizations running CrowdStrike Falcon agents on Windows systems may have been affected. Linux and macOS devices were not affected.
  • CrowdStrike identified the content deployment as the cause, reverted the change, and has published remediation guidance for its customers.

About “content” updates

This was a routine “content” update to CrowdStrike’s endpoint security software, a type of update that many software vendors, Sophos included, issue regularly.

Content updates, sometimes called protection updates, improve an endpoint security product’s protection logic and its ability to detect current threats. In this case a CrowdStrike content update had unintended and widespread consequences. No software vendor is immune, and problems like this can affect any vendor, in any sector.

CrowdStrike’s response

CrowdStrike has published a statement on its official website with remediation guidance for its customers. If you are affected, or receive questions from customers who use CrowdStrike, refer to this authoritative CrowdStrike page:

https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/

Stay vigilant. Cybercriminals are registering look-alike domains (typo-squatting) and using “CrowdStrike remediation” as a lure in phishing campaigns. Before you act on any remediation instructions, verify that the person contacting you really represents CrowdStrike, and go to the URL above directly rather than following links received by email or chat.

Impact of the CrowdStrike incident on Sophos customers

Customers who use Sophos for endpoint protection, including Sophos Endpoint with Sophos XDR or Sophos MDR, were not affected. A small number of customers who run the Sophos “XDR Sensor” agent (available with Sophos XDR and Sophos MDR) as an overlay on top of CrowdStrike Falcon may have been affected by the Falcon update.

How Sophos reduces the risk of similar disruptions

Every endpoint security product, Sophos Endpoint included, delivers periodic product updates and a continuous stream of protection (content) updates. Because threats evolve quickly, protection logic must be updated promptly to keep pace with the threat landscape.

Sophos has delivered industry-leading endpoint protection for more than thirty years and has learned from past Sophos and industry incidents. We have robust processes and techniques that reduce the risk of disruption to customers, but that risk can never be eliminated entirely.

All Sophos product updates are tested in dedicated internal quality-assurance environments before release to production. Once released to production, they are first rolled out internally to all Sophos employees and infrastructure worldwide.

Only after internal testing succeeds and the update is confirmed to meet our quality standards is it released progressively to customers. The rollout starts small, accelerates in stages, and is staggered across the customer base while real-time telemetry is collected and analyzed. If an update misbehaves, only a small subset of systems is affected, and Sophos can roll it back quickly.

Customers can control Sophos Endpoint product updates (but not protection updates) through the update-management policy. Software package options are Recommended (managed by Sophos), Fixed-term support, and Long-term support, and updates can be scheduled for specific days and times.

Like product updates, all Sophos Endpoint content updates are tested in our quality-assurance environments before release to production. Each rollout is checked against current quality standards, and delivery to customers is staged progressively as part of ongoing quality assurance, so the rollout can be adjusted based on telemetry as needed.
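The staged rollout described above for product updates and again for content updates (start small, widen in stages, watch telemetry, halt and roll back when a ring misbehaves) can be illustrated with a small simulation. The Python below is an added example written for this page; it is not Sophos’ or CrowdStrike’s deployment code. The ring sizes, the 1% crash-rate threshold, the constructed fleet of 1,000 hosts and the fault model (a content version that crashes every Windows host) are all assumptions chosen for the demo.

```python
"""Staged (ring-based) rollout with a telemetry-gated halt and rollback.

Constructed illustration of the rollout pattern described in this post; it is
not Sophos' or CrowdStrike's deployment code. Ring sizes, the crash-rate
threshold and the fault model are assumptions chosen for the demo.
"""
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence


@dataclass
class Endpoint:
    host_id: str
    os: str        # "windows", "linux" or "macos"
    version: str   # content version currently installed


@dataclass
class RolloutResult:
    status: str           # "completed" or "rolled_back"
    rings_attempted: int
    updated: int          # hosts that received the new version
    crashed: int          # hosts whose telemetry reported a crash
    restored: int         # hosts returned to their previous version


def assign_rings(fleet: Sequence[Endpoint], cumulative_fractions: Sequence[float],
                 seed: int = 1) -> List[List[Endpoint]]:
    """Shuffle the fleet (seeded, so the split is reproducible) and cut it into
    rings. Fractions are cumulative: (0.001, 0.01, 1.0) means ring 1 holds 0.1%
    of hosts, rings 1+2 together hold 1%, and the last ring takes the rest."""
    order = list(fleet)
    random.Random(seed).shuffle(order)
    rings, start = [], 0
    for frac in cumulative_fractions:
        end = max(start + 1, int(len(order) * frac))  # a ring is never empty
        rings.append(order[start:end])
        start = end
        if start >= len(order):
            break
    if start < len(order):                            # fractions did not reach 1.0
        rings.append(order[start:])
    return rings


def run_rollout(fleet: Sequence[Endpoint], new_version: str,
                crash_probe: Callable[[Endpoint], bool],
                cumulative_fractions: Sequence[float] = (0.001, 0.01, 0.1, 0.5, 1.0),
                max_crash_rate: float = 0.01, seed: int = 1) -> RolloutResult:
    """Push new_version one ring at a time. After each ring, the crash rate
    reported by that ring's telemetry is compared with max_crash_rate; if it is
    exceeded, the rollout halts and every host updated so far is restored."""
    previous: Dict[str, str] = {}      # host_id -> version before the update
    crashed = 0
    rings = assign_rings(fleet, cumulative_fractions, seed)
    for ring_no, ring in enumerate(rings, start=1):
        ring_crashes = 0
        for ep in ring:
            previous[ep.host_id] = ep.version
            ep.version = new_version
            if crash_probe(ep):        # telemetry: did this host blue-screen?
                ring_crashes += 1
        crashed += ring_crashes
        if ring_crashes / len(ring) > max_crash_rate:
            for ep in fleet:           # roll back everything pushed so far
                if ep.host_id in previous:
                    ep.version = previous[ep.host_id]
            return RolloutResult("rolled_back", ring_no, len(previous), crashed, len(previous))
    return RolloutResult("completed", len(rings), len(previous), crashed, 0)


def build_fleet(size: int = 1000) -> List[Endpoint]:
    """Constructed fleet: 70% Windows and 30% Linux hosts, all on content-100."""
    return [Endpoint(f"h{i:04d}", "windows" if i % 10 < 7 else "linux", "content-100")
            for i in range(size)]


def bad_windows_content(ep: Endpoint) -> bool:
    """Constructed fault model: the new content crashes every Windows host and
    nothing else (the outage discussed above affected only Windows)."""
    return ep.os == "windows"


def healthy_content(ep: Endpoint) -> bool:
    """Fault model for a good update: no host crashes."""
    return False


if __name__ == "__main__":
    print("staged:     ", run_rollout(build_fleet(), "content-101", bad_windows_content))
    print("single ring:", run_rollout(build_fleet(), "content-101", bad_windows_content,
                                      cumulative_fractions=(1.0,)))
    print("good update:", run_rollout(build_fleet(), "content-101", healthy_content))
```

Running it shows why the rings matter: with a single all-at-once ring the faulty content reaches all 1,000 hosts and crashes the 700 Windows machines before any telemetry can react, whereas the staged plan halts within the first three rings (at most 100 hosts) and restores every updated host to its previous version. A production system would also need a soak period between rings, a minimum sample size before a crash rate is trusted, and a kill switch that does not depend on a crashed host being able to report in.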

Sophos follows a secure development lifecycle to ensure our products are built securely and efficiently. The Sophos Trust Center and our knowledge base describe the development principles for Sophos Endpoint in more detail.
