CrowdStrike Outage and Options for Remediation
An automated update released overnight on July 18 from CrowdStrike, an endpoint detection and response (EDR) product widely deployed on Windows devices, contained a defect that caused Windows devices receiving the update to crash. Affected devices can only be booted into Windows Safe Mode, which has extremely limited functionality. As of now, remediation requires physical access to the device and privileged access to remove the update, which could make recovery slow and make it difficult for firms to deploy a fix at scale.
Response efforts
CrowdStrike published a workaround that may remediate the issue, but currently it appears that this workaround must be applied on a per-device basis. CrowdStrike has also indicated that the faulty update is no longer being distributed and that a corrected version has been deployed, but this will not repair systems already affected by the faulty update.
In the interest of time, firms may elect to have users install this remediation on their own workstations and laptops and may grant temporary elevated privileges. However, elevating user privileges in this manner creates its own risks, which firms should manage by ensuring the elevated privileges are revoked immediately after the remediation is deployed or after a predefined time window. As an alternative to the CrowdStrike patch, firms may choose to restore affected systems from a recent backup.
Microsoft has also issued guidance on how to potentially address this on Virtual Machines in Azure.
This is an ongoing and fast-changing situation. CrowdStrike customers should continue to follow guidance from their vendors.
- CrowdStrike customer portal
- Microsoft Azure Service Advisory
- Workaround from the CrowdStrike Reddit thread
Our guidance
- Work with your IT team or managed service provider to deploy fixes, prioritizing the most critical systems first.
- If deployment will be federated and staff are to be granted elevated privileges to deploy fixes, ensure privilege is revoked after deployment.
- If CrowdStrike is to be uninstalled temporarily, be aware that devices left unprotected can be exploited. Work with your technology team to understand what compensating controls are in place in the interim to make a risk-based decision.
- Longer term, review your policy and approach on automatic updates of software and consider a staged approach to deployment. Take into account the risks of delaying updates to security software.
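One way to put the "grant, then revoke after a predefined window" control from the response and guidance sections into practice on a single Windows host. This is an added example, not a script from ACA or CrowdStrike: it adds a named account to the local Administrators group so the user can apply the per-device fix, records the grant, and registers a SYSTEM scheduled task that removes the membership at the deadline even if nobody remembers to do it. The parameter names, the log path and the account shown in the comment are assumptions chosen for the example.

```powershell
# Added example (not ACA's or CrowdStrike's own tooling): time-boxed local admin
# membership with automatic revocation via a scheduled task.
# Assumptions: run from an elevated Windows PowerShell 5.1 session on the device;
# $UserName is a placeholder for the staff account being elevated; $Hours is the
# predefined window after which the membership is revoked.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $UserName,   # e.g. "CONTOSO\jdoe" (placeholder)
    [int] $Hours = 4,                            # predefined time window
    [string] $LogPath = "$env:ProgramData\temp-admin-grant.log"
)

$group    = "Administrators"
$taskName = "RevokeTempAdmin-" + ($UserName -replace '[\\/:*?"<>|]', '_')
$expires  = (Get-Date).AddHours($Hours)

function Write-Log {
    param([string] $Message)
    # Append to the audit log and echo to the console.
    "$(Get-Date -Format o) $Message" | Tee-Object -FilePath $LogPath -Append
}

# Refuse to re-elevate an account that is already an administrator; otherwise
# the automatic revoke would strip a permanent membership by mistake.
if (Get-LocalGroupMember -Group $group -Member $UserName -ErrorAction SilentlyContinue) {
    Write-Log "SKIP  $UserName is already a member of $group; nothing granted."
    return
}

Add-LocalGroupMember -Group $group -Member $UserName
Write-Log "GRANT $UserName added to $group until $($expires.ToString('o'))"

# The revoke runs as SYSTEM at the deadline, so it does not depend on the
# elevated user or the granting administrator remembering to clean up.
# `$false is escaped so the literal text $false reaches the task's command line.
$revoke = "Remove-LocalGroupMember -Group '$group' -Member '$UserName' -ErrorAction SilentlyContinue; " +
          "Add-Content -Path '$LogPath' -Value ((Get-Date -Format o) + ' REVOKE $UserName removed from $group by task $taskName'); " +
          "Unregister-ScheduledTask -TaskName '$taskName' -Confirm:`$false"

$action    = New-ScheduledTaskAction -Execute "powershell.exe" `
               -Argument "-NoProfile -ExecutionPolicy Bypass -Command `"$revoke`""
$trigger   = New-ScheduledTaskTrigger -Once -At $expires
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -RunLevel Highest
# StartWhenAvailable: if the device is off or mid-reboot at the deadline,
# the revoke still fires at the next opportunity instead of being skipped.
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null
Write-Log "SCHED revoke task '$taskName' registered for $($expires.ToString('o'))"
```

Run it once per device, for example through your endpoint management tooling, and have the IT team reconcile the log files afterwards: any host whose log shows a GRANT line without a matching REVOKE line still has an elevated account and needs manual follow-up. Where a privileged access management or local administrator password solution is already in place, prefer it over this script, since it gives the same time-boxing with central reporting.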
Note for advisers to hedge funds with net asset values of $500 million or more:
If the CrowdStrike outage has significantly disrupted or degraded your ability to conduct investment, trading, valuation, reporting, or risk management functions, or has interfered with your ability to operate the fund in accordance with Federal securities laws and regulations, you must make a Section 5 Filing of Form PF within 72 hours.
This determination is highly fact-specific, so you may wish to call your consultant or counsel for a discussion.
How we help
ACA Aponix® can help your firm establish and maintain operational resilience in the face of a cyber-attack or other business disruption. Our services include:
- Aponix Protect™ is a cybersecurity and technology risk solution that helps you build a comprehensive risk management program tailored to your business needs.
- ACA Signature combines cybersecurity with compliance advisory services, innovative technology and managed services for a scalable solution that can help you gain expert insight, guidance, and support as you navigate emerging challenges.
Reach out to your ACA consultant, or contact us to find out how ACA can help secure your firm against cyber threats and comply with regulatory expectations.