Balancing internal innovation and third-party vendor risk


As a former FBI Special Agent in the Los Angeles Cyber Crime Squad, I've seen my fair share of defective software updates. However, the recent global tech outage caused by a faulty software update from CrowdStrike has truly captured the world's attention. The shock and awe of such a well-regarded cybersecurity vendor causing a major security incident has brought to light a previously overlooked area of third-party risk. 

Given CrowdStrike’s reputation and trusted position, many companies automatically allowed its update packages into their systems without seriously considering the possibility of a defect. Consequently, few CISOs expected an update to result in a global tech outage, with disruption cascading across interconnected systems.

The aftermath of the CrowdStrike incident was particularly severe for banks, hospitals, retailers, and airlines.

Interestingly, some companies with outdated systems were reportedly unscathed by the flawed update, whereas others with best-in-class systems endured outages for a few days or longer. This is not a story of old technology versus new technology, as some articles have implied. Rather, it is a nerve-wracking tale arguing the need for a risk-based approach to minimize the possibility and impact of a defective software update.


Know Thy Vendor

CrowdStrike has come under criticism for its automatic update process and not staggering or staging the release to limit the potential for widescale disruption. However, the company is not alone in its approach: keen to protect customers against a newly discovered cyberthreat, many other security vendors also automatically provide real-time updates.

Although CrowdStrike’s update was defective, the incident nonetheless spotlights the importance of balancing innovation across the IT system landscape with more diligent third-party vendor management. CISOs are reminded to foster secure innovation by collaborating with their technology peers across the organization and forging strong partnerships with the company’s third-party vendors. The two priorities are not mutually exclusive; instead, they’re intertwined.

Collaborating with technology peers yields better ways to understand, minimize, and mitigate risks, so the company can continue to innovate without increasing cyber risk for the business. Partnerships with critical third-party vendors provide greater assurance that those vendors are prepared to respond at scale when the next unexpected outage occurs. Knowing which vendors are deployed across a large share of the corporate infrastructure and production environments, especially those that push regular updates, lets the organization plan how and when new versions of that software are rolled out rather than accepting them blindly.

Controlling the Unknown

CrowdStrike’s automatic real-time updates brought these processes into sharper focus. While immediate updates enable systems to rapidly identify and neutralize threats, they also carry the risk of triggering a full system outage and consequent business disruption. On the other hand, delaying updates by a day or two might mean missing the “latest and greatest” protections immediately, but it allows time for flaws to surface and be addressed first. The point is not that one approach is better than the other; each serves a specific need and purpose.

To determine which update cadence is best from a security standpoint, CISOs need to identify which systems require real-time updates and which can tolerate delayed ones. External-facing high-risk systems might require near real-time updates to identify and block zero-day attacks. Lower-risk systems placed deeper in the infrastructure, with extra layers of security between them and external attackers, can be configured for delayed software updates of 4, 8, or 24 hours, letting an update bake on the first wave of systems before it reaches the rest of the estate.
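The tiered schedule described above can be enforced mechanically rather than by hand. What follows is an added example written for this page; it is not code from the article, from CrowdStrike, or from BlackLine. The host groups, the 0/4/8/24-hour delays, the failure thresholds and the health telemetry are all constructed for illustration. It goes one step beyond the paragraph by adding the gate a practitioner would want: a later ring is held back not only until its delay has elapsed but until every earlier ring has reported back, and the whole rollout halts if the failure rate observed on earlier rings exceeds that ring's tolerance.

```python
"""Ring-based rollout scheduler with bake windows and a health gate.

Added example, not the article's or any vendor's code. Ring names, host
names, delays and thresholds are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Ring:
    name: str
    delay: timedelta          # bake time after the vendor publishes an update
    max_failure_rate: float   # halt if earlier rings fail more often than this


# Ordered from the canary ring outward; the tiers mirror the 4/8/24 hour idea.
RINGS = [
    Ring("edge-realtime", timedelta(0), 0.0),     # internet-facing, updates at once
    Ring("dmz-4h", timedelta(hours=4), 0.01),
    Ring("internal-8h", timedelta(hours=8), 0.01),
    Ring("core-24h", timedelta(hours=24), 0.005),
]

# Constructed inventory: which hosts belong to which ring.
HOSTS = {
    "edge-realtime": ["waf-01", "vpn-gw-01"],
    "dmz-4h": ["proxy-01", "proxy-02"],
    "internal-8h": ["app-01", "app-02", "app-03"],
    "core-24h": ["db-01", "erp-01"],
}


@dataclass
class Rollout:
    version: str
    published_at: datetime
    results: dict[str, bool] = field(default_factory=dict)  # host -> stayed healthy?
    halted: bool = False

    def record(self, host: str, healthy: bool) -> None:
        """Feed in post-update health telemetry for one host (constructed here)."""
        self.results[host] = healthy

    def ring_complete(self, ring_name: str) -> bool:
        """True once every host in the ring has reported a result."""
        return all(h in self.results for h in HOSTS[ring_name])

    def failure_rate(self, ring_names: list[str]) -> float:
        """Share of hosts across the given rings that reported unhealthy."""
        hosts = [h for r in ring_names for h in HOSTS[r]]
        observed = [self.results[h] for h in hosts if h in self.results]
        if not observed:
            return 0.0
        return sum(not ok for ok in observed) / len(observed)


def rings_due(rollout: Rollout, now: datetime) -> list[str]:
    """Return the rings that may receive the update at `now`, in order.

    A ring is due when its bake delay has elapsed, every earlier ring has
    finished reporting, and the failure rate seen on earlier rings is within
    this ring's tolerance. Breaching the tolerance halts the whole rollout.
    """
    if rollout.halted:
        return []
    due = []
    for i, ring in enumerate(RINGS):
        earlier = [r.name for r in RINGS[:i]]
        if now < rollout.published_at + ring.delay:
            break                          # later rings have longer delays
        if rollout.ring_complete(ring.name):
            continue                       # already rolled out
        if not all(rollout.ring_complete(r) for r in earlier):
            break                          # still waiting on canary telemetry
        if rollout.failure_rate(earlier) > ring.max_failure_rate:
            rollout.halted = True          # bad update: stop before it spreads
            return []
        due.append(ring.name)
    return due


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 6, 0, tzinfo=timezone.utc)  # constructed publish time
    r = Rollout("content-2024.01.01-01", t0)
    print(rings_due(r, t0))                          # only the edge ring
    r.record("waf-01", True)
    r.record("vpn-gw-01", False)                     # one canary host fell over
    print(rings_due(r, t0 + timedelta(hours=4)), r.halted)  # [] and True
```

In production the health signal would come from the endpoint agent's heartbeat or from boot-loop detection in the fleet management tooling, and the ring inventory from the CMDB; the scheduling and gating logic stays the same.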

A faulty update issued by a cybersecurity vendor, of all things, is also a potent reminder of the need to leave no stone unturned in third-party vendor management. All vendors should be required to submit to ongoing legal, business, and technology reviews and independent audits.

CISOs must require regular confirmation of vendors’ security certifications, including current SOC 2 reports and ISO 27001 certification, and seek supporting evidence that a vendor has actually patched a cited vulnerability or fully implemented a promised update.

Another takeaway from the incident is the comparative value of decentralized network security management over the centralized model. The centralized approach is touted for offering more consistency in security protocols and threat detection, but the downside is that when the central server is compromised, or pushes a bad update, everything connected to it goes down with the ship.

The decentralized approach, on the other hand, makes it harder for attackers to compromise an entire platform. By spreading management and data across many independent points, if one point is hacked or receives a defective update, the rest of the ship sails forward, increasing organizational resilience. Nevertheless, decentralization alone is not a panacea. InfoSec teams still need to prioritize mission-critical systems and software, and that prioritization guides the related risk assessment and remediation.

The high visibility of the CrowdStrike incident offers CISOs a valuable opportunity to learn from the misfortune of others, collaborate with peers across the technology leadership teams, and partner with enterprise vendors to be better prepared and responsive when facing similar events in the future.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

Jill Knesek is Chief Information Security Officer at BlackLine.
