Balancing internal innovation and third-party vendor risk

security
OpenVPN-protokollet - därför är det så bra (Image credit: Shutterstock)

As a former FBI Special Agent in the Los Angeles Cyber Crime Squad, I've seen my fair share of defective software updates. However, the recent global tech outage caused by a faulty software update from CrowdStrike has truly captured the world's attention. The shock and awe of such a well-regarded cybersecurity vendor causing a major security incident has brought to light a previously overlooked area of third-party risk. 

Given CrowdStrike’s reputation and trusted position, many companies automatically allowed its software update package into their systems without fully considering the possibility of a defect. Consequently, no CISO expected the update to result in a global tech outage, causing systemic disruption across interconnected systems.

The aftermath of the CrowdStrike incident was particularly severe for banks, hospitals, retailers, and airlines.

Interestingly, some companies with outdated systems were reportedly unscathed by the flawed update, whereas others with best-in-class systems endured outages for a few days or longer. This is not a story of old technology versus new technology, as some articles have implied. Rather, it is a nerve-wracking tale arguing the need for a risk-based approach to minimize the possibility and impact of a defective software update.

Jill Knesek

Know Thy Vendor

CrowdStrike has come under criticism for its automatic update process and not staggering or staging the release to limit the potential for widescale disruption. However, the company is not alone in its approach: keen to protect customers against a newly discovered cyberthreat, many other security vendors also automatically provide real-time updates.

Although CrowdStrike’s update was defective, the incident nonetheless spotlights the importance of balancing innovation across the IT system landscape with more diligent third-party vendor management. CISOs are reminded to foster secure innovation by collaborating with their technology peers across the organization and forging strong partnerships with the company’s third-party vendors. The two priorities are not mutually exclusive; instead, they’re intertwined.

Collaborating with technology peers yields better ways to understand, minimize, and mitigate risks, ensuring the company can continue to innovate without increasing cyber risk for the business. Partnerships with critical third-party vendors provide greater assurance that vendors are prepared to respond at scale when the next unexpected outage occurs. Understanding which vendors are distributed across a large portion of the corporate infrastructure and production environments (especially those that receive regular updates) can optimize the processes of replacing software with new and improved versions.

Controlling the Unknown

CrowdStrike’s automatic real-time updates brought these processes into sharper focus. While immediate updates enable systems to rapidly identify and neutralize threats, they also carry the risk of triggering a full system outage and consequent business disruption. On the other hand, delaying updates by a day or two might mean missing the “latest and greatest” features immediately, but it allows time to identify and address the potential flaws first. The point here is that one is not better but that both updates serve specific needs and purposes.

To determine which update is best from a security standpoint, CISOs need to identify which systems require real-time updates and which can allow for delayed ones. External-facing high-risk systems might require near real-time updates that help identify and block zero-day attacks. Lower-risk systems placed deeper in the infrastructure with extra layers of security between them and external attacks can be configured for delayed software updates of 4, 8, or 24 hours, letting the updates bake in a bit before updating more critical systems.

A faulty update issued by a cybersecurity vendor, of all things, is also a potent reminder of the need to leave no stone unturned in third-party vendor management. All vendors should be required to submit to ongoing legal, business, and technology reviews and independent audits.

CISOs must require regular confirmation of their cybersecurity certifications and SOC 2 and ISO 27001 compliance and seek supporting evidence affirming they have patched a cited vulnerability or implemented a comprehensive update.

Another takeaway from the incident is the comparative value of decentralized network security management over the centralized model. The centralized approach is touted for offering more consistency in security protocols and threat detection, but the downside is that when the central server experiences a compromise, the technologies connected to it go down with the ship.

The decentralized approach, on the other hand, makes it more challenging for hackers to compromise an entire platform. By spreading data across many connection points, if one point is hacked or endures a defective update, the rest of the ship sails forward, increasing organizational resilience. Nevertheless, decentralization alone is not a panacea. InfoSec teams still need to prioritize mission-critical systems and software, which correspondingly guides the related risk assessment and remediation.

The high visibility of the CrowdStrike incident offers CISOs a valuable opportunity to learn from the misfortune of others, collaborate with peers across the technology leadership teams, and partner with enterprise vendors to be better prepared and responsive when facing similar events in the future.

We listed the best network monitoring tools.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

Jill Knesek is Chief Information Security Officer at BlackLine. Jill