News & Insights

July 2024 CrowdStrike/Microsoft outage: Lessons learned

Paul Jenkins

Read Time Mins

If you’ve been keeping an eye on the news, you probably heard about the big CrowdStrike/Microsoft outage in July 2024. You may have also been one of the millions of people and businesses affected by it. It was a real eye-opener for many of us in the industry, and we’ve wrapped up some of the lessons we learned from this incident below, and why it matters, especially for telecom operators.

 


 

Telecom operators, such as mobile and broadband providers, manage vast networks that are prime targets for cybercriminals due to the extensive personal and financial data they handle. The CrowdStrike/Microsoft outage serves as a stark reminder of the potential vulnerabilities within these networks.

So, what actually happened?

In a nutshell, a misconfiguration and vulnerability within the CrowdStrike agent on Microsoft systems caused a massive outage. This wasn’t just a minor hiccup, it had a ripple effect, disrupting businesses everywhere. The core issue? EDR (Endpoint Detection and Response) solutions having too much power, specifically, ‘kernel-level access’. A kernel is the ‘core’ of an operating system, managing resources and enabling communication between hardware and software, ensuring smooth execution of processes. Given its control over the entire system, protecting the kernel is crucial to prevent severe security breaches, necessitating robust security measures

Why it matters

Telecom networks face some unique challenges when it comes to security. First off, the infrastructure is incredibly complex. With so many interconnected systems and diverse technologies, implementing comprehensive security measures across the entire network is no small feat.

Then there’s the rapid pace of technological advancements. The rollout of 5G and the explosion of IoT devices are great for innovation, but they also expand the attack surface. This means we need more advanced strategies to mitigate new vulnerabilities that come with these technologies.

Regulatory compliance is another big hurdle. Telecom operators have to navigate a maze of regulations, like GDPR and PCI DSS, which vary by region. Meeting these standards is crucial, not just for avoiding legal trouble but also for maintaining customer trust.

Finally, there are resource constraints. Budgets can be tight, making it difficult to implement all the necessary security measures. It’s very important to prioritise security needs and allocate resources efficiently to maintain a strong security posture despite financial limitations.

Key takeaways for telecom operators

  1. Reevaluate kernel-level access

“Granting kernel-level access is like handing over the keys to the kingdom. It’s powerful but extremely dangerous if exploited.”

Most EDR vendors have kernel access in Windows, essentially giving them ‘god mode’ over the system. While necessary for monitoring and defence, this level of access can be risky.

Granting kernel-level access can be likened to handing over the keys to the kingdom. Sure, it’s powerful, but it’s also dangerous if exploited. As a telecom operator, it’s crucial that you question the necessity of such access and ensure robust security measures are in place.

 

  1. Prioritise comprehensive risk assessments

“Risk assessments should never be a one-off. Continuous vigilance is the key to preventing catastrophic failures.”

The CrowdStrike/Microsoft mishap was a massive oversight, proving the need for thorough and regular risk assessments.

Risk assessments shouldn’t be a once-a-year activity. Make them a continuous process. Dive deep into third-party integrations and understand their potential vulnerabilities. Regular reviews can help spot and fix issues before they become full-blown problems.

 

  1. Enhance your incident response protocols

The outage highlighted gaps in incident response protocols, making it clear that what’s needed is robust, adaptable response strategies.

What you should do:

“If your incident response plan isn’t adaptable, you’re already behind. Cyber threats evolve; so should your defences.”

 

  1. Invest in advanced threat detection and prevention

“Relying solely on traditional EDR solutions is like bringing a sponge to a flood. You need advanced tools to stay ahead.”

Relying solely on traditional EDR solutions just isn’t enough in today’s threat landscape.

Go beyond the basics. Invest in advanced threat detection and prevention technologies. At BlackDice, we’re all about using AI and machine learning to detect anomalies and potential threats before they cause harm. A proactive approach is key.

 

  1. Encourage cybersecurity awareness as part of your culture

Human error and oversight often play a big role in cybersecurity incidents.

Remember: Cybersecurity isn’t just the IT team’s job; it’s everyone’s responsibility. Regular training and awareness programmes can help your team recognise and avoid potential threats. Emphasise vigilance, especially during system changes or updates.

“Cybersecurity is everyone’s job. One weak link can compromise the whole chain.”

 

Wrapping up

The CrowdStrike/Microsoft outage was a wake-up call for all of us, and a stark reminder of the need for robust cybersecurity practices that improve the resilience of your communication infrastructure against evolving threats. For telcos, the lessons are clear: prioritise continuous vigilance, invest in cutting-edge detection tools, and create a culture of cybersecurity awareness within your teams and organisations. By doing so, you can better protect your networks, safeguard sensitive data, keeping your subscribers safe and confident online.