{"id":362,"date":"2024-09-25T10:00:00","date_gmt":"2024-09-25T10:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=362"},"modified":"2024-09-25T10:00:00","modified_gmt":"2024-09-25T10:00:00","slug":"crowdstrike-outage-redefines-edr-market-emphasis","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=362","title":{"rendered":"CrowdStrike outage redefines EDR market emphasis"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>July\u2019s infamous CrowdStrike outage has shaken up the endpoint detection and response (EDR) marketplace by placing a much greater emphasis on stability and reliability.<\/p>\n<p>But industry analysts and other experts predict few organizations will ultimately migrate away from CrowdStrike\u2019s Falcon EDR offering despite the <a href=\"https:\/\/www.csoonline.com\/article\/2872861\/crowdstrike-ceo-apologizes-for-crashing-it-systems-around-the-world-details-fix.html\">widespread chaos triggered by a faulty CrowdStrike content update on July 19<\/a>.<\/p>\n<p>EDR technologies monitor endpoints, such as servers, PCs, and other devices, to detect and mitigate malicious threats. These enterprise-focused technologies combine continuous monitoring and collection of endpoint data with analysis and automated response capabilities \u2014 for example, logging off users or sending alerts based on pre-set rules. 
Behavioral analytics and machine learning are typically used by EDR systems to detect the hallmarks of suspicious activity.<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/653052\/how-to-pick-the-best-endpoint-detection-and-response-solution.html\">Major players in the EDR market<\/a> include Carbon Black, Cisco, CrowdStrike, Microsoft, Palo Alto Networks, SentinelOne, Symantec, Trend Micro, and others.<\/p>\n<h2 class=\"wp-block-heading\">Disaster strikes<\/h2>\n<p>CrowdStrike\u2019s faulty configuration update to its Falcon Sensor security software caused system crashes and boot loops when applied to Windows PCs and servers. Even though the faulty update was quickly withdrawn, the <a href=\"https:\/\/www.cio.com\/article\/3476789\/crowdstrike-failure-what-you-need-to-know.html\">resulting outage<\/a> affected organizations worldwide across multiple sectors, including airlines, banks, and hospitals.<\/p>\n<p>Issues with updates are a <a href=\"https:\/\/www.csoonline.com\/article\/3478372\/crowdstrike-was-not-the-only-security-vendor-vulnerable-to-hasty-testing.html\">well-known Achilles heel<\/a> for anti-malware and EDR products in general, but July\u2019s CrowdStrike calamity hit harder than comparable problems.<\/p>\n<p>\u201cCrowdStrike\u2019s brand operates on trust, and because of this incident, trust was eroded,\u201d Forrester principal analyst Allie Mellen told CSO. 
\u201cHowever, customers are still willing to stick with CrowdStrike given its security capabilities and market standing.\u201d<\/p>\n<p>In the aftermath of the outage, <a href=\"https:\/\/www.cio.com\/article\/3476789\/crowdstrike-failure-what-you-need-to-know.html\">CrowdStrike strengthened its pre-release testing processes and improved quality control<\/a>, something that has helped assuage CrowdStrike customers, said Mike Jude, a research director at IDC.<\/p>\n<p>\u201cIt [CrowdStrike] has committed to more testing as well as offering customers more choice in how they deploy updates, including the option to \u2018back out\u2019 of a particular release,\u201d Jude explained.<\/p>\n<p>While arguably damaging to its reputation, the outage is unlikely to spur many defections or affect CrowdStrike\u2019s market share, according to Jude.<\/p>\n<p>\u201cThe outage caused all EDR vendors to face additional scrutiny \u2014 CrowdStrike more than others,\u201d said Forrester\u2019s Mellen. \u201cHowever, other EDR vendors have and should receive questions about how and when updates, whether full-on software updates or simpler updates like new config files, are sent to the kernel. 
Customers should also ask their EDR vendors about software quality assurance and testing practices and update controls.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Down in the kernel<\/h2>\n<p>Many vendors <a href=\"https:\/\/www.csoonline.com\/article\/3523753\/microsoft-summit-plots-end-of-kernel-access-for-edr-security-clients.html\">attended Microsoft\u2019s recent Endpoint Security Summit<\/a> to discuss the future of endpoint security software in the kernel.<\/p>\n<p>Security vendors, unlike mainstream Windows application developers, have been allowed to load kernel drivers as a means of achieving greater visibility of malware, and as a defense against bootloaders that operate below the user application layer.<\/p>\n<p>Being able to load kernel (ring zero) drivers is problematic, however, because if anything goes wrong then the whole system, and not just an individual application, crashes. During the summit, <a href=\"https:\/\/www.csoonline.com\/article\/3523753\/microsoft-summit-plots-end-of-kernel-access-for-edr-security-clients.html\">Microsoft hinted that it wanted to change how Windows security software interacted with the kernel<\/a> but without offering details much less a timetable for any changes.<\/p>\n<p>\u201cMicrosoft is proposing to add a layer of abstraction above the kernel but below user space that security products would sit upon,\u201d according to IDC\u2019s Jude. 
\u201cIt might be possible to do this without affecting performance.\u201d<\/p>\n<p>While the approach might offer more protection against mishaps it could create competition concerns since Microsoft itself is a significant player in the enterprise EDR marketplace, through Windows Defender.<\/p>\n<h2 class=\"wp-block-heading\">Testing times<\/h2>\n<p>Michael Robert, senior technical contributor at GTA Boom, said that security resellers, integrators, and distributors have placed a greater emphasis on reliability in discussions with their clients since CrowdStrike\u2019s meltdown event.<\/p>\n<p>\u201cI\u2019ve noticed channel partners are now emphasizing the importance of reliability and backup plans when helping clients choose EDR solutions,\u201d Robert said. \u201cThey\u2019re asking tougher questions about testing procedures and gradual rollouts.\u201d<\/p>\n<p>Suppliers, meanwhile, are trying to reassure potential clients that their testing procedures are rigorous enough to catch any potential update problems before they are released.<\/p>\n<p>Vendors are \u201cstepping up their game,\u201d according to Robert. \u201cThey\u2019re highlighting their own reliability measures and being more transparent about their testing processes,\u201d he said.<\/p>\n<p>Hugo Farinha, founder of VirtuosoQA, a UK vendor that uses AI to create a platform for testing enterprise software, said the CrowdStrike outage highlighted the importance of \u201crobust testing procedures and contingency planning.\u201d<\/p>\n<p>\u201cThe CrowdStrike outage should serve as a wake-up call to review not just the reliability of their EDR solutions but also the overall resilience of their IT infrastructure,\u201d Farinha told CSO. 
\u201cRegular system testing, both from a functional and performance standpoint, is essential to ensure that services can continue running smoothly, even in the face of unforeseen vendor disruptions.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Market consolidation and AI<\/h2>\n<p>The EDR market continues to evolve, with large players acquiring smaller firms to strengthen their offerings.<\/p>\n<p>\u201cCompanies are also focusing on balancing AI-powered automation with human oversight, ensuring that their security posture remains reliable,\u201d said Temi Akinlade, GRC\/P security advisor at Armor Defense.<\/p>\n<p>Forrester\u2019s Mellen added: \u201cProduct evolution to XDR [<a href=\"https:\/\/www.csoonline.com\/article\/574295\/11-top-xdr-tools-and-how-to-evaluate-them.html\">extended detection and response<\/a>] is a big dynamic at play in the endpoint security market at the moment. Vendors are evolving their capabilities beyond the endpoint and looking to steal market share from the tumultuous SIEM [<a href=\"https:\/\/www.csoonline.com\/article\/524286\/what-is-siem-security-information-and-event-management-explained.html\">security information and event management<\/a>] market.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>July\u2019s infamous CrowdStrike outage has shaken up the endpoint detection and response (EDR) marketplace by placing a much greater emphasis on stability and reliability. 
But industry analysts and other experts predict few organizations will ultimately migrate away from CrowdStrike\u2019s Falcon EDR offering despite the widespread chaos triggered by a faulty CrowdStrike content update on July [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":363,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-362","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/362"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=362"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/362\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/363"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=362"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=362"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=362"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}