    Securing Salesforce: What Can We Learn from the CrowdStrike Incident?

    In the wake of the fallout from the outage, IT teams are rapidly reevaluating their testing methodologies, incident response strategies and plans. Additionally, enterprises are rethinking the automated, manual and human oversight of code development, testing and deployment.

    The CrowdStrike incident falls into the category of ‘unknown unknowns’—unexpected or unforeseeable conditions that represent a risk because they cannot be expected based on past experience or events.

    A quick CrowdStrike recap: A single computer update took down computer systems across the globe

    CrowdStrike is a cybersecurity company based in Austin, Texas, USA. It provides endpoint protection, threat intelligence and response services to customers of all sizes across many different industries. CrowdStrike’s core technology, the Falcon platform, stops breaches using cloud-delivered technologies that prevent malware and other attacks.

    CrowdStrike has an outstanding track record and is an excellent company. Customers and competitors view CrowdStrike as an industry-leading, top-tier organization. Their impressive customer roster and global deployments underscore their success.

    As part of a regular operational update on Friday, July 19, 2024, CrowdStrike pushed a configuration update for the Windows sensor to gather telemetry on possible novel threat techniques. Included in that update were changes to the Rapid Response Content, designed to respond to the changing threat landscape at operational speed. The Rapid Response Content update contained an undetected error, resulting in a Windows system crash. Detailed information about the error and the systems impacted can be found here.

    The crash was not foreseen or anticipated based on prior events, nor was the resulting damage and inconvenience expected or forecast. The incident impacted at least 8.5 million Windows devices globally (though Microsoft now believes the number of devices involved was higher), causing major service disruptions across industries and geographies.

    Early on during the incident, CrowdStrike took immediate action to remedy the situation, and they should be applauded for their rapid and transparent response to the crisis.

    The biggest worldwide workstation shutdown

    Even with their rapid response, CrowdStrike could not stop the avalanche of IT disruption that followed. WithSecure’s Chief Research Officer Mikko Hyppönen, quoted in Wired, said, “It’s the biggest case in history. We’ve never had a worldwide workstation outage like this.” According to insurer Parametrix, U.S. Fortune 500 companies, excluding Microsoft, face an estimated $5.4 billion in financial losses from the CrowdStrike event.

    How can enterprises defend against “unknown unknowns” and mitigate cybersecurity vulnerabilities?

    CrowdStrike has documented and made public the events that led to the incident. However, in the aftermath, enterprises everywhere are (or should be) evaluating their incident response strategies and plans, including:

    • Continuous, robust automated testing procedures and protocols with human and AI oversight
    • Incident Response strategies, plans and procedures
    • Continual Learning and Adaptation
    • Ongoing testing and training

    Securing Salesforce: Defending against the often overlooked ‘known knowns’

    One lesson learned from this incident is that security teams must double down against the more obvious IT vulnerabilities and cover any existing gaps: The known-knowns.

    For example, nearly every Fortune 500 organization uses Salesforce to manage customer relationships. However, many of those organizations assume that Salesforce takes ownership of all security aspects of their product offering. They do, but only up to a point.

    Like most cloud providers, Salesforce secures its platform under the Shared Responsibility Model (SRM). This security and compliance architecture model delineates the respective cloud provider and customer responsibilities for securing the cloud environment, including hardware, infrastructure, endpoints, data, configurations, settings, operating system, network controls and access rights.

    For example, Salesforce doesn’t scan incoming data for cyber threats – that’s your responsibility as the customer.

    WithSecure Cloud Protection for Salesforce: Designed with and for Salesforce

    WithSecure Cloud Protection for Salesforce is a native application that runs in your Salesforce environment. The app prevents malicious and disallowed content from entering your Salesforce environment via files, web links and email messages.

    WithSecure Cloud Protection for Salesforce focuses on mitigating advanced cyber threats on Salesforce. It:

    • Provides real-time protection and instant visibility into your entire environment
    • Works seamlessly with your customizations and workflows
    • Fully complements the infrastructure security controls that Salesforce provides

    WithSecure Cloud Protection for Salesforce is a highly certified solution. It meets the strict compliance requirements of modern enterprises and critical public sector organizations. Furthermore, it is an ideal choice for enhancing your Salesforce security. WithSecure Cloud Protection for Salesforce was designed for Salesforce, together with Salesforce.

    Additionally, Salesforce recommends using it.

    While it may be impossible to defend against unknown unknowns, defending against the ‘known knowns’ and securing Salesforce is much easier. Get to know WithSecure Cloud Protection for Salesforce, or use the form below to contact our team to discuss your Salesforce security requirements.
