
CrowdStrike resists “shady” criticism from rivals after outage


On July 19, a failed CrowdStrike Falcon update caused a global IT outage. Since the incident, competitors have criticized CrowdStrike’s methods harshly. Now the company is responding in kind.

The CrowdStrike incident reportedly caused an estimated 8.5 million Windows devices to crash. The infamous Blue Screen of Death (BSOD) showed up on PCs in hospitals, retail sales systems and the computers of several airlines. Delta Airlines had to cancel 6,000 flights and suffered an estimated $500 million in damages from the IT failure. It has threatened to sue.

CrowdStrike sees legal action as “meritless,” and its lawyers argue that the company’s maximum liability is contractually limited to “single-digit millions”.


Criticism from competitors

From within the IT industry, the criticism is of a different nature. After all, CrowdStrike’s rivals have something to prove if they hope to win over disgruntled customers. Among the critics were SentinelOne and Trellix. According to Trellix CEO Bryan Palma, Trellix’s own approach is “conservative” enough that it could never cause a similar incident.

CrowdStrike president Michael Sentonas defended the company against the criticism in the Financial Times. He called the competitors’ attempt to capitalize on the IT failure “shady” and “misguided.” According to him, no other security vendor can guarantee that a similar incident with its own product is impossible. SentinelOne CIO Alex Stamos calls that suggestion “dangerous.”

Kernel problems

CrowdStrike rightly notes that competitors are only too happy to profit from the company’s IT woes. Vendors doing so is, by the way, nothing unusual. During the VMware turmoil that followed the Broadcom acquisition late last year, parties such as Nutanix and Scale Computing were quick to promote their alternative solutions. However, the response to CrowdStrike has been particularly vitriolic and has focused on the company’s alleged structural shortcomings.

Yet there is indeed a difference between CrowdStrike’s approach and that of most other security companies. The fact that CrowdStrike’s Falcon sensor runs in kernel mode presents both opportunities and risks. The advantages are significant: running this deep inside Windows lets the sensor inspect files and respond immediately to potential threats. The downside showed itself in a big way on July 19: if something goes wrong in kernel mode, Windows responds by halting the entire system out of self-preservation.

Golden mean?

The criticism from other parties rests on a simple fact: their solutions do not run in kernel mode. As a result, it would indeed not be possible for another vendor to cause a similar IT failure. Certainly not via updates whose timing is outside customers’ control, something that CrowdStrike says will henceforth no longer be the case for its product either.

Either way, kernel-level protection remains attractive. CrowdStrike has not suddenly stopped using a kernel-level sensor, which it has relied on since Falcon was introduced in 2013. Still, one wonders whether a better solution is available. For example, Linux offers a safer path into the kernel via eBPF, without the same risk of crashing the system (what Linux calls a “kernel panic,” its own equivalent of a BSOD).
