
CrowdStrike Outage Highlights Vendor Risk

  • Ralph Labarta
  • Jul 22, 2024
  • 2 min read

Vendor Risk was often a featured item in board updates during my time as CIO. It was nearly always elevated to a "moderate" risk level because of the many unknowns and the difficulty of mitigating them. This was further exacerbated as modern IT shifted to greater vendor dependency through cloud deployments, vendor-based security platforms, SaaS migration, etc. The following are common vendor risks and, unfortunately, the limited mitigation strategies available for them.


Security and Software Updates

Let's start with the news of the day. Security updates are produced with great frequency in response to the changing sea of threats and attack vectors. The majority of security platforms, tools, and target systems (such as operating systems) are provided by third parties. Updates deemed critical because of active attacks in the wild have challenged traditional IT deployment strategies, which generally require system updates to be deployed first in a "sandbox" environment, separate from production systems.


"It comes down to the urgency of the patch and the risks of an exposed vulnerability, versus sound IT strategies that limit risk" (IT Manager, Anonymous).


The move to allow automatic installation of critical security updates has led many IT operations to allow automatic installation of routine patches as well.


The risk is the inevitable consequence of a patch gone awry or, as in the case of SolarWinds (see "SolarWinds hack explained: Everything you need to know", techtarget.com), the insertion of malicious code into a trusted update.


Mitigation: The most effective mitigation is old-school sandbox testing of all deployed software and infrastructure configuration changes before they reach production. It's expensive, time consuming, and may run counter to the vendor's SLAs or other guarantees, and may even trigger exclusions in cyber coverage due to delayed system patching. One caveat: staging only helps for updates the vendor lets you stage. In the CrowdStrike case the faulty file was a content update pushed outside the customers' sensor-version staging controls, so a policy that pinned the sensor to an older release did not prevent it.
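One way to operationalize the sandbox-then-production discipline described above is a ring-based rollout with a health gate between rings, which generalizes the two-stage (sandbox, then production) approach to as many stages as you like. The following is an added example, not code from the original post or from any vendor; the ring layout, host names, bake times, failure-rate ceilings and the post-update telemetry are all hypothetical and constructed for illustration.

```python
"""Ring-based rollout gate for third-party updates.

Added example with hypothetical rings, host names and constructed telemetry.
Each ring must (a) stay under its failure-rate ceiling and (b) soak for a minimum
"bake" time before the update may reach the next ring. A host that never reports
back after the update (boot loop, hung agent) is counted as a failure, which is
what makes a crash-on-boot patch stop at the first ring."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ring:
    name: str
    hosts: tuple[str, ...]
    bake_minutes: int          # minimum soak time before promotion to the next ring
    max_failure_rate: float    # fraction of hosts allowed to fail the post-update check


# Hypothetical ring layout, innermost first. Inner rings tolerate zero failures.
RINGS = (
    Ring("sandbox", ("sbx-01", "sbx-02"), bake_minutes=60, max_failure_rate=0.0),
    Ring("canary", ("it-ws-01", "it-ws-02", "it-srv-01"), bake_minutes=240, max_failure_rate=0.0),
    Ring("early", tuple(f"ws-{i:03d}" for i in range(1, 21)), bake_minutes=1440, max_failure_rate=0.02),
    Ring("broad", tuple(f"ws-{i:03d}" for i in range(21, 101)), bake_minutes=0, max_failure_rate=0.02),
)


def ring_verdict(ring: Ring, reports: dict[str, bool], elapsed_minutes: int) -> tuple[str, float, list[str]]:
    """Return ("halt" | "wait" | "promote", failure_rate, failed_hosts) for one ring.

    reports maps host -> True if it checked in healthy after the update. A host
    missing from reports is treated as failed: silence after a patch is not success."""
    failed = [h for h in ring.hosts if not reports.get(h, False)]
    rate = len(failed) / len(ring.hosts)
    if rate > ring.max_failure_rate:
        return "halt", rate, failed          # stop the rollout; this ring needs rollback
    if elapsed_minutes < ring.bake_minutes:
        return "wait", rate, failed          # healthy so far, but not soaked long enough
    return "promote", rate, failed


def run_rollout(rings, reports_by_ring, elapsed_by_ring):
    """Walk the rings in order and stop at the first one that halts or is still baking.

    Returns (status, ring_name, log): status is "complete", "halted" or "baking";
    ring_name is the ring the rollout is currently gated on; log records each
    ring's verdict, observed failure rate and failed hosts."""
    log = []
    for ring in rings:
        verdict, rate, failed = ring_verdict(
            ring, reports_by_ring.get(ring.name, {}), elapsed_by_ring.get(ring.name, 0))
        log.append((ring.name, verdict, round(rate, 3), failed))
        if verdict == "halt":
            return "halted", ring.name, log
        if verdict == "wait":
            return "baking", ring.name, log
    return "complete", rings[-1].name, log


def all_healthy(ring: Ring) -> dict[str, bool]:
    return {h: True for h in ring.hosts}


# Constructed telemetry scenarios (made up for the example, not real data).
SOAKED = {r.name: 10_000 for r in RINGS}            # every ring has baked long enough

# A sound patch: every host in every ring reports healthy.
GOOD_PATCH = {r.name: all_healthy(r) for r in RINGS}

# A crash-on-boot patch: sandbox hosts never report back, so nothing is promoted.
BOOTLOOP_PATCH = {"sandbox": {}}

# A subtle patch: fine in sandbox and canary, but 1 of 20 early-ring hosts fails
# (5%, above the 2% ceiling), so the broad ring is never reached.
SUBTLE_PATCH = {r.name: all_healthy(r) for r in RINGS}
SUBTLE_PATCH["early"] = {**all_healthy(RINGS[2]), "ws-007": False}


if __name__ == "__main__":
    for label, reports in [("good", GOOD_PATCH), ("bootloop", BOOTLOOP_PATCH), ("subtle", SUBTLE_PATCH)]:
        status, ring, log = run_rollout(RINGS, reports, SOAKED)
        print(f"{label:9s} -> {status:8s} gated at ring {ring!r}")
        for name, verdict, rate, failed in log:
            print(f"    {name:8s} {verdict:8s} failure_rate={rate:.3f} failed={failed[:3]}")
```

In practice the per-host reports would come from your endpoint management or monitoring tool, and a "halt" verdict would be wired to a rollback or to the vendor's version-pinning control where one exists. The design choice worth noting is that silence counts as failure: a host that blue-screens before its agent can check in must not be read as "no problems reported".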


SaaS

Software-as-a-Service (SaaS) is found in practically every environment. It may be limited in scope or represent core compute capabilities for an organization, where downtime has a significant business impact.


The primary risk to the organization is system availability, but there is also cyber risk leading to data exfiltration, fraud, etc. When you become a SaaS client, you are not only a customer of the vendor's software; you inherently become a customer of their entire IT infrastructure and practices, with all the related risks and vulnerabilities.


Mitigation: The vendor can make the "black box" as opaque as they wish. You may be able to obtain information about the components used in their environment, their backup strategy, or their patching cadence, but ultimately you really only have their contractual SLAs, liability commitments, and the governance generalities found in SOC 2 or other attestation reports. As many organizations discovered, their SaaS providers ran CrowdStrike, so they were exposed to the outage indirectly, but with direct consequences.


It should be apparent that vendor risk is found not only in SaaS but in cloud, firewalls, EDR, monitoring, etc. If a product is vendor-provided but runs in your own cloud or on-prem environment, you may be able to control when changes are applied and limit your exposure to bad software. If it is delivered as both software and service, your mitigation options are limited.


Take a look at the risks IT vendors present to your organization. In most organizations, that risk belongs in the elevated category.



© 2024 Techmar, LLC
