What is CrowdStrike Falcon and what does it do? Is my computer safe?
- Written by Toby Murray, Associate Professor of Cybersecurity, School of Computing and Information Systems, The University of Melbourne
A massive IT outage is currently affecting computer systems worldwide. In Australia and Aotearoa New Zealand, reports indicate computers at banks, media organisations, hospitals, transport services, shop checkouts, airports and more have all been impacted.
Today’s outage is unprecedented in its scale and severity. The technical term for what has happened to the affected computers is that they have been “bricked”. This word refers to those computers being rendered so useless by this outage that – at least for now – they may as well be bricks.
The widespread outage has been linked to a piece of software called CrowdStrike Falcon. What is it, and why has it caused such widespread disruption?
What is CrowdStrike Falcon?
CrowdStrike is a US cyber security company with a major global share in the tech market. Falcon is one of its software products that organisations install on their computers to keep them safe from cyber attacks and malware.
Falcon is what is known as “endpoint detection and response” (EDR) software. Its job is to monitor what is happening on the computers on which it is installed, looking for signs of nefarious activity (such as malware). When it detects something fishy, it helps to lock down the threat.
This means Falcon is what we call privileged software. To detect signs of attack, Falcon has to monitor computers in a lot of detail, so it has access to a lot of the internal systems. This includes what communications computers are sending over the internet as well as what programs are running, what files are being opened, and much more.
In this sense, Falcon is a bit like traditional antivirus software, but on steroids.
More than that, however, it also needs to be able to lock down threats. For example, if it detects that a computer it is monitoring is communicating with a potential hacker, Falcon needs to be able to shut down that communication. This means Falcon is tightly integrated with the core software of the computers it runs on – Microsoft Windows.
Why did Falcon cause this problem?
This privilege and tight integration makes Falcon powerful. But it also means that when Falcon malfunctions, it can cause serious problems. Today’s outage is a worst-case scenario.
What we currently know is that an update to Falcon caused it to malfunction in a way that caused Windows 10 computers to crash and then fail to reboot, leading to the dreaded “blue screen of death” (BSOD).
This is the affectionate term used to refer to the screen that is displayed when Windows computers crash and need to be rebooted – only, in this case, the Falcon problem means the computers cannot reboot without encountering the BSOD again.
Why is Falcon so widely used?
CrowdStrike is the market leader in EDR solutions. This means its products – such as Falcon – are common and likely the pick of the bunch for organisations conscious of their cyber security.
As today’s outage has shown, this includes hospitals, media companies, universities, major supermarkets and many more. The full scale of the impact is yet to be determined, but it’s certainly global.
Why aren’t home PCs affected?
While CrowdStrike’s products are widely deployed in major organisations that need to protect themselves from cyber attacks, they are much less commonly used on home PCs.
This is because CrowdStrike’s products are tailored for large organisations in which CrowdStrike’s tools help them monitor their networks for signs of attack, and provide them with the information they need to respond to intrusions in a timely way.
For home users, built-in antivirus sofware or security products offered by companies such as Norton and McAfee are much more popular.
How long will this take to fix?
At this stage, CrowdStrike has provided manual instructions for how people can fix the problem on individual affected computers.
However, at the time of writing there does not yet appear to be an automatic fix for the problem. IT teams at some organisations may be able to fix this problem quickly by simply wiping the affected computers and restoring them from backups or similar.
Some IT teams may also be able to “roll back” (revert to an earlier version) the affected Falcon version on their organisation’s computers. It’s also possible some IT teams will have to manually fix the problem on their organisation’s computers, one at a time.
We should expect that in many organisations it may take a while before the problem can be resolved entirely.
What is ironic about this incident is that security professionals have been encouraging organisations to deploy advanced security technology such as EDR for years. Yet that same technology has now resulted in a major outage the likes of which we haven’t seen in years.
For companies like CrowdStrike that sell highly privileged security software, this is a timely reminder to be incredibly careful when deploying automatic updates to their products.
Authors: Toby Murray, Associate Professor of Cybersecurity, School of Computing and Information Systems, The University of Melbourne