Post-Outage, CrowdStrike Gives Customers Update Control
CrowdStrike is revising the update process for its security tools following a July outage that disrupted thousands of systems worldwide. Senior Vice President Adam Meyers testified before the U.S. Congress, stating that customers will now have the option to choose when to receive updates: immediately or at a later time. This flexibility will help them avoid potential issues arising from the installation of new versions.
Meyers also revealed that CrowdStrike is reassessing its update verification process. Previously, the company admitted that its verification tools, over the past decade, had failed to detect a flaw in an update that compromised more than 8.5 million Windows devices. The outage affected critical systems such as airlines, hospitals, and banks, all of which rely on CrowdStrike products.
According to Meyers, the faulty update was not traditional software code but rather a configuration file containing threat intelligence data. Such updates can be released as frequently as 10 to 12 times a day and were not previously subjected to the same rigorous scrutiny as software code. However, after the incident, the company decided to treat these updates as full-fledged code and apply more stringent checks. Meyers noted that this approach has not yet become an industry standard.
CrowdStrike’s code verification process proceeds through several stages. Code is first tested internally (“dogfooding”), then reviewed by early clients, and only after that is it rolled out to the wider user base. Meyers stated that these new measures will help prevent similar outages in the future. However, the hearings did not clarify why updates were not initially tested as code or how exactly the verification process would be modified. The company also declined to answer media inquiries on these matters.
Meyers further addressed one of the major concerns following the incident — CrowdStrike’s deep access to the Windows operating system’s kernel. He explained that the kernel is the core of the system, responsible for managing hardware interactions, and that many security solution providers, including CrowdStrike, leverage the Windows kernel to operate their products.
Previously, CrowdStrike had asserted that such access to the kernel is essential for providing maximum protection and thwarting hacking attempts. Meyers added that cybercriminals themselves aim to gain kernel access to disable security systems, which is why security products must operate at this level.
At the hearings, CrowdStrike also declined to answer questions about whether the incident would be investigated by the U.S. Department of Homeland Security and whether the company intends to compensate clients for their financial losses. The outage affected over 20,000 customers, including U.S. government agencies.
CrowdStrike is already facing the threat of lawsuits from major clients, such as Delta Air Lines, which estimates its losses at $500 million due to flight cancellations. Economists have estimated that the total damage to Fortune 500 companies caused by CrowdStrike’s update failure amounts to over $5.4 billion. Furthermore, investors have expressed their dissatisfaction, leading to a lawsuit from the Plymouth County Retirement Association pension fund following a drop in CrowdStrike’s stock.