
CrowdStrike outage redefines EDR market emphasis

July’s infamous CrowdStrike outage has shaken up the endpoint detection and response (EDR) marketplace by placing a much greater emphasis on stability and reliability.

But industry analysts and other experts predict few organizations will ultimately migrate away from CrowdStrike’s Falcon EDR offering despite the widespread chaos triggered by a faulty CrowdStrike content update on July 19.

EDR technologies monitor endpoints, such as servers, PCs, and other devices, to detect and mitigate malicious threats. These enterprise-focused technologies combine continuous monitoring and collection of endpoint data with analysis and automated response capabilities — for example, logging off users or sending alerts based on pre-set rules. Behavioral analytics and machine learning are typically used by EDR systems to detect the hallmarks of suspicious activity.

Major players in the EDR market include Carbon Black, Cisco, CrowdStrike, Microsoft, Palo Alto Networks, SentinelOne, Symantec, Trend Micro, and others.

Disaster strikes

CrowdStrike’s faulty configuration update to its Falcon Sensor security software caused system crashes and boot loops when applied to Windows PCs and servers. Even though the faulty update was quickly withdrawn, the resulting outage affected organizations worldwide across multiple sectors, including airlines, banks, and hospitals.

Issues with updates are a well-known Achilles heel for anti-malware and EDR products in general, but July’s CrowdStrike calamity hit harder than comparable problems.

“CrowdStrike’s brand operates on trust, and because of this incident, trust was eroded,” Forrester principal analyst Allie Mellen told CSO. “However, customers are still willing to stick with CrowdStrike given its security capabilities and market standing.”

In the aftermath of the outage, CrowdStrike strengthened its pre-release testing processes and improved quality control, something that has helped assuage CrowdStrike customers, said Mike Jude, a research director at IDC.

“It [CrowdStrike] has committed to more testing as well as offering customers more choice in how they deploy updates, including the option to ‘back out’ of a particular release,” Jude explained.

While arguably damaging to its reputation, the outage is unlikely to spur many defections or affect CrowdStrike’s market share, according to Jude.

“The outage caused all EDR vendors to face additional scrutiny — CrowdStrike more than others,” said Forrester’s Mellen. “However, other EDR vendors have and should receive questions about how and when updates, whether full-on software updates or simpler updates like new config files, are sent to the kernel. Customers should also ask their EDR vendors about software quality assurance and testing practices and update controls.”

Down in the kernel

Many vendors attended Microsoft’s recent Endpoint Security Summit to discuss the future of endpoint security software in the kernel.

Security vendors, unlike mainstream Windows application developers, have been allowed to load kernel drivers as a means of achieving greater visibility of malware, and as a defense against bootloaders that operate below the user application layer.

Being able to load kernel (ring zero) drivers is problematic, however, because if anything goes wrong, the whole system, and not just an individual application, crashes. During the summit, Microsoft hinted that it wanted to change how Windows security software interacts with the kernel, but without offering details, much less a timetable, for any changes.

“Microsoft is proposing to add a layer of abstraction above the kernel but below user space that security products would sit upon,” according to IDC’s Jude. “It might be possible to do this without affecting performance.”

While the approach might offer more protection against mishaps, it could create competition concerns, since Microsoft itself is a significant player in the enterprise EDR marketplace through Windows Defender.

Testing times

Michael Robert, senior technical contributor at GTA Boom, said that security resellers, integrators, and distributors have placed a greater emphasis on reliability in discussions with their clients since CrowdStrike’s meltdown event.

“I’ve noticed channel partners are now emphasizing the importance of reliability and backup plans when helping clients choose EDR solutions,” Robert said. “They’re asking tougher questions about testing procedures and gradual rollouts.”
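As an added illustration of the update controls described above (gradual rollout rings gated on crash telemetry, a halt that reverts to the last known-good version, and a customer-side option to trail or pin a release), here is example code that is not from CrowdStrike or any vendor named in the article; the ring names, thresholds and version strings are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Rollout rings promoted in order, each with the maximum crash rate it tolerates.
# Names and thresholds are constructed for this example, not any vendor's policy.
RINGS = [("canary", 0.001), ("early", 0.002), ("broad", 0.005)]
MIN_HOSTS = 100  # do not judge a ring on too small a sample (constructed value)

@dataclass
class Rollout:
    version: str           # content version being rolled out
    last_known_good: str   # version every ring reverts to on a halt
    ring_index: int = 0
    halted: bool = False
    log: list = field(default_factory=list)

    @property
    def current_ring(self) -> str:
        return RINGS[self.ring_index][0]

def evaluate_ring(rollout: Rollout, hosts_updated: int, hosts_crashed: int) -> str:
    """Gate one ring on its telemetry: 'hold', 'promote', 'done' or 'rollback'."""
    if rollout.halted:
        return "rollback"          # a halted rollout never resumes on its own
    if hosts_updated < MIN_HOSTS:
        rollout.log.append(f"{rollout.current_ring}: waiting for sample ({hosts_updated} hosts)")
        return "hold"
    ring, limit = RINGS[rollout.ring_index]
    rate = hosts_crashed / hosts_updated
    if rate > limit:
        # Crash rate beyond tolerance: stop here and revert every ring already
        # updated to the last known-good version instead of pushing further.
        rollout.halted = True
        rollout.log.append(f"{ring}: crash rate {rate:.4f} > {limit}; rollback to {rollout.last_known_good}")
        return "rollback"
    rollout.log.append(f"{ring}: crash rate {rate:.4f} within {limit}")
    if rollout.ring_index == len(RINGS) - 1:
        return "done"
    rollout.ring_index += 1
    return "promote"

def customer_target_version(channel: str, latest: str, previous: str,
                            pinned: Optional[str] = None) -> str:
    """Customer-side control: pin a version ('back out') or trail the latest by one (N-1)."""
    if pinned:
        return pinned
    return latest if channel == "latest" else previous
```

The gate refuses to promote on an undersized sample and, once halted, stays halted until a human intervenes, which is the behaviour a staged-rollout policy needs to make a bad content file stop at the first ring rather than reach every host.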

Suppliers, meanwhile, are trying to reassure potential clients that their testing procedures are rigorous enough to catch any potential update problems before they are released.

Vendors are “stepping up their game,” according to Robert. “They’re highlighting their own reliability measures and being more transparent about their testing processes,” he said.

Hugo Farinha, founder of VirtuosoQA, a UK vendor that uses AI to create a platform for testing enterprise software, said the CrowdStrike outage highlighted the importance of “robust testing procedures and contingency planning.”

“The CrowdStrike outage should serve as a wake-up call to review not just the reliability of their EDR solutions but also the overall resilience of their IT infrastructure,” Farinha told CSO. “Regular system testing, both from a functional and performance standpoint, is essential to ensure that services can continue running smoothly, even in the face of unforeseen vendor disruptions.”

Market consolidation and AI

The EDR market continues to evolve, with large players acquiring smaller firms to strengthen their offerings.

“Companies are also focusing on balancing AI-powered automation with human oversight, ensuring that their security posture remains reliable,” said Temi Akinlade, GRC/P security advisor at Armor Defense.

Forrester’s Mellen added: “Product evolution to XDR [extended detection and response] is a big dynamic at play in the endpoint security market at the moment. Vendors are evolving their capabilities beyond the endpoint and looking to steal market share from the tumultuous SIEM [security information and event management] market.”

