We know a lot about the who, what, when, where and why of the recent global outage caused by CrowdStrike’s software update. But the question that's still being asked is, "How can we prevent this from happening again?"
In a recent blog post, Mike Mullane at the International Electrotechnical Commission (IEC), an international not-for-profit standards and assessment organization, said that adherence to standards such as those from the IEC and ISO could have prevented the CrowdStrike incident.
"IEC and ISO international standards reflect the wisdom of a broad and diverse range of experts from every corner of the world. They codify the global best practices that could have helped prevent the recent IT outage that is still affecting hospitals, airports, banks and other businesses worldwide. Analysts blame the absence of three safeguards for exacerbating the impact of the faulty software: Rigorous testing, enhanced monitoring and effective communication. IEC and ISO [cybersecurity] standards address all three," Mullane said in the post.
Mullane is specifically talking about the best practices outlined in ISO/IEC 27002, which provides comprehensive guidelines for information security controls, including those related to change management and software updates. Another standard, ISO/IEC 27017, builds on ISO/IEC 27002 to provide additional security guidance for the cloud, Mullane said.
"It emphasizes the importance of a formal change management process, including thorough planning, risk assessment and approval of changes before implementation. The ISO/IEC Standard recommends sandboxing: Extensive testing in a controlled environment to detect any potential issues. It is easy to see how this step is crucial to prevent untested updates from causing widespread disruptions," Mullane said.
Sam Peters, chief product officer at ISMS.online, is in agreement -- at least about using standards as a starting point and a foundation for building robust cybersecurity best practices. He added that managed services providers (MSPs) and managed security services providers (MSSPs) can play a role here, too, by reviewing their own operational practices and security strategies and helping customers remain in compliance with standards and best practices.
"MSSPs must critically reassess their operational frameworks. This incident highlights the urgent need for a comprehensive review of industry practices and the implementation of more resilient systems. In this context, the ISO 27001 standard emerges as an invaluable foundation for building robust information security management systems," Peters said.
Compliance Is Just a Starting Point
But just meeting compliance standards isn't enough, Peters added. The compliance standards represent global best practices that all organizations should be following to better assess and mitigate risk. The ISO 27001 standard outlines several risk mitigation standards, including diversification, continual improvement, incident response capabilities, proactive monitoring and business continuity, Peters said.
"MSSPs should avoid over-reliance on single-vendor solutions and implement a multi-layered security approach that leverages solutions from various providers; this strategy can significantly reduce the likelihood of systemic failures," he said.
The standard's emphasis on continual improvement aligns well with the need for rigorous quality assurance processes for MSPs and MSSPs, Peters added.
"Implementing stringent testing protocols for all software updates, including the use of staging environments that accurately replicate production systems coupled with enhanced change management procedures, can prevent the deployment of faulty updates and minimize potential service disruptions," he said.
MSPs and MSSPs should develop and regularly test comprehensive incident response plans that address a wide range of scenarios, including those involving trusted security tools. Effective crisis management also demands clear, rapid communication channels with clients to ensure timely updates during incidents, adhering to the standard's requirements for information security incident management, he said.
Proactive monitoring and regular security audits -- both internal and external -- are cornerstones of ISO 27001, Peters said, and are critical for maintaining a robust security posture.
"MSPs and MSSPs should invest in advanced monitoring systems capable of swiftly detecting anomalies across their infrastructure and client environments. Frequent internal and external security audits, as mandated by the standard, will help identify and address potential vulnerabilities before they can be exploited," he said.
Business continuity planning, another key aspect of ISO 27001, is crucial, Peters explained. MSPs and MSSPs must ensure critical systems have adequate redundancy and failover mechanisms to maintain service continuity during unforeseen events. This approach protects client operations and safeguards the MSSP's reputation and business relationships.
Standards Alone Are Not Enough
All that said, Chris Henderson, senior director of threat operations at Huntress, cautioned that standards alone would not have prevented this or any incident. While they are important guidelines and frameworks that outline best practices, they don't necessarily make any vendor or organization immune to outages, cybersecurity breaches or errors, and shouldn't be seen as a guarantee; they minimize risk, but don't eliminate it entirely, he said.
"Security compliance frameworks are, as the name implies, frameworks for doing the right thing. They are not guarantees that a process is immune to error: technical, human, natural or otherwise," Henderson said. "They seek to minimize risk, not eliminate it. The audits of these frameworks are primarily used to check the bias of efficacy. By leveraging third parties to examine the controls an organization utilizes, it offers the best chance to identify weaknesses and areas of improvement. The external audit of controls by a reputable audit firm is arguably more important than the specific framework an organization has chosen to implement."
The recent outage can and should be a catalyst for industry-wide improvement. MSPs' and MSSPs' role in safeguarding business operations has never been more critical, ISMS.online's Peters said, and rising to this challenge means leveraging established standards like ISO 27001 while also pushing beyond them to set new benchmarks for security and reliability in the industry.
"Recent events underscore the critical importance of robust supplier management controls as outlined in ISO 27001. This standard advocates for service level agreements (SLAs) that ensure suppliers inform businesses of updates or fixes ahead of time. Implementing such provisions can significantly enhance an organization's ability to anticipate and mitigate the impact of incidents like the recent CrowdStrike driver update issue. Proactive communication and stringent monitoring of supplier activities are essential for maintaining the integrity and security of business operations," he said.