Crowdstrike - a para-incident review
We find ourselves in the midst of a classic social response to a significant incident - a heady blend of technobabble, confusion and hyperbole, with a sprinkling of genuinely helpful information, grief and support for those right in the thick of it, and warnings about the likelihood of further exploitation ... of ... the classic social response to a significant incident.

That's a positive feedback loop, amplified by the echo chambers of social media, and traditional news reporters whose job is (in part) to stir the pot and sell papers.

"This is HUGE!" they tell us, breathlessly. "Bigger than a really big thing, and still growing!" According to the din just on LinkedIn over the weekend, the Crowdstrike incident is "a major global outage", a "mass global outage and major impact to services", "carnage", "cataclysmic", "global chaos", the "patchpocalypse", "digital catastrophe", "the biggest cyber incident in history", "one of the largest glitches in the Matrix", "massive disruptions", "a complete nightmare … the ramifications to this outage are going to be massive", "incredibly serious, detrimental and possibly life-threatening situation" ... OK OK we get the picture.

In my opinion, information technology, risk and security, cybersecurity and incident response professionals (leaders especially) ought to appreciate what's really happening here, rising above the hubbub. We should remain calm, confidently offering clear, competent guidance and rational direction.

That's hard, though, because we too are human beings. We bleed. Allegedly.

At the same time, a cool, calm, confident, considered and unemotional response to a major incident can come across as cold, heartless or ignorant to those who are pumped up on adrenaline, perhaps teetering on the edge of panic. It's a no-win, emotionally-charged situation ... but if we don't resist, there's a remote risk of the situation running away due to the positive feedback, precipitating something even worse. Conversely, downplaying or suppressing the incident entirely would also be risky in slowing or halting the response.

I'm disappointed but not surprised at the number of armchair experts pontificating on 'the real cause' as if there is just one, some quick to point their fingers at Crowdstrike, Microsoft, Crowdstrike customers, the IT industry, IT QA and other professionals (including us infosec wonks) as if blaming anyone achieves anything except perhaps vent a little steam (and that's OK).

Meanwhile, there's an incident to resolve, systems to rebuild and secure, business processes to recover, an emotional swamp to drain.

Once that's done, the post-incident review and wash-up will be fascinating. Not just yet though, please. Let's catch our breath.