FlyerTalk Forums - View Single Post - BA (Potential) IT Outage 19 July 2024
Old Jul 20, 2024 | 1:56 am
  #269  
greg5
Originally Posted by SW7London
This wasn't an update per se to CrowdStrike, but a pattern file update i.e. each hour/day/whatever timeframe you've configured, new definitions are downloaded to protect your infrastructure against the latest viruses/malware etc etc. Given the nature of what these definitions are protecting against, they need to be timely. There are numerous software security systems in any org; there could be many, many definition updates every day for each one. The number of organisations globally who would raise and approve changes for each of these unique definition updates I could probably count on my left hand.

The choice is between getting these updates into your environment quicker to reduce the security risk vs a slower deployment approach which reduces the risk of what we've seen today but also reduces how quickly you can protect your environment against a security risk.
I haven't been retired quite that long.

But it is still important to verify that an organization's systems still work after changes in code or configuration. These days, there's really no good reason for not having all of this built into something like GitLab pipelines. Any issues should be caught in the automated test and integration environments. If there is a problem there, then the automation stops and the problem can be dealt with before going into production. At my last employer we did this with our application. Of course, as a Trusted Security Provider, we were required to by ETSI specifications, and were regularly audited.

This incident did expose a shocking level of incompetence in IT worldwide.