CrowdStrike Contracts External Security To Evaluate Falcon Tool

Crowdstrike has employed two external security companies to review its Falcon tool, the agent-based platform at the heart of last month’s massive IT outage.

The company announced the news in its post-incident report, where it says the independent firms will "conduct [a] further review of the Falcon sensor code for both security and quality assurance."

CrowdStrike Falcon uses AI and machine learning to identify and remediate threats. Its knowledge base remains current through threat telemetry from CrowdStrike's wider business, but a recent update caused issues to cascade through the supply chain.

Although the problem with Falcon hit in July, it began months before, in February, with the release of sensor version 7.11. That update introduced a new Template type, a way of spotting and responding to new threats.

CrowdStrike explains, "Template types represent a sensor capability that enables new telemetry and detection, and their runtime behaviour is configured dynamically by the template instance."

The root of the problem was a mismatch between fields and input values: 21 of the former, but only 20 of the latter. The mismatch "evaded multiple layers of build validation and testing," partly due to CrowdStrike's use of wildcard matching criteria for the 21st input during testing.

At first, this didn't appear to affect things; the instances didn't cause the interpreter to use the missing parameter (although some Linux machines showed errors as early as April). However, on 21st July CrowdStrike deployed two additional IPC Template Instances. One of these "introduced a non-wildcard matching criterion for the 21st input parameter," exposing sensors that received the update to an out-of-bounds read issue.

We've written extensively about the fallout of the flaw, which affected banks, airlines and even tech companies. Some leaders say it highlights the risk of relying on a single provider; others say it could happen to anyone, and have committed to sticking with CrowdStrike.

CrowdStrike says it has evaluated its testing procedure and has changed its rollout process to avoid a similar situation – but it's still being sued by investors for not using a phased approach in the first place.

The company has not named the external security firms it's working with to investigate Falcon.

This article originally appeared on our sister site, Computing.