←back to thread

CrowdStrike's Falcon Sensor also linked to Linux kernel panics and crashes

(www.theregister.com)
158 points kenjackson | 1 comments | 22 Jul 24 02:22 UTC | HN request time: 0.225s | source
Show context
ykonstant ◴[22 Jul 24 06:05 UTC] No.41031312[source]
Sorry to hijack this post, but for affected admins reading this: how is the recovery process going? What is your estimated time to normalcy?

Also, for Linux and especially BSD admins: has this incident affected your perspective on EDR/XDR systems in the kernel? What would you suggest as an alternative to ensure regulatory compliance?

replies(2): >>41031360 #>>41041546 #
tgv ◴[22 Jul 24 06:15 UTC] No.41031360[source]
I do manage a few Linux machines (firewall passes only http and https -> nginx -> custom backend), but I'd never heard of Crowdstrike before. I don't even know what their product is supposed to do. As far as I can see, kernel level protection could only help prevent someone bypassing the firewall and trigger an exploit in nginx. But if Crowdstrike knows about such exploits, everyone does, and the firewall or nginx gets patched.

What am I missing?

Edit: I know it is supposed to implement "EDR", but it's always explained in the vaguest of terms.

replies(5): >>41031414 #>>41031431 #>>41031453 #>>41033240 #>>41034207 #
jabroni_salad ◴[22 Jul 24 06:31 UTC] No.41031453[source]
> But if Crowdstrike knows about such exploits, everyone does

This is actually the most important thing happening with EDR as a concept, it handles novel cases that have never been seen before, with a human review very quickly. Our csirt has an SLA of 3 minutes.

It's right there in the name acronym. Detection and Response.

replies(2): >>41031905 #>>41034825 #
therein ◴[22 Jul 24 08:07 UTC] No.41031905[source]
So like let's say a user of a computer in my fleet ran something infected with malware that had enough diligence to have a unique file signature. It puts itself to startup items in a creative way and then calls back home with just a standard SSH connection.

In that case are you telling me their pitch is that they detect this behavior, dispatch some human agent from their CSIRT within 3 minutes to remotely but manually come check the binary, dump some strings, do some reverse engineering and track the CC server etc?

replies(3): >>41032312 #>>41032982 #>>41036029 #
1. michaelt ◴[22 Jul 24 09:14 UTC] No.41032312[source]
> In that case are you telling me their pitch is that they detect this behavior, dispatch some human agent from their CSIRT within 3 minutes to remotely but manually come check the binary, dump some strings, do some reverse engineering and track the CC server etc?

Crowdstrike is not in the business of selling to people who know WTF any of that means.

Crowdstrike is in the business of selling to people like the CEO of Southwest Airlines. Their pitch is "The definitive AI-native SOC platform; Forrester named CrowdStrike a Leader in The Forrester Wave for Managed Detection and Response (MDR) in Europe; IDC MarketScape name CrowdStrike Named a Leader in Worldwide Risk-Based Vulnerability Management Platforms 2023 Vendor Assessment"

If the CEO consults people lower in the hierarchy, the pitch is "Some asshole has decided you need to be SOC2 compliant, that means you need to run antivirus, our product will check that checkbox and though our product is not good, it is at least better than mcafee or symantec"