@th3j35t3r
Serious question: Given this latest disaster from CrowdStrike and previous ones from SolarWinds and other such security providers, why are so many companies continuing to rely on them? I can appreciate the scope of managing a huge number of systems, but when one breach, poisoned update, or just plain bad patch takes down a huge chunk of national or international infrastructure, when will these orgs finally look to other solutions? #cososec
@th3j35t3r
Tagging in @White_Rabbit
@th3j35t3r @White_Rabbit
I also wonder if CrowdStrike et al thoroughly test all patches on dev mirrors of their client installs before pushing them out. I realize that takes time and is not free, but I would think that's part of what you're paying these companies to do, to make sure that anything pushed out to operational systems is clean and solid.
@voltronic @th3j35t3r @White_Rabbit no company will pay what it requires to fully test all of the software they deploy. Even NASA admitted they shipped code with bugs that threatened human life, simply because they couldn't afford to. That said, Capitalism ensures that the absolute least amount of testing will be done. This current outage will be generally forgotten in a week and CrowdStrike will survive it, so apparently Capitalism ... works? Kind of?
@Spartan @voltronic @th3j35t3r @White_Rabbit Back in the day in IT in a Fortune 50 healthcare company, I wrote business cases & cost-benefit analyses for infrastructure & appdev. My corporate overlords knew damn well when cost-cutting would potentially impact patient outcomes, but very few cared enough to fight for adequate funding. Pure greed. When you are assessed on cost cutting over everything else, it's in your self-interest to roll the dice on someone else's life.
Risk transfer. Nothing to do with security - you can manage the risk yourself or you can offload it to someone else. In that sense, the CrowdStrikes of the world let you do that. And it's easier to sell to the C-Suite than Bucky the IT Guy.
@Cosmichomicide I think what CrowdStrike and similar really offer to their clients isn't freedom from outages, it is the freedom to say it wasn't their fault.
@voltronic @th3j35t3r
@AskTheDevil @voltronic @th3j35t3r
Reputational risk has a dollar value in most corporations. 🤷
@AskTheDevil @voltronic @th3j35t3r
Average cost of airline delay is $110/minute/plane.
Damned skippy that is coming out of someone's money, and it's not going to be the airlines nor the airports.
@Cosmichomicide @voltronic @th3j35t3r
Oh, they'll take it out of the customer's asses, never fear.
@AskTheDevil @voltronic @th3j35t3r
Not in this case - there are all sorts of penalties and fees associated with transit systems and delays built into the contracts. CrowdStrike's insurers are deeply, deeply unhappy - and hopefully they are not self-insured.
@Cosmichomicide @voltronic @th3j35t3r
And then the insurers will pass the expenses down to others.
There are _no_ ways that a company does a big fuckup like that where the rest of us don't end up paying the costs and enduring the consequences.
They are _always_ passed on to the public.
@AskTheDevil @voltronic @th3j35t3r
No argument here, just shining light on the chain.
@AskTheDevil @voltronic @th3j35t3r
Most amusing thing is that they took down the verticals most likely to be able to cost the loss by the minute and write it into contracts.
@voltronic I don't have an answer to this one, Volt.
@th3j35t3r
Appreciate the honesty, but *someone* needs to have the answer. Because we're long past this stage...
@th3j35t3r @voltronic i would say that we are al on our own now, it seems. (Some exceptions apply)
@voltronic @th3j35t3r *All
@voltronic @th3j35t3r I hate the argument ‘everybody is using it/them’ for exactly this reason. To me using such an argument shows your incompetence and laziness.
@th3j35t3r
Are there independent security contractors who can handle organizations this large? Because to me, that would be preferable.
What's happening now seems like the infosec equivalent of these large companies all investing a huge amount of their assets in the same stock, and trusting that it will stay stable.