Business Continuity Management / Disaster Recovery , CrowdStrike Outage Updates , Election Security
ISMG Editors: Will Microsoft Rethink Windows Security?
Also: Mastercard's Big Acquisition and US Election Security Efforts Anna Delaney (annamadeline) • September 13, 2024In the latest weekly update, Information Security Media Group editors discussed the fallout from the CrowdStrike global IT outage on endpoint security tools, Mastercard's monumental acquisition of Recorded Future to bolster its cybersecurity portfolio, and the latest efforts by U.S. officials to secure the 2024 election.
See Also: Critical Condition: How Qilin Ransomware Endangers Healthcare
The panelists - Anna Delaney, director, productions; Mathew Schwartz, executive editor, DataBreachToday and Europe; Chris Riotta, managing editor, GovInfoSecurity; and Michael Novinson, managing editor, ISMG business - discussed:
- The potential challenges with Mastercard's acquisition of global threat intelligence leader Recorded Future for $2.65 billion to strengthen its cybersecurity portfolio;
- How presidential election year threats have prompted CISA and other U.S. agencies to prioritize efforts to secure the vote, while concerns about security funding and coordination remain.
- Why Microsoft announced that reducing kernel mode dependencies and adopting safe deployment practices will make endpoint systems more resilient and secure for Windows customers.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Aug. 30 edition on how CrowdStrike's competitors are responding to its recent outage and the Sept. 6 edition on how the arrest of Telegram's CEO could affect encryption.
Transcript
This transcript has been edited and refined for clarity.
Anna Delaney: Welcome to the ISMG Editors' Panel. I'm Anna Delaney. Today, we'll dive into the fallout from CrowdStrike's major outage and its impact on endpoint security, Mastercard's monumental acquisition of Recorded Future to bolster its cybersecurity, and the latest efforts by U.S. officials to secure the 2024 election amid rising cyberthreats. My excellent teammates today include Mathew Schwartz, executive editor of DataBreachToday and Europe; Michael Novinson, managing editor for ISMG business; and Chris Riotta, managing editor for GovInfoSecurity. Very good to see you all.
Mathew Schwartz: Thanks for having us back to the party.
Delaney: Mat, the CrowdStrike outage was two months ago. As a reminder, the faulty update hit 8.5 million Windows devices. Since then, CrowdStrike has worked hard, avoiding customer lawsuits but facing a class action from investors. The big question now is will Microsoft rethink Windows security? So Mat, bring us up to speed. What's the latest on the CrowdStrike outage and recovery and how are they going to handle things moving forward?
Schwartz: Yes, this is a fertile ground for ISMG's coverage. I don't know if you can see Michael nodding off-screen, because he has been tracking this story very closely, because it has a lot of more big-picture implications for how we could see the cybersecurity market evolving and how we could see operating systems evolve. One of the as-yet unanswered questions, as we record this session, is, what is going to change with Windows? This global outage disrupted systems in all sorts of places, including some very critical systems, because there are several users of CrowdStrike's software, critical infrastructure and industries who are being hit by some of the latest, greatest and worst types of online attacks. Huge amount of disruption. What happened, very briefly, was CrowdStrike sent an update to its Falcon endpoint detection software. The update was written in a way that the agent didn't expect, and the agent crashed. CrowdStrike has to its credit issued a preliminary report very quickly and then a root cause analysis also relatively quickly, saying, "Look, we had a lot of testing in place. We thought this through to make sure that nothing went wrong. We got that wrong, so here's how we're trying to set that right." And Michael's done some great reporting about them front and center. "Here's our CEO on TV a lot. Here's the company. We're trying to make this right." And kudos to them. They've been good at crisis communication and trying to move the message forward. So, this bad update happened and all these computers crashed. That's a CrowdStrike problem and also a Microsoft problem, because the big question is, why Windows would fail in such a way that you couldn't restore it. And you couldn't restore it because it failed and kept rebooting and never loaded to the point where you could get remote access to it. So, you couldn't remotely fix these systems. Windows, at the moment, stands in stark contrast to Apple and Linux. Linux has added the ability to wall off the kernel so that this sort of thing doesn't need to happen. Apple, when it moved to its own silicon, walled off the kernel so that this sort of thing never happened. Microsoft points to a 2009 agreement it reached with the European Commission saying why it couldn't do these sorts of things. You see what we would think of as being modern operating systems is getting some pushback on that now. Germany, one of its agencies, which can't regulate but can tell German agencies what they can and can't use, has said to Microsoft it wants to see good progress on this question this year. How can you redesign Windows to either remove or substantially reduce the need for third-party tools to directly access the kernel, which is the problem that happened. Third-party tools, especially built by security firms, at the moment, need deep access to the Windows internals. Those tools include Microsoft's Windows Defender. This deep level of access lets these tools block many different types of threats and detect many types of threats, including things that can start up before the operating system starts up. And this is why we get into all this nuance of why it crashed and rebooted and couldn't recover. This sort of thing has happened before but never at the scale that we've seen with this CrowdStrike outage. I was caveating and hedging my bets before because there was a big, I hope it was a big, private summit - "private" because we don't know anything about it - between Microsoft and a bunch of cybersecurity firms and government representatives that happened earlier this week. What happened? What did they agree on? What are the next actions? We don't know. Hopefully, there'll soon be some good news to come out of that. I do think that reflects the difficulty of this problem. Microsoft's going to have to rebuild Windows substantially. What that doesn't fix is all of the current versions of Windows. Lots and lots of unanswered questions here. When you get it wrong, as we saw with CrowdStrike, the repercussions and ramifications can be huge. Hopefully, a lot of organizations are pointing at all their vendors and saying, "We don't want you to CrowdStrike out, like CrowdStrike did. What are you doing to fix it?" CrowdStrike, to its credit, is saying, "Here's what we're doing to fix it." It's handling the message very well. For example, they said they've not been sued by any customers. They've been doing a lot of hearts and minds type things to keep them sweet. And hopefully, we will get some net positive out of all of this.
Delaney: Beyond CrowdStrike, do you see this outage having a broader impact on how companies manage their relationships with their security vendors?
Schwartz: That's a great question. I don't know if they're going to be looking at service level agreements, like, if you do something silly that crashes us and 8.4 million other endpoints, you'll owe us some money. Probably not. I wouldn't think vendors would sign up for that. But hard questions are being asked. Very pointed questions are being asked about the sorts of failures that went into the CrowdStrike outage. Things such as rolling out updates all at once globally, instead of doing it slowly, even over a period of hours or a day, just in case something unexpected happens, which CrowdStrike is now doing, which a lot of other vendors were already doing. Again hopefully, people are being a bit smarter about all this.
Chris Riotta: I cover government agencies, and there's this huge over-reliance on their infrastructure across the federal government on Microsoft. Does this have any sort of impact on their customers for CrowdStrike or even Microsoft and their long-term trust?
Schwartz: That's a great question. I don't know if this alone will drive organizations to move off of Windows. If they were going to, they would have. Maybe this is the straw that breaks the camel's back for some organizations, but we do see Windows being integral for so many things. There are a lot of online services now that get hosted, so they may not have been disrupted, or if they were, if it was cloud-based, that was much easier to recover from this CrowdStrike problem. The real problems were the physical endpoints that were more difficult to get to. That was the challenge. So, great question. Will it drive more people off Windows? Remains to be seen.
Delaney: Excellent. Thanks Mat, and we'll stay tuned for updates post this closed summit. It will be interesting to hear takeaways from that once we know. Michael, breaking news! Mastercard is acquiring global threat intelligence leader Recorded Future for $2.65 billion to strengthen its cybersecurity capabilities. What are your thoughts on this move?
Michael Novinson: Thank you for the opportunity, Anna. And certainly, this comes as a surprise, not necessarily that there is a transaction, but who the buyer is. So, when we're speaking about Recorded Future, it is the largest independent pure play threat intelligence company that is going up against somebody such as Mandiant. A lot of Mandiant is now part of Google. It also competes directly against CrowdStrike's threat intelligence business. CrowdStrike does a whole lot of other things as well, some of which we've talked about here. So, in terms of Recorded Future, they've been part of, or they were inside partners, and Insight Partners bought a majority stake in them back in May of 2019 in the ballpark of $780 million. So, this is a pretty impressive return - $2.65 billion. You'll have about three and a half times in value over a half-decade. That way, it's not surprising that Insight would be looking to sell that typically private equity to hold on to an asset for at most about five years. The economy's been a bit topsy-turvy the past few years. So understandable. Might run a bit longer than that, but certainly makes sense that Insight would be looking to exit - a nice return for them. Certainly, who the buyer is is surprising. If you would ask me, who do I think would take them over? I would have guessed another private equity firm would have bought them, probably too small to go public, or that another cybersecurity company, somebody whatever SentinelOne might have paid or Cisco or Cisco Talos, but that some other cybersecurity company that wants to make a major impression on the threat intelligence side would have bought them. But, to have a business from outside the cyber arena and spend this type of money certainly is surprising. It is not Mastercard's first acquisition in cybersecurity. They did buy a smaller risk ratings firm called RiskRecon back in right around Christmas time in 2019 and then they did buy CipherTrace, which is cryptocurrency intelligence in 2022. They also bought this, which makes sense given what they do, digital identity company back in 2021. They also bought Ekata for $861 million. A lot of them are kind of closer to the core of what they do, whether it's authenticating identities ensuring there's no fraud or helping with third-party risks. The scope of what Recorded Future does is much bigger than the scope of what Mastercard does. So, Recorded Future has been clear in their communications that they're going to be an independent subsidiary of Mastercard and that they're going to remain neutral. Because it is a competitor of Mastercard for all I know, it might be customers of Recorded Future. So, they're not going to favor one source over another, and they are going to provide that detailed, proactive threat intelligence. That's geographically and vertically specific to organizations. So, they're saying it's the same thing. It wouldn't be an announcement nowadays if there wasn't a talk of artificial intelligence - their artificial intelligence, our artificial intelligence. It'll all come together. I don't think there's been a great track record when you've had companies outside of cyber try to spend money in cyber. It's a different mechanism. It's a different DNA, and it's something where the space is evolving so fast that the levels of investment in R&D required sometimes surprise folks who are outside of cyber. I don't think the payment card space is necessarily changing at the same pace as threat intelligence. So, the question always becomes - if you're bought by somebody from outside the space, can they continue with the same R&D? Are they going to continue to stop and pay the folks on that side of the business so that you can have leading-edge intelligence? Historically, the track record isn't great, but this is a massive bet Mastercard is making. There aren't any other threat intelligence vendors anywhere near the size of Recorded Future who are still independent. So, even if whatever Visa or Amex or somebody else tried to match them, they would be buying a much smaller, much less experienced company. So, a bit of a first-mover advantage here moving in. But, the track record certainly would be from other transactions, making this a bit of a cause for concern. So, we have to see what they do to continue to fuel the business and ensure that it's continuing to grow at the rate it has been.
Delaney: So Michael, talk more about that cause for concern, because I know you've just jumped on this story, so maybe it's too soon to answer this. But what sort of challenge might Mastercard face while integrating Recorded Future's tech into its services?
Novinson: It's a bit of shiny object syndrome that this doesn't overlap with what Mastercard does today. They are a credit card company, and yes, they have some ancillary services that they can provide and digital identity protection that can help with third-party risks. I'm sure they want to add this threat intelligence as an add-on for their corporate customers. It's an upsell, and they can take this to all their existing customers. They use global customers and try to sell them some threat intel. You get it off in one place. It is a different type of service. It is in Recorded Future's reputation - it's incredibly expensive. "You're paying a premium price for a premium product" is essentially how it's sold. But, the point is that there can't be that many synergies, because they kind of have to keep this independent. It's so different from anything they do. And for it to remain neutral and not for other folks in the financial services and payment industry to not be concerned that Mastercard is getting favorable or preferential treatment, they kind of have to keep Recorded Future at arm's length so that it can be truly a fair player. So yeah, that way there's less opportunity for synergies. It's a shiny object thing that they feel there's potential here. But 12, 18 or 24 months down the road, you get a new executive, you get a new member of the C-suite. You get activist investors who are concerned that the rates of return aren't as good as they want. And then what happens? Does this get deprioritized? They're spending the money today. It's a priority today. But what about a year or two from now when the macroenvironment looks different and when there are other things investors care about? Does it continue to receive the same level of investment and support when threat intelligence is the only thing you do that you're going to be putting all your eggs in that basket? But, $2.65 billion is a lot of money for you and me, but for Mastercard, it's a drop in the bucket, given the size of their business. So, if something else becomes a higher priority, what happens to the investment in this business? And it's cautionary as you've seen time and time again when companies not in cyber get interested in something within cyber, spend a whole lot of money, and then often end up, within a year or two, just kind of neglecting it in languishes, they spit it back out, or it gets carved out by private equity, and often by then, the company is much less strong than it is today. So, certainly for Recorded Future's sake, for the sake of their customers, I hope that's not the case. It is a leading product today. So, I hope it continues to receive that tender, love and care for Mastercard that it had during its time under Insight.
Delaney: Very good. Excellent work. Thanks Michael. I heard this will prompt similar acquisitions in the space by other major financial players, but let's see.
Novinson: I imagine it will, but they will be a lot smaller because there isn't anybody else of a Recorded Future size available now. So, I'm sure we'll see some others. But yes, we'll probably be in the 8 or 9 figures rather than in the 10 figures.
Delaney: Great. Moving on to Chris. 2024 has been marked election year. So, officials, particularly CISA, are focused on securing the vote amid rising cyberthreats. They are concerned about funding and coordination assistance. So, give us an update on the situation.
Riotta: Yes, we are less than two months from the vote. I'm here in Washington, where all eyes are pretty much on the security and the resiliency of the upcoming vote in the wake of Iranian-based hacks, global tensions with foreign adversaries such as Russia and China, a reported spike in cyberattacks targeting election infrastructure such as voting databases, and not to mention there's now a looming government shutdown that raises additional security concerns for the upcoming vote. Now, federal cyber operations would face significant disruptions as government agencies are left exposed to a wide range of emerging threats if lawmakers fail to avert a looming government shutdown, according to many security experts. Many of the teams dedicated to running election security operations remain at the local and state level. So, a shutdown would complicate holding the election itself, counting the votes or ensuring the integrity of the vote. However, election security experts and secretaries of state are calling for last-minute funding and additional federal support to ensure that the election is secured against emerging cyberthreats and disinformation campaigns. Secretaries of state from across the country testified before Congress this week, raising alarms that insufficient federal funding is stalling essential modernization efforts. They urge lawmakers to reinstate funds that have been left out by house appropriators in the upcoming budget for a Help America Vote Act program, which allows states to upgrade their voting systems. While experts agree that U.S. election infrastructure is largely secure and resilient to events-targeted attacks, the stakes are rising. The November 5th Presidential Election is unfolding amid heightened global tensions as foreign adversaries use digital influence campaigns and cyber tactics to erode trust in the upcoming vote. The Department of Justice recently seized dozens of internet domains and imposed a series of sanctions against Russian media executives - the first of their ever kind of sanctions - and accused this big network of media execs of orchestrating a campaign to interfere in the upcoming election. Additionally, the FBI has confirmed that Iran was behind a hacking effort targeting both Vice President Kamala Harris and Former President Donald Trump's presidential campaigns. The operation reportedly led to the release of the dossier containing information on Republican vice presidential nominee Senator JD Vance. Now, I spoke with David Becker, executive director of the nonpartisan Center for Election Innovation & Research. He told me that Congress is unlikely to pass any new legislation or allocate additional funding for election security ahead of November, and even if approved, the funds would arrive too late to make a meaningful impact. Recent reports highlight voter registration databases are becoming a key target for both domestic and foreign cyberthreats. A September vote from the same Center for Election Innovation & Research warns that security breaches could occur if election staff failed to follow strict access policies such as multi-factor authentication or limiting access based on the principle of this privilege. And as we all know, in the final weeks of campaign season, there's a lot more staff and volunteers who are added to campaigns and to local election sites across the country. Using personal devices and their network of IoT devices could kind of expand the threat landscape. On Monday, CISA released a checklist designed to help election security officials and IT teams assess their current cybersecurity posture and determine any additional steps needed to defend against common threats. Senior officials from CISA told ISMG that the agency is deploying more resources than ever before, including sending election security advisors to all of its regional offices across the country to provide frontline support to election workers in the lead-up to the vote. But James Turgal, vice president of global cyber risk for Optiv and former executive assistant director at the FBI, told me that the checklist lacked crucial details needed to fully secure local election IT systems. He also has criticized recent joint advisories from CISA and the FBI on DDoS attacks targeting the presidential campaign, saying they provide little actionable guidance for CISOs and CIOs. So, experts are advising that election and campaign officials have to spend these next few weeks focusing on strengthening coordination with federal and state agencies as much as possible and implementing comprehensive training programs to kind of tackle these threats. As the campaign season intensifies, so does the threat landscape as we talked about a bit, and without adequate resources and funding, experts are sounding the alarm right now that election systems could be left vulnerable. And, with emerging tech such as AI adding to new challenges such as ongoing generated disinformation campaigns, safeguarding the integrity of the elections has never been more urgent.
Delaney: But Chris, hasn't the government always struggled with resource constraints for election security? And I guess what's different about this situation, and given past experience, shouldn't they be more adept at managing these challenges?
Riotta: Yes, you are absolutely right. And what we hear during the election season is using the entire network for election operations. It is so complicated and diverse. It goes across the entire country. A lot of folks say that on the election day, it is 1000 mini-elections across the country, and there's been little federal support. It's something that we've seen increased surely every four years. Now, CISA has kind of become the flagship federal cyber authority for ensuring the elections. What I would say, which is slightly different, is that recently, the federal government allocated election infrastructure or determined that election infrastructure is critical infrastructure. So, it's now one of these critical infrastructure sectors that should receive additional federal support during heightened emergencies or situations that warrant it. The question remains whether the federal government will put its money where its mouth is.
Delaney: Busy couple of months ahead for you. Make sure you get your downtime. Thanks Chris. That's great. And finally, and just for fun, cybersecurity can be like a dance - complex and always in motion. If you had to compare it to a style of dance, what would it be and why? Show me your moves. Who's going to start?
Schwartz: I will go first or you could go first.
Riotta: I don't have a good one here. I was going to say robot - that felt derivative. But, then I was thinking ballet, because you don't often hear about the cyberthreats or cyberattacks that are prevented. Ballet is a very strenuous, very taxing and exhausting dance, but when done correctly, looks beautiful and graceful, and no one knows about the bruises. Technique is everything, and I guess you could merge them. Beautiful robotic ballet.
Delaney: Robotic ballet. Great!
Schwartz: So, this was a tough one for me, but I was thinking, maybe partially inspired by CrowdStrike flash mobs, these things that happen without warning and in a totally random way. Are they doing Taylor Swift karaoke in the middle of Trafalgar Square? Anything's possible, right? And it feels like with some of the stuff we've had lately on a cybersecurity front, who knows what's going to happen next.
Delaney: I love that. That's great. Michael?
Novinson: Oh man, I'm going to say tango, mostly thinking of like the two steps, like one step forward, one step back. And that certainly feels like how it is here. People make so many investments, put so much money into advancing protection, feel like they're doing a good job, and then there's a new issue or a new vulnerability that's exploited. So, it is constantly stepping forward and a step back.
Delaney: Yeah, control and fluidity as a very good tango. I am going to go for break dancing, or is it called breaking down, breaking fast, dynamic, sharp moves. You need a strong foundation. Perhaps comes with a headache or neck ache in the process. But great! I'm impressed by those choices. I thought it was all going to be ballroom dancing, but no, you're surprising me. Thanks so much everybody. Great commentary as always, and very informative and fun.
Novinson: Thanks Anna.
Delaney: Thank you so much for watching. Until next time.