After the initial incident response writeup, CrowdStrike recently posted this more in depth Root Cause Analysis (RCA).
The link leads to an overview and the actual RCA is written as a 12 pages PDF.
In my opinion, this RCA is crafted more for PR instead of clearly stating the issue. Which is kinda expected as don't think there's a good reason a fallout this big can happen this way.
Firstly, the reports hide the very obvious mitigation of Template Instances should have staged deployment to be the last one when it should have been the first. It also gives the feeling of purposely putting a lot of domain specific details to numb reader out before getting to that final mitigation points 🔴
CrowdStrike also skimmed over another important detail which is its kernel code. This statement is repeated in previous report and this RCA Rapid Response Content is configuration data; it is not code or a kernel driver , but the fact that the data is used by kernel code and in fact did cause issue means that it should be treated similarly. The mitigation here should be to review the whole architecture and make sure the absolute minimal code are running in kernel mode. Guess that is gloss over cause it will be costly or shine them in a bad light 🤷
Top comments (0)