Last week, a routine update from cybersecurity firm CrowdStrike turned into a global IT nightmare, erasing over $25B of market capitalization and sending CRWD 0.00%↑ down almost 30%. The damages to CrowdStrike customers are in the billions of dollars already, with a potential for litigation to follow.

CrowdStrike BYOD, Via Getty Images

A faulty configuration file in CrowdStrike's Falcon platform, used for threat detection and security management, caused Windows machines to crash, rendering them unable to boot up. This issue affected thousands of businesses, from airlines to banks, bringing operations to a standstill. As the technical teams scramble to fix each affected device manually, the aftermath continues to ripple through critical sectors worldwide. The incident underscores the immense responsibility and potential risk that comes with having deep access to system kernels.

The faulty update led to widespread crashes of Windows machines, causing a “Blue Screen of Death” and leaving systems inoperable. While larger IT teams may resolve the issue within days, smaller businesses could face weeks of disruption as they manually repair each affected device.

What specifically happened with the outage?

The CrowdStrike outage was triggered by a defective update to their Falcon platform, specifically targeting Windows systems. The issue did not affect Mac or Linux systems and was not the result of a cyberattack. Although CrowdStrike quickly identified the problem and issued a fix, the nature of the error meant that each affected machine requires manual intervention to restore functionality. This fix requiring manual intervention massively prolongs the recovery process, especially for smaller businesses with limited IT resources.

The update included a configuration file designed to enhance security features, but it contained a critical error. When the faulty update was deployed, it caused Windows machines to crash and enter a continuous reboot cycle, rendering them unusable. Microsoft estimates 8.5M devices globally were affected, in industries from airlines to financial services firms.

At approximately 1% of the total Windows install base, the number of devices affected by the CrowdStrike outage is relatively low. However, the damage is significant because these devices are critical systems where security is a top priority. CrowdStrike is widely used by over 70% of F2000s, including banks, airlines, and hospitals, meaning that the systems impacted are essential for daily operations and require the highest level of security. The outage thus has a disproportionate impact, causing major disruptions in sectors where reliability and protection are paramount.

Why was Windows affected: To lock kernel or to open kernel?

The outage specifically affected Windows systems because the faulty update targeted vulnerabilities unique to the Windows operating system. CrowdStrike's Falcon platform operates with deep access to the Windows kernel, meaning any errors in its updates can directly impact the core functionality of the OS. Unlike macOS and Linux, which restrict third-party software from accessing the kernel, Windows allows such access, making it more susceptible to this type of critical failure.

image illustrating the differing approaches to cybersecurity by Apple and Microsoft. The left side represents Apple's secure, locked kernel approach, while the right side depicts Microsoft's more open kernel strategy, highlighting the interaction with third-party security software and potential vulnerabilities.

Kernel access is a significant topic of debate in the security community because it offers both enhanced security capabilities and increased risk. From Microsoft's perspective, allowing third-party software like CrowdStrike deep access to the kernel can improve threat detection and system protection, but it also exposes the system to potential critical failures, as seen in this outage. Conversely, Apple's approach of restricting kernel access reduces the risk of such catastrophic errors but can limit the effectiveness of third-party security solutions.

What does CrowdStrike do?

CrowdStrike is a leading cybersecurity company specializing in cloud-based endpoint protection, threat intelligence, and incident response. Their Falcon platform uses AI to detect and prevent cyber threats in real time, with deep access to system kernels for comprehensive protection. As the third-largest cybersecurity vendor, following Palo Alto Networks and Microsoft, CrowdStrike is widely used by thousands of customers including 70% of F2000s. Crowdstrike was the fastest growing pureplay cybersecurity vendor in 2023, now approaching $4B of ARR and growing 33% year-over-year.

The cloud-based nature of Falcon allows for rapid deployment of updates, which historically has been a product advantage but now is how the recent faulty update was distributed. George Kurtz, the founder and CEO of CrowdStrike, has held numerous press conferences to address the recent outage and reassure customers. Despite his efforts, many clients, shaken by the incident, are contemplating leaving CrowdStrike for alternative security solutions.

Why is fixing the outage taking so long?

Fixing the outage is taking so long because each of the 8.5 million affected devices requires manual intervention to restore functionality. The faulty update caused systems to crash and enter an endless reboot loop, necessitating a complex and time-consuming process of rebooting in a special mode and manually removing the defective file. The critical nature of many impacted systems further complicates the recovery efforts.

Potential beneficiaries?

In the wake of the CrowdStrike outage, several cybersecurity companies with overlapping product offerings are poised to benefit after years of fierce competition with industry-leader CrowdStrike. SentinelOne, for example, has seen its stock rise 23% in the past month and over 10% in the past few days alone, as customers seek alternative solutions. Endpoint vendors like Palo Alto Networks and Fortinet offer robust endpoint and network security solutions that rival CrowdStrike's capabilities, though aren’t necessarily on par in cloud. Zscaler, known for its zero-trust architecture, and Wiz, a rising cloud security startup that is pending acquisition by Google for $23B, are also likely beneficiaries. It appears buyers are already looking for alternatives, with Google Trends spiking after the incident.

The Crowdstrike incident has highlighted the vulnerability of cybersecurity companies, making the market acutely aware of their susceptibility to breaches. In an industry built on trust, any erosion of that trust can have existential consequences.