In a time when cyber incidents are rapidly becoming a bigger threat, robust incident investigation and root cause analysis (RCA) processes are essential to prevent them and eliminate repeat occurrences. Recent IT outages highlight the need for effective tools like COMET’s Investigation and RCA module to address such challenges.

Understanding Cyber Incidents

Cyber incidents can take many forms, including:

  • Malware Attacks: Disruptive or damaging malicious software.
  • Phishing: Deceptive attempts to obtain sensitive information.
  • Ransomware: Malware encrypting data for ransom.
  • Denial of Service (DoS): Overwhelming systems to make them unavailable.
  • Data Breaches: Unauthorised access to confidential information.

COMET's Approach to Incident Investigation and RCA

Structured Investigations

COMET’s coded Root Cause Taxonomy and Root Maps dissect incidents across key categories:

  • Communication: Breakdown or failure in information flow.
  • Operating Environment: External contributing factors.
  • Management: Decision-making processes and policies.
  • Equipment: Hardware and software performance.
  • Training: Effectiveness of cybersecurity training programs.

Human Factors Analysis

Understanding human error is crucial. COMET is the first commercially available investigation and RCA software to integrate Human Factors analysis. This enables users to better understand individual, job, and organisational performance influencing factors.

Data-Driven Insights

Advanced data analytics within COMET enable users to identify patterns and trends, providing actionable insights. This data-driven approach allows organisations to implement targeted measures to prevent recurrence.

Ongoing Incident Challenges

Determining the cause of ongoing incidents, like the recent global IT outages, is challenging. The worldwide impact on operations, including airports, businesses, and broadcasters, underscores the importance of a thorough investigation. As CrowdStrike works to resolve the issue, COMET’s tools can offer valuable insights into preventing future disruptions.

Insights on the CrowdStrike Incident

The recent CrowdStrike incident highlights the importance of protecting our modern digital infrastructure. It has been reported that a "defect" in a "content update" for Windows devices led to widespread disruptions. Although the issue did not affect other operating systems like Mac and Linux, the global impact was significant, affecting airports, businesses, and broadcasters. The incident caused a notable plunge in CrowdStrike's shares, highlighting the financial and operational risks of high-level privileges in cloud security companies. This situation is a reminder of the critical need for resilient and thoroughly tested updates.

What is CrowdStrike?

CrowdStrike is a global cybersecurity firm based in Austin, Texas. Founded 13 years ago, it has grown to employ nearly 8,500 people. CrowdStrike specialises in preventing and responding to cyber-attacks and has been involved in several high-profile investigations. However, a recent flawed software update caused significant disruptions, highlighting the risks of centralised cybersecurity solutions.

Who is Affected?

The problem emerged gradually, with initial reports from Australia affecting payment systems at stores like Woolworths and financial institutions such as the National Australia Bank. The issues then spread to the US, impacting emergency services in Alaska and causing flight cancellations by United, Delta, and American Airlines. Other affected areas included:

  • Airlines and Airports: Virgin Australia and Jetstar, along with Tokyo-Narita and Delhi airports, reported disruptions.
  • European Airports: Delays at London’s Stansted and Gatwick, and Amsterdam’s Schiphol.
  • Broadcasters: Sky News in the UK went off air.
  • Other Sectors: Issues reported by the London Stock Exchange, Israeli hospitals, Poland’s Baltic Hub, UK railway companies, and UK bakery chain Gail's.

Lessons from Major IT Failures

This incident is the most significant IT problem since the WannaCry cyber-attack in 2017, which affected 300,000 computers in 150 countries. It exposed the vulnerabilities in our interconnected digital infrastructure. The CrowdStrike issue, resulting in a massive drop in its market value, shows the risks associated with high-level privileges in cloud security companies. A defect in a content update can bring down the very systems they are meant to protect.

Preventing Repeat Cyber Incidents

Adopting COMET’s Incident Investigation and RCA module helps organisations understand cyber incidents and implement effective preventive measures. This proactive stance is key to enhancing cybersecurity resilience.

Conclusion

In a world where cyber threats are constantly evolving and becoming more sophisticated, thoroughly investigating and understanding the root causes of incidents is invaluable. COMET’s Investigation and RCA module empowers organisations to prevent recurring cyber incidents, ensuring a safer digital environment.

For more information on how COMET can help your organisation, visit COMET's Investigation and RCA module page.
