<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Preventing CrowdStrike disaster in Cortex XDR Pro in Cortex XDR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/preventing-crowdstrike-disaster-in-cortex-xdr-pro/m-p/595328#M7093</link>
    <description>&lt;P&gt;To prevent issues similar to CrowdStrike, we can utilize the delay auto updates configuration mechanism available on the PANW Cortex XDR platform console:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Using agent One release before the latest one. This method ensures that the auto upgrade of the PANW Cortex XDR agent version will be done to one version before the last available version (General Availability), where at least the PANW Cortex XDR agent version that will be used for auto upgrade deployment has been released about 3 months earlier. So this configuration is sufficient to prevent similar issues if the cause is due to the PANW Cortex XDR agent version upgrade.&lt;/LI&gt;
&lt;LI&gt;By default, the PANW Cortex XDR agent version auto upgrade will be done per phase rollout (not a big bang to all PANW Cortex XDR agents on laptops and PCs) where by default only up to 500 PANW Cortex XDR agent versions will be auto upgraded per phase each week according to the number entered into the Amount Of Parallel Upgrades configuration. In addition, the auto upgrade process can also be selected for a specific day and specific time range that can be selected by the customer. It is suggested that the auto upgrade be selected on a specific day and time range where it can stand by at that time if there are problems caused by the PANW Cortex XDR agent version upgrade.&lt;/LI&gt;
&lt;LI&gt;By default, the content update configuration is Auto Update and Immediate. To increase the prevention of similar problems if the cause is due to the content update version, you can add a delayed configuration where the number of days of delay can be adjusted as needed. It is not recommended that the content update version be delayed for a long time (for example more than 5 days), so that the PANW Cortex XDR agent version can get the new protection coverage available in the new content update version.&lt;/LI&gt;
&lt;/OL&gt;</description>
    <pubDate>Tue, 20 Aug 2024 07:26:57 GMT</pubDate>
    <dc:creator>Bisma_Verdya</dc:creator>
    <dc:date>2024-08-20T07:26:57Z</dc:date>
    <item>
      <title>Preventing CrowdStrike disaster in Cortex XDR Pro</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/preventing-crowdstrike-disaster-in-cortex-xdr-pro/m-p/592570#M6958</link>
      <description>&lt;P&gt;Hello dear community!&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;What could we or PA set up in PA Cortex XDR to prevent us from such a disaster which happened to CrowdStrike?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Are there any settings or recommendations which can be shared?&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;BR&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Rob&lt;/P&gt;</description>
      <pubDate>Fri, 19 Jul 2024 16:47:06 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/preventing-crowdstrike-disaster-in-cortex-xdr-pro/m-p/592570#M6958</guid>
      <dc:creator>RFeyertag</dc:creator>
      <dc:date>2024-07-19T16:47:06Z</dc:date>
    </item>
    <item>
      <title>Re: Preventing CrowdStrike disaster in Cortex XDR Pro</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/preventing-crowdstrike-disaster-in-cortex-xdr-pro/m-p/592615#M6964</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/190671"&gt;@RFeyertag&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;
&lt;P&gt;What I recommend, and what I have implemented in my XDR, is the agents only perform auto-updates after 7 days (on settings you can see agent upgrade). &lt;BR /&gt;If there is an urgent update, I go to the tenant and force all devices to upgrade.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;This way, the risk of problematic software is reduced.&lt;/P&gt;</description>
      <pubDate>Mon, 22 Jul 2024 09:05:57 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/preventing-crowdstrike-disaster-in-cortex-xdr-pro/m-p/592615#M6964</guid>
      <dc:creator>tlmarques</dc:creator>
      <dc:date>2024-07-22T09:05:57Z</dc:date>
    </item>
    <item>
      <title>Re: Preventing CrowdStrike disaster in Cortex XDR Pro</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/preventing-crowdstrike-disaster-in-cortex-xdr-pro/m-p/592621#M6965</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/307134"&gt;@tlmarques&lt;/a&gt;&amp;nbsp;In a case like CrowdStrike's last week, this approach doesn't solve the issue. The faulty update was caused by a content update and not an agent update.&amp;nbsp;However, you thankfully have the option with Cortex XDR to delay content updates through agent settings profile:&amp;nbsp;&lt;A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Add-a-New-Agent-Settings-Profile" target="_blank" rel="noopener"&gt;Add a New Agent Settings Profile • Cortex XDR Prevent Administrator Guide • Reader • Palo Alto Networks documentation portal&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;We deploy content updates on 10% of the endpoints immediately and delay the remaining 90% for 2 days to make sure our business is not paralyzed by a faulty update.&lt;/P&gt;</description>
      <pubDate>Mon, 22 Jul 2024 09:44:58 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/preventing-crowdstrike-disaster-in-cortex-xdr-pro/m-p/592621#M6965</guid>
      <dc:creator>Rocky-25</dc:creator>
      <dc:date>2024-07-22T09:44:58Z</dc:date>
    </item>
    <item>
      <title>Re: Preventing CrowdStrike disaster in Cortex XDR Pro</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/preventing-crowdstrike-disaster-in-cortex-xdr-pro/m-p/592624#M6967</link>
      <description>&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/282330491"&gt;@Rocky-25&lt;/a&gt;&amp;nbsp;, thanks&amp;nbsp;for the correction.&lt;BR /&gt;I said agent only, but our rule applies to both options (agent and content).&lt;/P&gt;</description>
      <pubDate>Mon, 22 Jul 2024 10:06:24 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/preventing-crowdstrike-disaster-in-cortex-xdr-pro/m-p/592624#M6967</guid>
      <dc:creator>tlmarques</dc:creator>
      <dc:date>2024-07-22T10:06:24Z</dc:date>
    </item>
    <item>
      <title>Re: Preventing CrowdStrike disaster in Cortex XDR Pro</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/preventing-crowdstrike-disaster-in-cortex-xdr-pro/m-p/595328#M7093</link>
      <description>&lt;P&gt;To prevent issues similar to CrowdStrike, we can utilize the delay auto updates configuration mechanism available on the PANW Cortex XDR platform console:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Using agent One release before the latest one. This method ensures that the auto upgrade of the PANW Cortex XDR agent version will be done to one version before the last available version (General Availability), where at least the PANW Cortex XDR agent version that will be used for auto upgrade deployment has been released about 3 months earlier. So this configuration is sufficient to prevent similar issues if the cause is due to the PANW Cortex XDR agent version upgrade.&lt;/LI&gt;
&lt;LI&gt;By default, the PANW Cortex XDR agent version auto upgrade will be done per phase rollout (not a big bang to all PANW Cortex XDR agents on laptops and PCs) where by default only up to 500 PANW Cortex XDR agent versions will be auto upgraded per phase each week according to the number entered into the Amount Of Parallel Upgrades configuration. In addition, the auto upgrade process can also be selected for a specific day and specific time range that can be selected by the customer. It is suggested that the auto upgrade be selected on a specific day and time range where it can stand by at that time if there are problems caused by the PANW Cortex XDR agent version upgrade.&lt;/LI&gt;
&lt;LI&gt;By default, the content update configuration is Auto Update and Immediate. To increase the prevention of similar problems if the cause is due to the content update version, you can add a delayed configuration where the number of days of delay can be adjusted as needed. It is not recommended that the content update version be delayed for a long time (for example more than 5 days), so that the PANW Cortex XDR agent version can get the new protection coverage available in the new content update version.&lt;/LI&gt;
&lt;/OL&gt;</description>
      <pubDate>Tue, 20 Aug 2024 07:26:57 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/preventing-crowdstrike-disaster-in-cortex-xdr-pro/m-p/595328#M7093</guid>
      <dc:creator>Bisma_Verdya</dc:creator>
      <dc:date>2024-08-20T07:26:57Z</dc:date>
    </item>
  </channel>
</rss>

