This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Preventing CrowdStrike disaster in Cortex XDR Pro

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Preventing CrowdStrike disaster in Cortex XDR Pro

RFeyertag
L4 Transporter

‎07-19-2024 09:47 AM

Hello dear community!

 

what could we or PA setup in PA Cortex XDR to prevent us from such a disaster which happened to CrowdStrike?

 

Are there any settings or recommendations which can be shared? 

 

BR

 

Rob

0 Likes Likes
4 REPLIES 4

tlmarques
L3 Networker

‎07-22-2024 02:05 AM

Hi @RFeyertag ,

What I recommend, and what I have implemented in my XDR, is the agents only perform auto-updates after 7 days (on settings you can see agent upgrade).
If there is an urgent update, I go to the tenant and force all devices to upgrade.

This way, the risk of problematic software is reduced.

Best regards
Tiago Marques
0 Likes Likes

Rocky-25
L1 Bithead

‎07-22-2024 02:43 AM - edited ‎07-22-2024 02:44 AM

@tlmarques In a case like CrowdStrike's last week, this approach doesn't solve the issue. The faulty update was caused by a content update and not an agent update. However, you thankfully have the option with Cortex XDR to delay content updates through agent settings profile: Add a New Agent Settings Profile • Cortex XDR Prevent Administrator Guide • Reader • Palo Alto Netwo...

 

We deploy content updates on 10% of the endpoints immediately and delay the remaining 90% for 2 days to make sure our business is not paralyzed by a faulty update.

tlmarques
L3 Networker

‎07-22-2024 03:06 AM

 

Hi @Rocky-25 , thanks for correction.
I've say agent only, but our rule is apply for both options (agent and content).

Best regards
Tiago Marques

Adhika
L0 Member

‎08-20-2024 12:26 AM

To prevent issues similar to CrowdStrike, we can utilize the delay auto updates configuration mechanism available on the PANW Cortex XDR platform console:

 

  1. using agent One release before the latest one. This method ensures that the auto upgrade of the PANW Cortex XDR agent version will be done to one version before the last available version (General Availability), where at least the PANW Cortex XDR agent version that will be used for auto upgrade deployment has been released about 3 months earlier. So this configuration is sufficient to prevent similar issues if the cause is due to the PANW Cortex XDR agent version upgrade.
  2. By default, the PANW Cortex XDR agent version auto upgrade will be done per phase rollout (not a big bang to all PANW Cortex XDR agents on laptops and PCs) where by default only up to 500 PANW Cortex XDR agent versions will be auto upgraded per phase each week according to the number entered into the Amount Of Parallel Upgrades configuration. In addition, the auto upgrade process can also be selected for a specific day and specific time range that can be selected by the customer. Suggested that the auto upgrade can be selected on a specific day and time range where it can standby at that time if there are problems caused by the PANW Cortex XDR agent version upgrade.
  3. By default, the content update configuration is Auto Update and Immediate. To increase the prevention of similar problems if the cause is due to the content update version, you can add a delayed configuration where the number of days of delay can be adjusted as needed. Not recommend that the content update version be delayed for a long time (for example more than 5 days), so that the PANW Cortex XDR agent version can get the new protection coverage available in the new content update version.
0 Likes Likes
  • 694 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks