Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Preventing CrowdStrike disaster in Cortex XDR Pro

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Preventing CrowdStrike disaster in Cortex XDR Pro

L4 Transporter

Hello dear community!

 

what could we or PA setup in PA Cortex XDR to prevent us from such a disaster which happened to CrowdStrike?

 

Are there any settings or recommendations which can be shared? 

 

BR

 

Rob

4 REPLIES 4

L3 Networker

Hi @RFeyertag ,

What I recommend, and what I have implemented in my XDR, is the agents only perform auto-updates after 7 days (on settings you can see agent upgrade).
If there is an urgent update, I go to the tenant and force all devices to upgrade.

This way, the risk of problematic software is reduced.

Best regards
Tiago Marques

L2 Linker

@tlmarques In a case like CrowdStrike's last week, this approach doesn't solve the issue. The faulty update was caused by a content update and not an agent update. However, you thankfully have the option with Cortex XDR to delay content updates through agent settings profile: Add a New Agent Settings Profile • Cortex XDR Prevent Administrator Guide • Reader • Palo Alto Netwo...

 

We deploy content updates on 10% of the endpoints immediately and delay the remaining 90% for 2 days to make sure our business is not paralyzed by a faulty update.

L3 Networker

 

Hi @Rocky-25 , thanks for correction.
I've say agent only, but our rule is apply for both options (agent and content).

Best regards
Tiago Marques

L0 Member

To prevent issues similar to CrowdStrike, we can utilize the delay auto updates configuration mechanism available on the PANW Cortex XDR platform console:

 

  1. using agent One release before the latest one. This method ensures that the auto upgrade of the PANW Cortex XDR agent version will be done to one version before the last available version (General Availability), where at least the PANW Cortex XDR agent version that will be used for auto upgrade deployment has been released about 3 months earlier. So this configuration is sufficient to prevent similar issues if the cause is due to the PANW Cortex XDR agent version upgrade.
  2. By default, the PANW Cortex XDR agent version auto upgrade will be done per phase rollout (not a big bang to all PANW Cortex XDR agents on laptops and PCs) where by default only up to 500 PANW Cortex XDR agent versions will be auto upgraded per phase each week according to the number entered into the Amount Of Parallel Upgrades configuration. In addition, the auto upgrade process can also be selected for a specific day and specific time range that can be selected by the customer. Suggested that the auto upgrade can be selected on a specific day and time range where it can standby at that time if there are problems caused by the PANW Cortex XDR agent version upgrade.
  3. By default, the content update configuration is Auto Update and Immediate. To increase the prevention of similar problems if the cause is due to the content update version, you can add a delayed configuration where the number of days of delay can be adjusted as needed. Not recommend that the content update version be delayed for a long time (for example more than 5 days), so that the PANW Cortex XDR agent version can get the new protection coverage available in the new content update version.
  • 1265 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!