The CrowdStrike Outage: What Nozomi Customers Need to Know

What Happened?

Early on Friday, July 19, the endpoint security company CrowdStrike pushed an update to its customers that resulted in a massive IT outage around the world. After the update was pushed, mission-critical devices running Microsoft Windows became unavailable. CrowdStrike has released a fix, which requires manual intervention for each endpoint.

Nozomi Platform and Operations Are Not Impacted

The availability of the Nozomi platform was not affected by this event. Nozomi’s internal operations, including customer success, technical support, and professional services, have also been unaffected by this event.

If you currently use Nozomi Arc, our endpoint security sensor, rest assured that our engineering team built this product with the appropriate precautions to protect the safety and availability of your OT endpoints. Arc does not operate at the kernel level of the host operating system, will never reboot your machines, and is very light on system resources.

How Nozomi Networks Can Support Affected Customers

The Nozomi platform can help customers identify potentially impacted Windows-based engineering workstations, HMIs and other Windows systems in OT and IoT environments that it monitors. Both our on-premises and cloud-based management platforms can generate a list of affected assets using the queries provided below. Users can query assets by site, zones, and tags to help prioritize remediations for inoperable machines.

If your organization uses the Nozomi Vantage cloud-based management platform, you can run this query to identify impacted assets:

assets
| where os include? "Windows" OR os include? "Windows 11"
| where last_activity_time != "0"
| where hours_ago(last_activity_time) > 1
| sort last_activity_time asc

Nozomi customers can query to quickly identify impacted assets.

Customers using Vantage IQ Assistant can submit the following natural language query:

"Can you please tell me what Windows 10 and Windows 11 assets have not been seen on the network for longer than X hours"

Customers using our on-premises solutions can run the following query in either CMC or Guardian:

assets | where os include? Windows | where last_activity_time != 0 | where hours_ago(last_activity_time) > 1 | sort last_activity_time asc

These queries list all Windows assets whose Last Activity Time is more than 1 hour ago. The 1-hour threshold may need to be adjusted depending on how quickly devices are being brought back online.
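For teams that prefer to triage from an exported asset list rather than inside the console, the following added example (not Nozomi's own code) applies the same filter offline: Windows OS, a non-zero last activity time, silent for more than a configurable number of hours, oldest activity first. It assumes an export with `name`, `os`, `zone` and `last_activity_time` fields, and that a numeric `last_activity_time` is Unix epoch milliseconds; the sample records are constructed.

```python
from datetime import datetime, timezone

# Constructed sample asset export (illustrative only, not real Nozomi data).
# last_activity_time is "0" for assets the platform has never seen active.
SAMPLE_ASSETS = [
    {"name": "hmi-01", "os": "Windows 10", "zone": "Line A", "last_activity_time": "2024-07-19T04:05:00Z"},
    {"name": "ews-02", "os": "Windows 11", "zone": "Line A", "last_activity_time": "2024-07-19T11:30:00Z"},
    {"name": "plc-03", "os": "VxWorks", "zone": "Line B", "last_activity_time": "2024-07-19T02:00:00Z"},
    {"name": "srv-04", "os": "Windows Server 2019", "zone": "DMZ", "last_activity_time": "0"},
    {"name": "hmi-05", "os": "Windows 7", "zone": "Line B", "last_activity_time": "2024-07-18T22:00:00Z"},
]

# Fixed reference time so the sample gives reproducible results.
FROZEN_NOW = datetime(2024, 7, 19, 12, 0, tzinfo=timezone.utc)


def parse_activity_time(value):
    """Return an aware UTC datetime, or None for '0' / empty (never seen).

    ISO-8601 strings are accepted; a purely numeric value is treated as Unix
    epoch milliseconds (an assumption about the export format, not documented here).
    """
    text = str(value).strip()
    if text in ("", "0", "None"):
        return None
    if text.isdigit():
        return datetime.fromtimestamp(int(text) / 1000, tz=timezone.utc)
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def hours_ago(ts, now):
    """Hours elapsed between ts and now (mirrors hours_ago() in the queries above)."""
    return (now - ts).total_seconds() / 3600.0


def find_stale_windows_assets(assets, hours=1, now=None):
    """Offline equivalent of the query: Windows assets silent for more than `hours`.

    Returns (name, os, zone, hours_silent) tuples, longest-silent first, which
    is the same order as "sort last_activity_time asc".
    """
    now = now or datetime.now(timezone.utc)
    results = []
    for asset in assets:
        if "windows" not in str(asset.get("os", "")).lower():   # os include? "Windows"
            continue
        ts = parse_activity_time(asset.get("last_activity_time"))
        if ts is None:                                           # last_activity_time != 0
            continue
        silent = hours_ago(ts, now)
        if silent > hours:                                       # hours_ago(...) > 1
            results.append((asset["name"], asset["os"], asset.get("zone", ""), round(silent, 1)))
    return sorted(results, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    for row in find_stale_windows_assets(SAMPLE_ASSETS, hours=1, now=FROZEN_NOW):
        print(row)
```

Raise the `hours` argument as machines come back online, exactly as the page advises for the console query.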

If you have questions or need support from our team during this time, please reach out to your Customer Success Manager or log in to the Support portal here.