[hello_moto]

To catch 0day quickly, EDR needs to know "how".

The "how" here is AV definition or a way to identify the attack. In CS-speak: content.

Catching 0day quickly results in good reputation that your EDR works well.

If people turn off their AV definition auto-update, they are at-risk. Why use EDR if folks don't want to stop attack quickly?

[LtWorf]

In theory you're correct. In practice it seems that crowdstrike has crashed systems with their updates much more often than 0day attacks.

[hello_moto]

How many times?

This is one bsod on windows 10. I saw another kernel panic on specific Linux distro.

What else?

One thing that is funny is that quite a few of their competitors are taking this opportunity to shit on them via Twitter and by marketing themselves as better than CrowdStrike.

Twitter, with all its issues, apparently has a feature to prevent fake news and that feature will show crowd source sentiment to debunk fake news, in this case, Twitter users showed how many times Crowdstrike competitor BSOD windows

[phs318u]

Bottom line is this: there is absolutely no good reason for not doing rolling updates. Do a few and make sure they are ok. Keep rolling out in groups. This single approach alone would've meant that this event was of marginal impact to most of the public, as sysadmins would've had the opportunity to halt further updates and work on remediating their first group (typically non-critical servers). Rolling out to everything all at once is just bad practice, period.

[hello_moto]

Put yourself in the customer shoes: who wants to sign up to be rolled first?

There's best practice and then there's customer

[RoyalHenOil]

Give those customers a discount.

The solution to customer reluctance to being the guinea pig is not to force every customer to be a guinea pig.

[LtWorf]

> This is one bsod on windows 10. I saw another kernel panic on specific Linux distro.

The red hat one. But they also did it to debian with a different issue, and I think another distro as well.