During the CrowdStrike/Windows outage, removing EDR was the wrong ask. Memory-safe languages and better release process were the right ones.
Good luck to every IT and security person grinding through the CrowdStrike / Windows outage. And to every CISO about to get flooded with "just remove the EDR" emails.
That ask is the wrong lesson. An endpoint agent failing hard is painful. Running without detection because one vendor had a bad day is how the next ransomware week starts.
Outage pain is not a reason to strip EDR.
What to push for instead:
Keep EDR. Fix the blast radius (staged rollout, canaries, kill switches, offline recovery) rather than deleting the sensor.
Prefer memory-safe languages for code that sits in the kernel or next to it. Ralph Hittell put it plainly after the incident: sensitive path code that is not memory-safe is an operational risk as well as a security one. A global blue-screen wave is the proof.
Treat sensor updates like flight software. Better testing, slower rings, clearer rollback. Feature bundling that blocks security patches is a separate failure mode - I wrote about that in Let security updates flow.
Outages teach you about recovery design. They should not teach you to fly blind.