It’s been nearly two months since a CrowdStrike outage caused Microsoft Windows machines around the world to crash.
CrowdStrike itself has investigated why the incident occurred, and Microsoft released its own analysis shortly after. While most in the industry agree that the CrowdStrike outage was not Microsoft’s fault, it has led some to question whether the company should have allowed security products to have kernel-level access.
>>>>>>>>>>Microsoft Surface Laptop Studio 1964 – Battery G3HTA071H 4948mAh
That was one of the topics discussed at the Windows Endpoint Security Ecosystem Summit on 10 September between Microsoft, government officials and cybersecurity companies. Kernel-level access allows security products to work at the deepest level, thereby increasing their effectiveness. However, Apple doesn’t provide this level of access because it says it could also be a security risk.
Kernel-level access allows security products to work at the deepest level, increasing their efficacy. Yet Apple does not offer this level of access, because it says this can also be a security risk.
>>>>>>>>>>Microsoft Surface Pro X 13″ Tablet – Battery G3HTA056H 5039mAh
In Microsoft’s case, the thinking is that reducing access to the kernel would mean an update to a security product such as CrowdStrike would not cause the whole Windows system to crash. The meeting comprised Microsoft, government officials and Microsoft Virus Initiative partners — companies that develop endpoint protection and additional security products for Windows.
The group discussed safe deployment practices at Microsoft and shared best practices as a community, including sharing data, tools and documented processes. “We face a common set of challenges in safely rolling out updates to the large Windows ecosystem, from deciding how to do measured rollouts with a diverse set of endpoints to being able to pause or rollback if needed,” Weston said.
A core SDP principle is “gradual and staged deployment of updates sent to customers.”This is something CrowdStrike did not do with its Rapid Response content before the July incident, but staged deployment for all updates are now in place.
Outside Of Kernel Mode
The conversation also explored new platform capabilities Microsoft plans to make available in Windows. For example, Windows 11’s “improved security posture and security defaults enable the platform to provide more security capabilities to solution providers outside of kernel mode.”
Microsoft said customers and ecosystem partners think it’s a good idea to provide additional security capabilities outside of kernel mode “which, along with SDP, can be used to create highly-available security solutions.”As a next step, Microsoft will continue to design and develop this new platform capability with input and collaboration from ecosystem partners to “achieve the goal of enhanced reliability without sacrificing security,” Weston said.Weston also highlighted the importance of having business continuity planning and a major incident response plan in place and “backing up data securely and often.”
Security Experts Respond
Security vendors are supportive of the Microsoft-led plans. For example, ESET said it “supports modifications to the Windows ecosystem that demonstrate measurable improvements to stability, on condition that any change must not weaken security, affect performance, or limit the choice of cybersecurity solutions.”
However, the firm said it “remains imperative that kernel access remains an option for use by cybersecurity products to allow continued innovation and the ability to detect and block future cyberthreats.”Sean Wright, head of application security at Featurespace, “applauds Microsoft for holding this event and coming up with ideas,” but says he thinks “accountability sits with vendors.” ‘After all, it’s their update – they need to take responsibility,’ he said. He stressed the importance of ‘proper testing’ and a ‘more phased rollout’ – two things that were found lacking in CrowdStrike’s botched July update. Wright said kernel access is important for these products to work properly and be fully functional. He noted that ‘a very similar problem happened with CrowdStrike on Linux a few months ago.’ It’s worth noting, Wright said, that multiple vendors have had this access for years with only one major incident. ‘So, yes, the CrowdStrike issue is serious, but it’s extremely rare. I think it’s important to keep that in mind.’
>>>>>>>>>>Microsoft Surface Pro 8 1982 1983 – Battery 96BTA016H 4414mAh
