It's been nearly two months since the CrowdStrike outage caused Microsoft Windows machines across the globe to crash.
CrowdStrike itself has already published its examination of why the incident happened, and Microsoft followed with its own analysis soon afterwards. While most in the industry accept that the CrowdStrike outage was not Microsoft's fault, it has led some to question whether the firm should allow security products to have kernel-level access at all.
This was one of the topics discussed at the Windows Endpoint Security Ecosystem Summit, a meeting between Microsoft, government officials and cybersecurity companies on Sept. 10.
Kernel-level access lets security products observe and block activity at the deepest level of the operating system, increasing their efficacy. Yet Apple does not offer this level of access on macOS (third-party kernel extensions have been deprecated in favor of user-space system extensions), because it says such access is itself a security and stability risk.
In Microsoft's case, the thinking is that moving security functionality out of the kernel would contain the blast radius of a bad update: a fault in a user-mode component can crash only that process, whereas a fault in a kernel-mode driver can crash the whole Windows system, which is what happened in July.
The meeting comprised Microsoft, government officials and Microsoft Virus Initiative partners, the companies that develop endpoint protection and additional security products for Windows.
Enhancing Resiliency
The meeting seems to have gone smoothly. Everyone agreed there's a need to enhance resiliency by openly sharing information about how products function, handle updates and manage disruptions, David Weston, vice president of enterprise and OS security at Microsoft, reported in a blog post.
The group discussed safe deployment practices (SDP) at Microsoft and shared best practices as a community, including sharing data, tools and documented processes.
"We face a common set of challenges in safely rolling out updates to the large Windows ecosystem, from deciding how to do measured rollouts with a diverse set of endpoints to being able to pause or rollback if needed," Weston said.
A core SDP principle is "gradual and staged deployment of updates sent to customers."
CrowdStrike did not do this for its Rapid Response Content before the July incident; it says staged deployment is now in place for all of its updates.
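To make the principle concrete, here is an added illustration (not CrowdStrike's or Microsoft's code) of a ring-based rollout controller: content is pushed to a small canary ring first, each ring is gated on a health signal, and a ring whose failure rate exceeds a threshold halts the rollout and rolls back every endpoint already updated. The fleet, the OS builds, the ring sizes, the 2% threshold and the "v2-bad" content that crashes one build are all constructed for the example.

```python
"""Ring-based staged rollout with health gating, halt and rollback.

Added example, not vendor code. Ring sizes, threshold, fleet and the health
signal are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Ordered rings as (name, cumulative fraction of the fleet). Assumed values.
DEFAULT_RINGS: Sequence[Tuple[str, float]] = (
    ("canary", 0.01), ("early", 0.10), ("broad", 0.50), ("all", 1.00),
)
MAX_FAILURE_RATE = 0.02  # halt if more than 2% of a ring is unhealthy (assumed)


@dataclass
class Endpoint:
    name: str
    os_build: int
    version: str = "v1"


@dataclass
class RolloutResult:
    completed_rings: List[str] = field(default_factory=list)
    halted_at: Optional[str] = None          # ring at which the rollout stopped
    failures: Dict[str, int] = field(default_factory=dict)  # unhealthy per ring
    rolled_back: int = 0                      # endpoints restored after a halt


def staged_rollout(fleet: List[Endpoint], new_version: str,
                   health_check: Callable[[Endpoint], bool],
                   rings: Sequence[Tuple[str, float]] = DEFAULT_RINGS,
                   max_failure_rate: float = MAX_FAILURE_RATE) -> RolloutResult:
    """Push new_version ring by ring; halt and roll back on a bad health signal."""
    result = RolloutResult()
    previous: Dict[str, str] = {}   # endpoint name -> version before the push
    start = 0
    for ring_name, cum_frac in rings:
        # Each ring covers fleet[start:end]; at least one endpoint per ring.
        end = min(len(fleet), max(start + 1, round(len(fleet) * cum_frac)))
        ring = fleet[start:end]
        for ep in ring:
            previous[ep.name] = ep.version
            ep.version = new_version
        unhealthy = sum(1 for ep in ring if not health_check(ep))
        result.failures[ring_name] = unhealthy
        if ring and unhealthy / len(ring) > max_failure_rate:
            # Gate tripped: restore every endpoint updated so far, then stop.
            for ep in fleet[:end]:
                ep.version = previous[ep.name]
            result.halted_at = ring_name
            result.rolled_back = end
            return result
        result.completed_rings.append(ring_name)
        start = end
    return result


def make_fleet(n: int) -> List[Endpoint]:
    """Constructed fleet: three OS builds spread evenly across n hosts (assumed)."""
    builds = (19044, 22000, 22631)
    return [Endpoint(f"host-{i:03d}", os_build=builds[i % 3]) for i in range(n)]


def health_after_update(ep: Endpoint) -> bool:
    """Constructed health signal: the 'v2-bad' content crashes build 19044 hosts."""
    return not (ep.version == "v2-bad" and ep.os_build == 19044)


if __name__ == "__main__":
    staged = staged_rollout(make_fleet(200), "v2-bad", health_after_update)
    big_bang = staged_rollout(make_fleet(200), "v2-bad", health_after_update,
                              rings=[("all", 1.0)])
    print("staged :", staged)
    print("bigbang:", big_bang)
```

Run against the same bad content, the staged rollout is stopped at the two-host canary ring with one unhealthy endpoint, while a single "all" ring (the pre-incident pattern) updates all 200 hosts before the health signal can halt it, leaving a third of the fleet crashed before rollback. The gate is deliberately a rate rather than an absolute count so it scales with ring size; in practice the health signal would be telemetry such as boot-loop or crash reports, not an in-process check.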
Outside Of Kernel Mode
The conversation also explored new platform capabilities Microsoft plans to make available in Windows. Windows 11's "improved security posture and security defaults enable the platform to provide more security capabilities to solution providers outside of kernel mode," Weston wrote.
Microsoft said customers and ecosystem partners think it's a good idea to provide additional security capabilities outside of kernel mode "which, along with SDP, can be used to create highly-available security solutions."
As a next step, Microsoft will continue to design and develop this new platform capability with input and collaboration from ecosystem partners to "achieve the goal of enhanced reliability without sacrificing security," Weston said.
Weston also highlighted the importance of having business continuity planning and a major incident response plan in place and "backing up data securely and often."
Security Experts Respond
Security vendors are broadly supportive of the Microsoft-led plans. ESET, for example, said it "supports modifications to the Windows ecosystem that demonstrate measurable improvements to stability, on condition that any change must not weaken security, affect performance, or limit the choice of cybersecurity solutions."
However, the firm said it "remains imperative that kernel access remains an option for use by cybersecurity products to allow continued innovation and the ability to detect and block future cyberthreats."
Sean Wright, head of application security at Featurespace, "applauds Microsoft for holding this event and coming up with ideas," but says he thinks "accountability sits with vendors."
"It is their updates after all, and they need to be held accountable," he says. He highlights the importance of "appropriate testing" as well as "a more staggered rollout," two things that were found to be lacking in CrowdStrike's botched update in July.
Kernel access is important for these products to work and do a sufficient job, says Wright. He points out that "a very similar issue happened with CrowdStrike months before, on Linux."
It's also worth considering that there has been only one major incident over many years with multiple vendors having this access, says Wright. "So yes, the CrowdStrike issue was bad, but it's incredibly rare. I think that's important to bear in mind."