It’s been nearly two months since the CrowdStrike outage caused Microsoft Windows machines across the globe to crash.
CrowdStrike itself has already examined why the incident happened, with Microsoft also publishing its own analysis soon afterwards. While most in the industry accept the CrowdStrike outage was not Microsoft’s fault, it’s led some to question whether the firm should allow security products to have kernel level access.
This was one of the topics discussed at the Windows Endpoint Security Ecosystem Summit, a meeting between Microsoft, government officials and cybersecurity companies on Sept. 10.
Kernel-level access lets a security product observe and block activity at the deepest layer of the operating system, which increases its efficacy. Yet Apple no longer offers this level of access on macOS: it has deprecated third-party kernel extensions in favour of user-space system extensions, because it says third-party code running in the kernel is itself a security and stability risk.
In Microsoft's case, the thinking is that if security products ran with less kernel access, a faulty update to a product such as CrowdStrike's would crash only that product's own process rather than the whole Windows system. A fault in kernel mode halts the machine with a bugcheck (the familiar blue screen); the same fault in user mode terminates one process while the operating system keeps running.
The meeting comprised Microsoft, government officials and Microsoft Virus Initiative partners — companies that develop endpoint protection and other security products for Windows.
Enhancing Resiliency
The meeting seems to have gone pretty smoothly. Everyone agreed there's a need to enhance resiliency by openly sharing information about how products function, handle updates and manage disruptions, David Weston, vice president of enterprise and OS security at Microsoft, reported in a blog post.
The group discussed Safe Deployment Practices (SDP) at Microsoft and shared best practices as a community, including sharing data, tools and documented processes.
“We face a common set of challenges in safely rolling out updates to the large Windows ecosystem, from deciding how to do measured rollouts with a diverse set of endpoints to being able to pause or rollback if needed,” Weston said.
A core SDP principle is “gradual and staged deployment of updates sent to customers.”
This is something CrowdStrike did not do before the July incident, when the faulty content update went to all hosts at once; the company has since said it will move to staged rollouts.
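The following is an added illustration of what "gradual and staged deployment" with the ability to "pause or rollback" looks like in practice; it is not code from Microsoft, CrowdStrike or any summit participant. The fleet is split into rings that each cover every OS build (a diverse set of endpoints), each ring is gated on health telemetry before the next one is touched, and a ring that exceeds the failure gate is rolled back and the rollout halted. The ring sizes, the 2% failure gate, the sample fleet and the fault model are all assumptions made for the example.

```python
"""Staged (ring-based) rollout with telemetry gating and automatic rollback.

Added illustration of the "gradual and staged deployment" principle discussed
at the summit. It is not Microsoft's or CrowdStrike's code; the ring sizes,
the failure gate, the sample fleet and the fault model are all assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable

# Assumed ring plan: share of the fleet each ring receives, in order.
RING_PLAN = [("canary", 0.05), ("early", 0.15), ("broad", 0.30), ("full", 0.50)]

# Assumed gate: halt if more than this share of a ring fails its health check.
MAX_FAILURE_RATE = 0.02


@dataclass
class Endpoint:
    host: str
    cohort: str          # e.g. OS build; every ring should cover every cohort
    version: str = "v1"  # content version currently installed


def plan_rings(endpoints: list[Endpoint], plan=RING_PLAN) -> dict[str, list[Endpoint]]:
    """Split the fleet into rings, interleaving cohorts so that even the
    smallest ring exercises every OS build rather than one homogeneous slice."""
    by_cohort: dict[str, list[Endpoint]] = defaultdict(list)
    for ep in endpoints:
        by_cohort[ep.cohort].append(ep)
    queues = list(by_cohort.values())
    interleaved: list[Endpoint] = []
    while any(queues):
        for q in queues:
            if q:
                interleaved.append(q.pop(0))
    rings: dict[str, list[Endpoint]] = {}
    start = 0
    for i, (name, share) in enumerate(plan):
        # The last ring takes whatever is left, so rounding never drops a host.
        end = len(interleaved) if i == len(plan) - 1 else start + round(share * len(interleaved))
        rings[name] = interleaved[start:end]
        start = end
    return rings


def run_rollout(endpoints: list[Endpoint], new_version: str,
                healthy: Callable[[Endpoint], bool],
                max_failure_rate: float = MAX_FAILURE_RATE,
                plan=RING_PLAN) -> dict:
    """Deploy ring by ring. After each ring, read back health telemetry; if the
    failure rate exceeds the gate, roll that ring back and stop before the next
    ring is touched. Returns a report of what happened."""
    report = {"halted_at": None, "updated": 0, "failures": {}, "rolled_back": []}
    for name, ring in plan_rings(endpoints, plan).items():
        previous = {ep.host: ep.version for ep in ring}
        for ep in ring:
            ep.version = new_version
        report["updated"] += len(ring)
        failed = [ep for ep in ring if not healthy(ep)]
        report["failures"][name] = len(failed)
        rate = len(failed) / len(ring) if ring else 0.0
        if rate > max_failure_rate:
            for ep in ring:  # restore the last known-good version on this ring only
                ep.version = previous[ep.host]
                report["rolled_back"].append(ep.host)
            report["halted_at"] = name
            break
    return report


def build_fleet(per_cohort: int = 40) -> list[Endpoint]:
    """Constructed sample fleet: three OS builds, `per_cohort` hosts each."""
    cohorts = ["win10-22H2", "win11-23H2", "win11-24H2"]
    return [Endpoint(f"{c}-{i:03d}", c) for c in cohorts for i in range(per_cohort)]


def faulty_content(ep: Endpoint) -> bool:
    """Assumed fault model: version v2 fails to come up on one OS build only."""
    return not (ep.version == "v2" and ep.cohort == "win11-24H2")


def good_content(ep: Endpoint) -> bool:
    """Assumed fault model for a clean update: every host stays healthy."""
    return True


if __name__ == "__main__":
    fleet = build_fleet()
    print("faulty update:", run_rollout(fleet, "v2", faulty_content))
    fleet = build_fleet()
    print("good update:", run_rollout(fleet, "v2", good_content))
```

With the faulty update, the canary ring of six hosts includes two on the affected build, the failure rate trips the gate, those six hosts are restored to the previous version and the remaining 114 never receive the update. Pushing the same content to every host at once would have taken down all 40 hosts on that build. The clean update passes every gate and reaches the whole fleet.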
Outside Of Kernel Mode
The conversation also explored new platform capabilities Microsoft plans to make available in Windows. For example, Windows 11’s “improved security posture and security defaults enable the platform to provide more security capabilities to solution providers outside of kernel mode.”
Microsoft said customers and ecosystem partners think it’s a good idea to provide additional security capabilities outside of kernel mode “which, along with SDP, can be used to create highly-available security solutions.”
As a next step, Microsoft will continue to design and develop this new platform capability with input and collaboration from ecosystem partners to “achieve the goal of enhanced reliability without sacrificing security,” Weston said.
Weston also highlighted the importance of having business continuity planning and a major incident response plan in place, and of "backing up data securely and often."
Security Experts Respond
Security vendors are supportive of the Microsoft-led plans. For example, ESET said it “supports modifications to the Windows ecosystem that demonstrate measurable improvements to stability, on condition that any change must not weaken security, affect performance, or limit the choice of cybersecurity solutions.”
However, the firm said it “remains imperative that kernel access remains an option for use by cybersecurity products to allow continued innovation and the ability to detect and block future cyberthreats.”
Sean Wright, head of application security at Featurespace, "applauds Microsoft for holding this event and coming up with ideas," but says he thinks "accountability sits with vendors."
“It is their updates after all — and they need to be held accountable,” he says. He highlights the importance of “appropriate testing”, as well as “a more staggered rollout” — two things that were found to be lacking in CrowdStrike’s botched update in July.
Kernel access is important for these products to work and do a sufficient job, says Wright. He points out that “a very similar issue happened with CrowdStrike months before, on Linux.”
It’s also worth considering that there has only been one major incident over many years with multiple vendors having this access, says Wright. “So yes, the CrowdStrike issue was bad, but it’s incredibly rare. I think that’s important to bear in mind.”