The major CrowdStrike outage of July 2024 will go down in history as a genuine economic disaster. It is shaping up to be the largest IT outage ever, paralyzing banking systems, disrupting healthcare networks and destabilizing global air travel. The post-mortem analyses revealed a bitter truth: this catastrophe could have been avoided.
Following this incident, Microsoft held a one-day summit dedicated to Windows endpoint security. The event, strictly confidential and closed to the press as well as to outside observers, aimed to gather “a diverse group of endpoint security vendors as well as government officials from the United States and Europe”. Microsoft’s stated purpose was to discuss strategies to strengthen resilience and protect the critical infrastructure of their mutual customers.
A shot in the dark?
What are the specific outcomes of this session? The mystery remains. David Weston, vice president of operating systems and enterprise security at Microsoft, published a brief that was carefully reviewed by legal and communications professionals. The text allows only optimistic messages and a few vague clues about “key themes and points of consensus”. Specific details about potential changes to Windows and to endpoint security products remain unclear, suggesting that significant changes may be a long way off.
As the report states, the roundtable “wasn’t a decision meeting… we discussed the complexities of today’s security landscape, recognizing that there are no simple solutions”. Nevertheless, a recurring theme in the minutes of the meeting is the collective realization that the industry cannot afford another incident on the scale of CrowdStrike.
“The CrowdStrike incident in July highlighted the responsibility of security vendors to foster both resilience and flexible, adaptive protection. …We face a common set of challenges in safely deploying updates across the broad Windows ecosystem, from deciding whether to do metered deployments with a diverse set of endpoints to whether to pause or roll back as needed. One of the core principles of secure deployment practices is the gradual, phased deployment of updates sent to customers.”
This is a direct criticism of CrowdStrike, whose push of a faulty update to its entire fleet of devices at once caused the outage. Instead of deploying in stages, which would have surfaced the problem on a small first ring and allowed the rollout to be halted before it reached the rest of the fleet, CrowdStrike pushed the update globally, thereby maximizing the blast radius of the crisis.
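A minimal simulation of the phased, ring-based deployment that Microsoft’s post describes, added here as an illustration and not code from Microsoft, CrowdStrike or any vendor present at the summit. The fleet, the crash telemetry, the ring sizes and the abort threshold are all constructed for the example; what it shows is that a health gate after a small first ring bounds the damage of a faulty update to that ring, whereas a single global push exposes every host before anyone can react.

```python
"""Phased (ring-based) rollout with a health gate and automatic rollback.

Added illustration: a constructed simulation, not code from CrowdStrike,
Microsoft or any summit participant. Fleet size, ring sizes, crash
probabilities and the abort threshold are all invented for the example.
"""
import random
from dataclasses import dataclass, field


@dataclass
class Host:
    host_id: int
    version: str = "1.0"   # content version currently installed
    crashed: bool = False  # constructed telemetry: did the host crash after install?


@dataclass
class RolloutResult:
    status: str                          # "complete" or "halted"
    completed_rings: list = field(default_factory=list)
    hosts_updated: int = 0               # hosts that received the new version
    crashes_observed: int = 0
    hosts_rolled_back: int = 0


def make_fleet(size: int) -> list:
    return [Host(host_id=i) for i in range(size)]


def install(host: Host, version: str, faulty: bool, rng: random.Random) -> None:
    """Apply the update and sample constructed crash telemetry for the host.

    A faulty update is assumed to crash ~90% of hosts that load it; a good
    one has a 0.1% background crash rate. Both numbers are invented.
    """
    host.version = version
    host.crashed = rng.random() < (0.90 if faulty else 0.001)


def deploy_phased(fleet, version, faulty, rings=(0.01, 0.10, 0.50, 1.00),
                  max_crash_rate=0.02, seed=0):
    """Roll `version` out ring by ring; halt and roll back if a ring's
    crash rate exceeds `max_crash_rate`.

    `rings` are cumulative fractions of the fleet: 1%, then 10%, then 50%,
    then everyone. Each ring is only touched after the previous one passed
    the health gate.
    """
    rng = random.Random(seed)
    result = RolloutResult(status="complete")
    updated = []                  # hosts currently carrying `version`
    done = 0
    for fraction in rings:
        ring = fleet[done:int(len(fleet) * fraction)]
        done += len(ring)
        for h in ring:
            install(h, version, faulty, rng)
            updated.append(h)
        crashes = sum(h.crashed for h in ring)
        result.hosts_updated = len(updated)
        result.crashes_observed += crashes
        if ring and crashes / len(ring) > max_crash_rate:
            # Health gate failed: stop the rollout here and revert every host
            # that already received the version, so the blast radius is the
            # ring that tripped the gate, not the whole fleet.
            for h in updated:
                h.version, h.crashed = "1.0", False
            result.status = "halted"
            result.hosts_rolled_back = len(updated)
            return result
        result.completed_rings.append(fraction)
    return result


def deploy_global(fleet, version, faulty, seed=0):
    """The contrasting strategy: push to every host at once, with no gate."""
    rng = random.Random(seed)
    for h in fleet:
        install(h, version, faulty, rng)
    return RolloutResult(status="complete", completed_rings=[1.0],
                         hosts_updated=len(fleet),
                         crashes_observed=sum(h.crashed for h in fleet))


if __name__ == "__main__":
    print("phased, faulty update :", deploy_phased(make_fleet(10_000), "1.1", faulty=True))
    print("phased, good update   :", deploy_phased(make_fleet(10_000), "1.1", faulty=False))
    print("global, faulty update :", deploy_global(make_fleet(10_000), "1.1", faulty=True))
```

With a 10,000-host fleet the phased rollout of a faulty update stops after the 1% ring: about a hundred hosts crash, and all of them are reverted, while the global push of the same update leaves roughly nine thousand hosts down. The design choices that matter in a real pipeline are the same as in the toy: a first ring small enough that its failure is tolerable, a telemetry signal that arrives before the next ring starts, and a rollback path that does not itself depend on the hosts being healthy.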
Comments from meeting attendees added at the end of the post are a bit more colorful, such as this remark from Rick Smith, director of product and technology for CrowdStrike competitor SentinelOne:
“SentinelOne thanks Microsoft for its leadership in organizing the Windows Endpoint Security Ecosystem Summit, and we are fully committed to helping achieve its goal of reducing the risk of future events like the one caused by CrowdStrike. We believe that transparency is essential, and we fully agree with Microsoft that security companies must adhere to strict standards in engineering, testing, and implementation, and follow best practices in software development and deployment. We are proud to have followed the processes Microsoft is talking about today for years and will continue to do so in the future.”
Access to the Windows kernel
But the most heated discussion revolved around access to the Windows kernel, one of the main reasons the CrowdStrike failure was so severe. Indeed, the scale of the CrowdStrike outage was largely due to Windows architecture:
“Developers of Windows system applications, including security software, use kernel extensions and drivers to implement their functionality. As this incident shows, defective code in the kernel can cause irreparable problems, while code running in user space is less likely to cause such damage.
Apple, in a similar move with macOS 11 in 2020, changed the architecture of its operating system to discourage the use of kernel extensions. Developers are now encouraged to create system extensions that operate in user space rather than at the kernel level. CrowdStrike, on macOS, uses Apple’s Endpoint Security Framework and claims its Falcon product achieves the same levels of visibility, detection and protection by using only a user-space sensor.
Microsoft may consider a similar approach for Windows, but such a transformation would risk criticism and concerns from competition authorities, particularly in Europe.”
For its part, Microsoft is instead highlighting the default security settings of Windows 11. These settings are intended to offer solution providers more ways to build protection without resorting to the kernel. According to Microsoft, customers and ecosystem partners have expressed a desire for the company to provide additional security capabilities outside the kernel.
A divisive topic
However, not all participants are happy with this idea. For example, Joe Levy, CEO of Sophos, noted: “We were pleased to see Microsoft support many of Sophos’ recommendations, based on all the architectural and process innovations we’ve built over the years, and which we’re rolling out today to the 30 million Windows endpoints we protect around the world. This summit was an important and encouraging first step in a journey that will lead to incremental improvements over time…”
So what are these recommendations? In a blog post published in August, Simon Reed, director of science and research at Sophos, made it clear that the company considers access to the Windows kernel essential. “Working in the kernel is vital for security products.” Kernel drivers are “fundamental”, he writes, not only for Sophos products but for “Windows endpoint security in general”.
Therefore, it is unrealistic to expect radical changes in Windows in the near future. Sophos’ arguments are clearly shared by executives at other security companies, who fear that restricting access to the Windows kernel could give Microsoft’s own endpoint protection products a decisive competitive advantage. This is the kind of debate that quickly moves from engineers to lawyers, given Microsoft’s history with antitrust authorities in Europe and the United States.