Microsoft Talks Kernel Drivers Post CrowdStrike Outage
Microsoft says that an examination of Windows crash reports around the outage shows that kernel drivers need to be carefully employed.
UPDATED
Microsoft has released more details around its assessment of the CrowdStrike Falcon outage nearly two weeks ago, noting that one takeaway is the need to reduce infosec vendors' reliance on kernel drivers.
In a blog post published over the weekend, David Weston, vice president of enterprise and OS security at Microsoft, explained that the company measured the impact of the incident using crash reports voluntarily shared by customers.
As not every customer opts to share crash reports, those are just "a subset of the number of impacted devices previously shared by Microsoft," Weston wrote.
The assessment's conclusion was that while kernel drivers such as those employed by CrowdStrike can improve performance and prevent software tampering, those advantages must be weighed against the risk posed by the privileges that kernel-mode code inherently holds.
"Since kernel drivers run at the most trusted level of Windows, where containment and recovery capabilities are by nature constrained, security vendors must carefully balance needs like visibility and tamper resistance with the risk of operating within kernel mode," Weston wrote.
He said he believes that if security vendors strike the right balance, organizations can minimize kernel usage while still maintaining a strong security posture.
This story was updated at 9:15 a.m. ET on July 30, 2024 to correct inaccurate reporting that Microsoft revised the original 8.5 million device estimate for how many machines were affected by the CrowdStrike outage.