
Microsoft holds security summit to prevent CrowdStrike outage repeat

Prevention is better than cure, but it is too late to undo July's global Windows outage. To take proactive action against further incidents of this kind, Microsoft is hosting a Windows Endpoint Security Ecosystem Summit on Sept. 10 at its Redmond headquarters.

Several partners are attending, including CrowdStrike. Improvements to cyber resilience and the protection of critical infrastructure are at the top of the agenda. The immediate trigger is the global IT incident of July 19.

A now infamous update to CrowdStrike’s Falcon Sensor through Channel File 291 led to the failure of an estimated 8.5 million Windows devices worldwide on that Friday. The damage was enormous, including canceled flights, missed appointments and disruptions in hospitals. IT professionals had to manually implement rollbacks for days and sometimes weeks, often combined with a search for the correct BitLocker key.


Solutions?

A Microsoft spokesman remarkably blamed the July 19 IT outage on the European Commission. A 2009 decision by that governing body gave vendors access to the kernel for their security solutions. This was to prevent a Microsoft monopoly when it came to providing protection at this deep level. Since this access makes it possible to detect exactly what files are loaded into memory, the potential proactive benefits are huge from a security standpoint.

The downside is that the whole system crashes if something goes wrong at the kernel level, hence the caution from Microsoft. Ever since the EC decision in 2009, Windows Hardware Certification (WHQL) has provided a guarantee that a kernel driver is secure.

However, the CrowdStrike incident occurred not because of a change in kernel code, but because of a configuration change in user space (where the vast majority of applications reside).


eBPF or otherwise?

Since the CrowdStrike incident, some experts have recommended the adoption of eBPF, a middle ground between kernel access and user space. It allows software to interact with the kernel and access in-depth data without the same risk of crashing the OS. Specifically, programs run inside a VM isolated within the kernel, and each program is statically checked before it is loaded. Currently, only Linux uses this methodology.

“eBPF programs cannot crash the entire system because they are security-checked by a software verifier and effectively run in a sandbox,” Intel Fellow Brendan Gregg, for example, stated. “If the verifier finds unsafe code, the program is rejected and not run.”

Other experts argue that eBPF can generate unforeseen increases in errors. Also, debugging it is difficult and eBPF programs are susceptible to vulnerabilities just like regular applications. Additionally, the opportunities for attackers are profound whenever they exploit an eBPF program, whereas one cannot normally manipulate a kernel driver due to the immense checks and required privileges.
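To make the verifier-plus-sandbox idea from the previous paragraphs concrete, here is an added, constructed illustration; it is not eBPF, Microsoft or CrowdStrike code. The instruction set, the limits (CTX_SIZE, MAX_INSNS, NUM_REGS) and the verifier rules are all invented for this example, which shows the defender's point: a program that reads outside its context buffer or could loop forever is rejected at load time, whereas an unchecked kernel-mode read of the same bad offset simply faults.

```python
"""Toy model of the eBPF approach: static verification before sandboxed execution.

Constructed example for illustration only. The tiny register machine, its
limits and the verifier rules are assumptions of this example, not eBPF's
real instruction set or verifier.
"""
from dataclasses import dataclass
from typing import List, Tuple

Insn = Tuple[str, int, int]  # (opcode, operand a, operand b)

CTX_SIZE = 16   # bytes of "context" (e.g. a packet) a program may read
MAX_INSNS = 64  # hard cap on program length
NUM_REGS = 4    # r0..r3; r0 is the return value


@dataclass
class Verdict:
    ok: bool
    reason: str


def verify(prog: List[Insn]) -> Verdict:
    """Statically check a program; reject anything that could fault or loop.

    Rules (all invented for this toy): registers must exist, context loads
    must use an in-bounds static offset, jumps must be forward-only (so the
    program terminates in at most len(prog) steps), and the last instruction
    must be exit.
    """
    if not prog:
        return Verdict(False, "empty program")
    if len(prog) > MAX_INSNS:
        return Verdict(False, f"too many instructions (> {MAX_INSNS})")
    if prog[-1][0] != "exit":
        return Verdict(False, "program does not end in exit")
    for pc, (op, a, b) in enumerate(prog):
        if op == "exit":
            continue
        if op not in ("mov", "add", "ldb", "jz"):
            return Verdict(False, f"insn {pc}: unknown opcode {op!r}")
        if not 0 <= a < NUM_REGS:
            return Verdict(False, f"insn {pc}: bad register r{a}")
        if op == "add" and not 0 <= b < NUM_REGS:
            return Verdict(False, f"insn {pc}: bad register r{b}")
        if op == "ldb" and not 0 <= b < CTX_SIZE:
            return Verdict(False, f"insn {pc}: out-of-bounds ctx read at offset {b}")
        if op == "jz":
            if not 0 <= b < len(prog):
                return Verdict(False, f"insn {pc}: jump target {b} outside program")
            if b <= pc:
                return Verdict(False, f"insn {pc}: backward jump to {b} (unbounded loop)")
    return Verdict(True, "verified")


def run(prog: List[Insn], ctx: bytes) -> int:
    """Sandboxed interpreter: refuses to load anything the verifier rejects."""
    verdict = verify(prog)
    if not verdict.ok:
        raise ValueError(f"load rejected: {verdict.reason}")
    if len(ctx) != CTX_SIZE:
        raise ValueError("context must be exactly CTX_SIZE bytes")
    regs = [0] * NUM_REGS
    pc = 0
    while True:  # terminates: jumps are forward-only and the program ends in exit
        op, a, b = prog[pc]
        if op == "exit":
            return regs[0]
        if op == "mov":
            regs[a] = b & 0xFFFFFFFF
        elif op == "add":
            regs[a] = (regs[a] + regs[b]) & 0xFFFFFFFF
        elif op == "ldb":
            regs[a] = ctx[b]  # safe: offset was verified against CTX_SIZE
        elif op == "jz" and regs[a] == 0:
            pc = b
            continue
        pc += 1


def unchecked_read(ctx: bytes, off: int) -> int:
    """Stand-in for an unverified kernel-mode read: no check before use, so a
    bad offset faults (IndexError here; a bugcheck in a real kernel)."""
    return ctx[off]


# Constructed sample context: bytes 0 and 1 hold 5 and 7, the rest are zero.
SAMPLE_CTX = bytes([5, 7]) + bytes(CTX_SIZE - 2)

# r0 = ctx[0] + ctx[1]  -> accepted, returns 12
PROG_GOOD: List[Insn] = [("ldb", 0, 0), ("ldb", 1, 1), ("add", 0, 1), ("exit", 0, 0)]
# reads offset 40 of a 16-byte context -> rejected at load time
PROG_OOB: List[Insn] = [("ldb", 0, 40), ("exit", 0, 0)]
# jumps back to itself while r0 == 0 -> rejected as a possible infinite loop
PROG_LOOP: List[Insn] = [("mov", 0, 0), ("jz", 0, 0), ("exit", 0, 0)]
# forward branch: returns 0 if ctx[2] == 0, else 1
PROG_BRANCH: List[Insn] = [("ldb", 0, 2), ("jz", 0, 3), ("mov", 0, 1), ("exit", 0, 0)]

if __name__ == "__main__":
    for name, prog in (("good", PROG_GOOD), ("oob", PROG_OOB), ("loop", PROG_LOOP)):
        print(name, verify(prog))
    print("run(PROG_GOOD) =", run(PROG_GOOD, SAMPLE_CTX))
```

The two checks that matter for resilience are the bounds check on every context load and the forward-only jump rule: together they guarantee that a verified program can neither touch memory it was not given nor run forever, which is exactly what a kernel driver reading an unvalidated data file cannot promise.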

Not the solution

Reportedly, eBPF is not the silver bullet Microsoft hopes to introduce. Instead, the tech giant wants to encourage other vendors to do as much user-mode work as possible and stay away from the kernel whenever they can. Thus, the company is sticking to the position it defended before the European Commission forced Microsoft to open up the kernel to others.
