CrowdStrike once again explained the cause of the July 19 IT outage during a U.S. Congressional hearing. The company maintains that it must continue using kernel mode, or else cybercriminals will be able to attack undetected.
CrowdStrike has had a technical explanation available for about six weeks now. However, the U.S. House of Representatives hearing is aimed at a completely different audience. “At CrowdStrike, our vision is to protect good people from bad things, and we have been very successful at doing that for more than a decade.”
The situation couldn’t be clearer. Despite years of content updates, occurring 10 to 12 times daily, a small oversight led to an incident. The error was minor but fundamental. A mismatch of 20 inputs to 21 input fields resulted in 8.5 million Windows machines failing. The systems within CrowdStrike Falcon that should have caught this weren’t functioning properly. Adam Meyers, SVP of Counter Adversary Operations at CrowdStrike, described it as a “perfect storm.” He likened the bug to trying to move a chess piece to a non-existent square on the board.
Kernel level access required
Typically, such an error wouldn’t cause Windows to crash. However, since the CrowdStrike Falcon sensor operates at the kernel level, even a single mistake can trigger a Blue Screen of Death (BSOD). So, shouldn’t we be moving away from kernel-level operations as much as possible, as Microsoft seems to suggest?
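To make the failure mode concrete, here is an added example in C, constructed for this article and not taken from CrowdStrike's Falcon sensor or any real driver. It models the defect class the hearing described: detection content carries 20 fields, the matching template expects 21, and nothing rejects the mismatch before a field is indexed. The counts 20 and 21 come from the article; every name in the code (ContentRecord, ContentStatus, validate_record, lookup_field_checked, sample_record) is hypothetical. The unchecked lookup shows why one off-by-one is enough to fault; the load-time validation and the bounds-checked lookup show the two places where such content should have been stopped.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the defect class described in the article:
 * detection content carries N fields, the matching template expects N+1,
 * and nothing rejects the mismatch before the fields are indexed.
 * The counts 20 and 21 follow the article; every name below
 * (ContentRecord, ContentStatus, validate_record, ...) is hypothetical. */

#define RECORD_FIELDS   20   /* fields the shipped content actually carries */
#define TEMPLATE_FIELDS 21   /* fields the matching template expects */

typedef struct {
    size_t      count;                  /* number of valid entries in fields[] */
    const char *fields[RECORD_FIELDS];
} ContentRecord;

typedef enum {
    CONTENT_OK = 0,
    CONTENT_FIELD_COUNT_MISMATCH,
    CONTENT_INDEX_OUT_OF_RANGE
} ContentStatus;

/* Vulnerable form: trusts the template's index and never consults the
 * record's own count. Asking for field 20 of a 20-field record reads one
 * element past the array; in user mode that is undefined behaviour, in a
 * kernel driver it is an unhandled fault and a BSOD. */
const char *lookup_field_unchecked(const ContentRecord *rec, size_t field_idx)
{
    return rec->fields[field_idx];
}

/* Load-time check of the kind the article says did not work in practice:
 * refuse to activate content whose field count does not match the template
 * it will be evaluated against. Cheap, and it turns a kernel crash into a
 * rejected update. */
ContentStatus validate_record(const ContentRecord *rec, size_t template_fields)
{
    if (rec->count != template_fields || rec->count > RECORD_FIELDS)
        return CONTENT_FIELD_COUNT_MISMATCH;
    return CONTENT_OK;
}

/* Hardened lookup: bounds-check against the record itself, so a bad
 * template can at most produce an error code, never a wild read. */
ContentStatus lookup_field_checked(const ContentRecord *rec, size_t field_idx,
                                   const char **out)
{
    *out = NULL;
    if (field_idx >= rec->count || field_idx >= RECORD_FIELDS)
        return CONTENT_INDEX_OUT_OF_RANGE;
    *out = rec->fields[field_idx];
    return CONTENT_OK;
}

/* Convenience wrapper: the field text, or NULL when the lookup is refused. */
const char *field_or_null(const ContentRecord *rec, size_t field_idx)
{
    const char *value;
    return lookup_field_checked(rec, field_idx, &value) == CONTENT_OK ? value : NULL;
}

/* Constructed sample record with exactly 20 fields, "field0" .. "field19". */
const ContentRecord *sample_record(void)
{
    static char          names[RECORD_FIELDS][16];
    static ContentRecord rec;
    static bool          built = false;
    if (!built) {
        rec.count = RECORD_FIELDS;
        for (size_t i = 0; i < RECORD_FIELDS; i++) {
            snprintf(names[i], sizeof names[i], "field%zu", i);
            rec.fields[i] = names[i];
        }
        built = true;
    }
    return &rec;
}

int main(void)
{
    const ContentRecord *rec = sample_record();
    const char *value;

    /* Mismatched content is rejected before it can be used. */
    printf("validate against 21-field template: %s\n",
           validate_record(rec, TEMPLATE_FIELDS) == CONTENT_OK ? "accepted" : "rejected");
    printf("validate against 20-field template: %s\n",
           validate_record(rec, RECORD_FIELDS) == CONTENT_OK ? "accepted" : "rejected");

    /* The checked lookup refuses index 20 instead of reading past the array. */
    printf("checked lookup of field 20: %s\n",
           lookup_field_checked(rec, 20, &value) == CONTENT_OK ? value : "out of range");
    printf("checked lookup of field 19: %s\n",
           lookup_field_checked(rec, 19, &value) == CONTENT_OK ? value : "out of range");

    /* Deliberately not calling lookup_field_unchecked(rec, 20): that is the crash. */
    return 0;
}
```

The point of the two checks is where they sit: validate_record runs once when content is loaded, which is the stage a content validator or a staged rollout can gate on, while lookup_field_checked is the last line of defence inside the hot path. A kernel-mode component that has only the second check still stays up; one that has neither turns a bad content file into an outage.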
CrowdStrike disagrees. They argue that abandoning the kernel and sticking to user space would create far bigger issues. Falcon has kernel-level access to all activities on the operating system. “You can provide enforcement, in other words, threat prevention, and ensure anti-tampering,” Meyers explained. Take Scattered Spider, for instance – a group behind major cyber threats. They’re known to bypass security tools that only operate in user space. This led to severe attacks on several Las Vegas casinos in the summer of 2023. Given these circumstances, CrowdStrike insists on maintaining deep access to Windows and other operating systems.
Without a middle ground between kernel and user space, it’s hard to argue against CrowdStrike’s position. Whether updates at such an incredible frequency are truly necessary is another question altogether. After all, even the tiniest oversight could lead to major problems. That said, CrowdStrike has already announced a series of changes to its update policy, including phased rollouts and improvements to the Falcon sensor’s protection mechanisms.
In the end, preventing another incident like the July 19 IT outage isn’t solely CrowdStrike’s responsibility. While other vendors claim their security tools are immune to such failures, there’s no way to guarantee this from the outside. Microsoft is trying to push security companies away from kernel-level operations, but firms like CrowdStrike are pushing back. Perhaps it’s time for a Windows equivalent of eBPF, serving as a middle ground between kernel mode and user mode?