In light of the CrowdStrike outage incident in July, Microsoft is planning to develop more options for security solutions to operate outside of kernel mode, according to a post on the Windows Experience Blog published Thursday.
The CrowdStrike outage, caused by an out-of-bounds memory error in an update to the CrowdStrike Falcon software, which operates at the kernel level, caused a blue screen of death (BSOD) for approximately 8.5 million Windows devices, interrupting operations at many organizations including airports, hospitals, financial institutions and more.
Microsoft, in response to the CrowdStrike incident, held a Windows Endpoint Security Ecosystem Summit at its headquarters in Redmond, Washington, on Tuesday, which was attended by several endpoint security vendors from the Microsoft Virus Initiative (MVI) as well as government officials from the United States and the European Union.
The group discussed various strategies and challenges when it comes to increasing resiliency in the endpoint security ecosystem, to prevent another incident like CrowdStrike without sacrificing security capabilities, according to the blog post authored by Microsoft Vice President of Enterprise and Operating System Security David Weston.
A key discussion point at the summit, in terms of long-term solutions for improving resilience, was the possibility of expanding security vendors’ ability to operate outside of the Windows kernel, making it less likely that a faulty update would lead to widespread BSODs.
“Windows 11’s improved security posture and security defaults enable the platform to provide more security capabilities to solution providers outside of kernel mode,” Weston wrote. “Both our customers and ecosystem partners have called on Microsoft to provide additional security capabilities outside of kernel mode which, along with [Safe Deployment Practices], can be used to create highly available security solutions.”
Kernel access restrictions could raise anticompetition law concerns
Microsoft did not mention the possibility of blocking off kernel access completely for security vendors, but instead discussed performance needs and challenges outside of the kernel, anti-tampering protection for security solutions, security sensor requirements and secure-by-design goals, according to Weston’s post.
Since the CrowdStrike incident, Microsoft has already hinted at aiming to reduce reliance on kernel access, with Vice President of Windows Servicing and Delivery John Cable writing on the Windows IT Pro Blog on July 25 highlighting examples of solutions that “use modern Zero Trust approaches and show what can be done to encourage development practices that do not rely on kernel access.”
However, concerns have been raised by some that, should Microsoft ultimately aim to restrict kernel access for other endpoint security vendors, it could give its own security solutions an anticompetitive advantage.
For example, Cloudflare Co-founder and CEO Matthew Prince wrote in a post on X in late August, “Regulators need to be paying attention. A world where only Microsoft can provide effective endpoint security is not a more secure world,” adding in a comment that, “The problem isn’t [locking] your kernel down. It’s locking it down for everyone else but still letting your own solution have privileged access.”
Microsoft previously attempted to restrict applications’ access to the kernel, including security applications, through a feature called PatchGuard in Windows Vista back in 2006. However, it eventually changed course after backlash from major security firms like Symantec and McAfee as well as regulatory concerns raised by the European Commission.
In comments from cybersecurity company ESET included in Weston’s blog post, ESET stated it “supports modifications to the Windows ecosystem that demonstrate measurable improvements to stability, on condition that any change must not weaken security, affect performance, or limit the choice of cybersecurity solutions. It remains imperative that kernel access remains an option for use by cybersecurity products to allow continued innovation and the ability to detect and block future cyberthreats.”
Short-term, vendor-neutral solutions discussed at Microsoft summit
In addition to issues regarding kernel access, attendees of the Windows Endpoint Security Ecosystem Summit, which also included representatives from Broadcom, SentinelOne, Sophos, Trellix, Trend Micro and CrowdStrike itself, discussed short-term solutions to prevent major incidents and acknowledged the importance of collaboration and open information sharing to benefit mutual customers.
“We’re competitors, we’re not adversaries. The adversaries are the ones we need to protect the world from,” Weston wrote.
For short term resiliency improvements, the attendees discussed the implementation of Safe Deployment Practices (SDPs) and how Microsoft and security vendors will work to create shared best practices to safely roll out updates to diverse Windows endpoints. Microsoft and MVI partners also aim to increase software testing, including joint compatibility testing for various configurations, and improve incident response by coordinating more closely with partners on recovery procedures.
For customers, Microsoft provided vendor-neutral recommendations for users to be prepared in the event of a major incident across the Windows ecosystem. These include the importance of having a robust business continuity plan (BCP), a major incident response plan (MIRP) and secure data backups that are updated frequently.
“We believe that transparency is critical and strongly agree with Microsoft that security companies must live up to stringent engineering, testing and deployment standards and follow software development and deployment best practices,” Ric Smith, chief product and technology officer at SentinelOne, said in comments after the summit.
