Kernel Mode Under the Microscope at Windows Security Summit – Source: www.databreachtoday.com

Business Continuity Management / Disaster Recovery
,
CrowdStrike Outage Updates
,
Endpoint Security

Company Focused on Safe Deployment Practices, Reducing Kernel Mode Dependencies

Michael Novinson (MichaelNovinson) •
September 12, 2024    

Reducing kernel-mode dependencies and adopting safe deployment practices will make endpoint systems more resilient and secure for Windows customers, according to Microsoft.

See Also: 2024 Threat Landscape: Data Loss is a People Problem

The Seattle-area software and cloud computing giant brought together government officials and leaders from endpoint security vendors including CrowdStrike, SentinelOne, Broadcom and Sophos to tackle common challenges in securing the Windows ecosystem. Tuesday’s meeting came two months after a faulty CrowdStrike update disrupted 8.5 million Windows machines and caused $5.4 billion in direct losses (see: After CrowdStrike Outage: Time to Rebuild Microsoft Windows?).

“We’re competitors; we’re not adversaries,” David Weston, Microsoft’s vice president of enterprise and OS security, said in a blog post Thursday. “The adversaries are the ones we need to protect the world from. We are grateful for the support and input from this community and excited about the conversations in progress and work we have ahead.”

The Conundrum With Kernel-Level Access

Weston said Microsoft wants to offer more security capabilities outside the kernel, enabling third-party security vendors to offer robust tools without the risks associated with deep system access. Platform-level improvements in Windows 11 aim to provide better protection without relying on kernel mode operations, which Weston said could expose vulnerabilities.

“Windows 11’s improved security posture and security defaults enable the platform to provide more security capabilities to solution providers outside of kernel mode,” Weston said in the blog post. “Both our customers and ecosystem partners have called on Microsoft to provide additional security capabilities outside of kernel mode.”

The Windows platform could evolve to minimize third-party kernel driver use to providing more built-in APIs for security operations, according to Sophos Vice President of Engineering Neil Watkiss. He said using APIs for file access control, registry access, network interception and process behavior monitoring could help vendors such as Sophos reduce their kernel-level dependence while maintaining interoperability.

“If the Windows Platform were to evolve in ways that would reduce the need for kernel drivers, this functionality may be helpful to include,” Watkiss said in a blog post Thursday. “That evolution is a process that will likely require open communication. We also note that implementing changes will require thoughtful consideration of how malicious entities might undermine any changes.”

Sophos currently employs five kernel drivers on Windows to maintain security and system performance, he said, allowing for deep system integration and enabling anti-malware protection, process journaling, tamper-proofing and network security. These kernel drivers are critical for ensuring system security and stability, providing high-fidelity event recording and control over processes and network traffic, he said.

“Sophos interoperates with the underlying Windows platform using a combination of techniques, some of which reach deep into the internals of the platform: kernel drivers, user-space hooking and other techniques,” Watkiss said. “Generally speaking, the system access provided by kernel drivers is necessary to provide the security functions expected by users of a modern cybersecurity product.”

Why It’s Important to Roll Software Updates Out Gradually

Tuesday’s meeting also discussed refining update processes across the Windows ecosystem to minimize disruptions while ensuring security, and Microsoft and other endpoint security vendors, including Broadcom and Sophos, shared best practices for safely rolling out updates and managing rollbacks in case issues occur. Creating a common framework for security vendors will improve customer safety and system resiliency.

A core safe deployment practice, or SDP, is “gradual and staged deployment of updates sent to customers,” Weston said. “This rich discussion at the Summit will continue as a collaborative effort with our MVI [Microsoft Virus Initiative] partners to create a shared set of best practices that we will use as an ecosystem going forward.”

CrowdStrike pushed the faulty software update out to all of its customers simultaneously, dramatically compounding the scope of the problem. The company published a root cause analysis of the outage and said it’s already making multiple changes to prevent a recurrence, including bolstering its internal testing practices and rolling out software updates in batches (see: CrowdStrike Debuts Safeguards, Seeks to Blunt Outage Impact).

“They’re an open ecosystem provider. And we’re one player in the security market,” CrowdStrike co-founder and CEO George Kurtz said at the Goldman Sachs Communacopia and Technology Conference on Wednesday. “But how does the security market come together to think about other ways to extend that ecosystem and build more resiliency?”

Weston said the endpoint security vendors at Tuesday’s summit aim to create standardized processes for sharing product health information and coordinating recovery efforts in response to major cybersecurity incidents. He emphasized the need for increased testing, better computability across diverse configurations and more effective incident response for Microsoft’s security ecosystem partners.

“Our mutual customers benefit when there are options for Windows and choices in security products,” Weston said in the blog post. “It was apparent that, given the vast number of endpoint products on the market, we all share a responsibility to enhance resiliency by openly sharing information about how our products function, handle updates and manage disruptions.”