Takeaways From the CrowdStrike Outage
On July 19, CrowdStrike, an independent cybersecurity company whose primary technology is the Falcon platform, released a software update that began impacting IT systems globally. The outage was not caused directly by a Microsoft Windows flaw; rather, a flaw in CrowdStrike Falcon triggered the issue. Falcon hooks into the Microsoft Windows OS as a Windows kernel process. A logic flaw in Falcon sensor version 7.11 and above caused the sensor to crash, and because of CrowdStrike Falcon's tight integration with the Microsoft Windows kernel, the sensor crash resulted in a Windows system crash and blue screen of death (BSOD).
What's a Kernel?
- Running in the kernel provides the security software with high privileges and gives it the ability to monitor operations in real time across the OS. This enables it to block any process or action that is known to be, or appears to be (in the case of some AI-powered systems), malicious.
- It also allows this monitoring and blocking to happen much faster, with no middleman negotiating the interactions, which maintains a much better user experience because the machine and user applications are not slowed down.
Why Microsoft Allows This Access
According to Microsoft, the reason that CrowdStrike and other security vendors have this access is a 2009 European Commission ruling, which stipulates that Microsoft must ensure that third-party products can interoperate with Microsoft's relevant software products using the same interoperability information, on an equal footing with other Microsoft products.
Despite this, Microsoft provides several APIs that are meant to deliver the same functionality without the need to directly access the kernel. For instance, the Windows Defender Application Control API and Windows Defender Device Guard both provide mechanisms for controlling application execution, ensuring that only trusted code can be executed. Additionally, the Windows Filtering Platform (WFP) allows applications to interact with the network stack without requiring kernel-level code.
Furthermore, Microsoft sources claim to have begun developing an advanced API designed specifically for security applications such as CrowdStrike's, one that promised deeper integration with the Windows operating system and offered greater stability, performance and security. But the 2009 EU ruling halted such integration efforts, as the regulators claimed it could potentially have given Microsoft an unfair advantage.
Takeaways
Test Updates Before Deploying to Production
Consider Multiple Vendors for Security Software
Develop and Document Manual Workarounds
Perform Disaster Recovery and Business Continuity Planning
How Adtech Can Help
We support organizations of all types with a complete set of IT consulting and managed services that include:
- IT strategy development
- IT risk assessment services
- Aligning your technology strategy with your business strategy
- IT process development
- Business continuity and disaster recovery planning and implementation