Microsoft enhances Windows for better security


Microsoft is actively working on updates to Windows designed to let endpoint security solutions function effectively outside the operating system’s kernel. The company aims to prevent future large-scale IT outages such as the one CrowdStrike caused in July, and acknowledges that both customers and vendors have been calling for this move.

The company noted several challenges that need to be addressed, including the performance requirements of running outside kernel mode and the need for anti-tampering protections. At a closed-door security summit held this week, with no press admitted, Microsoft emphasized its focus on security sensor requirements and secure-by-design principles for the Windows architecture. The goal is to let antivirus and other security tools inspect systems while running in a lower-privileged environment than the kernel.

Joe Levy, the CEO of Sophos, remarked, “Microsoft’s Windows Endpoint Security Ecosystem Summit was a critical call to action for endpoint security providers following the global IT outage in July. The Summit provided a platform to start a dialogue about rethinking kernel architectures, the risk of monocultures, safe deployment practices, vendor transparency, and more.”

Levy’s sentiments were echoed by other executives from Broadcom, SentinelOne, Trellix, and Trend Micro. ESET stated that maintaining kernel access for security products is “imperative.”

The changes in Windows, announced back in May before the CrowdStrike disaster, will include making kernel access available to security products on a just-in-time basis rather than keeping it always on.

The July outage was reportedly caused by a faulty sensor update to CrowdStrike’s Falcon, which triggered a chain reaction of system crashes across affected machines.

Microsoft’s plans for kernel security

CrowdStrike CEO George Kurtz, addressing the incident at Goldman Sachs’ Communacopia and Technology Conference, said, “In this particular case, we had a configuration change. We validated all those configurations, but had an issue where the sensor understood 20 out of 21. We’ve since changed our processes to ensure validation includes more comprehensive testing and phased rollouts.”

Following the outage, there were broader critiques of how much security software can run inside the Windows kernel. This concern has led customers and experts alike to demand answers and change.

Microsoft promised that the kernel change will come soon and will be informed by input from the wider industry. “As a next step, Microsoft will continue to design and develop this new platform capability with input and collaboration from ecosystem partners to achieve the goal of enhanced reliability without sacrificing security,” the company stated in its summit summary. Additionally, Microsoft and security vendors plan to develop best practices for the safe rollout of platform updates.

Microsoft aims for these practices to be adopted across the entire vendor ecosystem. “We face a common set of challenges in safely rolling out updates to the large Windows ecosystem, from deciding how to do measured rollouts with a diverse set of endpoints to being able to pause or rollback if needed,” Microsoft noted. In the shorter term, Microsoft is committed to making progress on testing critical components, sharing product health intelligence, improving incident response effectiveness, and conducting joint compatibility testing across a variety of configurations.

Further updates are anticipated soon.
