{"id":255,"date":"2024-09-16T17:33:19","date_gmt":"2024-09-16T17:33:19","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=255"},"modified":"2024-09-16T17:33:19","modified_gmt":"2024-09-16T17:33:19","slug":"microsoft-summit-plots-end-of-kernel-access-for-edr-security-clients","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=255","title":{"rendered":"Microsoft summit plots end of kernel access for EDR security clients"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Microsoft has dropped heavy hints that change is coming to the way security products interact with the critical core of the Windows platform, its software kernel, spurred to action by <a href=\"https:\/\/www.cio.com\/article\/3476789\/crowdstrike-failure-what-you-need-to-know.html\">the IT outage<\/a> that disrupted millions of CrowdStrike customers in July.<\/p>\n<p>For security vendors, being able to load kernel (ring zero) drivers matters. If Microsoft removes that access \u2014 something Apple did for macOS in 2019 \u2014 their products will need to be heavily re-designed to implement security with lower privilege.<\/p>\n<p>What\u2019s not yet clear, however, is what form any change will take and on what timescale. Hanging over this is whether Microsoft\u2019s own Defender will be affected, or spared. 
Although not as fully featured as independent endpoint detection and response (EDR) clients, it would presumably continue to operate at kernel level.<\/p>\n<p>The issue of kernel access was top of the agenda at a special event in Redmond on September 10, the Windows Endpoint Security Ecosystem Summit, with representatives attending from Trend Micro, Sophos, ESET, Trellix, SentinelOne, Broadcom, as well as government.<\/p>\n<h2 class=\"wp-block-heading\">Kernel privilege<\/h2>\n<p>However, most apposite of all perhaps was the presence of CrowdStrike Counsel for Privacy and Cyber Policy Drew Bagley.<\/p>\n<p>The company earned its place at the event on July 19, when it gained unwanted fame globally after a faulty content update for <a href=\"https:\/\/www.csoonline.com\/article\/2589942\/blue-screen-of-death-strikes-crowd-of-crowdstrike-servers.html\">the CrowdStrike Falcon Sensor EDR caused millions of Windows computers to crash to a blue screen<\/a>.<\/p>\n<p>This wasn\u2019t like an application falling over. The software was operating with kernel access, which is why Windows itself crashed.<\/p>\n<p>CrowdStrike has since published <a href=\"https:\/\/www.crowdstrike.com\/falcon-content-update-remediation-and-guidance-hub\/\">an account<\/a> of what went wrong but the gist is that, as with other EDR platforms, a core element of the security on offer depends on such kernel mode access.<\/p>\n<p>The advantage of kernel level drivers is security and performance. A driver at kernel level loads early in the boot process (in Windows after validating the developer\u2019s private key via Driver Signature Enforcement), essential for detecting low-level malware such as rootkits which attempt to subvert the OS from within. Kernel loading also improves performance.<\/p>\n<p>However, as the CrowdStrike incident reminded everyone, the downside is resilience. Should something go wrong, there is no room to fail gracefully. 
As Microsoft <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/07\/27\/windows-security-best-practices-for-integrating-and-managing-security-tools\/?ref=thestack.technology\">put it<\/a>:<\/p>\n<p>\u201cAll code operating at kernel level requires extensive validation because it cannot fail and restart like a normal user application.\u201d<\/p>\n<p>Interestingly, one of the security vendors present, Sophos, <a href=\"https:\/\/news.sophos.com\/en-us\/2024\/09\/12\/endpoint-security-ecosystem\/\">blogged at some length<\/a> on its approach to kernel mode in the light of Microsoft\u2019s briefing. This pointed out the importance of low-level access.<\/p>\n<p>\u201cThe system access provided by kernel drivers is necessary to provide the security functions expected by users of a modern cybersecurity product,\u201d wrote VP of Engineering for Windows products, Neil Watkiss.<\/p>\n<p>This included the ability to prevent as well as simply observe possibly malicious activity while ensuring that EDR clients didn\u2019t hamper Windows performance, he said.<\/p>\n<p>The company currently uses five separate kernel level drivers as part of its EDR system, which is probably similar to other vendors. 
The CrowdStrike crash happened because of an issue in only one of its drivers, CSagent.sys.<\/p>\n<h2 class=\"wp-block-heading\">Additional security capabilities outside of kernel mode<\/h2>\n<p>After reminding attendees of the need for testing (it\u2019s not clear how this is done by some EDR vendors, a problem in itself), Microsoft\u2019s Summit got down to addressing the bigger issue.<\/p>\n<p>\u201cWindows 11\u2019s improved security posture and security defaults enable the platform to provide more security capabilities to solution providers outside of kernel mode,\u201d Microsoft\u2019s VP enterprise and OS security, David Weston, wrote in <a href=\"https:\/\/blogs.windows.com\/windowsexperience\/2024\/09\/12\/taking-steps-that-drive-resiliency-and-security-for-windows-customers\/\">a blog post about the Summit<\/a>.<\/p>\n<p>In the light of the CrowdStrike incident, he continued, \u201cour customers and ecosystem partners have called on Microsoft to provide additional security capabilities outside of kernel mode.\u201d<\/p>\n<p>The Summit had discussed how this could be done while bearing in mind the need to run EDR clients without sacrificing performance, security or anti-tampering, said Weston.<\/p>\n<p>\u201cAs a next step, Microsoft will continue to design and develop this new platform capability with input and collaboration from ecosystem partners to achieve the goal of enhanced reliability without sacrificing security,\u201d he added.<\/p>\n<p>In short, Windows 11 offers plenty of ways for security and performance to be maintained without the risks associated with kernel mode.<\/p>\n<h2 class=\"wp-block-heading\">Vendor omerta<\/h2>\n<p>CSO Online reached out to several vendors for their views, but none seemed keen to comment, unusually so, in fact. 
If any are privately critical of the downsides of losing kernel access, they aren\u2019t willing to be public about it.<\/p>\n<p>In fact, the only public negative feedback Microsoft\u2019s plans have attracted is from Cloudflare CEO, Matthew Prince, who <a href=\"https:\/\/x.com\/eastdakota\/status\/1827004459400196237\">tweeted in August<\/a> in response to news of the planned Summit:<\/p>\n<p>\u201cRegulators need to be paying attention. A world where only Microsoft can provide effective endpoint security is not a more secure world.\u201d<\/p>\n<p>Then again, Cloudflare doesn\u2019t offer EDR software, so it has nothing to lose in speaking out.<\/p>\n<p>Microsoft has been here before. In 2006, the company tested <a href=\"https:\/\/www.computerworld.com\/article\/1642872\/q-a-microsoft-exec-defends-company-in-vista-kernel-dispute.html\">limiting kernel access<\/a> to security clients, only to backtrack after some security vendors complained. But 2006 was a very different era for security. Meanwhile, CrowdStrike itself seems <a href=\"https:\/\/www.csoonline.com\/article\/3483641\/crowdstrike-backs-microsofts-demand-for-reducing-kernel-level-access.html\">happy to work with Microsoft<\/a> in this direction.<\/p>\n<p>Such is the delicate balancing act all parties now face: give the economically significant EDR sector enough hooks into Windows to continue doing its job, while somehow reforming the Windows security architecture to avoid even the theoretical possibility of another global IT debacle caused by a single update.<\/p>\n<p>As Watkiss of Sophos wrote: \u201cChange isn\u2019t easy. 
As both recent cybersecurity events and ongoing software trends have made clear, it is also not optional.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Microsoft has dropped heavy hints that change is coming to the way security products interact with the critical core of the Windows platform, its software kernel, spurred to action by the IT outage that disrupted millions of CrowdStrike customers in July. For security vendors, being able to load kernel (ring zero) drivers matters. If Microsoft [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":256,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-255","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/255"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=255"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/255\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/256"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=255"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=255"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=255"}],"curies":[{
"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}