Following the July 2024 Crowdstrike incident, in which millions of Windows machines crashed because of a broken software update for the company’s endpoint protection software, its senior VP for counter adversary operations, Adam Meyers, appeared at a cybersecurity subcommittee hearing in the US House of Representatives to say the company was “deeply sorry”.
Meyers was left to testify in the absence of CEO George Kurtz who, per The Register, declined to appear. Explaining the issue to lawmakers, Meyers said the company releases 10 to 12 content updates per day, of the same kind as the one that caused the incident, and that a “perfect storm of issues”, described in his written testimony (PDF), conspired to put much of the world’s IT systems into meltdown and required a manual fix on each affected machine.
He said these content updates are now subject to increased scrutiny to ensure quality control. Lawmakers, however, remain unconvinced that kernel-level access to Windows, the access that turned a faulty update into a system-wide crash rather than the failure of a single process, is necessary at all. Meyers countered that he sees visibility into all aspects of the operating system as vital for Crowdstrike’s software to function.
Kernel-level access in endpoint security
“You can provide enforcement, in other words, threat prevention, and ensure anti-tampering,” said Meyers, stressing that kernel-level tampering was exactly the cause of the ransomware attacks on MGM Resorts International’s computer systems, which are linked to its casinos and hotels.
Despite the fact that these attacks still took place (though it is unclear exactly what cybersecurity measures MGM Resorts had in place), Meyers continued to advocate for kernel-level access by claiming that the group of threat actors responsible, Scattered Spider, are “using new techniques to elevate their privilege in order to disable security tools on a regular basis.”
“In order to stop that from happening,” he said, “we will continue to leverage the architecture of the operating system.”
So, ultimately, nothing has changed. Security experts at other cybersecurity software companies argue that the issue is not kernel-level access itself but how it is managed, with The Register noting that Trellix pushes kernel-level updates just once a quarter. The distinction matters: the July crash was triggered not by a new driver but by a content update consumed by the existing kernel-mode sensor, so the cadence and testing of content that is parsed in kernel mode counts as much as the cadence of driver releases.
Given the extent of the damage to vital infrastructure, including cancelled Delta flights affecting half a million people, it is perhaps unsurprising that Microsoft is looking to provide additional security capabilities outside of kernel mode in the future.