Security News > 2024 > July > Post-CrowdStrike, Microsoft to discourage use of kernel drivers by security tools
Redmond shared a technical incident response write-up on Saturday - titled "Windows Security best practices for integrating and managing security tools" - in which veep for enterprise and OS security David Weston explained how Microsoft measured the impact of the disaster: By accessing crash reports shared by customers.
Weston's post justifies how Windows performed, on the grounds that kernel-level drivers - like those employed by CrowdStrike - can improve performance and prevent tampering with security software.
"Since kernel drivers run at the most trusted level of Windows, where containment and recovery capabilities are by nature constrained, security vendors must carefully balance needs like visibility and tamper resistance with the risk of operating within kernel mode," as Weston put it.
Security vendors can use minimal sensors that run in kernel mode for data collection and enforcement, limiting exposure to availability issues," he explained.
The Microsoft veep listed the many security-related enhancements Microsoft has made over the years, and revealed the software megalith now plans "To work with the anti-malware ecosystem to take advantage of these integrated features to modernize their approach, helping to support and even increase security along with reliability."
Providing safe rollout guidance, best practices, and technologies to make it safer to perform updates to security products; Reducing the need for kernel drivers to access important security data; Providing enhanced isolation and anti-tampering capabilities with technologies like recently announced VBS enclaves; Enabling zero trust approaches like high integrity attestation which provides a method to determine the security state of the machine based on the health of Windows native security features.
News URL
https://go.theregister.com/feed/www.theregister.com/2024/07/29/microsoft_crowdstrike_kernel_mode/
Related news
- Week in review: Microsoft fixes two exploited zero-days, SOC teams are losing trust in security tools (source)
- Microsoft Is Disabling Default ActiveX Controls in Office 2024 to Improve Security (source)
- Microsoft fixes 4 exploited zero-days and a code defect that nixed earlier security fixes (source)
- 1 in 10 orgs dumping their security vendors after CrowdStrike outage (source)
- Microsoft overhauls security for publishing Edge extensions (source)
- SOC teams are frustrated with their security tools (source)
- Microsoft Issues Security Update Fixing 118 Flaws, Two Actively Exploited in the Wild (source)
- Microsoft warns it lost some customer's security logs for a month (source)
- Microsoft lost some customers’ cloud security logs (source)
- Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel (source)