Following the July 2024 CrowdStrike incident, in which a faulty software update to its endpoint protection software crashed millions of Windows machines, the company’s senior VP of counter-adversary operations, Adam Meyers, appeared at a U.S. House of Representatives cybersecurity subcommittee hearing to say the company “deeply apologized.”
Meyers was called to testify in the absence of CEO George Kurtz, who, according to The Register, refused to testify. Meyers explained the issue to lawmakers, saying the company was releasing 10 to 12 content updates a day, like the one that caused the major incident, and that, as described in his written testimony (PDF), a “perfect storm of problems” caused a large portion of IT systems worldwide to melt down, requiring manual repairs.
He claimed that these content updates are now more tightly controlled to ensure quality, but lawmakers remain unconvinced that access to Windows at the kernel level – which is what allowed the incident to occur – is necessary. Meyers, however, explained that he considers insight into all aspects of the operating system to be essential to CrowdStrike’s functioning.
Kernel-Level Access in Endpoint Security
“You can provide enforcement, in other words, threat prevention, and ensure anti-tampering,” said Meyers, who emphasized that kernel-level manipulation was precisely what gave rise to the ransomware attacks on MGM Resorts International’s computer systems connected to its casinos and hotels.
Even though those attacks still took place (although it is unclear exactly what cybersecurity measures MGM Resorts had in place), Meyers continued to argue for kernel-level access. He claimed that the cybercriminal group responsible, Scattered Spider, “is using novel techniques to escalate their privileges to regularly disable security tools.”
“To prevent that,” he said, “we will continue to leverage the operating system architecture.”
So in the end, nothing has changed, but security experts at other companies that provide cybersecurity software argue that it is not the kernel-level access itself that is the problem, but the way it is managed, with The Register noting that Trellix only releases kernel-level updates once per quarter.
Given the scale of the damage to critical infrastructure systems, including canceled Delta flights affecting half a million people, it is perhaps not surprising that Microsoft would want to provide additional security features outside of kernel mode in the future.