Following the July 2024 CrowdStrike incident, in which millions of Windows machines were bricked by a faulty software update for its endpoint protection software, the company’s senior vice president of adversary operations, Adam Meyers, appeared at a cybersecurity subcommittee hearing in the U.S. House of Representatives to say the company was “deeply remorseful.”
Meyers testified in the absence of CEO George Kurtz, who, according to The Register, declined to testify. Explaining the problem to lawmakers, Meyers said the company was issuing 10 to 12 content updates per day, like the one that caused the incident, and that a “perfect storm of problems,” described in his written testimony (PDF), conspired to crash a large portion of the world’s computer systems, requiring a manual fix.
He said these content updates are now under increased scrutiny to ensure quality control. Lawmakers remain unconvinced that access to the Windows kernel (which allowed the incident to occur) is necessary, but Meyers explained that he sees visibility into all aspects of the operating system as vital for CrowdStrike’s software to work.
Kernel Level Access in Endpoint Security
“It can provide compliance, in other words, threat prevention, and ensure anti-tampering,” Meyers said, emphasizing that kernel-level tampering was exactly the cause of the ransomware attacks on MGM Resorts International’s computer systems linked to its casinos and hotels.
Despite the fact that these attacks still took place (although it's unclear exactly what cybersecurity measures MGM Resorts had in place), Meyers continued to advocate for kernel-level access by stating that the threat actor group responsible, Scattered Spider, are “using new techniques to elevate their privileges in order to disable security tools on a regular basis.”
“To prevent that from happening,” he said, “we will continue to leverage the architecture of the operating system.”
So, ultimately, nothing has changed, but security experts at other cybersecurity software companies argue that the problem is not kernel-level access but how it is managed, with The Register noting that Trellix sends kernel-level updates only once per quarter.
Given the scale of the damage to vital systems infrastructure, including the cancelled Delta flights that affected half a million people, it is perhaps not surprising that Microsoft is looking to provide additional security capabilities outside of kernel mode in the future.