CrowdStrike Post-Incident: Microsoft Redesigns EDR Vendor Access to Windows Kernel

In the wake of a major global IT outage caused by a faulty CrowdStrike software update, Microsoft has announced plans to overhaul how anti-malware and endpoint detection and response (EDR) products interact with the Windows kernel. The move aims to prevent future disruptions and improve software reliability for Windows users. The July 2024 incident, which crippled millions of Windows systems worldwide and led to losses estimated in the billions of dollars, highlighted the risks of kernel-mode operations and of untested updates in highly interconnected IT environments.

Moving Security Vendors “Outside of Windows Kernel Mode” 

While specific technical details of the upcoming changes are not yet available, Microsoft has said the redesign will be part of a broader initiative to improve the security and stability of its platform. The company plans to introduce "new platform capabilities" into Windows 11 that let security vendors run their software "outside of kernel mode." The aim is to improve the reliability of the operating system by reducing the chance that a fault in a third-party security tool takes down the core of Windows along with it. The distinction matters because a fault in kernel-mode code triggers a bug check (the familiar blue screen) that halts the whole machine, whereas a crashing user-mode service can be restarted or isolated while the operating system keeps running.

David Weston, Vice President of Enterprise and OS Security at Microsoft, described the changes as a significant step toward building resilience in the Windows ecosystem. Following a one-day summit in Redmond, Washington, where Microsoft met with EDR vendors, Weston outlined the company's long-term vision for achieving both security and performance goals:

"We examined new platform capabilities that Microsoft intends to introduce in Windows, building on the security advancements we've already implemented in Windows 11. The enhanced security posture and defaults in Windows 11 will allow the platform to offer more robust security features to solution providers, now operating outside of kernel mode," Weston stated.

CrowdStrike Incident Spurs Urgency 

The redesign effort stems from the need to avoid a repeat of the CrowdStrike outage, in which a faulty content update caused CrowdStrike's kernel-mode sensor driver to crash. Because the driver runs in the kernel, the crash took the entire system down and left many machines in a boot loop, producing a global IT outage. The incident affected a broad range of organizations and highlighted the risk of giving third-party software deep access to kernel mode, the most privileged level of execution in Windows: a bug in such code is effectively a bug in the operating system itself.

Weston pointed to the CrowdStrike incident as a wake-up call for the EDR industry, stressing the importance of adopting Safe Deployment Practices (SDP) when rolling out software updates. SDP calls for a measured, cautious approach to deployments: updates are tested across a variety of system configurations before release and are then rolled out gradually rather than pushed to every endpoint at once.

"A core SDP principle covers the gradual and staged deployment of updates sent to customers," Weston explained. He added that this includes "measured rollouts with a diverse set of endpoints" as well as the ability to pause or roll back updates when necessary to prevent widespread system issues.
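The SDP principles above (staged rings, a canary population that covers every configuration in the fleet, and a health gate that pauses and rolls back instead of continuing) can be made concrete. The following is an added example written for this article; it is not Microsoft's, CrowdStrike's or any vendor's code. The fleet composition, the ring fractions, the 1% failure gate and the "new version crashes only on one OS build" health probe are all constructed assumptions for the demonstration. It contrasts a staged rollout with a big-bang push of the same bad update.

```python
"""Ring-based staged rollout with health gating and rollback (added example).

Illustrates the SDP principles in the text: staged deployment, measured
rollouts across a diverse set of endpoints, and pausing/rolling back on a
bad signal. Fleet, ring sizes, threshold and failing build are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Callable


@dataclass
class Endpoint:
    host: str
    os_build: str          # e.g. a Windows build number; one diversity dimension
    role: str              # "workstation" or "server"; another dimension
    version: str = "1.0"   # sensor content version currently installed


@dataclass
class RolloutResult:
    status: str                  # "completed" or "rolled_back"
    rings_completed: int         # rings that passed the health gate
    crashed_hosts: list[str]     # hosts that failed the probe after update
    rolled_back_hosts: list[str] # hosts reverted to their previous version


def stratified_order(fleet: list[Endpoint]) -> list[Endpoint]:
    """Interleave hosts round-robin across (os_build, role) buckets so that any
    prefix of the list, and therefore the small canary ring, covers every
    configuration present in the fleet ("a diverse set of endpoints")."""
    buckets: dict[tuple[str, str], list[Endpoint]] = defaultdict(list)
    for ep in fleet:
        buckets[(ep.os_build, ep.role)].append(ep)
    queues = list(buckets.values())
    ordered: list[Endpoint] = []
    while any(queues):
        for q in queues:
            if q:
                ordered.append(q.pop(0))
    return ordered


def plan_rings(fleet: list[Endpoint], fractions: tuple[float, ...]) -> list[list[Endpoint]]:
    """Split the fleet into consecutive rings; fractions are cumulative shares
    of the fleet, e.g. (0.05, 0.25, 1.0) = 5% canary, then 25%, then everyone."""
    ordered = stratified_order(fleet)
    rings, start = [], 0
    for frac in fractions:
        end = min(len(ordered), max(start + 1, round(len(ordered) * frac)))
        rings.append(ordered[start:end])
        start = end
    return rings


def run_rollout(fleet: list[Endpoint], new_version: str,
                healthy: Callable[[Endpoint], bool],
                fractions: tuple[float, ...] = (0.05, 0.25, 1.0),
                max_failure_rate: float = 0.01) -> RolloutResult:
    """Deploy ring by ring. After each ring, measure that ring's failure rate;
    if it exceeds the gate, stop (pause) and revert every host updated so far
    instead of proceeding to the next, larger ring."""
    crashed: list[str] = []
    updated: list[tuple[Endpoint, str]] = []   # (endpoint, previous version)
    for ring_no, ring in enumerate(plan_rings(fleet, fractions)):
        ring_crashes = []
        for ep in ring:
            updated.append((ep, ep.version))
            ep.version = new_version           # deploy to this endpoint
            if not healthy(ep):                # post-update telemetry
                ring_crashes.append(ep.host)
        crashed.extend(ring_crashes)
        if len(ring_crashes) / len(ring) > max_failure_rate:
            for ep, previous in updated:       # gate tripped: roll back
                ep.version = previous
            return RolloutResult("rolled_back", ring_no, crashed,
                                 [ep.host for ep, _ in updated])
    return RolloutResult("completed", len(fractions), crashed, [])


# Constructed fleet: 120 hosts spread evenly over 3 builds x 2 roles.
BUILDS = ("22631", "19045", "26100")
ROLES = ("workstation", "server")


def build_fleet(n: int = 120) -> list[Endpoint]:
    return [Endpoint(f"host{i:03d}", BUILDS[i % 3], ROLES[(i // 3) % 2]) for i in range(n)]


def crashes_on_build(bad_build: str) -> Callable[[Endpoint], bool]:
    """Constructed health probe: the update is fine everywhere except one build."""
    return lambda ep: ep.os_build != bad_build


if __name__ == "__main__":
    probe = crashes_on_build("19045")
    staged = run_rollout(build_fleet(), "2.0", probe)
    big_bang = run_rollout(build_fleet(), "2.0", probe, fractions=(1.0,))
    print(f"staged:   {staged.status}, {len(staged.crashed_hosts)} of 120 hosts crashed")
    print(f"big bang: {big_bang.status}, {len(big_bang.crashed_hosts)} of 120 hosts crashed")
```

Because the canary ring is stratified, it contains a host on the bad build even though it is only 5% of the fleet, so the fault is caught after two crashes and six reverted hosts; the same update pushed to everyone at once crashes 40 hosts before anything can react. In a real pipeline the probe would be fed by crash and heartbeat telemetry, and the gate would also consider time-in-ring, not only the raw failure count.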

Enhancing EDR Vendor Collaboration 

The summit in Redmond also gave Microsoft and its EDR partners a forum to discuss the performance needs and challenges of operating outside of Windows kernel mode. Key issues included anti-tampering protection for security products (a sensor that runs as an ordinary process must still be hard for malware to stop or blind), the requirements of security sensors in terms of visibility into the system, and designing future platforms on security-first principles.

Weston noted that the discussions focused on ways Microsoft and its partners could improve testing of essential components, strengthen compatibility assessments across various configurations, share information more effectively on both in-development and current product health, and make incident response more efficient through closer collaboration and more streamlined recovery processes.

By fostering greater collaboration between Microsoft and security vendors, the company aims to improve the ecosystem's overall resilience to future incidents. Moving security products out of kernel mode addresses the reliability problem but also creates new challenges, chiefly balancing the performance and visibility that sensors need against the protection that user mode can offer them.

Looking Ahead: Secure-by-Design Platforms 

As part of its redesign efforts, Microsoft is pushing for more stringent security practices and better coordination across the industry. At the core of these initiatives is the goal of building platforms that are secure by design, meaning that security features and considerations are integrated at every stage of the development process.

The planned changes in Windows 11 align with Microsoft's broader focus on creating a more secure and robust operating system that can withstand the increasingly complex cyber threats facing organizations today. Weston and his team are working to ensure that the next generation of Windows platforms will not only deliver better security capabilities but also minimize the risk of software-induced outages like the one caused by CrowdStrike.

While the timeline for implementing these changes remains unclear, Microsoft's steps toward redesigning its kernel access architecture signal a commitment to safeguarding its user base. By bringing EDR vendors together and emphasizing collaboration, Microsoft hopes to create a more secure, stable, and resilient Windows ecosystem that can adapt to the evolving landscape of cybersecurity threats.

How Technijian Can Help 

Technijian, a leading managed IT services provider, is well-positioned to help businesses navigate the complexities of cybersecurity in the wake of the CrowdStrike incident and Microsoft's redesign of EDR kernel access. Here's how Technijian can assist your organization:

1. Proactive Security Assessments
Technijian can evaluate your current security infrastructure to identify vulnerabilities and ensure that your systems are well protected against the kind of issue that caused the CrowdStrike incident. This proactive approach helps prevent future disruptions and improves overall resilience.

2. Managed Endpoint Security Solutions
With Microsoft shifting security vendors outside of kernel mode, reliable endpoint security is essential. Technijian provides comprehensive endpoint protection services that align with Microsoft's new security model, ensuring compatibility and stability.

3. Safe Deployment Practices
Technijian follows industry best practices, including Safe Deployment Practices (SDP), to ensure all software updates are thoroughly tested and deployed in a controlled, staged manner. This reduces the risk of faulty updates causing system outages or conflicts with other applications.

4. Advanced Incident Response and Recovery
In the event of a security breach or software failure, Technijian's expert team can respond quickly to mitigate the damage, restore affected systems, and implement long-term solutions. With tighter coordination between Technijian and security vendors, your business benefits from faster recovery times and more effective incident response.

5. Continuous Monitoring and Support
To ensure your business remains secure, Technijian offers 24/7 monitoring and support, so potential issues are detected early and resolved before they escalate into major problems like those seen in the CrowdStrike incident.

6. Tailored Cybersecurity Strategies
Technijian works closely with each client to develop customized cybersecurity strategies. Whether you need to comply with industry regulations or enhance your security posture in line with Microsoft's new platform capabilities, Technijian can tailor a solution to meet your specific needs.

In a rapidly evolving threat landscape, Technijian's expertise and proactive approach to cybersecurity will help ensure your business remains secure, resilient, and prepared for whatever comes next.

FAQs

1. What caused the global IT outage in July 2024?
The outage was triggered by a faulty update from CrowdStrike, a leading cybersecurity company. The update crashed CrowdStrike's kernel-mode sensor driver, and because that driver runs inside the Windows kernel, the crash took affected systems down with it. This led to widespread system failures and losses estimated in the billions of dollars.

2. What is Microsoft doing to prevent similar incidents in the future?
Microsoft is redesigning how security vendors, such as EDR and anti-malware providers, interact with the Windows kernel. The new design will shift security operations outside of kernel mode to improve reliability and security.

3. What does "operating outside of kernel mode" mean?
Operating outside of kernel mode means that security products would no longer need to run their own code in the most privileged part of the Windows operating system. Instead, they would run in a less sensitive environment, where a fault in the product does not bring down the whole machine, reducing the risk of conflicts and system failures.

4. How will Microsoft's EDR redesign benefit businesses and users?
By shifting security vendors out of kernel mode, Microsoft aims to enhance the stability of Windows systems, minimize the risk of system crashes due to faulty updates, and improve overall security performance.

5. What are Safe Deployment Practices (SDP)?
Safe Deployment Practices are a set of guidelines that ensure software updates are rolled out gradually and cautiously. This includes staged deployments, rollback capabilities, and rigorous testing across diverse system configurations to prevent widespread issues.

6. How does Microsoft plan to collaborate with EDR vendors on this redesign?
Microsoft is working with EDR vendors to improve testing, compatibility, and information sharing. Together, they aim to develop more robust security systems that do not rely on kernel access, improving response and recovery processes for future incidents.

About

Technijian is a premier provider of managed IT services in Orange County, delivering top-tier IT solutions designed to empower businesses to thrive in today’s fast-paced digital landscape. With a focus on reliability, security, and efficiency, we specialize in offering IT services that are tailored to meet the unique needs of businesses across Orange County and beyond.

Located in the heart of Irvine, Technijian has earned a reputation as a trusted partner for businesses seeking robust IT support in Irvine, Anaheim, Riverside, San Bernardino, and across Orange County. Our dedicated team of IT experts ensures that your technology infrastructure is always optimized, secure, and aligned with your business goals. Whether you require managed IT services in Irvine, IT consulting, or cloud services in Orange County, we’ve got you covered.

As a leader in IT support in Orange County, we understand the challenges businesses face when maintaining and advancing their IT environments. That’s why our comprehensive suite of services includes IT infrastructure management, IT support in Anaheim, IT help desk, and IT outsourcing services. With proactive monitoring, disaster recovery, and strategic consulting, our goal is to minimize downtime, enhance productivity, and provide IT security services that give you peace of mind.

At Technijian, we take pride in offering customized managed IT solutions that exceed client expectations. From small businesses to large enterprises, our IT services in Irvine are designed to scale with your needs and support your growth. We specialize in cloud services, IT systems management, business IT support, technology support services, IT network management, and enterprise IT support. Whether you’re looking for IT support in Riverside, IT solutions in San Diego, or managed IT services in Anaheim, Technijian has the expertise to meet your requirements.

Whether you need help with IT performance optimization, IT service management, or IT security solutions, we provide comprehensive services that enable businesses to remain agile in today’s competitive market. Our IT solutions provider services ensure your operations remain secure, productive, and future-ready.

Experience the difference with Technijian—your trusted partner for IT consulting services, managed IT services, and IT support in Orange County. Let us guide you through the complexities of modern IT infrastructure and help you achieve your business objectives with confidence.  

Ravi Jain, Author

Technijian was founded in November of 2000 by Ravi Jain with the goal of providing technology support for small to midsize companies. As the company grew in size, it also expanded its services to address the growing needs of its loyal client base. From its humble beginnings as a one-man-IT-shop, Technijian now employs teams of support staff and engineers in domestic and international offices. Technijian’s US-based office provides the primary line of communication for customers, ensuring each customer enjoys the personalized service for which Technijian has become known.
