Microsoft Talks Kernel Drivers Post CrowdStrike Outage

UPDATED

Microsoft has released more details around its assessment of the CrowdStrike Falcon outage nearly two weeks ago, noting that one takeaway is the need to reduce infosec vendors' reliance on the kernel drivers.

In a blog post published over the weekend, David Weston, vice president of enterprise and OS security at Microsoft, detailed that the company measured the impact of the incident through accessing crash reports that were voluntarily shared by customers. 

As not every customer opts to share crash reports, those are just "a subset of the number of impacted devices previously shared by Microsoft," Weston wrote. 

But the consensus that emerged was that while kernel drivers such as those employed by CrowdStrike can actually improve performance and prevent software tampering, those advantages must be rationalized against potential risk posed by their innate privileges.

"Since kernel drivers run at the most trusted level of Windows, where containment and recovery capabilities are by nature constrained, security vendors must carefully balance needs like visibility and tamper resistance with the risk of operating within kernel mode," Weston wrote.

He said he believes that if security vendors can strike the right balance, organizations can minimize kernel usage while also maintaining a strong security position.

This story was updated at 9:15 a.m. ET on July 30, 2024 to correct inaccurate reporting that Microsoft revised the original 8.5 million device estimate for how many machines were affected by the CrowdStrike outage.