Microsoft, Security Vendors Talk Windows Kernel Improvements Post-CrowdStrike

Microsoft recently met with executives from some of its biggest security partners, including beleaguered CrowdStrike, to discuss ways to protect their mutual customers from another crippling outage.

"Together with our Microsoft Virus Initiative (MVI) partners -- companies who develop endpoint protection and additional security products for Windows, covering client, server and IoT -- we discussed the complexities of the modern security landscape, acknowledging there are no simple solutions," Microsoft said in a blog post summarizing the discussions.

The meeting was a direct response to this summer's CrowdStrike outage, which took down millions of Windows systems worldwide. Microsoft said the incident "underscored the responsibility security vendors have to drive both resiliency and agile, adaptive protection."

Besides CrowdStrike, represented companies included Trend Micro, ESET, Sophos, Broadcom, Trellix and SentinelOne.

Microsoft emphasized that the meeting was not focused on decision-making, though attendees appeared to reach a provisional agreement to explore ways to improve Windows 11 security outside the kernel. Microsoft has long touted Windows 11's security protections in kernel mode, but the CrowdStrike incident has exposed the need for "a new platform which can meet the needs of security vendors," Microsoft said.

Such a platform will need to address the following factors:

  • Performance needs and challenges outside of kernel mode
  • Anti-tampering protection for security products
  • Security sensor requirements
  • Development and collaboration principles between Microsoft and the ecosystem
  • Secure-by-design goals for the future platform

Microsoft said it intends to develop a platform with these capabilities, though it did not give further specifics.

The meeting attendees also discussed best practices for deploying Windows updates en masse, "from deciding how to do measured rollouts with a diverse set of endpoints to being able to pause or rollback if needed." Pointedly, Microsoft noted that gradual update rollouts are a longstanding best practice.
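The measured-rollout practice mentioned above can be expressed as a simple policy: update rings of mixed endpoint types one at a time, watch post-update health, and pause and roll back as soon as a ring exceeds a failure threshold. The following is an added illustration written for this article, not code from Microsoft or any of the vendors named; the endpoint names, profiles and health results are constructed sample data, and the 5% failure threshold is an assumed policy value.

```python
"""Ring-based update rollout with a health gate, pause and rollback.

Added example for this article, not Microsoft's or any vendor's code.
Endpoint names, profiles and post-update health results are constructed
sample data; the 5% failure threshold is an assumed policy value.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Endpoint:
    name: str
    profile: str                 # "client", "server" or "iot"
    healthy_after_update: bool   # constructed telemetry: did the update succeed?


@dataclass
class RolloutResult:
    status: str                                # "completed" or "paused"
    updated: List[str] = field(default_factory=list)
    rolled_back: List[str] = field(default_factory=list)
    failing_ring: Optional[int] = None


def check_ring_diversity(ring: List[Endpoint]) -> None:
    """Refuse rings made of a single endpoint profile: a defect that only
    affects, say, servers should surface in an early ring, not after every
    client has already been updated."""
    profiles = {e.profile for e in ring}
    if len(profiles) < 2:
        raise ValueError(f"ring must span more than one profile, got {profiles}")


def ring_failure_rate(ring: List[Endpoint]) -> float:
    """Fraction of endpoints in the ring that did not come back healthy."""
    failed = sum(1 for e in ring if not e.healthy_after_update)
    return failed / len(ring)


def staged_rollout(rings: List[List[Endpoint]],
                   max_failure_rate: float = 0.05) -> RolloutResult:
    """Update one ring at a time; pause the rollout and roll back the
    current ring as soon as its failure rate exceeds the threshold."""
    result = RolloutResult(status="completed")
    for idx, ring in enumerate(rings):
        check_ring_diversity(ring)
        # In production this would be health telemetry collected after the
        # ring updates; here it comes from the constructed sample data.
        rate = ring_failure_rate(ring)
        if rate > max_failure_rate:
            result.status = "paused"
            result.failing_ring = idx
            result.rolled_back = [e.name for e in ring]
            break
        result.updated.extend(e.name for e in ring)
    return result


def sample_rings() -> List[List[Endpoint]]:
    """Constructed data: a small canary ring, a second ring with one
    failing server, and a broad ring that is never reached."""
    canary = [Endpoint("lab-client-01", "client", True),
              Endpoint("lab-server-01", "server", True),
              Endpoint("lab-iot-01", "iot", True)]
    ring1 = [Endpoint(f"client-{i:02d}", "client", True) for i in range(6)]
    ring1 += [Endpoint(f"server-{i:02d}", "server", i != 0)  # server-00 fails
              for i in range(4)]
    broad = [Endpoint(f"fleet-{i:03d}", "client" if i % 2 else "server", True)
             for i in range(50)]
    return [canary, ring1, broad]


if __name__ == "__main__":
    r = staged_rollout(sample_rings())
    print(r.status, "at ring", r.failing_ring)
    print("updated:", r.updated)
    print("rolled back:", r.rolled_back)
```

With the sample data the canary ring passes, the second ring fails at a 10% rate, so the rollout pauses there, rolls back those ten endpoints and never touches the broad ring. The diversity check is the part that turns "a diverse set of endpoints" into an enforced rule rather than a hope.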

Microsoft foresees these discussions resulting in more information-sharing between security vendors, improved component and compatibility testing, and more effective vendor coordination in recovery situations.

Collaboration is essential, the meeting attendees concluded.

"We're competitors, we're not adversaries," said Microsoft. "The adversaries are the ones we need to protect the world from."

End users can help themselves, too, Microsoft pointed out. For instance, businesses should develop plans for business continuity and incident response, as well as schedule frequent backups.

About the Author

Gladys Rama (@GladysRama3) is the editorial director of Converge360.
