The consequences of the massive CrowdStrike failure for Windows are slowly coming into focus. Microsoft recently held a security summit with some of the large security software vendors, and the company is making several rather vague promises about what it’s going to do to make sure an incident like CrowdStrike never happens again. A key part of these promises is the realisation that security software really shouldn’t be running in the kernel, and to make that possible, MIcrosoft will need to add several security features in userspace.
Both our customers and ecosystem partners have called on Microsoft to provide additional security capabilities outside of kernel mode which, along with SDP, can be used to create highly available security solutions. At the summit, Microsoft and partners discussed the requirements and key challenges in creating a new platform which can meet the needs of security vendors.
↫ David Weston at the Windows Blogs
This is easier said than done, as moving things from kernel to userspace tends to incur a performance penalty, as well as making it harder to detect software with bad intentions early enough. Microsoft is going to have do some serious reworking of both the kernel and userspace when it comes to security before it’ll be able to completely close up the kernel and make it impossible for security software to mess around in kernelspace. Microsoft doesn’t offer any concrete steps or measures quite yet, so we’ll have to wait and see just how far they’re willing to go.
There’s really not much else to say at this point – empty platitudes, vague promises, and tons of marketing speak don’t secure an operating system, after all.