news-14092024-064909

Microsoft recently hosted a summit to address the importance of reducing kernel-mode dependencies and implementing safe deployment practices to enhance the security of endpoint systems for Windows users. By collaborating with government officials and leaders from various endpoint security vendors, including CrowdStrike, SentinelOne, Broadcom, and Sophos, Microsoft aimed to tackle common challenges in securing the Windows ecosystem. The meeting followed a recent incident where a faulty CrowdStrike update disrupted millions of Windows machines, resulting in significant financial losses.

David Weston, Microsoft’s vice president of enterprise and OS security, emphasized the need to shift security capabilities away from kernel mode to reduce the risks that come with deep system access. Improvements in Windows 11 focus on providing better protection without relying heavily on kernel-mode operations, which could otherwise expose vulnerabilities. Third-party security vendors such as Sophos have also stressed the importance of minimizing kernel-level dependencies by using built-in APIs for security operations such as file access control, registry access, network interception, and process behavior monitoring.

Sophos, for example, currently relies on five kernel drivers on Windows to maintain security and system performance, enabling critical functions like anti-malware protection, process journaling, tamper-proofing, and network security. While these kernel drivers are essential for ensuring system security, Sophos recognizes the need to reduce the reliance on kernel drivers and promote interoperability with the Windows platform.

In addition to addressing kernel-mode security, the summit also discussed the importance of gradually rolling out software updates to minimize disruptions and ensure system resiliency. Microsoft and other endpoint security vendors shared best practices for safely deploying updates and managing potential rollbacks in case of issues. Creating a common framework for security vendors to follow will improve customer safety and enhance system resilience across the Windows ecosystem.

CrowdStrike’s recent software update outage highlighted the significance of implementing safe deployment practices, as pushing out updates to all customers simultaneously can lead to widespread disruptions. By adopting gradual and staged deployment processes, companies can mitigate risks and prevent large-scale outages. CrowdStrike has already taken steps to improve its internal testing practices and update rollout procedures to prevent similar incidents in the future.
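As an added illustration of the staged deployment practice described above (my own sketch, not code from Microsoft or any vendor named here), the following is a ring-based promotion gate that only advances an update to the next ring when the previous ring's telemetry is healthy, holds when there is too little data, and calls for a rollback when the failure budget is breached. The ring sizes, failure budget and minimum sample size are assumed values.

```python
from dataclasses import dataclass

# Assumed rollout rings, in promotion order: name and fraction of the fleet.
RINGS = [("canary", 0.01), ("early", 0.10), ("broad", 0.50), ("all", 1.00)]


@dataclass
class RingHealth:
    """Telemetry for one ring: hosts that received the update and hosts
    that reported a failure (crash, boot loop, agent not checking in)."""
    deployed: int
    failed: int

    def failure_rate(self) -> float:
        # An empty ring has no evidence either way, so treat it as 0.0.
        return self.failed / self.deployed if self.deployed else 0.0


def next_action(fleet_size, reports, max_failure_rate=0.005, min_sample=20):
    """Decide the next rollout step from per-ring health reports.

    Returns (action, ring, hosts):
      "deploy"   - push the update to `ring`; hosts = ring size
      "hold"     - wait for more telemetry from `ring`; hosts = seen so far
      "rollback" - `ring` breached the failure budget; hosts = to revert
      "complete" - every ring is deployed and healthy
    """
    for name, fraction in RINGS:
        ring_size = max(1, round(fleet_size * fraction))
        report = reports.get(name)
        if report is None:
            # Earlier rings all passed, so this ring is next.
            return ("deploy", name, ring_size)
        # Check the budget before the sample size: a breach on even a few
        # hosts is treated as a signal to stop, never as noise to wait out.
        if report.failure_rate() > max_failure_rate:
            return ("rollback", name, report.deployed)
        if report.deployed < min(min_sample, ring_size):
            return ("hold", name, report.deployed)
    return ("complete", RINGS[-1][0], fleet_size)


if __name__ == "__main__":
    # Constructed telemetry: canary is clean, early ring is still filling.
    reports = {"canary": RingHealth(100, 0), "early": RingHealth(10, 0)}
    print(next_action(10_000, reports))   # ('hold', 'early', 10)
```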

Overall, the summit emphasized the importance of collaboration among security vendors to enhance resiliency, promote information sharing, and coordinate recovery efforts in response to cybersecurity incidents. By working together to standardize processes and improve incident response capabilities, Microsoft and its security ecosystem partners aim to provide customers with a safer and more secure computing environment.