
Security Dependencies

(Image: Toy Story meme of Woody telling Buzz there are dependencies everywhere)

It sucks that this happened. It sucks that there are wildfires too, but we’re too late to change the causes, so we live and sometimes die with the results. As with smoky skies and the occasional torching of a community, so with annoying security products and the occasional loss of an organization’s data. Well, we could always unravel several decades’ worth of brittle interdependence by ignoring well understood short term goals in favor of poorly understood long term goals… that might be neat to see, but I’m not holding my breath.

Information systems security is a perpetual (or at least very long-lived) bubble market, powered by regulatory requirements. For what it’s worth, I have worked in this industry and know people at these companies, but I am not using any non-public knowledge. Crowdstrike has cracked this market very well for EDR (endpoint detection and response) and by extension a lot of SIEM (security incident and event management). To explain that extension: most of your interesting stuff for SIEM comes from EDR, and munging them together is a useful move. Integration of systems is economically valuable. Working within the higher risk envelope of a driver is absolutely required to do the job on Windows. One could try to stay out of the kernel, but performance sucks for the things you’re expected to do, and there’s OS stuff that slows you down even more before you ever check an allowlist… so your product is unable to do the job within the resource allocation that admins are willing to give it. There are EDR products that stick to WMI (Windows management interface), but you probably haven’t heard of them, because they’re unpopular, because they’re resource hungry. On Linux there’s eBPF, and whispers of it someday happening for Windows; that’d be neat. Though I recall lots of arguments about the degree to which eBPF is “safe” as deployed and used in real life, not to mention the examples of things like POSIX support in Windows. Sometimes a compliance checkbox is just that, and no more.

Once you’re into the kernel, your separation of code and content (which was never really strong on a general purpose computer) is toast, and the blast radius of a mistake is massive. C’est la vie en guerre.

An operational mistake like Crowdstrike’s only opens doors for companies that can say “we wouldn’t make that mistake because we are [bigger|smarter|magical]”. That door is not guaranteed to be open very wide or open for very long; the size of the opportunity depends on how well or poorly Crowdstrike responds. If memory serves, when Symantec did the same thing in 2010 (quarantining svchost.exe and shutting down tons of stuff across Europe and the Eastern US) and McAfee did it in, what, 2014?… I think some kind of small token was part of the larger response package, but the real response was “big discount from next year’s renewal, probably delivered by giving you more of our software at the same price.” So as a customer, you can embrace that offer from Crowdstrike (probably with some change control), accept Microsoft’s embrace, gamble on a smaller company doing a better job of DevOps, or go hog wild and replace all your general purpose computers with compute appliances (which is just another set of hidden dependencies and brittleness).

Something that has actually changed a bit from when McAfee and Symantec ruled the endpoint is exposure to liability. Crowdstrike is getting hauled in front of Congress; that didn’t happen to the old school EPP vendors. Could that be a forecast of a disruption of the Teflon coating on US software firms? Seems unlikely, but a guy can dream. Rather, I expect the US will wait and see how EU regulations affect EMEA software market profitability. In the meantime, something must be done… as long as it doesn’t bother any production systems or make anyone alter processes… and there’s good money to be made in shouting “here’s something!” So: Congressional grandstanding, maybe some advertisement of better DevOps practices in security firms, but most likely a rapid sweeping of the whole conversation under the nearest rug.
