Why Crowdstrike’s Single Point of Failure Wouldn’t Happen with an API-based Solution


Now that the industry has survived the largest IT outage in history, it raises the question: How could such a disaster be propagated by a security company that’s used by more than half of all Fortune 500 businesses? How could such a well-known brand so easily trigger such a vulnerability in Microsoft’s operating system?

As we’ve seen, one of the things that brought down CrowdStrike (and approximately 8.5 million Windows workstations) is the intrinsic level at which this solution interacts with Microsoft’s core system. A traditional SEG-based (secure email gateway) software package like CrowdStrike interconnects with Microsoft’s “kernel,” which directly oversees management of system resources including memory, processing, and things as basic as input and output operations.

From the perspective of email cybersecurity, CrowdStrike’s email data filters are embedded along the same path that the email data itself travels, within a network’s security gateway. Surprisingly, many of the market’s largest cybersecurity brands are SEG-based, providing email security that is embedded within a network’s email server, and with accompanying access to Microsoft’s kernel—including other cybersecurity behemoths like Proofpoint.

This approach is in direct contrast with an API-based (application programming interface) cybersecurity solution. An API is more along the lines of a plug-and-play integration, which does not impede the user company’s core operating systems.

“When the application code crashes, the application crashes,” began David Plummer, a former Microsoft Windows developer, in a recent CrowdStrike outage video. “When kernel mode crashes,” he continues, “the system crashes.” Therefore, traditional SEG-based solutions—many of which are household-name software providers—are creating a susceptibility that API-based software simply doesn’t produce.

An API allows system administrators to disable the program with a simple click, at the interface level. This means that if a patch or an update were to go wrong with an API-based, specialized cybersecurity solution, the issue could be nipped in the bud by disabling the application.

The Falcon Update was a Single Point of Failure

As an industry, we should consider the CrowdStrike Falcon update fiasco a single point of failure scenario. Email security solutions that extend through the secure email gateway make it more difficult, if not impossible, for end-user administrators or even managed services providers to override or disable that solution in such scenarios. API-based email security, however, doesn’t require an inline deployment. A more flexible API-based security integration therefore provides a better course of defense during a single point of failure situation.

In the case of a compromised update, disabling the API would have terminated the “endless reboot loop” created by the erroneous bit of Falcon code, which led to countless non-functional blue screens across the globe. Yet the huge institutions that control our global infrastructure—hospitals, airlines, banks, and government offices—depend on traditional SEG-based solutions, not realizing that next-generation, API-based security may provide greater advantages.

On top of all the malicious threats that are flooding the market, it’s unfortunate that end-user companies now need to worry whether their branded security providers are positioning them for widespread system failures. Acknowledging this flaw, Microsoft has announced it is “prioritizing” a reduction of kernel-mode access by third-party software, to improve resilience. However, the ability to divorce these conventional solutions from kernel access may be limited, due to how these existing solutions are designed. Without a fundamental shift in security architectures, Microsoft can only create so many protections in this case.

The CrowdStrike breakdown is reminiscent of what the industry feared would happen with Y2K, when the millennium turned over and date ranges within computer systems worldwide needed to be readjusted. But global failures never came to pass. Maybe just having the foresight to prepare is what kept us all from falling into the blue screen of death back then. Having the foresight to depend on API-based software may help in light of this new potential for system failures as well.

About the Author

Maor Dahan is Chief Technical Officer at Trustifi, a cybersecurity firm featuring solutions delivered on a software-as-a-service platform including sophisticated AI-driven tools. Trustifi leads the market with the easiest-to-use and deploy email security products providing both inbound and outbound email security from a single vendor. Maor can be reached through Trustifi or through LinkedIn.
