by teeheelol 705 days ago
I would also like to add:

“Any security product which has a rootkit, remote command and control and egresses data is indistinguishable from malware”.

4 comments

I wonder if the root cause of this is the notion that one can tack "security" onto a system or inject it into a system, instead of it being a holistic perspective, with appropriate use of sub-components and rules.
The proximate cause is companies handing over total control of their systems to opaque security racketeering quacks. And the root cause of why a company would do that gets right to the heart of the reason why "security to check the boxes" is the phrase that's been going around in the past few days.

Any security that isn't done layer by layer in depth must be "tacked on" and try to know everything about a system at once and adapt in situ. Which is of course impossible on any given machine, you say. "But what if we leverage the power of the crowd?" said someone.

Many compliance frameworks require tools like CrowdStrike. If you don't have endpoint detection, no SOC2. No SOC2, and you'll be excluded as a vendor from many places.
In particular, CrowdStrike uses rootkit technology to prevent local admins from being able to uninstall it.
Yep. It hides itself from lsmod and the sysadmins on Linux as well.
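One way a defender can check the claim above for themselves, as an added example that is not part of the thread: lsmod reads /proc/modules, so a module that has been unlinked from the kernel's module list still leaves a /sys/module/<name>/initstate entry behind. The script cross-checks the two; the fixture and the names visible_mod, hidden_mod and builtin_mod are constructed here, not real system data.

```shell
#!/bin/sh
# Cross-check the kernel's module list (/proc/modules, what lsmod reads)
# against the per-module directories in /sys/module. A loadable module with a
# /sys/module/<name>/initstate file but no line in /proc/modules has been
# removed from the list that lsmod sees. Built-in modules have no initstate
# file and are skipped so they do not produce false positives.
#
# Usage: hidden_modules [PROC_MODULES_FILE] [SYS_MODULE_DIR]
# Defaults are the live kernel interfaces; the paths are parameters so the
# check can also be run against a captured copy or a constructed fixture.
hidden_modules() {
    proc_file="${1:-/proc/modules}"
    sys_dir="${2:-/sys/module}"
    for dir in "$sys_dir"/*/; do
        [ -e "$dir/initstate" ] || continue   # built-in or parameter-only entry
        name=$(basename "$dir")
        # Each /proc/modules line starts with "<name> <size> ..."
        if ! awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$proc_file"; then
            echo "$name"
        fi
    done
}

# Constructed fixture (not real system data): three sysfs entries, one of
# which is missing from the module list and one of which is built-in.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/sys/module/visible_mod" "$root/sys/module/hidden_mod" \
             "$root/sys/module/builtin_mod"
    echo live > "$root/sys/module/visible_mod/initstate"
    echo live > "$root/sys/module/hidden_mod/initstate"
    printf 'visible_mod 16384 0 - Live 0x0000000000000000\n' > "$root/proc_modules"
    echo "$root"
}
```

Run `hidden_modules` with no arguments on a live Linux host to compare the real interfaces; any name it prints deserves a closer look.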
Except for owner consent, which in the case of corporate machines is unambiguously and irrefutably the corporation, as much as everyone here seems to despise that reality.

All these “blah blah blah is indistinguishable from malware” things aren’t profound, smart, or even witty. They’re spouted by the peanut gallery that has the luxury of not being responsible for deciding whether or not to use one of these systems.

Needing to explain to techies that ‘informed consent matters’ speaks to an utterly saddening stereotype.

Techies are the only ones who can give informed consent and we're constantly overruled by the risk department, because the glue eaters over there think that a sleek presentation means the saleswoman on the other end knows what she's talking about.
> Except for owner consent

There isn't any. None that is meaningful. Sure, you can trick someone into 'signing' something, out of desperation and confusion. But the average person has no capacity. It's not that people are stupid, they are simply not informed nor are they ever entreated to anything that even looks like an actual contract. This is the colossal elephant in the room of digital tech.

CrowdStrike isn’t installed by the average person. It’s selected and installed by an organization’s IT and/or Infosec teams. Just like every other enterprise security software.

Those teams 100% have the capacity to make an informed decision.

> 100%

Not sure about that. Groups of professionals don't appear better at navigating this space than individuals. I'm sure you've sat in such agonising meetings too. Common experience: They're hellholes of group-think, risk aversion, inertia, legacy constraints, resistance to change, pressure to reach fast decisions, duress or undue influence from salesmen and 'partners'.

Have you ever seen a company of any size actually sit down, open-mindedly weigh up a real and serious evidence-based long term security plan built around risk analysis, a full network and service overview, with all real software options on the table and all stakeholders present? Companies made up of well educated people with impressive job titles are as vulnerable to pitfalls and shortcuts as anyone else. They just operate, and fall victim to scams, on an organisational scale. CrowdStrike and other protection rackets are a way to make a problem go away, not to face its complexity head on.

For sure. After something that looked like a data breach (but turned out to be a hilariously funny glitch caused by a Chrome update that suddenly started translating one part of an app into Romanian) I was in on a lengthy pitch meeting for a similar endpoint security package from a company larger and more recognizable than CrowdStrike. After which I told the CEO of the company I worked for hell no there is no way we are putting this on all our machines and giving these idiots root access. They have no clue what they're talking about. Most of these machines don't even face users and they're talking about checking for suspicious links in emails employees open.
No they don’t. Most barely understand what they are proposing or the risks associated with the mechanisms being introduced.
... unless it is approved by MS. :)
The US government has given its stamp of approval, and a big push to install such solutions.

    FedRAMP-authorized: CrowdStrike's cloud-delivered solution meets the strictest federal standards.
    DoD IL5-authorized: CrowdStrike's solution is approved for use on the Department of Defense’s (DoD) Impact Level 5 (IL5) systems.
    JAB High-ready: CrowdStrike's solution is validated, tested, and certified for use in hybrid, multi-cloud environments, meeting the Joint Authorization Board (JAB) High requirements.
    OMB Memo M-22-09: The Office of Management and Budget (OMB) mandates a Zero Trust security approach for Federal Civilian Executive Branch (FCEB) and DoD systems.
    OMB Memo M-21-31: The OMB directs investigative and remediation capability improvements.
Well now we know those agencies are either morons or in on something we don’t know about.
I'm going with option 3, taking money from lobbyists without giving a f** about the consequences to national security.
From a national security perspective this sort of backdoor is an extremely great idea as long as you think you are the only one with the keys. Get to inject your own stuff into any system with approval of some secret court... What is better than that?
What are they in on? The fact that bad actors are constantly targeting government infrastructure and that this kind of antimalware is a key part of the tools for defending against it?
If you run a properly designed operating system your anti-malware will not need ring-0 access. See macOS, which has now deprecated kexts altogether and will only load them if you explicitly turn off system integrity settings.
I don't think this follows. Those vendors are third parties and reach for whatever they can get. Yes, if Microsoft didn't allow kernel extensions then CrowdStrike would run as SYSTEM in userspace, but that doesn't tell us whether they need it or not, it only tells us that they want it.

Based on other comments it can run as a kernel module or as eBPF filters on Linux. So I guess to them it's a less invasive/more power tradeoff which they'll take whenever it's available.

macOS only doesn't need driver loading because they know exactly which hardware it runs on and link those drivers into the kernel. This is not applicable to Windows systems.
Windows has DTrace and eBPF available. They chose not to use it.
There is a perspective that the architecture of much anti-malware in general and this anti-malware in particular actually introduces new back doors where there weren't any before.

So while anti-malware might have some merits, on balance much of it would be a detriment to security, from this perspective.

People with this perspective are feeling spectacularly validated today!

As often, it's wise to have a nuanced view of course.