Windows Endpoint Security: Insights from Microsoft Summit

Morgan Holm

Nov 13, 2024

Windows Endpoint Security Ecosystem Summit

Microsoft held a Windows Endpoint Security Ecosystem Summit with key partners at its headquarters in Redmond, Washington on Sept. 10, 2024. The meeting was not meant to announce any immediate changes. It had been rumored that Microsoft would take kernel mode access away from the vendors and have them operate in user mode to minimize the potential for a system crash. Instead, the summit was mainly an opportunity to gather feedback through discussions with the vendors in attendance.

Vendor Responsibilities and Feedback

A key theme that all attendees agreed on was that a choice of security solutions benefits Microsoft customers. Security vendors do need to share and follow safe deployment practices (SDP) and to share best practices, data, tools and processes. All vendors need to roll out updates safely in a phased or gradual manner, with the ability to pause or roll back if necessary to prevent widespread impact.

The vendors have asked Microsoft to provide more security features outside of kernel mode. While this would benefit the security vendors, most of them have indicated that kernel mode access is still required for performance, anti-tampering protection and innovation.

Customer Obligations

Customers or users of these types of solutions should be asking the vendors how updates are provided and what steps they should be taking to ensure the update process goes smoothly. These customers should also have business continuity plans that include regular backups and tested recovery procedures. It was clear that some of the customers affected by the CrowdStrike incident did not follow this and either did not know how to, or did not have the capability to, restore or recover in a timely manner. I have been in IT for a long time and have gray hair to prove it. I remember that one of the first things I was taught as an admin starting out was that you are only as good as your last backup. Unfortunately, I have seen many times over the years how terribly wrong it can go when this is not followed. This adage still holds true today even though technology and processes have evolved.

Cygna Labs does not automatically update our software, and we recommend that our customers test updates and phase their rollout. Our security and compliance platform has features to help our customers with this. The platform indicates when components need to be updated, and you can also tag resources so the updates can be done in a phased approach without needing to do them one by one manually. The platform also has Cygna Recovery solutions for Active Directory and Entra ID that allow you to quickly roll back or recover from unwanted or accidental changes.

We will see what changes, if any, result from the summit. At the very least, this should be a wake-up call for both vendors and customers: if you are not diligent, a simple update can have disastrous results.