Brendan Gregg on the Crowdstrike incident

I guess I HAD to write about Crowdstrike, and I find this article by Brendan Gregg to be the right reason for jumping on the bandwagon. I love how Brendan shows us a path forward that does not rely on static code analysis, or more tests, or more QA, or no more automatic updates, but instead solves the problem by changing the approach entirely.

Instead of writing a kernel driver to perform whatever security checks are necessary, Brendan suggests we'll use eBPF instead which is designed to run custom programs within the kernel. AFAIU Brendan has been one of the major proponents of eBPF for monitoring and has some awesome tooling to show for it: https://github.com/iovisor/bcc

The idea is that since eBPF has been designed to run custom programs it is designed and hardened against errors that could cause the kernel to crash. Of course it won't be completely effective against code with poor performance and that is ok.

What I did not know was that Microsoft has a port of eBPF for Windows in the making, which goes a long way in proving how different MS is from the old days.

Also, it's interesting to learn that eBPF is in fact already being leveraged by other security startups.

Search This Blog

unicolet.org

Brendan Gregg on the Crowdstrike incident