CrowdStrike BSOD incident and how Wazuh avoids similar risks


Recently, CrowdStrike, a prominent XDR (Extended Detection and Response) provider, encountered a significant technical issue that affected numerous organizations. This article examines the CrowdStrike incident and details how the architecture of Wazuh avoids similar risks.

The CrowdStrike incident

On July 18, 2024, a Blue Screen of Death (BSOD) issue associated with CrowdStrike’s Falcon sensor update caused widespread disruptions to its users. The BSOD is a critical system error in Windows operating systems that forces a restart, often leading to data loss and operational downtime. In this case, the usual restart did not resolve the problem, leaving systems in a continuous crash loop. The error impacted hundreds of thousands of devices globally, affecting sectors such as healthcare, banking, transportation, and government services. Organizations relying on CrowdStrike for endpoint protection experienced system crashes, leading to significant operational disruptions.

This issue is not the first for CrowdStrike; a similar BSOD problem occurred in July 2023 with their Falcon sensor version 6.58.

Response and fixes

CrowdStrike has acknowledged the issue and is actively working on a resolution. They have identified the problem with their Falcon sensor and have provided interim solutions, such as booting in Safe Mode to delete or rename the problematic driver file and modifying the registry to prevent the faulty service from starting automatically. Full recovery efforts are ongoing, with patches and updates being developed and deployed to affected systems.

The Wazuh approach to endpoint protection

Unlike CrowdStrike, Wazuh is designed to operate primarily in the user space, eliminating the risk of failures like BSODs. Here are the key aspects of the approach Wazuh uses:

  • User space operations: Wazuh agents run in the user space rather than the kernel space. This implementation avoids direct access to the core operating system and mitigates the risk of critical system errors.
  • Standard kernel APIs: Wazuh interacts with the operating system using standard kernel APIs. This ensures compatibility and stability without the complexities of high-risk kernel drivers.
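The containment argument behind the user-space design, shown as an added example that is not Wazuh's own code: a small POSIX supervisor (Linux, C; the function names are my own) runs a simulated agent in a child process, the child dereferences an invalid pointer, and the kernel terminates only that process, so the supervisor observes the signal, keeps running and can relaunch the agent. The same fault inside a kernel driver has no such boundary, which is the BSOD case described above.

```c
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Simulated agent work. A "faulty build" dereferences an invalid pointer.
   The address is read from a volatile so the compiler cannot prove it is
   NULL and replace the load with a trap instruction. */
static int agent_work(int faulty) {
    if (faulty) {
        volatile uintptr_t addr = 0;      /* constructed bad address */
        int *bad = (int *)addr;
        return *bad;            /* SIGSEGV, delivered to this process only */
    }
    return 0;                   /* healthy agent: nothing to report */
}

/* Run the agent in its own process and report how it ended.
   Returns 0 on a clean exit, the terminating signal number if the kernel
   killed the child, or -1 if fork/wait failed. The supervisor survives. */
int run_agent_supervised(int faulty) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(agent_work(faulty) == 0 ? 0 : 1);
    int status;
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (WIFSIGNALED(status)) return WTERMSIG(status);
    if (WIFEXITED(status)) return WEXITSTATUS(status);
    return -1;
}

/* Restart policy: relaunch a crashed agent up to max_restarts times so
   monitoring stays up; returns how many restarts were consumed. */
int supervise_with_restarts(int faulty, int max_restarts) {
    int restarts = 0;
    while (run_agent_supervised(faulty) != 0 && restarts < max_restarts)
        restarts++;
    return restarts;
}

int main(void) {
    printf("healthy agent ended with status %d\n", run_agent_supervised(0));
    int sig = run_agent_supervised(1);
    printf("faulty agent killed by signal %d (%s); supervisor still running\n",
           sig, strsignal(sig));
    printf("restarts used for faulty agent: %d\n", supervise_with_restarts(1, 3));
    return 0;
}
```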

Advantages of user space operations

Operating in the user space offers several benefits:

  • Enhanced stability: User space applications are less likely to cause system-wide crashes, providing a more stable environment.
  • Easier debugging: Issues in the user space are easier to diagnose and fix compared to those in the kernel space.
  • Improved security: Limiting access to the core operating system reduces the attack surface for potential exploits.

The open source benefits of Wazuh

Being an open source platform, Wazuh offers additional advantages that help mitigate issues similar to the CrowdStrike BSOD incident:

  • Transparency: Open source code offers users and contributors the ability to inspect, audit, and verify the codebase, ensuring that potential bugs and vulnerabilities are identified and addressed promptly.
  • Community collaboration: A broad community of developers and security experts contribute to Wazuh, enhancing the platform’s robustness and reliability through continuous feedback and improvement.
  • Flexibility: Organizations can tailor Wazuh to meet their specific security needs, reducing the risk of unanticipated failures due to unnecessary or conflicting features.

Conclusion

The recent CrowdStrike BSOD incident highlights the risks of kernel drivers in security software. The architecture of Wazuh emphasizes user space operations and standard kernel APIs, providing a safer and more reliable alternative. This approach provides security monitoring and threat protection without compromising system stability. Additionally, the open source nature of Wazuh fosters transparency, community collaboration, and flexibility, further enhancing its reliability and security.