←back to thread

CrowdStrike's Falcon Sensor also linked to Linux kernel panics and crashes

(www.theregister.com)
158 points kenjackson | 1 comments | 22 Jul 24 02:22 UTC | HN request time: 0.001s | source
Show context
ykonstant ◴[22 Jul 24 06:05 UTC] No.41031312[source]
Sorry to hijack this post, but for affected admins reading this: how is the recovery process going? What is your estimated time to normalcy?

Also, for Linux and especially BSD admins: has this incident affected your perspective on EDR/XDR systems in the kernel? What would you suggest as an alternative to ensure regulatory compliance?

replies(2): >>41031360 #>>41041546 #
tgv ◴[22 Jul 24 06:15 UTC] No.41031360[source]
I do manage a few Linux machines (firewall passes only http and https -> nginx -> custom backend), but I'd never heard of Crowdstrike before. I don't even know what their product is supposed to do. As far as I can see, kernel level protection could only help prevent someone bypassing the firewall and trigger an exploit in nginx. But if Crowdstrike knows about such exploits, everyone does, and the firewall or nginx gets patched.

What am I missing?

Edit: I know it is supposed to implement "EDR", but it's always explained in the vaguest of terms.

replies(5): >>41031414 #>>41031431 #>>41031453 #>>41033240 #>>41034207 #
1. Khaine ◴[22 Jul 24 06:26 UTC] No.41031414[source]
It is primarily aimed at workstations, although it does run and is run on servers. The idea is to be able to identify malware based on behaviour, rather than rely on signatures.

EDR solutions hook into the kernel to log, and block system calls. They use this information to try and generically identify malware. For example you could detect ransomware by identifying a process that is enumerating a large number of files, reading from those files, and then saving those files.

For a SOC, you can also use an EDR to identify files, hashes, connections to given IPs across your fleet of servers. This can allow you to see what devices have been compromised. The EDR can then isolate them, by blocking network syscalls and allow only the SOC to access to investigate and remediate.

This is the value they provide (or at least claim to) to a cyber team