←back to thread

CrowdStrike's Falcon Sensor also linked to Linux kernel panics and crashes

(www.theregister.com)
158 points kenjackson | 1 comments | 22 Jul 24 02:22 UTC | HN request time: 0.232s | source
Show context
ykonstant ◴[22 Jul 24 06:05 UTC] No.41031312[source]
Sorry to hijack this post, but for affected admins reading this: how is the recovery process going? What is your estimated time to normalcy?

Also, for Linux and especially BSD admins: has this incident affected your perspective on EDR/XDR systems in the kernel? What would you suggest as an alternative to ensure regulatory compliance?

replies(2): >>41031360 #>>41041546 #
tgv ◴[22 Jul 24 06:15 UTC] No.41031360[source]
I do manage a few Linux machines (firewall passes only http and https -> nginx -> custom backend), but I'd never heard of Crowdstrike before. I don't even know what their product is supposed to do. As far as I can see, kernel level protection could only help prevent someone bypassing the firewall and trigger an exploit in nginx. But if Crowdstrike knows about such exploits, everyone does, and the firewall or nginx gets patched.

What am I missing?

Edit: I know it is supposed to implement "EDR", but it's always explained in the vaguest of terms.

replies(5): >>41031414 #>>41031431 #>>41031453 #>>41033240 #>>41034207 #
1. skywhopper ◴[22 Jul 24 13:35 UTC] No.41034207[source]
In the ideal case, it logs everything your computer does, every process that's running, every system call they make, every Internet connection made, website visited, etc, and reports it all back to a central data repository that's constantly being scanned for suspicious behavior. But more importantly, when a hack does occur, the security team can go back to that data lake and figure out exactly what happened.

In reality, that's way too much data for anyone to make sense of, but giant companies spend tens of millions of dollars per year to deploy all the things so they can say they're doing it.

On the other hand, funny things can happen. I got called out by the security team at one job because the EDR agent on my workstation registered that I had put a file on disk that had a malware signature. Well, it turns out that I had checked out the security team's git repo containing malware signatures...

But I did get called out in about 20 minutes by a random security engineer I'd never met who told me the exact path on my PC where the file was. Is that a good thing? I'm not sure.