July 25, 2024 | security, deployment, announcement

The CrowdStrike incident and how the NXLog agent operates

By Botond Botyanszki


Many vendors recommend automatic updates because they are considered essential for protecting against security threats and keeping systems performing well. Updates not only improve security but also deliver bug fixes and new features, contributing to a better user experience. Software updates, however, carry the inherent risk of breaking existing functionality and can interfere with other software or with the operating system itself, causing unintended side effects. Automatic updates that the user has no control over raise this risk further.

The CrowdStrike incident

Last Friday, July 19, 2024, an automatic update that the American cybersecurity company CrowdStrike published for its Falcon Sensor endpoint protection product caused a worldwide outage that disrupted governments and businesses across many industries. The update triggered a bug in the Falcon Sensor's Windows kernel driver, resulting in a "blue screen of death" that left devices in a continuous crash loop and required manual remediation on each affected machine.

Recovery efforts are still ongoing, and the incident is estimated to have caused billions of dollars in damage. The following is a list of problems with the CrowdStrike software that together led to one of the biggest IT outages in history:

Use of a kernel driver

A Windows kernel driver has the same permissions and access to the machine as the operating system itself. A bug in a Windows kernel driver most often results in the infamous blue screen of death, which can only be fixed by booting into safe mode.

Privileged code using external content

The bug was triggered by a content file that was pushed to the endpoints. Such "configuration" content should never be able to trigger bugs in code running in privileged mode, i.e. in kernel space.

Automated updates

IT teams and users have limited control over automated updates, as these are pushed directly to production systems without any opportunity to test them first.

Insufficient testing

Following secure software development practices and having proper quality assurance processes in place can significantly reduce the chances of releasing such software. Various testing methodologies and development practices, such as unit tests, integration and end-to-end tests, fuzz testing, code coverage, static code analysis, and even formal verification, can be used to detect problems early in development.

Because of what happened, there are now jokes on the internet that list "software updates" alongside "phishing" and "malware" as the biggest IT security risks.

No software is free of bugs, and everyone makes mistakes. However, with a well-designed software architecture and secure software development practices, the risk of such incidents can be significantly reduced.

How NXLog works

Like other endpoint security software, our NXLog Enterprise Edition product is often deployed to endpoints when used as a log collector agent. We would like to highlight a few things about how the NXLog Enterprise Edition agent works and how NXLog, our company, operates in order to eliminate the risk of similar high-impact failures.

No kernel drivers

The NXLog Enterprise Edition does not contain or install any custom-developed kernel drivers on any of the supported operating systems. This ensures that its code never executes at the same privilege level as the OS kernel.

Service running in user-space

The service runs in user space to reduce the risk and impact of potential issues. In the case of an issue such as high CPU usage, a service crash, or a compatibility problem with another software component, the service can be stopped and uninstalled, even remotely, through standard management tools, as a software failure should not block access to the host operating system.

Principle of least privilege

NXLog software was designed around the principle of least privilege. On Linux, macOS, and Unix systems, the service runs under a non-root account by default, retaining only the privileges it needs. On Windows, our Hardening NXLog guide describes how to configure the NXLog agent to run under a regular, non-system account.

Standard APIs

Some log types need to be collected directly from the operating system. For this, the NXLog Enterprise Edition agent uses the standard kernel APIs exposed by the OS, which are well tested by the operating system vendor; this provides compatibility without the risk of shipping kernel drivers.

Agent-less log collection mode

The NXLog Enterprise Edition can be configured to collect event log data remotely in an agent-less mode, without installing it on the endpoints, by utilizing the log forwarding capabilities of the host operating system. While the agent-based mode provides more flexibility and access to more log sources, the agent-less mode completely eliminates the potential for problems and interference on the host operating system that generates the logs.

No automatic software updates

The NXLog Enterprise Edition has no embedded auto-update mechanism, and software updates cannot be initiated automatically by NXLog. We always recommend that our customers and users use traditional software update tools and mechanisms. This allows rigorous update cycles and testing processes to be implemented, giving you full control over how and when updates are rolled out using your own automation tools. Remote configuration updates through NXLog Manager and NXLog Platform are also user-controlled and give you total visibility over what configuration changes would be pushed to the agents.
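The user-controlled, staged update cycle argued for here and under "Automated updates" above, as an added example that is not NXLog's tooling: a hypothetical ring-based rollout gate that only promotes a package to the next ring once the current ring's agents report healthy, and halts otherwise. Ring names, hosts and heartbeat data are all constructed.

```python
"""Ring-based rollout gate for agent updates (hypothetical example).

Not NXLog's code; it does not talk to any real update or monitoring
system. Each ring must reach its health threshold before the next ring
receives the package, so a crash loop in the canary or pilot ring never
reaches the broad fleet."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Ring:
    name: str
    hosts: List[str]
    min_healthy: float  # fraction of hosts that must report "ok" to promote


@dataclass
class RolloutState:
    updated: List[str] = field(default_factory=list)  # hosts that got the package
    halted_at: Optional[str] = None                    # ring whose gate failed


def ring_health(hosts: List[str], heartbeats: Dict[str, str]) -> float:
    """Fraction of hosts whose post-update heartbeat is "ok".

    A host with no heartbeat at all counts as unhealthy (fail closed):
    a machine stuck in a crash loop never reports back."""
    if not hosts:
        return 0.0
    return sum(1 for h in hosts if heartbeats.get(h) == "ok") / len(hosts)


def run_rollout(rings: List[Ring], heartbeats: Dict[str, str]) -> RolloutState:
    """Push the package ring by ring; stop before the next ring if the gate fails."""
    state = RolloutState()
    for ring in rings:
        state.updated.extend(ring.hosts)  # this ring receives the package
        if ring_health(ring.hosts, heartbeats) < ring.min_healthy:
            state.halted_at = ring.name   # gate failed: do not touch later rings
            break
    return state


# Constructed sample fleet: 2 canary, 4 pilot and 3 broad hosts.
RINGS = [Ring("canary", ["c1", "c2"], 1.0),
         Ring("pilot", ["p1", "p2", "p3", "p4"], 0.9),
         Ring("broad", ["b1", "b2", "b3"], 0.9)]
# Constructed heartbeats: canary is fine, but p3 never reports back, so
# pilot health is 0.75 < 0.9 and the broad ring must not be updated.
HEARTBEATS = {"c1": "ok", "c2": "ok", "p1": "ok", "p2": "ok", "p4": "ok"}

if __name__ == "__main__":
    s = run_rollout(RINGS, HEARTBEATS)
    print(f"updated={s.updated} halted_at={s.halted_at}")
```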

Quality assurance

Our release process includes a rigorous quality assurance stage to ensure that functional, stability, and performance requirements are met and that no major or critical bugs are included in the release. Our automated testing pipelines execute hundreds of unit, functional, end-to-end, fuzz, performance, stability, upgrade/downgrade, code analysis, memory leak, and concurrency checks across the dozens of platforms and CPU architectures that the NXLog Enterprise Edition supports.

To plan an upgrade or test new features, you can always refer to the change logs and release notes published on our website, which include all known issues. The following resources should help:

  • NXLog Enterprise Edition release notes
  • NXLog Enterprise Edition change log
  • NXLog Enterprise Edition upgrade for Microsoft Windows
  • NXLog Enterprise Edition upgrade for Linux
  • Product life cycle

Feel free to reach out to our team if you have questions or need assistance.
