
they're correct, all the others are similarly shit

sentinelone, tanium, guardicore, defender endpoint, delina

all running as root (or worse), sucking up absurd amounts of resources, often more than the software running on the machine (but advertised as "LOW IMPACT")

they also cause reliable software to break due to bugs in e.g. their eBPF

also often serialises all network and disk on the machine through to one single thread (so much for multi-queue NVMe/NICs)

the risk and compliance attitude that results in this corporate mandated malware being required needs to go

this software creates more risk than it prevents




So what's the alternative? Have no endpoint protection? Have nothing in place to warn you when malware ends up in your system?

(Just playing devil's advocate. I hate Crowdstrike as much as anyone here :)


One option may be to use locked read-only systems. Many of these computers at airports etc do not need a writeable local filesystem.


Does it actually work?


Yes it works very well for the intended purpose (which isn't actually security). The intended purpose is CYA. As head of security, if you install CrowdStrike or some other vendor, then a compromise becomes that vendor's problem, not yours.


When has Crowdstrike taken responsibility for a hack?

I think it's more like, security is heavily check mark based. Crowdstrike and friends have managed to get "endpoint security"[1] added as a "standard security best practice" which every CSO knows they must follow or get labeled incompetent. Therefore "endpoint security" must be installed everywhere with no real proof that it makes things more secure, an arguable case that it makes things less secure, and an undeniable case that it makes things less reliable.

[1] I also never understood how "endpoints" somehow are defined as "any computer connected to any network." I tried to fight security against installing this crap on our database servers with the argument that they are not endpoints. Did not work.


When has that ever worked? Cloudflare blamed some no-name vendor for their broken design [1]

People and companies that hide behind this bullshit don’t deserve to be in leadership positions. Cowards

[1] https://www.datacenterdynamics.com/en/news/cloudflare-claims...


The obvious alternative is to build secure systems instead of making them insecure first and then trying to fix the inevitable problems post hoc.


Or maybe switch to an operating system that isn't a security dumpster fire?


How do you objectively assess an operating system's security? I wanted to convince friends that Windows is insecure but I couldn't find unassailable evidence. Got some? There are confounding variables like the age of the operating system and size of the userbase (distorting the event volume), its attractiveness to attackers, and the tendency of organizations of different levels of technical ability to prefer different operating systems...


I'm a pretty die hard linux guy, and I think Windows is a bloated nightmare, but it's not insecure IMHO (unless you consider "privacy" to be security, but most people do not (even though I think they should)). There was a time when that wasn't as true, though. If Windows were rewritten from scratch today, I'm certain there would be some different architectural/design decisions made, but that's true for pretty much every piece of software ever written.


None of this matters. For example, you could build an operating system with security signatures that are generated by the intrusion detection system and only executables with valid signatures can be executed. This would get rid of a lot of pointless online security scans since a secure system mostly consists of already vetted executables. Interpreters must let the operating system verify signatures of the source files.

Note how the intrusion detection system here only needs to do offline scans that are unaffected by security updates.
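The model sketched in the comment above, as an added example (not code from the original post, and not the code of any product named in this thread): an "IDS" vets files offline and emits a signed manifest of their digests, and a tiny exec shim refuses to run anything whose current digest is missing from a manifest that verifies, handing interpreter scripts to the same check as native binaries. The HMAC-SHA256 over canonical JSON standing in for a real asymmetric signature, the key handling, and the `demo` routine with its constructed tampering steps are all assumptions made for the example.

```python
"""Allowlist-by-signature execution gate (illustrative, added example).

Assumptions not from the original post: HMAC-SHA256 over a canonical JSON
encoding stands in for the asymmetric signature a real OS design would use,
and the key is held only by the offline "IDS" that builds the manifest.
"""
import hashlib
import hmac
import json
import os
import tempfile


def file_digest(path: str) -> str:
    """SHA-256 of the file contents, streamed so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(files: dict) -> bytes:
    # Stable encoding so the MAC does not depend on dict ordering.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(paths, key: bytes) -> dict:
    """Offline step run by the IDS: digest each vetted file, then sign the set."""
    files = {os.path.abspath(p): file_digest(p) for p in paths}
    mac = hmac.new(key, _canonical(files), hashlib.sha256).hexdigest()
    return {"files": files, "mac": mac}


def manifest_valid(manifest: dict, key: bytes) -> bool:
    """The manifest itself must verify before any entry in it is trusted."""
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def is_approved(path: str, manifest: dict, key: bytes) -> bool:
    """Online check: manifest verifies AND the file's current digest matches."""
    if not manifest_valid(manifest, key):
        return False
    want = manifest["files"].get(os.path.abspath(path))
    if want is None:
        return False
    return hmac.compare_digest(want, file_digest(path))


def gated_exec(program: str, manifest: dict, key: bytes, script: str = None) -> bool:
    """Stand-in for execve(): the program, and the script an interpreter would
    load, must both be approved. Returns True if the launch would be allowed."""
    for candidate in (program, script):
        if candidate is not None and not is_approved(candidate, manifest, key):
            raise PermissionError(f"refusing to run unapproved file: {candidate}")
    return True


def demo() -> tuple:
    """Constructed scenario: vetted script, tampered script, forged manifest."""
    key = os.urandom(32)
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "job.py")
        with open(script, "w") as f:
            f.write("print('vetted')\n")
        manifest = build_manifest([script], key)
        vetted = is_approved(script, manifest, key)          # True

        with open(script, "a") as f:                         # post-vetting modification
            f.write("import os; os.system('id')\n")
        tampered = is_approved(script, manifest, key)        # False: digest changed

        # Attacker rewrites the manifest entry but has no key: MAC no longer verifies.
        manifest["files"][os.path.abspath(script)] = file_digest(script)
        forged = is_approved(script, manifest, key)          # False: manifest invalid
        return vetted, tampered, forged


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Note that the online path does no signature lookups against a live feed: it only recomputes a digest and checks one MAC, which is the point the comment makes about the scan being an offline step that detection-content updates cannot disturb.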


Here is the official Windows security certification page [1]. They certify against this standard [2]. The maximum level of security they certify as being provided is:

Page 53: “The evaluator will conduct penetration testing, based on the identified potential vulnerabilities, to determine that the OS is resistant to attacks performed by an attacker possessing Basic attack potential.”

That is the lowest level of security certification outlined in the standard. The elementary school diploma of security.

To see what that means, here is a sample of the certification report [3].

Page 14: “The evaluator has performed a search of public sources to discover known vulnerabilities of the TOE.

Using the obtained results, the evaluator has performed a sampling approach to verify if exists applicable public exploits for any of the identified public vulnerabilities and verify whether the security updates published by the vendor are effective. The evaluator has ensured that for all the public vulnerabilities identified in vulnerability assessment report belonging to the period from June 8, 2021 to July 12, 2022, the vendor has published the corresponding update fixing the vulnerabilities.“

The "hardcore" certification process they subject themselves to is effectively doing a Google search for: “Windows vulnerabilities” and checking all the public ones have fixes. That is all the security they promise you in their headline, mandatory security certification that is the only general security certification listed and advertised on their official security page.

When a company puts their elementary school diploma on their resume for “highest education received”, you should listen.

That is not to say any of the names in general purpose operating systems such as MacOS, Linux, Android, etc. are meaningfully better. They are all inadequate for the task of protecting against moderately skilled commercially minded attackers. None of them have been able to achieve levels of certification that provide confidence against such attackers.

This is actually a good sign, because those systems are objectively and experimentally incapable of reaching that standard of security. That they have been unable to force a false-positive certification that incorrectly states they have reached that standard demonstrates the certification at least has a low false-positive rate.

All of the standard stuff is inadequate in much the same way that all known materials are inadequate for making a space elevator. None of it works, so if you do want to use it, you must assume they are deficient and work around it. That or you could use the actual high quality stuff.

[1] https://learn.microsoft.com/en-us/windows/security/security-...

[2] https://www.commoncriteriaportal.org/files/ppfiles/PP_OS_V4....

[3] https://download.microsoft.com/download/6/9/1/69101f35-1373-...


Unreasonably idealistic solutions are some of the worst kind of solutions because they make you feel like you have the answer but the benefits never materialize. The moment you pick any other OS to be the "80% of the world" one, reality will quickly deflate any sense of superiority.

And whether you can see it or not, they're all still some form of dumpster fire, be it security, usability, price.


We have had kernel exploits like dirty copy-on-write that got you root, but got blocked by SELinux.


And what if this bug happened to affect Linux somehow too? What then?


What makes you think windows is "a security dumpster fire"? The fact that most infections are on Windows machines doesn't really count because most machines are also Windows machines.


for one, a normal person can't even install it with a local account


low permission systems

allow nothing and then gradually allow some activities that are deemed safe

do not allow software to be installed from arbitrary locations

app sandboxing and third-party vendors cannot break their sandbox

basically, iOS, Android, ChromeOS

50% of the people impacted today probably only need a browser


> also often serialises all network and disk on the machine through to one single thread

Do you have more info about this? I am very interested. Is it impacting SAN FC storage?


yes but, did it help us meet the compliance targets for this year?

keep'er running...


Any experience with Wazuh?



