• remotelove
    4 months ago

    It goes beyond Windows in this case. All the EDR tools I have worked with generally require kernel extensions for macOS and also Linux. Carbon Black and Apple never played nice together and it always took a week or so for Carbon Black to get an update after Apple did a kernel change. (Apple wouldn’t pre-release a kernel map for third-party vendors, I think.)

    Tcpdump and Falco in your example are detection/read-only. Response tools like CrowdStrike or Carbon Black are also response tools that need to block actions across the entire system.

    I am not sure about CrowdStrike’s functionality in this regard, but I used Carbon Black’s response shell quite a bit, which gives a responder ring 0 without needing root credentials.

    There is still a case to be made about security tools not needing kernel drivers, I believe. I am not smart enough to do that though.