The release of the latest version of macOS, known as Catalina, comes with some significant changes in how the operating system interacts with third-party applications – herein referred to as the “Catalina data security gap.” And the fallout is sending considerable stress through organisations that rely on third-party security tools to protect their data.
Apple's intentions are well-founded. Their move stems from an effort to make Catalina the most natively secure Mac operating system. But in doing so, Apple has elected to entirely disallow what are known as kernel extensions, or kexts. Of course, this move doesn’t technically qualify as a kernel panic. Still, it certainly has created a full-blown kernel crisis among security vendors and their customers whose products have historically required access to those kexts.
While there is no need to panic, there is a need for concern. Even though traditional security products, such as anti-malware and data loss prevention (DLP) tools do — technically — still operate on Catalina, a considerable amount of their functionality may be crippled for some time. As a result, vendors and enterprise practitioners alike are nervously trying to figure out how they will continue to secure their systems and users going forward.
I urge all users to check with their security vendors to understand the direct impact on their specific toolsets.
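A practical first step before that conversation with a vendor is to know which third-party kernel extensions a fleet actually depends on. The script below is an added example written for this article, not code from the article's author or from Code42: it parses the output of the macOS `kextstat` command and lists every loaded bundle that is not Apple's own. The sample `kextstat` output embedded in it is constructed for the example, and the vendor bundle identifiers in it are placeholders, not real products.

```python
"""Inventory the third-party kernel extensions (kexts) loaded on a Mac.

Added example (not from the original article or from Code42): parses
`kextstat` output and keeps only bundles outside com.apple.*, which is
the set of kexts whose vendors need to be asked about Catalina support.
"""
import re
import subprocess
from typing import Dict, List

# One data line of kextstat: index, refs, address, size, wired, bundle id, (version), ...
KEXTSTAT_LINE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<refs>\d+)\s+(?P<address>0x[0-9a-fA-F]+)\s+"
    r"(?P<size>0x[0-9a-fA-F]+)\s+(?P<wired>0x[0-9a-fA-F]+)\s+"
    r"(?P<bundle>[\w.\-]+)\s+\((?P<version>[^)]*)\)"
)

# Constructed sample in the shape of `kextstat` output; the com.example-* ids are placeholders
SAMPLE_KEXTSTAT = """\
Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1  117 0xffffff7f80b36000 0x9000     0x9000     com.apple.kpi.bsd (19.0.0) 7E0E5C9A-0000-0000-0000-000000000000
   22    0 0xffffff7f82b7d000 0x1d000    0x1d000    com.apple.driver.AppleSMC (3.1.9) 1B2C3D4E-0000-0000-0000-000000000000 <8 6 5 3 1>
  150    0 0xffffff7f85d4e000 0x5c000    0x5c000    com.example-dlp.filter (3.1.2) 1A2B3C4D-0000-0000-0000-000000000000 <8 6 5 3 1>
  151    1 0xffffff7f85db0000 0x2a000    0x2a000    com.example-av.kauth (7.0.4) 5E6F7A8B-0000-0000-0000-000000000000 <6 5 3 1>
"""


def parse_kextstat(text: str) -> List[Dict[str, str]]:
    """Return one dict per loaded kext, skipping the header and any unparseable line."""
    kexts = []
    for line in text.splitlines():
        match = KEXTSTAT_LINE.match(line)
        if match:
            kexts.append(match.groupdict())
    return kexts


def third_party_kexts(kexts: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Drop Apple's own bundles (com.apple.*); whatever remains came from a vendor."""
    return [k for k in kexts if not k["bundle"].startswith("com.apple.")]


def live_kextstat() -> str:
    """Run the real `kextstat` on a Mac; fall back to the constructed sample elsewhere."""
    try:
        return subprocess.run(
            ["kextstat"], capture_output=True, text=True, check=True
        ).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return SAMPLE_KEXTSTAT


if __name__ == "__main__":
    # Each line printed is a vendor whose Catalina plans you need to confirm
    for kext in third_party_kexts(parse_kextstat(live_kextstat())):
        print(f"{kext['bundle']} {kext['version']} (refs={kext['refs']})")
```

Run it as root on a machine that has not yet been upgraded; a non-empty list is the set of products to raise with their vendors before rolling Catalina out. Bundle identifiers are matched by prefix only, so a vendor kext that happens to sit under a different reverse-DNS root still shows up.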
These changes come at a risky time, a time when the insider threat is clear amid rising enterprise security risk. According to a recent Verizon Data Breach Investigations Report, the share of data breaches caused by insiders rose to 34 per cent in 2018 from 28 per cent in 2017. That’s now more than one-third of all data breaches coming from insider actions. In effect, the “Catalina data security gap” could open a gap in enterprise security just as the percentage of macOS endpoints in the enterprise continues to grow.
The security community reacts
When it comes to the “Catalina data security gap,” there’s been a considerable reaction from the security community and enterprise practitioners.
Many see the changes around kexts as making it harder for traditional vendors that rely on those kernel-level extensions for their security products. On the other hand, many in the Mac community have a general understanding that with every macOS update, the operating system is also growing more secure.
How are security vendors advising their customers to manage their way through this security kernel crisis? Mostly, they are directing their customers not to upgrade — at least not right now. When will they call it safe to upgrade to Catalina? Who knows. For now, it's an indefinite period until these vendors manage to figure out a workaround. And while I'm confident that they will achieve a fix, I'm not as optimistic that it will be a lasting one. Apple is known to move quickly with its updates, and the next significant update (or the one after that) is likely to break whatever fix they put into place, and we'll be right back to where we are today.
Of course, not upgrading to the latest version of macOS isn’t a viable option. Instead, companies must find alternatives to their "broken" security and data loss prevention tools.
In the meantime, I think a lot of enterprises may get creative as they attempt to close their “Catalina data security gap.” Some may decide to avoid data loss prevention technologies altogether or simply disable the features that cause kernel panics. They may instead look at alternative monitoring technologies, such as Splunk or user behaviour analytics software, to analyse their file and traffic data and build their own custom alerts to spot anomalous behaviour. While such technologies have their value, they don’t alone solve the challenges associated with monitoring and securing insider data movements.
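To make the "custom alerts" idea concrete, here is an added example of the kind of baseline-and-deviation rule an enterprise might script over its own file-activity data when it cannot rely on a kernel-level DLP agent. It is not code from the article's author, from Code42, or from any Splunk or UBA product. The events it reads are constructed sample records (users, destinations and sizes are placeholders); a real deployment would feed it from whatever file-activity logging the endpoint or a SIEM already collects.

```python
"""Custom insider-threat alert over file-movement events.

Added example (not from the original article or from Code42): learns each
user's typical daily volume of files written to removable media or
cloud-sync folders and flags a day that deviates sharply from it.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed sample events: (ISO timestamp, user, destination kind, bytes written)
SAMPLE_EVENTS: List[Tuple[str, str, str, int]] = [
    ("2019-10-14T09:12:00", "alice", "removable", 3_000_000),
    ("2019-10-14T16:40:00", "alice", "cloud_sync", 2_000_000),
    ("2019-10-15T10:05:00", "alice", "cloud_sync", 7_000_000),
    ("2019-10-16T11:30:00", "alice", "removable", 6_000_000),
    ("2019-10-17T14:00:00", "alice", "cloud_sync", 8_000_000),
    ("2019-10-18T22:47:00", "alice", "removable", 1_500_000_000),  # late-night bulk copy
    ("2019-10-18T23:05:00", "alice", "cloud_sync", 500_000_000),
    ("2019-10-14T09:00:00", "bob", "cloud_sync", 3_000_000),
    ("2019-10-15T09:00:00", "bob", "cloud_sync", 3_000_000),
    ("2019-10-16T09:00:00", "bob", "cloud_sync", 3_000_000),
    ("2019-10-16T12:00:00", "bob", "local", 900_000_000),  # local disk: not an exfil path
    ("2019-10-17T09:00:00", "bob", "cloud_sync", 3_000_000),
    ("2019-10-18T09:00:00", "bob", "cloud_sync", 3_000_000),
    ("2019-10-17T15:00:00", "carol", "removable", 4_000_000),  # too little history
    ("2019-10-18T15:00:00", "carol", "removable", 4_500_000),
]

# Destination kinds that move data off the managed endpoint
EXFIL_DESTINATIONS = {"removable", "cloud_sync"}


def daily_volume(events) -> Dict[Tuple[str, str], int]:
    """Sum bytes per (user, day) for writes to removable media or cloud-sync folders."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for ts, user, dest, size in events:
        if dest in EXFIL_DESTINATIONS:
            day = datetime.fromisoformat(ts).date().isoformat()
            totals[(user, day)] += size
    return dict(totals)


def find_anomalies(events, z_threshold: float = 3.0, min_history: int = 3):
    """Return (user, day, bytes, z) for days far above the user's own baseline.

    Each day is scored against the user's *other* days (leave-one-out), so a
    single outlier does not inflate the baseline it is compared with. Users
    with fewer than min_history other days are skipped: no baseline, no alert.
    """
    per_user: Dict[str, Dict[str, int]] = defaultdict(dict)
    for (user, day), volume in daily_volume(events).items():
        per_user[user][day] = volume

    alerts = []
    for user, days in per_user.items():
        if len(days) < min_history + 1:
            continue
        for day, volume in sorted(days.items()):
            others = [v for d, v in days.items() if d != day]
            mu, sigma = mean(others), pstdev(others)
            if sigma == 0:  # flat baseline: treat 10% of the mean as the spread
                sigma = max(mu * 0.1, 1.0)
            z = (volume - mu) / sigma
            if z >= z_threshold:
                alerts.append((user, day, volume, round(z, 1)))
    return alerts


if __name__ == "__main__":
    for user, day, volume, z in find_anomalies(SAMPLE_EVENTS):
        print(f"ALERT {user} {day}: {volume / 1e6:.0f} MB to external destinations (z={z})")
```

On the sample data only alice's 18 October burst is flagged; bob's large write to local disk is ignored because it never leaves the machine, and carol has too few days to judge. The z-score threshold and the history requirement are the knobs to tune against a real population, and the leave-one-out baseline is what stops one bulk copy from quietly teaching the detector that bulk copies are normal.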
Caught between data security and usability
I expect there to be angst among users of traditional security tools. For instance, Code42 recently attended the Jamf Nation User Conference (an Apple device management user conference) held in the U.S. Every time we heard Mac and traditional DLP technologies mentioned, there was a clear sense of frustration. These users expressed irritation over their experience surrounding traditional DLP on macOS Catalina. Security professionals and administrators described how they felt caught between their security vendors, who were telling them to hold off on their upgrades, whilst their users demanded that their endpoints be upgraded to Catalina.
There's a good reason for the frustration, as none of the available options seems ideal. Organisations certainly can't accept the risk of doing nothing when it comes to insider threat and protecting their data.
Fortunately, all is not lost for enterprises that rely on macOS endpoints and want to protect their data from loss, leak and theft. Of course, enterprises can’t prevent all data risks and movement, but they certainly can get better at detecting, investigating and intelligently responding to suspicious activity. There are efficient technologies that provide these capabilities in real time so that threats can be swiftly mitigated.
And that’s good news for existing and future Mac users, especially when the number of macOS enterprise users could very well rival Windows users within the next decade.
Richard Agnew, VP EMEA, Code42