Meltdown and Spectre: Mitigation and Forward Looking Threat Prevention Strategies
UPDATE JAN 23, 2018: Multiple vendors, including Intel, have advised partners and customers to stop deploying the current Spectre variant 2 (CVE-2017-5715) microcode updates, citing "unpredictable system behavior" such as higher than expected reboots on patched systems. This guidance covers the CPU firmware (microcode) updates only; the operating system patches for Meltdown and Spectre variant 1 were not withdrawn and should still be applied. Burwood Group customers should reach out to your Account Executive or Technical Account Manager should you have any questions.
Read: Root Cause of Reboot Issue Identified; Updated Guidance for Customers and Partners, by Navin Shenoy, Executive Vice President and General Manager of the Data Center Group at Intel Corporation.
Meltdown and Spectre are critical vulnerabilities in the modern microprocessors that power computers, smartphones, tablets, and cloud servers. Both abuse speculative execution: the CPU runs instructions ahead of time, and although the results are discarded, they leave measurable traces in the cache. A malicious program can use those traces to read memory it should never see, such as passwords, photos, business-critical documents, and other sensitive data being processed on the machine. Meltdown lets an ordinary process read kernel memory; Spectre tricks another process (or the kernel) into leaking its own data.
As with previous high-profile threats, expect many security technology vendors to claim that their products would have prevented this one. Our advice? The threat is serious, but no single product fixes a CPU design flaw; a layered security architecture will make all the difference going forward.
Exploiting Meltdown or Spectre requires running attacker-controlled code on the target. That code can be a local process, a neighbouring virtual machine on shared cloud hardware, or, for Spectre, JavaScript served to a browser, so "local access" is a lower bar than it sounds. The attack itself only reads memory; it does not modify data or grant privileges, so its value to an attacker lies in the credentials and secrets it exposes. A layered security strategy built on robust endpoint protection (including an up-to-date browser), network segmentation, and strong identity management therefore limits where attacker code can run and how far stolen credentials will carry an intruder, which helps contain this threat while patches are not yet available.
A quality, layered security architecture provides the necessary technical controls and an effective Information Security Risk Management Program provides the priorities to ensure it is appropriately implemented. Before your organization starts to evaluate new security technologies, consider reviewing the effectiveness of your existing risk management processes and the impact that can have on your organization's security posture.
Near Term Mitigation Tactics
Because the flaw is in the hardware, it cannot be fixed in place; the available mitigations are operating system and microcode updates that work around it. Apple, Microsoft, and the major Linux distributions have released patches, and these should be installed as soon as possible to avoid the potential for exploitation. Meltdown (CVE-2017-5754) primarily affects Intel processors and is mitigated in the operating system (on Linux the fix is kernel page-table isolation, KPTI). Spectre variant 2 (CVE-2017-5715) additionally needs a CPU microcode update: Intel supplies the microcode, but it normally reaches a given machine as a BIOS/UEFI update from the system vendor for that specific chipset and model, or as a microcode package from the Linux distribution.
For official status and security advisories, see the vendor list below. Keep in mind that the current fixes can introduce performance regressions, because they change how the kernel isolates its memory from user processes: every transition into the kernel (system calls, interrupts, page faults) becomes more expensive, so syscall- and I/O-heavy workloads such as databases and network services are affected most. Some fixes also carry compatibility risk, and this varies by patch mechanism and platform. Microsoft's January updates, for example, install only when a registry flag (under the QualityCompat key) indicates that the endpoint's antivirus product is compatible with them, so an incompatible or absent AV product silently leaves the machine unpatched.
For instance, our consultants are seeing first-hand performance degradation in public cloud environments after patching, where the provider patches the hypervisor and the customer patches the guest, so a workload can pay both costs. Clients should be prepared to increase the size and processing capability of systems deployed in those infrastructures. For internal systems, clients should measure throughput and CPU utilization before and after applying patches, and be prepared to increase VM resources. Our consultants advise that all applications be tested post-upgrade, and that patch status be verified rather than assumed: Linux kernels that carry the fixes report per-issue status under /sys/devices/system/cpu/vulnerabilities/, and on Windows Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings) reports whether the OS and microcode mitigations are active.
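The post-patch check we would run on a Linux host, as an added example that is not part of the original post: kernels from 4.15 onward (and distribution backports of the fixes) write one file per issue under /sys/devices/system/cpu/vulnerabilities/, and /proc/cpuinfo shows the loaded microcode revision, which should change after a vendor firmware update but not after an OS patch alone. The script and function names are our own; the directory paths and the status strings quoted in the comments are the kernel's.

```shell
#!/bin/sh
# check-spectre.sh: verify Meltdown/Spectre mitigation status on a Linux host.
# Added example; the script and function names are our own choice.
# The kernel (4.15+ and distro backports) writes one file per issue under
# /sys/devices/system/cpu/vulnerabilities/ containing a status such as
#   "Not affected", "Mitigation: PTI", "Vulnerable", or
#   "Vulnerable: Minimal generic ASM retpoline" (retpoline without microcode).

# classify_status STATUS: print a one-line verdict for one sysfs status string.
# Exit code 0 = mitigated or not affected, 1 = still vulnerable, 2 = unrecognised.
classify_status() {
    case "$1" in
        "Not affected"*) echo "ok: not affected"; return 0 ;;
        Mitigation:*)    echo "ok: $1";           return 0 ;;
        Vulnerable*)     echo "VULNERABLE: $1";   return 1 ;;
        *)               echo "unknown: $1";      return 2 ;;
    esac
}

# check_vulns [DIR]: classify every issue file in DIR (default: the live sysfs
# directory). Prints one line per issue; the exit code is the number of issues
# still reported as Vulnerable, or 255 if the kernel does not expose the report
# at all, which almost always means the kernel itself is unpatched.
check_vulns() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    bad=0
    if [ ! -d "$dir" ]; then
        echo "$dir missing: kernel predates the Meltdown/Spectre fixes" >&2
        return 255
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        msg=$(classify_status "$status") && rc=0 || rc=$?
        if [ "$rc" -eq 1 ]; then bad=$((bad + 1)); fi
        printf '%-12s %s\n' "$(basename "$f")" "$msg"
    done
    return "$bad"
}

# microcode_revision [CPUINFO]: print the microcode revision the kernel reports
# for the first CPU (empty if the kernel predates the "microcode" field).
# Compare it with the revision named in your system vendor's advisory for the
# Spectre variant 2 fix; an OS patch on its own will not change it.
microcode_revision() {
    awk -F': ' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}

# Run as "sh check-spectre.sh live" to check the running system; with no
# argument only the functions are defined, so the file can be sourced.
if [ "${1:-}" = "live" ]; then
    echo "microcode revision: $(microcode_revision)"
    check_vulns && rc=0 || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "all reported issues mitigated"
    else
        echo "unmitigated issues remain (exit code $rc)" >&2
    fi
fi
```

Run it before and after patching and keep both outputs with the change record; a host whose spectre_v2 line still reads "Vulnerable: Minimal generic ASM retpoline" has the kernel fix but is waiting on the vendor firmware, which is exactly the state the January update above leaves many systems in.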
- Apple – Support
- Cisco – UCS estimated release date for patches is 2/18 / Security Advisory
- Citrix – Security Bulletin / Security Bulletin (XenServer)
- Dell – Knowledge Base
- Linux – Blog
- Microsoft – Security Guidance
- Nutanix – Security Advisory (login required)
- Palo Alto Networks – Security Advisory
- VMware – Security Advisory