To Patch or Not to Patch: The Latest on Fighting the Spectre and Meltdown Vulnerabilities

A few months ago, we wrote about the Spectre and Meltdown vulnerabilities discovered in Intel processors and how to address them: primarily, by deploying software patches. But recently, the plot thickened. Microsoft’s Meltdown patch actually made the original vulnerability worse, creating the new “Total Meltdown” vulnerability that puts its predecessor to shame.

While the original Meltdown vulnerability could read kernel memory at around 120 KB/s and was read-only, Total Meltdown can read complete system memory at gigabytes per second and provides hackers with complete write access. The vulnerability stems from a programming oversight that’s relevant to Windows 7 and Windows Server 2008 R2.

This isn’t the first or only issue with patches intended to mitigate Spectre and Meltdown, but it is one of the most dramatic. It also puts IT departments between the proverbial rock and hard place. What should you do when you need to fix a security vulnerability but the patch impacts performance, or worse, makes the vulnerability worse? How do you know whether to patch, and if so where, when, and how?

These aren’t easy questions and the answers aren’t cut and dried. It is, however, a critical issue to address. These “side channel” attacks are a new vector for hackers, so they aren’t as well understood by security specialists, yet their prevalence is quickly growing. You need a strategy to ensure that your fix helps, instead of hurts, your business.

3 steps to mitigating security vulnerabilities

While there is no foolproof path to protecting your company against security vulnerabilities, there are steps you can take to prevent attacks before they occur and quickly address them when they happen—because let’s face it: it’s not an “if,” it’s a “when.”

  1. Be as informed as possible. You need to know what you have in order to make smart decisions about how to protect it. This starts with a holistic view of all your systems and assets, from the data center to the cloud, but doesn’t stop there. Your insight should be both complete and contextual so you know which machines are most critical and how to prioritize your efforts based on business impact. It’s important to understand how they work together as well, since relationships between assets play a big role in their security status.
  2. Be ready to take informed action. Once you know where you’re vulnerable and which vulnerabilities take top priority, you need to be ready to act. That means an integrated approach to discovery and patching, in which you can easily deploy or remove patches based on your understanding of your environment from all angles.
  3. Upgrade. Vulnerabilities are often worse for older systems, as with Total Meltdown’s attack on Windows 7 and Windows Server 2008 R2. Upgrading to newer versions not only brings performance enhancements, but also additional security protection. This is part and parcel of steps 1 and 2. When you have deep, real-time knowledge of what you have and how it all works together, plus the ability to act on that knowledge, upgrading becomes a regular part of business as usual and not a special event.

How BMC can help

BMC offers multiple paths to the knowledge you need to stay secure.

  • BMC Discovery addresses security challenges with a complete view of your environment, including data center servers, cloud services, network, storage, and the mainframe. It streamlines data inventory, provides deep business service awareness, and acts as a single point of reference for understanding resources across your infrastructure to help you prioritize actions.
  • BMC Client Management. Like BMC Discovery, BMC Client Management provides robust, automated inventory management. It also integrates endpoint management with your service desk or CMDB, and enables you to maintain current patches and deploy new ones – critical to step 2 listed above. With BMC Client Management, you can assess, manage, deploy, and report on patches so you can reduce patch time by 30%—and ensure your systems remain safe and secure.
  • BMC SecOps Response Service helps you understand and prioritize risks and reduce your overall attack surface by providing operations teams with prescriptive and actionable data to address vulnerabilities based on perceived impact. Through integration with BMC Discovery, security and operations teams can identify blindspots—systems previously unknown or unmanaged—and make adjustments. Through integration with BladeLogic Server Automation or Microsoft System Center Configuration Manager, you can trigger remediation actions like patching.
  • BladeLogic Server Automation helps server administrators manage the full server life cycle including provisioning, configuration, compliance, software deployments, and patching. It works across multiple server platforms to address vulnerabilities in a consistent manner. It’s also integrated with BMC SecOps Response Service and operationally aware so that patching can be targeted to maintenance windows that match business requirements.

For more information, check out our BMC Discovery, BMC Client Management, and BMC SecOps Response Service web pages, or contact a BMC representative.


These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.


Antonio Vargas

Antonio Vargas is a Principal Product Manager for BMC Discovery. In this role, Antonio is responsible for gathering requirements and feedback from customers, sales, engineering, support, and R&D to shape future releases of BMC Discovery. Antonio joined in January 2016 and was previously a customer of BMC Software. He has a wealth of experience with BMC Discovery, having deployed 600+ App Models and consistently discovered 95+% of infrastructure (servers, network devices, etc.) for his previous company. He is also a subject matter expert in the BMC Atrium CMDB, with 28 service models configured and integrated with monitoring, SIEM, analytics, DevOps, asset management, and portfolio management solutions.