A few months ago, we wrote about the Spectre and Meltdown vulnerabilities discovered in Intel processors and how to address them: primarily, by deploying software patches. But recently, the plot thickened. Microsoft’s Meltdown patch actually made the original vulnerability worse, creating the new “Total Meltdown” vulnerability that puts its predecessor to shame.
While the original Meltdown vulnerability could read kernel memory at around 120 KB/s and was read-only, Total Meltdown can read complete system memory at gigabytes per second and provides hackers with complete write access. The vulnerability stems from a programming oversight that’s relevant to Windows 7 and Windows Server 2008 R2.
This isn’t the first or only issue with patches intended to mitigate Spectre and Meltdown (see here and here), but it is one of the most dramatic. It also puts IT departments between the proverbial rock and hard place. What should you do when you need to fix a security vulnerability but the patch impacts performance, or worse, makes the vulnerability worse? How do you know if you should patch or not, where, when, and how?
These aren’t easy questions and the answers aren’t cut and dry. It is, however, a critical issue to address. These “side channel” attacks are a new vector for hackers, so they aren’t as well understood by security specialists, yet their prevalence is quickly growing. You need a strategy to ensure that your fix helps, instead of hurts, your business.
3 steps to mitigating security vulnerabilities
While there is no foolproof path to protecting your company against security vulnerabilities, there are steps you can take to prevent attacks before they occur and quickly address them when they happen—because let’s face it: it’s not an “if,” it’s a “when.”
- Be as informed as possible. You need to know what you have in order to make smart decisions about how to protect it. This starts with a holistic view of all your systems and assets, from the data center to the cloud, but doesn’t stop there. Your insight should be both complete and contextual so you know which machines are most critical and how to prioritize your efforts based on business impact. It’s important to understand how they work together as well, since relationships between assets play a big role in their security status.
- Be ready to take informed action. Once you know where you’re vulnerable and which vulnerabilities take top priority, you need to be ready to act. That means an integrated approach to discovery and patching, in which you can easily deploy or remove patches based on your understanding of your environment from all angles.
- Upgrade. Vulnerabilities are often worse for older systems, like Total Meltdown’s attack on Windows 7 and Windows Server 2008 R2. Upgrading to newer versions not only brings performance enhancements, but also additional security protection. This is part and parcel with steps 1 and 2. When you have deep, real-time knowledge of what you have and how it all works together, plus the ability to act on that knowledge, upgrading becomes a regular part of business as usual and not a special event.
How BMC can help
BMC offers multiple paths to the knowledge you need to stay secure.
- BMC Helix Discovery addresses security challenges with a complete view of your environment, including data center servers, cloud services, network, storage, and the mainframe. It streamlines data inventory, provides deep business service awareness, and acts as a single point of reference for understanding resources across your infrastructure to help you prioritize actions.
- BMC Helix Client Management. Like BMC Helix Discovery, BMC Helix Client Management provides robust, automated inventory management. It also integrates endpoint management with your service desk or CMDB, and enables you to maintain current patches and deploy new ones – critical to step 2 listed above. With BMC Helix Client Management, you can assess, manage, deploy, and report on patches so you can reduce patch time by 30%—and ensure your systems remain safe and secure.
- BMC SecOps Response Service helps you understand and prioritize risks and reduce your overall attack surface by providing operations teams with prescriptive and actionable data to address vulnerabilities based on perceived impact. Through integration with BMC Helix Discovery, security and operations teams can identify blindspots—systems previously unknown or unmanaged—and make adjustments. Through integration with BladeLogic Server Automation or Microsoft System Center Configuration Manager, you can trigger remediation actions like patching.
- BladeLogic Server Automation helps server administrators manage the full server life cycle including provisioning, configuration, compliance, software deployments, and patching. It works across multiple server platforms to address vulnerabilities in a consistent manner. It’s also integrated with BMC SecOps Response Service and operationally aware so that patching can be targeted to maintenance windows that match business requirements.