The Other Side of Meltdown and Spectre Defense

I have been very surprised by how there has been so much talk about resolving the Intel speculative execution bugs (aka ‘meltdown’ and ‘spectre’), but so little talk about detection and prevention of the actual attack vectors.

Patches have had issues, been rolled back, blocked from being applied, and evaluated as outright useless, yet no one has advocated a strong protection strategy in the meantime. I continue to hear from vendors that there are no exploits in the wild so the threat is low. At the time I believed that to be true as well, and stated the same in my communications to our partners.

However, while that statement was understandable in early January, it becomes more negligent to repeat that rhetoric with every day that passes in which explanations of the exploit path and proof-of-concept code are in the wild. It is almost certain that by now attacks have been developed and planned, and most likely are being launched silently. It is important to remember that while this vulnerability requires local execution to exploit, local access is not necessarily required. That means protecting at the OS and application level with real-time anti-virus or behavioral tools is not enough; protecting against remote code execution vectors, such as JavaScript browser-based attacks, and preventing an attacker from piggybacking on an open remote code execution vulnerability are becoming more critical.

So what am I getting at? Simple: other than its scale, this vulnerability is no different than any other. As always, it is just as important (if not more) to detect and protect as it is to remediate. The bigger the vulnerability the longer it takes to fully resolve, and the more important it is to watch the wall while you are exposed.

You cannot depend solely on OEMs and providers to save the day, because their hands are tied by the complexity of solving the problem without rushing and causing further issues. All IT professionals have the responsibility of not only applying OS and firmware patches, but also ensuring that IDS platform signatures are up to date and working, that firewalls and WAFs are isolating systems that need not be exposed externally, that OS-level agents are updated with current signatures, that browser protections are updated, that SIEM rules and views are current, etc. The bottom line? A strong, actively maintained defensive posture is always required. There is ALWAYS an imminent threat, so if you operate with vigilance during a perceived time of peace you are ready for war time when it comes.
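Applying OS and firmware patches is only half the job; the other half is verifying, host by host, which issues are still unmitigated so that the compensating controls above are kept in place for exactly as long as they are needed. The script below is an added example and is not code from the original post or from Green Cloud. It reads the Linux kernel's sysfs status files under /sys/devices/system/cpu/vulnerabilities (a real interface, present since kernel 4.15) and classifies each one; the SAMPLE_STATUS dictionary is constructed so the script can also run offline on a non-Linux machine.

```python
"""Report which CPU speculative-execution issues a Linux host still exposes.

Added example: reads the kernel's sysfs status files (present since Linux
4.15) and classifies each one, so a fleet can be checked while patches are
still rolling out. The sample dictionary below is constructed for offline runs.
"""
import os
from typing import Dict, List

# Real kernel interface: one file per issue, e.g. meltdown, spectre_v1, spectre_v2.
VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample of what those files might contain on a partially patched host.
SAMPLE_STATUS: Dict[str, str] = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
    "l1tf": "Not affected",
}


def classify(status: str) -> str:
    """Map a raw sysfs line to one of: not_affected, mitigated, vulnerable, unknown."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # e.g. "Unknown: Dependent on hypervisor status"


def still_exposed(statuses: Dict[str, str]) -> List[str]:
    """Names of issues the host has not mitigated; 'unknown' is treated as exposed."""
    return sorted(name for name, st in statuses.items()
                  if classify(st) in ("vulnerable", "unknown"))


def read_sysfs_status(path: str = VULN_DIR) -> Dict[str, str]:
    """Read the live status files; returns {} on kernels or OSes without the interface."""
    if not os.path.isdir(path):
        return {}
    result: Dict[str, str] = {}
    for name in sorted(os.listdir(path)):
        try:
            with open(os.path.join(path, name), encoding="utf-8") as fh:
                result[name] = fh.read().strip()
        except OSError:
            result[name] = "unknown: unreadable"
    return result


def report(statuses: Dict[str, str]) -> str:
    """Human-readable summary, one issue per line, ending with the exposed set."""
    lines = [f"{name:12s} {classify(st):12s} {st}"
             for name, st in sorted(statuses.items())]
    exposed = still_exposed(statuses)
    lines.append("EXPOSED: " + (", ".join(exposed) if exposed else "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    # Prefer live data; fall back to the constructed sample when sysfs is absent.
    live = read_sysfs_status()
    print(report(live if live else SAMPLE_STATUS))
```

Run it from a configuration-management or inventory job and forward the final EXPOSED line to the SIEM; a host whose exposed set is non-empty is one that still depends on the compensating controls (IDS, WAF, browser hardening) rather than on the patch.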

None of this is meant to imply that Green Cloud, Intel or any other vendor has no responsibility to protect you as diligently as they can. It is simply the case that a multi-layered, defense-in-depth approach is required in the modern world of complex vulnerabilities. A sieve approach, with many opportunities to catch an attack early in its lifespan while remediation steps are still being developed, is always the safest course of action.

Stay tuned for a follow up on exactly how to implement such an approach.


by Eric Hester, Green Cloud Co-Founder and Chief Innovation Officer