Another day, another vulnerability. Instead of melting down, let’s take this latest (admittedly significant) announcement for what it is: a clarion call for basic security hygiene. Answering that call, and not short-term fear-mongering, will serve you and your enterprise best.
No security hardware or software solution can replace good blocking and tackling – executing basic security best practices such as a strong security architecture, mature security operations, robust patch management, continuous monitoring, widespread visibility (e.g. SSL decryption) and a mature incident response process. Together, these controls are what ensure your ability to respond not just to Meltdown and Spectre but to the plethora of other vulnerabilities that already exist – and those that will be disclosed in the future.
Meltdown and Spectre are the names given to hardware bugs in modern processors that potentially allow critical vulnerabilities to be exploited. An attacker who exploited one of these vulnerabilities could steal data being processed on the computer, which might include your passwords, your personal photos, or business-critical documents.
What should you do right now? You should add Meltdown and Spectre to your list of identified vulnerabilities and have a plan in place to remediate them. Enlist trusted experts to help craft a roadmap to success.
1. Install the latest updates (for your software and hardware), but more importantly ensure you have a robust patch management capability to deploy all future patches.
2. Build detection and response capabilities to be able to respond to security events in real-time.
3. Identify and close gaps in your security operations and incident response program.
Information security is not about fixing yesterday’s bug tomorrow. It’s about making sure you can respond to real events in real-time. There’s going to be another branded bug after these two. And another. And another.
The reality is that security is hard. The market demands functionality – whether in the form of speed or features or whatever else – and generally doesn’t incentivize security. Other than a small number of exceptional organizations, security today generally happens when people are forced to implement it via regulation (OCC, PCI, SOX, etc.) or a comparably direct incentive (e.g. ransomware disrupting the business and not being covered by most cyber liability policies).
Real security is not about magically preventing the unknown. It’s about doing the basics, having the basics of architecture and tools in place, being able to patch quickly, and being able to effectively detect and respond to threats in real-time.
For the immediate concern of how to mitigate these vulnerabilities, follow the vendor links at the bottom of the official advisory page at https://spectreattack.com/
For organizations still running on-premise architectures, that mostly means: Microsoft (summary = apply patches), RedHat (summary = apply patches), and your web browser of choice (for Chrome, that means apply patches and change a configuration setting).
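One way to verify that the "apply patches" step actually took effect on a Linux host, as an added example that is not part of the original post: the kernel patches for Meltdown and Spectre report their mitigation status under /sys/devices/system/cpu/vulnerabilities/, and this script turns those files into a per-bug verdict you can feed into your vulnerability tracking. It assumes a kernel that exposes that directory and falls back to constructed sample data when run offline.

```python
"""Audit Meltdown/Spectre mitigation status reported by the Linux kernel.
Added example, not from the original post; assumes a kernel that exposes
/sys/devices/system/cpu/vulnerabilities/ (mainline 4.15+ or a vendor backport)."""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
# Constructed samples of the sysfs file contents on a patched and an unpatched host.
SAMPLE_PATCHED = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB, IBRS_FW",
}
SAMPLE_UNPATCHED = {
    "meltdown": "Vulnerable",
    "spectre_v1": "Vulnerable",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
}

def classify(status: str) -> str:
    """Map one sysfs status line to a coarse verdict."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # unrecognised text: investigate rather than assume it is safe

def audit(entries: dict) -> tuple:
    """Return per-bug verdicts and the sorted list of bugs that still need action."""
    verdicts = {name: classify(text) for name, text in entries.items()}
    todo = sorted(n for n, v in verdicts.items() if v in ("vulnerable", "unknown"))
    return verdicts, todo

def read_live(sysfs_dir: str = SYSFS_DIR) -> dict:
    """Read the real sysfs files; an empty dict means the kernel predates the interface."""
    if not os.path.isdir(sysfs_dir):
        return {}
    return {n: open(os.path.join(sysfs_dir, n)).read() for n in os.listdir(sysfs_dir)}

if __name__ == "__main__":
    live = read_live()
    if not live:
        print("kernel exposes no vulnerabilities/ directory: treat as unpatched; showing sample data")
    verdicts, todo = audit(live or SAMPLE_UNPATCHED)
    for name in sorted(verdicts):
        print(f"{name:12s} {verdicts[name]}")
    print("needs action:", ", ".join(todo) or "none")
```

A host whose kernel lacks the directory entirely has not received the fixes at all, so treat that case as unpatched rather than as a clean result.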
For those with significant infrastructure in the cloud: while the attack surface was larger, Meltdown and Spectre effectively demonstrate a primary security advantage inherent to the cloud. While I know firsthand a lot of organizations that are currently scrambling to apply the patches for these vulnerabilities in on-premise infrastructure, all Amazon customers are already protected. Amazon was able to deploy fixes across their entire cloud infrastructure in record time thanks to the tremendous efficiencies of scale and centralization.
Spend now on the basics or spend more after a breach – when you’ll also lose data, good standing, and sleep. Instead of chasing solutions to the latest vulnerability, strengthen your security architecture and operations, so you can respond effectively to the next event. And the ones that come after.
Eric Foster is Chief Information Security Officer (CISO) at Fishtech Group, where he is responsible for security, governance, and compliance initiatives for the cybersecurity solutions provider as well as Fishtech’s Managed Detection and Response practice. He is the former CISO for Netsmart, the nation’s largest provider of innovative healthcare technology for the behavioral health, social services and post-acute communities, as well as former head of Customer Success for RiskIQ, the leader in digital threat management. Fishtech delivers operational efficiencies and improved security posture for its clients through cloud-focused, data-driven solutions.