cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post

Perspective on the Meltdown & Spectre Security Fail

Product Manager
Product Manager

We just can't have anything nice, now can we?  Oh, well. We knew there would be new vulnerabilities and ransomware attacks in 2018. However, this time hardware is the culprit, and patching is not going to be a cure-all for the situation. Consider yourself warned: expect more slowdowns in 2018.

Stop and think about this for a second: as the days progress, we are literally learning how much this new vulnerability impacts us. Anyone who says they have the full solution is not being honest with you or themselves. What I would like to do is help you to see how you can use the tools you likely already have to make you more aware of past, present, and future vulnerabilities and threats. That said, let's move on to the importance of using SolarWinds tools to do just that.

SolarWinds® Patch Manager will allow you to update your Windows® machines to their Microsoft® patches. If you are currently using this product, you should already be scheduling and looking for these. I discovered that there can be some issues with third-party Windows antivirus or you might get the BSOD. Read more here, because the awesome chart helps clarify these issues and how to prevent them from happening to you.

Further, Patch Manager will allow you to schedule and report on your Windows devices regarding updates. The reporting is key to showcase your compliance and, in this case, start your baseline. Plus, just because you update your devices does not mean you are 100% in the clear. Updating your third-party packages is an added bonus with Patch Manager, a fact that is often overlooked though desperately needed.     

SolarWinds® Server & Application Monitoring (SAM) will help you validate your business, yourself, and your vendor support for any degradation that patching may have on your applications. This is something you will want to have in place as soon as possible. It allows you to see any anomalies that may present themselves to your applications after the patching is applied. And because SAM is multi-vendor, you’ll be able to address even broad-scale hardware issues. The avid SAM users among you will likely know even more tricks for using the software, and I encourage you to share your knowledge in the comments to help us all be more aware in terms of application-centric monitoring.

SolarWinds® Network Configuration Manager (NCM) comes helps when there are firmware upgrades\updates that need to be applied to impacted network devices. It also helps you to roll these out. There is a compliance reporting function built into NCM that will assist with audits automatically. Remember, this incident is ongoing, which makes NCM’s ability to import very helpful. In fact, you can plug into firmware vulnerability warnings provided by the National Institute of Standards and Technology (NIST). This puts you even further ahead of future vulnerabilities.

SolarWinds® Network Performance Monitor (NPM) is all about the baseline. If you have ever been to one of our SWUGs, you have heard me preach endlessly about baselines and their extreme importance. However, I understand that sometimes you need black and white in front of you to truly understand this. The mindset I’m currently following regarding this vulnerability looks something like this:

  1. Patched and we have our checkbox
  2. Monitoring our application performances
  3. Ready for updates to needed network devices
  4. Monitoring the common vulnerabilities database
  5. Waiting for any anomaly that may present its ugly face (my favorite)

We can now show that we have implemented the patching to put a Band Aid® on the issues that could present themselves. However, as I’ve already mentioned, this is not a full fix. A hardware option would be the best solution, but is obviously not available to billions of devices at this time. YOU ARE THE THE FIRST RESPONDER!

Using NPM in combination with the other tools that I have outlined allows you to verify the patching and the results. Also, if there are ticks or drops or spikes that do NOT match your current baseline, you can share that solid reporting and documentation with your vendor to work out the possible issue, which makes you part of the solution. Is there anything better than working at the edge of technological advancements to create countermeasures to vulnerabilities? NO. The answer is a solid NO.

If you don’t already have it in place, set up threshold alerting and monitoring on critical devices that are housing your applications. That helps ensure that you are alerted to anything out of the ordinary, allowing you to get things back on track. It also shows your team and other departments that you are fully invested in the integrity of application uptime and performance. Also, if you have DevOps, you really need the documentation and baselines to prove that perhaps the performance issue is not the in-house application, but an actual patching issue. That, right there, can save a lot of unneeded cycles through rabbit holes.

Please let me know if you have additional ways to protect and help through these beginning stages of 2018 vulnerabilities. The ideas we share could literally help the many of you who act as a one-person army fighting your way to the top!

Thank you all for your eyes,

~Dez~

In case you’d like more information on any of the products mentioned above, check these out:

SolarWinds® Patch Manager

SolarWinds® Server & Application Monitor

SolarWinds® Network Performance Monitor

SolarWinds® Network Configuration Manager

Other resources:

https://www.pcworld.com/article/3245606/security/intel-x86-cpu-kernel-bug-faq-how-it-affects-pc-mac....

https://www.nytimes.com/2018/01/03/business/computer-flaws.html

Check out our Security and Compliance LinkedIn® Showcase Page for ideas on how to socialize this content: https://www.linkedin.com/showcase/solarwinds-security-and-compliance/

Follow our Federal LinkedIn page to stay current on federal events and announcements: https://www.linkedin.com/showcase/4799311/

7 Comments
Level 9

Dez, reports are out from places like PostgrSQL that after patching we can expect to see performance hits, as you mentioned.  The numbers I've seen range from 12-20%.  The most sensitive to performance degradation seem to be virtualization and database environments.  Doesn't SolarWinds have something that can help optimize these?  Database Performance Analyzer and Virtualization Manager I thought might be able to help optimize these environments so the performance impact is reduced as much as possible.

Thanks for this write-up. I forwarded it to my bosses-with-doors to let them know our high-level response strategy to this latest firedrill. They were pleased (shocker!) that my team had a plan in place and that we were able to leverage existing tools. I swear, I think they believe I wrote it. But that's another story... lol

Level 12

One of the things we tried to do right off the bat was get a census of our CPU vendors - Intel vs AMD. We ran into trouble with anything other than WIndows, though. Of course, this is a problem that all NMSes face. Each OS reports things in different ways. OIDs can move from version to version and model to model.

My dream is that the NMS (NPM in this case) would provide an independent field that could be mapped for each OS and version. Who would have thought that CPU model might be this critical? But we have similar problems with model numbers, too.

Also note that vendors are taking various positions on Spectre and Meltdown, because NIST/CERT only classified the severity as Medium - not High or Critical.

NVD - CVE-2017-5753  Spectre Bounds Check Bypass

NVD - CVE-2017-5715  Spectre Branch Target Injection

NVD - CVE-2017-5754  Meltdown

Meltdown and Spectre Side-Channel Vulnerability Guidance | US-CERT  Cert;'s Guidance - links to many vendor's pages

This all could change if someone makes a kit to exploit these vulnerabilities.

=seymour=

Product Manager
Product Manager

Yes!  So the main thing is to keep a level head on the patching.  Knee jerk reactions can breed bigger issues.  We should have a monitoring discipline in place that will help to see issues after patching when you have a strong baseline.  I have increased alerting on some devices I have tested in lab so I can be alerted to shifts outside of DANGER 90%or 95%.  There is multiple ways for you to stay on top vulnerabilities and mainly how they effect you ongoing.

~Dez~

Product Manager
Product Manager

That is fantastic!  I'm glad I could help in a time of need    Mainly for vulnerabilities past, ,present, and in the future, monitoring offers a great way to help people be aware and have the ability to keep a level headed approach to how you can monitor the situation and mitigate with appropriate tools you currently have.

Thinking outside of the box 

~Dez~

Only just found this, really good article.

MVP
MVP

Defense in depth certainly provides some breathing room.

About the Author
I started in networking and security around 2002 by taking Cisco Certified Network Associate and Security+ courses from Central Vo-tech. This is where I fell in love with technology in general. From there I venture out to internships and started using the Engineers Toolset from SolarWinds which made me wonder about software. The company I was with purchased Cirrus which is now Network Configuration Manager (NCM) and I was officially hooked. I searched out for SolarWinds and well you guessed it I started working for them and believe it or not in sales. That was the only position open but I knew I wanted to be here. So I quickly worked my way in to the support side and became the first Sales Engineer and then the first Applications Engineer. Since I am a very curious person I have since in my 9 years of being at SolarWinds decided to pursue more education. Security is always a fascination to me so I started taking classes on INFOSEC Assessment Methodology (IAM) and INFOSEC Evaluation Methodology (IEM) of the NSA. Then I went and took the CIW Masters for web development and ventured to databases. MCITP SQL Server and Development certifications that led me to a database development degree in college. I’m pretty much a jack of all trades and LOVE IT! This all applied to my work with SolarWinds as I wanted to be able to help customers solve their issues or needs. So knowing more information allowed me to do this successfully. I also dabbled in Cisco UCS management and currently taking classes to venture toward a CCIE (crossing fingers). NCM is a product that I have worked with since its beginning. I even had the opportunity to fly to the NSA to create templates for some of their devices. I used to be the sole MIB database controller so I’m definitely your huckleberry on MIBs and OIDs. As an Applications Engineer I focused on Network Performance Monitor, Network Configuration Manager, Web Performance Monitor, Enterprise Operations Console, Patch Manager, User Device Tracker, and the Engineers Toolset. See why I like to constantly learn new things I had a lot to be on top of! SolarWinds is a passion of mine still to this very day. My new role as a Product Manager for NCM is home to me. Funny how I circled around back to my favorite product that got me here in the first place. :) My goal is to educate and work with customers to leverage our products to their fullest degree!