Turn Spectre and Meltdown Vulnerabilities into an Opportunity to Improve Security Posture
Now that organizations have had a couple of weeks to absorb the impact of the recently announced Spectre and Meltdown microprocessor vulnerabilities, it’s time to take a step back and look at how we can use these events to improve our overall future security posture and awareness.
There are plenty of other blogs out there going into the details of what these vulnerabilities mean for the state of CPU security, including this one from HPE, so I won’t repeat things unnecessarily.
In essence, there are three parts to deal with for this particular problem, and the approach taken for these two recent vulnerabilities can be applied as a best practice to similar vulnerabilities in the future:
1) Rolling out operating system patches
Hopefully every IT administrator worth his salt has a process in place to assess, test, and deploy operating system patches on a regular basis, and the OS and application patches released for Spectre and Meltdown should fit right into that process. Some questions worth asking yourself:
- How did you handle communication and knowledge sharing amongst stakeholders and other key people in the IT organization?
- Do you have a product and process in place to be able to determine what systems were at risk and needed patching?
- Did you follow procedure to get timely approval to deploy the right patches?
- How quickly were you able to prioritize the remediation of the most critical business assets? Do you have proof that these systems are remediated?
2) Rolling out updated firmware (or System ROM for HPE ProLiant servers)
Tools like HPE OneView make this easier, but rolling out a new firmware image certainly takes a bit more planning than rolling out an OS patch. Bear in mind that Intel, at the time of writing this blog, hasn’t released the microcode that would allow vendors to create patches for all of their systems, so organizations will have a number of assets that they simply can’t patch at the firmware level - for reference, here you can find a regularly updated overview of the current status for HPE systems.
It’s also important to remember that this is not just an Intel problem: it impacts AMD and ARM CPUs, amongst others, as well, and because of the fundamental re-architecture that will be required to resolve the issue completely, there may never be a firmware fix for certain assets. Whilst it would be nice to think that organizations will use this as an opportunity to upgrade to the latest server hardware, realistically we all know that servers are often used until they fall over or aren’t powerful enough to do the job they need to do. It’s also important not to forget the ‘other’ devices on the network that require patching besides servers – for example OEM appliances, network devices, etc.
- What product and process do you use to roll out the necessary firmware images?
- What is your policy to deal with systems that can’t (yet) be patched?
- How does this impact your business risk? Is this considered as part of your overall risk management?
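The questions in sections 1 and 2 both come down to having proof that a given host is actually mitigated. As an added example that is not part of the original post, this POSIX shell snippet classifies the per-vulnerability status files that recent Linux kernels (4.15 onwards, plus distribution backports) expose under /sys/devices/system/cpu/vulnerabilities/; the sysfs path and the constructed sample readings are the only assumptions, the status strings themselves follow the kernel's own format.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the kernel's
# per-vulnerability status files as proof of remediation. The kernel writes
# one of "Not affected", "Vulnerable[: detail]" or "Mitigation: detail" per file.
# Assumed path; override with VULN_DIR=... to point at a copy from another host.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STRING -> prints not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation: "*) echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_dir DIR -> prints "name class raw-status" per file; returns 1 if any
# entry is vulnerable or unrecognised, so it can gate a compliance check.
report_dir() {
    dir="$1"; bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status_line=$(cat "$f")
        cls=$(classify_status "$status_line")
        printf '%-16s %-12s %s\n' "$(basename "$f")" "$cls" "$status_line"
        case "$cls" in vulnerable|unknown) bad=1 ;; esac
    done
    return "$bad"
}

# make_sample_dir -> prints the path of a constructed directory that mimics
# sysfs on a partially patched host (sample values, not real readings).
make_sample_dir() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable: Minimal generic ASM retpoline" > "$d/spectre_v2"
    echo "$d"
}

# On a real host: report_dir "$VULN_DIR"; echo "exit=$?"
```

A non-zero exit from report_dir is the signal to record the host as "cannot (yet) be patched" in the risk register rather than as remediated.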
3) Performance Concerns
There has been a lot of discussion around the expected performance hits that will be introduced with the system updates. It is hoped that the performance hit will not be noticeable in most cases, as few servers run at high utilization; however, there will certainly be some impact, especially for older servers running I/O intensive applications.
The performance challenges seem to be of more concern to the organizations we have spoken to than the security issues. It’s important to do appropriate testing before committing the new ROMs and OS patches into production, remembering that all applications will have different performance profiles. If necessary, redesign the application’s infrastructure to take advantage of newer and more powerful compute.
- Is performance testing part of your patch management process?
- Were you able to easily measure and deliver proof of the impact of the vulnerability fixes on your production systems?
- Do you have a performance monitoring and management system (product and process) in place?
In terms of remediation, HPE’s advice is always to apply any available security updates to your systems in a timely manner in order to mitigate any potential attack vector – HPE has released a customer guidance pack for the microprocessor vulnerabilities. But it also makes a lot of sense to address this programmatically.
Rethink Security and Protection
At HPE Pointnext we offer a number of advisory and professional services to help customers with a holistic approach to security. We help our customers with risk assessments – putting vulnerabilities into the context of business processes and risk – and using this to create standards-based security programs. We also develop defense-in-depth strategies, incorporating security technologies from our network of solution partners, and complement technical controls with non-technical measures, following our HPE Pointnext P5 Model – People, Policies/Procedures, Processes, Products, and Proof.
Hopefully you can use the way you dealt with this particular incident to improve your own security posture in order to respond faster and more efficiently the next time you need to move quickly. If you would like any advice or support on how HPE Pointnext could help you achieve holistic security for your organization, or indeed help you with the remediation of these microprocessor vulnerabilities, please reach out to your local HPE Pointnext sales contact, or contact us via this blog. For further information, visit our website HPE Pointnext Security and Digital Protection Services.
Additional Resources:
- "The 5 P's of Data Protection" by Security Expert Lois Boliek
- "The Adaptive Continuum: Rethinking Security and Protection in a Hybrid World" by Security Expert Lois Boliek
SimonLeech
Simon is Deputy Director in the HPE Global Security Center of Excellence. He is responsible for bringing together cyber experts from across HPE to support the vision of an open and secure edge to cloud platform, and works with HPE's enterprise customers worldwide, evangelising the strategy of HPE Global Security and articulating our ‘Secure by Design’ and ‘Operationally Secure’ principles. Simon has worked in the IT security industry for over 25 years and is well versed in many areas of IT security, including network security, operational security, malware, cyber threats, vulnerability management, hybrid cloud security, container security, zero trust security, and cyber resilience. Simon is active on Twitter as @DigitalHeMan