The Cloud Experience Everywhere

Turn Spectre and Meltdown Vulnerabilities into an Opportunity to Improve Security Posture

Now that organizations have had a couple of weeks to absorb the impact of the recently announced Spectre and Meltdown microprocessor vulnerabilities, it’s time to take a step back and look at how we can use these events to improve our overall future security posture and awareness.

There are plenty of other blogs out there going into the details of what these vulnerabilities mean for the state of CPU security, including this one from HPE, so I won’t repeat things unnecessarily.

In essence, there are three parts to dealing with this particular problem, and the approach taken for these two recent vulnerabilities can serve as a best practice for similar vulnerabilities in the future:

1) Rolling out operating system patches 

Hopefully every IT administrator worth their salt has a process in place to assess, test and deploy operating system patches on a regular basis, and the OS and application patches released for Spectre and Meltdown should fit right into that process. One caveat: the OS patch is a complete mitigation for Meltdown on its own, but the OS-level mitigations for Spectre variant 2 depend on updated CPU microcode delivered through the system firmware, so the first two parts of this problem cannot be signed off independently of each other. Some questions worth asking yourself:

  • How did you handle communication and knowledge sharing amongst stakeholders and other key people in the IT organization?
  • Do you have a product and process in place to be able to determine what systems were at risk and needed patching?
  • Did you follow procedure to get timely approval to deploy the right patches?
  • How quickly were you able to prioritize the remediation of the most critical business assets? Do you have proof that these systems are remediated?

2) Rolling out updated firmware (or System ROM for HPE ProLiant servers)

Tools like HPE OneView make this easier, but rolling out a new firmware image certainly takes more planning than rolling out an OS patch. At the time of writing, Intel has not yet released microcode for all of its processors, so vendors cannot produce firmware updates for every platform, and organizations will be left with a number of assets that simply can’t be patched at the firmware level for now; for reference, here you can find a regularly updated overview of the current status for HPE systems.

It’s also important to remember that this is not just an Intel problem: AMD and ARM CPUs, amongst others, are affected by Spectre as well, and because a complete fix requires a fundamental re-architecture of the processor, there may never be a firmware fix for certain assets. Whilst it would be nice to think that organizations will use this as an opportunity to upgrade to the latest server hardware, realistically we all know that servers are often used until they fall over or are no longer powerful enough for the job they need to do. It’s also important not to forget the ‘other’ devices on the network that require patching besides servers, for example OEM appliances, network devices and so on.

  • What product and process do you use to roll out the necessary firmware images?
  • What is your policy to deal with systems that can’t (yet) be patched?
  • How does this impact your business risk? Is this considered as part of your overall risk management?
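The questions about determining which systems were at risk, proving they are remediated, and handling systems that can’t (yet) be patched all come down to the same per-host evidence: which variants the running kernel reports as mitigated, and which microcode revision the CPU is actually running. The following script is an added example and is not part of the original post or of any HPE tooling. It reads the per-variant status the Linux kernel publishes under /sys/devices/system/cpu/vulnerabilities (present from kernel 4.15 and in distribution backports) and the microcode revision from /proc/cpuinfo, and returns a distinct exit code for "all mitigated", "still vulnerable" and "cannot tell", so its output can be collected from each server and used to list the hosts that still need firmware. The VULN_DIR and CPUINFO overrides and the `audit` argument are conventions of this example only; the status strings quoted in the note that follows are constructed samples.

```shell
#!/bin/sh
# Added example: audit a Linux host's Spectre/Meltdown mitigation status.
# The kernel (4.15+ and distribution backports) reports per-variant status in
# /sys/devices/system/cpu/vulnerabilities/<variant>; the running CPU microcode
# revision is reported in /proc/cpuinfo. Both paths are real kernel interfaces.
# The override variables below exist so the functions can be run against
# constructed sample files; they are this example's own convention.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"
CPUINFO="${CPUINFO:-/proc/cpuinfo}"

# classify_status STATUS -> prints ok | vulnerable | unknown
# "Mitigation: ..." and "Not affected" count as remediated; anything that
# starts with "Vulnerable" (including the partial states the kernel still
# flags as vulnerable) fails the check; anything else is treated as unknown.
classify_status() {
    case "$1" in
        "Not affected"*) echo ok ;;
        "Mitigation:"*)  echo ok ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# microcode_revision [CPUINFO_FILE] -> prints the microcode revision of the
# first CPU (e.g. 0x2e), or "unknown" when the file or the field is absent.
microcode_revision() {
    f="${1:-$CPUINFO}"
    rev=""
    [ -r "$f" ] && rev=$(awk -F': ' '/^microcode/ { print $2; exit }' "$f")
    echo "${rev:-unknown}"
}

# audit_host [VULN_DIR] -> prints one line per variant and returns
#   0 = every reported variant is mitigated or not affected
#   1 = at least one variant is still vulnerable
#   2 = the sysfs interface is missing (kernel too old, or not Linux),
#       in which case the host cannot be proven remediated from the OS side
audit_host() {
    dir="${1:-$VULN_DIR}"
    if [ ! -d "$dir" ]; then
        echo "no vulnerabilities interface at $dir; cannot prove mitigation"
        return 2
    fi
    result=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        class=$(classify_status "$status")
        printf '%-20s %-10s %s\n' "$name" "$class" "$status"
        [ "$class" = vulnerable ] && result=1
    done
    return $result
}

# Run against the live host when invoked as `sh spectre_audit.sh audit`;
# without that argument the file only defines the functions, so it can be
# sourced by a larger inventory or reporting script.
if [ "${1:-}" = "audit" ]; then
    printf '%-20s %s\n' "microcode" "$(microcode_revision)"
    audit_host
    exit $?
fi
```

Run `sh spectre_audit.sh audit` on each host and keep the output with the change record as the proof of remediation. A host whose output contains a line such as `spectre_v2  vulnerable  Vulnerable: Minimal generic ASM retpoline` (constructed sample) has received the OS patch but is still waiting for microcode or a retpoline-built kernel, which is exactly the population the "can’t (yet) be patched" policy question asks about; exit code 2 marks hosts whose kernel predates the interface and must be assessed by other means. On Windows hosts the equivalent evidence comes from Microsoft’s SpeculationControl PowerShell module (Get-SpeculationControlSettings).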

3) Performance Concerns 

There has been a lot of discussion about the performance cost of the system updates. The hope is that it will not be noticeable in most cases, since few servers run at high utilization, but there will certainly be some impact. The Meltdown mitigation in the OS (kernel page-table isolation) adds cost to every transition between user space and the kernel, so the workloads that suffer most are those that make many system calls and take many interrupts, which is typically the case for I/O-intensive applications, and the overhead is larger on older CPUs that lack the hardware feature (PCID) used to reduce it.

The performance challenges seem to be of more concern to the organizations we have spoken to than the security issues. It’s important to do appropriate testing before committing the new ROMs and OS patches into production, remembering that all applications will have different performance profiles. If necessary, redesign the application’s infrastructure to take advantage of newer and more powerful compute.

  • Is performance testing part of your patch management process?
  • Were you able to easily measure and deliver proof of the impact of the vulnerability fixes on your production systems?
  • Do you have a performance monitoring and management system (product and process) in place?

In terms of remediation, HPE’s advice is always to apply any available security updates to your systems in a timely manner in order to close any potential attack vector; HPE has released a customer guidance pack for the microprocessor vulnerabilities. But it also makes a lot of sense to address this as part of a security programme rather than as a one-off exercise.

Rethink Security and Protection

At HPE Pointnext we offer a number of advisory and professional services to help customers with a holistic approach to security. We help our customers with risk assessments – putting vulnerabilities into the context of business processes and risk – and using this to create standards-based security programs. We also develop defense-in-depth strategies, incorporating security technologies from our network of solution partners, and complement technical controls with non-technical measures, following our HPE Pointnext P5 Model: People, Policies/Procedures, Processes, Products, and Proof.

Hopefully you can use the way you dealt with this particular incident to improve your own security posture, so that you can respond faster and more efficiently the next time you need to move quickly. If you would like any advice or support on how HPE Pointnext could help you achieve holistic security for your organization, or indeed help you with the remediation of these microprocessor vulnerabilities, please reach out to your local HPE Pointnext sales contact, or contact us via this blog. For further information, visit our website HPE Pointnext Security and Digital Protection Services.

About the Author


Simon Leech is a Certified Information Systems Security Professional with a specialisation in Security Architecture (CISSP-ISSAP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), Certified in Cloud Security Knowledge (CCSK) and working in the Worldwide Security, Risk and Compliance Practice within HPE Pointnext Advisory and Professional Services. Simon is active on Twitter as @DigitalHeMan