Tanium’s Technical Account Managers are working closely with our customers to address the Meltdown and Spectre microprocessor vulnerabilities. Here’s a look at some of the ways we’ve started to help with visibility, patching, performance monitoring, and detection and response.
Two major security flaws in modern processor hardware – dubbed Meltdown and Spectre – have set cybersecurity and IT professionals scrambling to harden devices. The affected microprocessors exist in virtually every computer in the world, from desktop computers to servers and even cloud-hosted infrastructure. Because Meltdown and Spectre encompass a complex set of hardware vulnerabilities, they can’t be addressed easily with any single fix. Resolving them requires a multi-phase effort across IT and security teams to complete the following actions:
- Identify and inventory hardware and other assets;
- Test for compatibility;
- Deploy patches to affected hardware, operating systems, and applications; and
- Monitor system performance.
Tanium’s Technical Account Managers (TAMs) are working with our customers to apply the Tanium platform to address these challenges. Here’s a look at some of the ways we’ve started to help with visibility, patching, performance monitoring, and detection and response.
Organizations will need to gather a complete list of all systems with hardware affected by these vulnerabilities. Spectre applies to Intel, AMD, and ARM processors, whereas Meltdown only applies to Intel processors. Tanium’s core content provides the ability to gather comprehensive hardware information, including CPU manufacturer and processor details, with simple questions like “Get CPU Details.” This can help identify systems running the Intel hardware specifically vulnerable to Meltdown.
Tanium Asset builds on this content by aggregating and consolidating dozens of endpoint attributes — including hardware, operating system, software, patch, and user data — into accurate and complete inventory reports.
The need for this data goes well beyond simple CPU details; many third-party applications, such as web browsers, are impacted by Spectre and will require forthcoming updates. Because of the breadth of the problem, organizations will need to confidently sustain visibility and control over the versions of susceptible software installed in their environments for months.
To address Meltdown, organizations will have to juggle a mixture of operating system and hardware patches provided by OEM vendors. The Meltdown and Spectre website maintains a list of links to the latest vendor notifications and updates. However, as with any patching effort, it can be challenging to quickly deploy the bits at-scale, verify installation, and take corrective action should unexpected results occur.
The Tanium architecture was designed to allow a single Tanium server to efficiently distribute and install patches and supporting files,even across hundreds of thousands of systems. Tanium Patch builds on this with powerful capabilities for Windows patch management and deployment, including scheduling, blacklists, and custom workflows. Additional Tanium content provides the ability to deploy patches and other customizable packages to Linux, OS X, Solaris, and AIX platforms. Over the past year, Tanium’s Technical Account Managers have worked with customers through prior incidents (such as WannaCry) to help transform the speed and effectiveness of their patching programs.
Adding another wrinkle to these challenges, Microsoft has indicated some anti-virus software may encounter compatibility issues with the Windows patches, leading to blue screens and other errors. To reduce the risk of an automatic update rendering systems unusable, Microsoft has required that a specific registry value be set by the anti-virus software (i.e. during a compatibility update / hotfix) to attest it can work with the patch.
Tanium customers will know in seconds, using a sensor like “Registry Key Value Exists,” to understand which systems do and do not have this value set. Paired with questions and sensors that provide Installed Applications, an organization can track the status of anti-virus updates and confirm the required registry changes occurred.
The mitigations implemented by these patches can adversely affect processor performance for certain workloads. The exact degree of overhead appears to vary significantly based on the types of software and hardware in use. This uncertainty will pose challenges for organizations that operate performance-critical systems, have virtual machines on oversubscribed hardware, or must accurately budget for cloud-hosted environments.
Tanium provides the ability to obtain detailed performance metrics, including CPU consumption per process and application usage, across Windows, Linux, OS X, and Unix systems. By trending on this data, organizations can easily visualize and track performance (and any other endpoint datasets or metrics) over time. Doing so prior to deploying the patches can help baseline the current resource utilization across each group of affected systems. After deploying the patches, it can help validate the extent of change to processor behavior and quickly identify systems that exhibit adverse performance behavior or require changes.
Detection and Response
According to researchers, the techniques that take advantage of the Spectre and Meltdown flaws can be difficult to distinguish from normal application behavior. Organizations should not expect their EDR or anti-malware tools to detect this category of attacks. However, to make use of these vulnerabilities, an attacker must first gain the ability to execute malicious code on a targeted endpoint. Because of this precondition, teams have an opportunity to mitigate attacks before they deliver post-compromise payloads utilizing Spectre or Meltdown. Organizations should continue to focus on eliminating the “lowest common denominator” tactics that permit attackers to gain initial access, establish footholds, and move throughout a targeted environment.
Tanium Threat Response provides a complete solution for detecting and investigating malicious activity – including the phases of adversary techniques categorized by the MITRE ATT&CK Framework. Tanium’s Endpoint Detection and Response (EDR) team provides customers with a regularly updated feed of Signals for real-time alerting, and Enterprise Hunting workflows to help identify anomalies. Threat Response also provides broad support for third-party IOC feeds and reputation providers.
The remarkable research behind the discovery of Meltdown and Spectre, along with the sheer scope of affected devices, more than justify their status as “landmark” vulnerabilities. Nevertheless, the security operations fundamentals required to respond and mitigate risk, from identifying impacted assets to enacting corrective action and monitoring results, remain familiar. Above, we’ve described several methods and components of the Tanium platform that are already helping our customers react to the abrupt disclosure. As this story unfolds further, we will continue our work and update accordingly.
Join the conversation in the Tanium Community for more on how we can help against Meltdown and Spectre.