When it comes to security flaws, Microsoft is in the bounty-hunting game. It will send a check of up to $250,000 to developers who can find bugs similar to the Meltdown and Spectre CPU flaws that were exposed earlier this year. Any takers?
Maybe it’s a product of the times, but those flaws likely deserved more attention than they got. They represent a serious threat to cloud environments everywhere, and even the names were ominous (Meltdown is a collapse, Spectre suggests the super-villain gang in the James Bond universe). Technically, the two stem from the same fundamental weakness: Spectre leads to inter-process or intra-process data leaks, while Meltdown enables an application running in user space to read the contents of kernel memory. As a result, multi-user and multi-tenant systems such as public cloud computing environments are at risk. Malicious actors can rent cloud computing services and attack other customers using the same host.
Essentially, it’s bad news all around. But a few months into this episode, it’s clear that technology providers are stepping up. For example, just as Intel processors were initially seen as the primary problem, the company announced changes to the Xeon and Core processors that are specifically designed to guard against these vulnerabilities. The company said that Spectre variant 1 will be addressed with ongoing software modifications, while hardware changes will take on Spectre variant 2 and Meltdown variant 3. For its part, Microsoft isn’t only financing bounty hunters; its newest Patch Tuesday release protects PCs running x86 versions of Windows 7 and 8.1 against Meltdown. This means that all currently supported Windows releases now include defenses specifically against this vulnerability.
It’s clear, though, that these efforts alone, however commendable, won’t be enough. The major obstacle is that security is a shared responsibility in public cloud environments. Cloud providers must indeed implement patches for their operating systems, but their clients must also patch the operating systems for the hosts they manage. Similarly, vendors that sell software-as-a-service (SaaS) solutions hosted in public cloud environments will have to implement their own patches. In fact, even personnel at these organizations need to patch their systems to prevent exploitation.
The bottom line: Even the best and fastest fixes aren’t effective unless all stakeholders do their part. It only takes one party, one weak link in the chain, for the exposure to remain. So what will it take to ensure comprehensive remediation?
First, a proactive approach to threat detection is absolutely essential. The higher level of vigilance drives up the economics of an attack and discourages hackers from exploiting emerging vulnerabilities. A real-time vulnerability management strategy enables organizations to identify systems running older versions of software.
Rapid response is needed too. This way, the enterprise can update or remove vulnerable systems before any weakness is identified by potential hackers. In particular, organizations running critical infrastructure in verticals such as financial services and healthcare should have well-defined incident response processes.
Over the past few years, even with varying levels of reluctance induced by the threat of serious data breaches, we’ve seen a massive migration to the cloud. Organizations in many key industries have embraced the public cloud model as a way to build in flexibility and enhance efficiencies while reducing costs. To be clear, those benefits are undeniable.
However, research from RedLock shows that the security situation is particularly dire in public cloud environments, where 81 percent of organizations are not managing host vulnerabilities despite existing investments in third-party vulnerability scanning tools. That’s because these tools identify hosts that are missing patches by IP address, while IP addresses are constantly changing in the cloud. That makes much of the data unreliable. And with every vulnerability like Meltdown and Spectre, the fears become top of mind all over again.
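The IP-address problem described above can be made concrete with a short added example (not from RedLock or any scanning vendor): it resolves IP-keyed scan findings to instance IDs by checking which instance held the address at scan time. The `Lease` and `Finding` record layouts, instance IDs, addresses and dates are all constructed assumptions.

```python
from datetime import datetime as dt
from typing import NamedTuple, Optional

class Lease(NamedTuple):      # one row of a hypothetical cloud inventory export
    instance_id: str
    ip: str
    start: dt
    end: Optional[dt]         # None means the address is still assigned

class Finding(NamedTuple):    # one row of a hypothetical IP-keyed scan report
    ip: str
    scanned_at: dt
    issue: str

def holder(leases, ip, when):
    """Return the lease that covered `ip` at time `when`, or None."""
    for row in leases:
        if row.ip == ip and row.start <= when and (row.end is None or when < row.end):
            return row
    return None

def attribute(finding, leases, now):
    """Resolve a finding to (instance_id, status, current_ip)."""
    lease = holder(leases, finding.ip, finding.scanned_at)
    if lease is None:
        return (None, "unattributed", None)
    # Find where the same instance lives right now, if it still exists.
    current = next((row for row in leases
                    if row.instance_id == lease.instance_id and row.start <= now
                    and (row.end is None or now < row.end)), None)
    if current is None:
        return (lease.instance_id, "terminated", None)
    status = "current" if current.ip == finding.ip else "moved"
    return (lease.instance_id, status, current.ip)

# Constructed sample data: 10.0.1.15 is recycled from i-aaa to i-bbb.
LEASES = [
    Lease("i-aaa", "10.0.1.15", dt(2018, 1, 1), dt(2018, 1, 10)),
    Lease("i-aaa", "10.0.1.40", dt(2018, 1, 10), None),
    Lease("i-bbb", "10.0.1.15", dt(2018, 1, 11), None),
    Lease("i-ccc", "10.0.2.7", dt(2018, 1, 1), dt(2018, 1, 4)),
]
FINDINGS = [
    Finding("10.0.1.15", dt(2018, 1, 5), "Meltdown patch missing"),
    Finding("10.0.2.7", dt(2018, 1, 3), "Meltdown patch missing"),
    Finding("10.0.9.9", dt(2018, 1, 5), "Meltdown patch missing"),
]
NOW = dt(2018, 1, 15)

def report():
    return [attribute(f, LEASES, NOW) for f in FINDINGS]
```

Looking up 10.0.1.15 as of `NOW` would blame i-bbb, while the unpatched host is i-aaa, now reachable at 10.0.1.40.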
It’s already been a while since the cloud gained mainstream enterprise acceptance. However, some associated activities, including those related to security, follow traditional norms—and that’s a big problem. The flexibility and smooth operation of a public cloud are paired with cumbersome vulnerability management.
Modern threat defenses instead require an AI-driven approach that correlates disparate security data sets—encompassing network traffic, user activities, risky configurations, vulnerability information and threat intelligence—to gain a unified view of risks across fragmented cloud environments. Without such capabilities, the potential risks could outweigh the obvious benefits.