Flexera, the company that’s reimagining how software is bought, sold, managed and secured, today announced recommendations for a standardized, risk-based approach to managing vulnerabilities such as Spectre and Meltdown. Flexera’s three-pronged approach, based upon internal expertise around vulnerability remediation and intelligence harvested from Secunia Research’s Advisories, advises organizations to:
1. Determine Criticality: Determine actual Spectre/Meltdown risk criticality using verified vulnerability intelligence
2. Prioritize: Prioritize remediation of known vulnerabilities based on criticality – not hype
3. Fix Using Conservative Mitigation Approach: Apply patches with an emphasis on testing in controlled environments
“There’s no doubt companies should be concerned about Spectre and Meltdown. But since these vulnerabilities came to light on January 3, Secunia Research at Flexera has published dozens of advisories on unrelated, highly critical vulnerabilities. If weaponized, exploitation of these vulnerabilities could have a devastating impact on organizations,” said Kasper Lindgaard, Director of Research and Security at Flexera. “With more than 17,000 vulnerabilities disclosed within the past year – how do organizations know where to allocate scarce IT sources to minimize risk? They need access to verified vulnerability intelligence and must take a common-sense, risk-based approach to applying patches. Otherwise they’ll be forever chasing shadows from one sensational news cycle to the next.”
Understanding True Spectre/Meltdown Risk
The Spectre and Meltdown processor vulnerabilities are documented in three CVE’s (CVE-2017-5754, CVE-2017-5753, CVE-2017-5715). While these vulnerabilities are indeed pervasive and potentially harmful – to truly assess risk CIO’s need deeper vulnerability intelligence (beyond a basic CVE score). This deeper intelligence should provide product context that takes into account attack vectors and possible security impact, allowing security teams to look beyond speculation commonly hyped by the media.
To date, Secunia Research at Flexera has issued more than 35 vulnerability intelligence advisories linked to Spectre/Meltdown, and most were scored below “Moderately Critical” (Criticality scores of 1 to 3 out of a maximum score of 5). This would suggest that while Spectre/Meltdown vulnerabilities are important – other more critical unpatched vulnerabilities within the environment could present a more immediate threat.
Once CIO’s get an accurate understanding of the risk to their environments, they can put into place common-sense, risk-based remediation plans. This will ensure they’re prioritizing those risks and allocating scarce IT resources accordingly.
“Because of its massive scale, Spectre/Meltdown has dominated the headlines for the last couple weeks. But prudent CIO’s shouldn’t take their eye off the ball,” said Lindgaard. “By identifying the vulnerabilities that could pose the greatest harm and prioritizing remediation efforts to those first, organizations can most efficiently and cost effectively minimize risk.”
With risk and prioritization established, organizations should then apply patches with an emphasis on testing in controlled environments. Using established processes and tools to aid in identifying possible, unintended consequences ensures understanding ahead of time the potential performance hits and compatibility issues of patching.
“Patching is essential to reduce the attack surface, but it must be done prudently and with an understanding ahead of time of potential impacts on system performance and stability,” added Lindgaard. “Mitigation should happen carefully and conservatively, with a focus on risk-based models.”