Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits

Post on 22-Jan-2018


Jeff Olen, Senior Product Manager, AlienVault
Kate MacLean, Senior Product Marketing Manager, Cisco
Sacha Dawes, Principal Product Marketing Manager

Meltdown and Spectre – How to Detect the Vulnerabilities and Exploits

2

In this Webcast

• What are Meltdown and Spectre, and their impact?
• Detecting and protecting your environments with AlienVault® USM Anywhere™
• USM Anywhere live demo
• Ask us questions!

3

The News Since Jan 3rd 2018

4

Timeline

Jan 1995: First CPUs susceptible to Spectre/Meltdown shipped
June 2017: Google informs affected companies of the Spectre flaw
July 2017: Google informs affected companies of the Meltdown flaw
Jan 2018: Vulnerabilities made public

5

Comparing Meltdown & Spectre

|                    | Meltdown                                                           | Spectre                                                           |
|--------------------|--------------------------------------------------------------------|-------------------------------------------------------------------|
| Affected CPU types | Intel, Apple                                                       | Intel, Apple, ARM, AMD                                            |
| Attack vector      | Execute code on the system                                         | Execute code on the system                                        |
| Method             | Intel privilege escalation & speculative execution (CVE-2017-5754) | Branch prediction & speculative execution (CVE-2017-5715 / -5753) |
| Exploit path       | Read kernel memory from user space                                 | Read memory contents from other applications                      |
| Remediation        | Software patches                                                   | Software patches                                                  |

Source: “A Simple Explanation of the Differences Between Meltdown and Spectre (Jan 3 2018)”, Daniel Miessler, https://danielmiessler.com/blog/simple-explanation-difference-meltdown-spectre/

6

What Have AlienVault Labs Seen?

• Meltdown or Spectre are not known to have been used to steal data
  - That said, compromise can be difficult to detect
• AlienVault Labs has seen samples of malware attempting to exploit the vulnerabilities
  - Most are variants of the samples provided by the disclosing teams

Source: https://otx.alienvault.com/pulse/5a50d6d41f9dd76baa10458c

7

Are Software Patches Available?

• Yes – early software patches exist for:
  - Devices: Apple devices, Surface & Surface Book, Android devices
  - OS: Windows, various Linux distributions (CentOS, Red Hat, Fedora and Ubuntu)
  - Cloud providers (AWS, Azure, Google) indicate they’ve patched
• GitHub* has the latest status on patches
• When applying patches, some have seen:
  - System slowdowns
  - System crashes

Source: https://medium.com/implodinggradients/meltdown-c24a9d5e254e

* https://github.com/hannob/meltdownspectre-patches

8

Decrease Your Risk from Meltdown and Spectre

• Evaluate and fully test the available patches for your different systems
  - Apply those patches where possible
• Apply the same protections as you would for any malware or ransomware
  - Evaluate the need for services (e.g. SMB), and disable those that are not required
  - Architect your environment to include network segmentation and a least-privilege model, to limit the ability of any ransomware to traverse the network
  - Train your organization on how to watch for phishing attempts, and how to report and protect your organization if they think they’ve become infected
  - Implement a backup plan with offline backups
• Deploy AlienVault USM Anywhere to detect vulnerabilities and threats that could be Meltdown/Spectre sourced across your cloud, on-premises & hybrid environments
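One way to verify the "evaluate and apply patches" step on a Linux fleet, as an added example that is not part of the webinar or of AlienVault's tooling: kernels 4.15 and later (and distribution backports) export one status file per issue under /sys/devices/system/cpu/vulnerabilities, and this POSIX shell script reads the meltdown, spectre_v1 and spectre_v2 entries, maps them to the CVEs from the comparison slide, and exits non-zero when any still reads "Vulnerable" or when the kernel is too old to report at all. The directory path and the three status wordings are the kernel's own; everything else (function names, the exit-code convention) is this example's.

```shell
#!/bin/sh
# Added example: read the Linux kernel's per-issue speculative-execution status.
# Kernels 4.15+ (and distro backports) export one file per issue under
# /sys/devices/system/cpu/vulnerabilities/; each reads "Not affected",
# "Vulnerable" or "Mitigation: <what the kernel enabled>" (e.g. "Mitigation: PTI").

# Map a status line to a one-word verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        *)               echo "unknown" ;;
    esac
}

# Map the sysfs file name to the CVE listed on the comparison slide.
cve_for() {
    case "$1" in
        meltdown)   echo "CVE-2017-5754" ;;
        spectre_v1) echo "CVE-2017-5753" ;;
        spectre_v2) echo "CVE-2017-5715" ;;
        *)          echo "n/a" ;;
    esac
}

# Print one line per issue. Returns 0 if nothing is "Vulnerable", 1 if at
# least one issue is unmitigated, 2 if the kernel predates the interface
# (it cannot tell you, so treat the host as needing manual review).
check_host() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "kernel does not export $dir"
        return 2
    fi
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        [ -r "$dir/$name" ] || continue
        status=$(cat "$dir/$name")
        verdict=$(classify_status "$status")
        printf '%-10s %-14s %-12s %s\n' "$name" "$(cve_for "$name")" "$verdict" "$status"
        [ "$verdict" = "vulnerable" ] && rc=1
    done
    return "$rc"
}

# Run against the live host (or a directory given as the first argument).
check_host "$@" || echo "exit status $?: 1 = still vulnerable, 2 = not reported by kernel"
```

A "Mitigation:" line only says the kernel-side fix is active; firmware/microcode updates and hypervisor patches still need to be tracked separately, which is what the GitHub status page on the previous slide covers.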

9

AlienVault USM Anywhere: A Unified Approach to Threat Detection & Response

• Vulnerability Assessment: know where the vulnerabilities are to avoid easy exploitation and compromise
• Behavioral Monitoring: identify suspicious behavior and potentially compromised systems
• Intrusion Detection: know when suspicious activities happen in your environment
• SIEM Log Management: correlate, analyze, and report on security event data from your network
• Asset Discovery: know who and what is connected to your cloud or on-premises environments at all times

10

Optimize Threat Detection & Response

Actionable Threat Intelligence Powered by AlienVault Labs Security Research

• AlienVault researches emerging threats – so you don’t have to
• Continuous threat intelligence updates built into your USM Anywhere include:
  - Correlation directives
  - IDS signatures
  - Vulnerability audits
  - Asset discovery signatures
  - IP reputation data
  - Data source plugins & AlienApps
  - Incident response guidance

Supplemented by the AlienVault Open Threat Exchange™ (OTX)

• The world’s first truly open threat intelligence community
• Collaborate with 65,000+ global participants to investigate emerging threats in the wild
• Pulses created within minutes of the first detection of an in-the-wild attack
• Subscribe to threat research updates from 73 public groups and other OTX contributors
• Leverage the latest OTX threat intelligence directly in your AlienVault USM environment

11

Automate & Orchestrate Containment

A Growing “Galaxy” of AlienApps, covering: Cloud Infrastructure, Productivity Apps, IT Virtualization, IT Operations, IT Security

• Monitor: AlienApps collect and enrich data from your environment
• Detect: USM Anywhere uses that data to detect threats and alerts you
• Respond: Automate and orchestrate your threat responses for efficiency

It’s Demo Time!

13

Decrease Your Risk from Meltdown and Spectre (repeats the recommendations from slide 8)

CONTACT US
888.613.6023
ALIENVAULT.COM
HELLO@ALIENVAULT.COM

Test drive USM Anywhere in our online demo: get instant access, no download, no install
https://www.alienvault.com/products/usm-anywhere/demo

Try it for free in your environment: start detecting threats in less than an hour
https://www.alienvault.com/products/usm-anywhere/free-trial

Review pricing and get a quote: multiple tiers available, low annual subscription pricing
https://www.alienvault.com/products/usm-anywhere/pricing

Questions?
