meltdown and spectre - how to detect the vulnerabilities and exploits

Jeff Olen, Senior Product Manager, AlienVault; Kate MacLean, Senior Product Marketing Manager, Cisco; Sacha Dawes, Principal Product Marketing Manager. Meltdown and Spectre: How to Detect the Vulnerabilities and Exploits

Upload: alienvault

Post on 22-Jan-2018


TRANSCRIPT

Page 1: Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits

Jeff Olen, Senior Product Manager, AlienVault

Kate MacLean, Senior Product Marketing Manager, Cisco

Sacha Dawes, Principal Product Marketing Manager

Page 2

In this Webcast

• What are Meltdown and Spectre, and their impact?

• Detecting and Protecting your Environments with AlienVault® USM Anywhere™

• USM Anywhere Live Demo

• Ask Us Questions!

Page 3

The News Since Jan 3rd 2018

Page 4

Timeline

Jan 1995: First CPUs susceptible to Spectre/Meltdown shipped

June 2017: Google informs affected companies of Spectre flaw

July 2017: Google informs affected companies of Meltdown flaw

Jan 2018: Vulnerabilities made public

Page 5

Comparing Meltdown & Spectre

                     Meltdown                                 Spectre
Affected CPU Types   Intel, Apple                             Intel, Apple, ARM, AMD
Attack Vector        Execute code on the system               Execute code on the system
Method               Intel privilege escalation &             Branch prediction &
                     speculative execution (CVE-2017-5754)    speculative execution (CVE-2017-5715 / -5753)
Exploit Path         Read kernel memory from user space       Read memory contents from other applications
Remediation          Software patches                         Software patches

Source: “A Simple Explanation of the Differences Between Meltdown and Spectre (Jan 3 2018)”, Daniel Miessler, https://danielmiessler.com/blog/simple-explanation-difference-meltdown-spectre/

Page 6

What Have AlienVault Labs Seen?

• Meltdown or Spectre are not known to have been used to steal data
  - That said, compromise can be difficult to detect

• AlienVault Labs has seen samples of malware attempting to exploit the vulnerabilities
  - Most are variants of the samples provided by the disclosing teams

Source: https://otx.alienvault.com/pulse/5a50d6d41f9dd76baa10458c

Page 7

Are Software Patches Available?

• Yes – Early software patches exist for:
  - Devices: Apple devices, Surface & Surface Book, Android devices
  - OS: Windows, various Linux distributions (CentOS, Red Hat, Fedora and Ubuntu)
  - Cloud providers (AWS, Azure, Google) indicate they’ve patched

• GitHub* has the latest status on patches

• When applying patches, some have seen:
  - System slowdowns
  - System crashes

Source: https://medium.com/implodinggradients/meltdown-c24a9d5e254e

* https://github.com/hannob/meltdownspectre-patches

Page 8

Decrease Your Risk from Meltdown and Spectre

• Evaluate and fully test the available patches for your different systems
  - Apply those patches where possible

• Apply the same protections as for any malware or ransomware
  - Evaluate the need for services (e.g. SMB), and disable those that are not required
  - Architect your environment to include network segmentation and a least-privilege model, to limit the ability of any ransomware to traverse the network
  - Train your organization on how to watch for phishing attempts, and how to report and protect your organization if they think they’ve become infected
  - Implement a backup plan with offline backups

• Deploy AlienVault USM Anywhere to detect vulnerabilities and threats that could be Meltdown/Spectre sourced across your cloud, on-premises & hybrid environments
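Pages 7 and 8 say to track patch status and to evaluate the patches for each system; the first question an administrator actually has is "is this host mitigated?". Since Linux 4.15 the kernel answers that itself through sysfs: each file under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2) holds one line such as "Not affected", "Vulnerable" or "Mitigation: PTI". The script below is an added example, not part of the webcast or of any AlienVault product: it parses those lines, maps the three file names to the CVEs listed on page 5, and flags hosts that still need action, including hosts whose kernel is too old to report at all. The sample readings for the three hosts are constructed to match the kernel's format; the function and variable names are the example's own.

```python
"""Classify Linux kernel-reported Meltdown/Spectre mitigation status from sysfs."""
import os
from dataclasses import dataclass

# Real Linux interface (kernel 4.15 and later): one file per issue, one status line each.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# sysfs file name -> CVE identifier, as listed in the comparison table on page 5.
ISSUES = {
    "meltdown": "CVE-2017-5754",
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
}


@dataclass
class Finding:
    issue: str
    cve: str
    raw: str
    state: str    # "not_affected" | "mitigated" | "vulnerable" | "unknown"
    detail: str   # mitigation name, vulnerability qualifier, or explanation


def classify(raw):
    """Map one sysfs status line to (state, detail)."""
    text = raw.strip()
    lower = text.lower()
    if lower == "not affected":
        return "not_affected", ""
    if lower.startswith("mitigation:"):
        return "mitigated", text.split(":", 1)[1].strip()
    if lower.startswith("vulnerable"):
        # The kernel may qualify this, e.g. "Vulnerable: Minimal generic ASM retpoline".
        detail = text.split(":", 1)[1].strip() if ":" in text else ""
        return "vulnerable", detail
    return "unknown", text  # a format this parser does not recognise: surface it, do not hide it


def assess(readings):
    """readings: dict of sysfs file name -> file content, or None when the file is absent."""
    findings = []
    for issue, cve in ISSUES.items():
        raw = readings.get(issue)
        if raw is None:
            # No entry at all: the kernel predates the reporting interface (and the fixes),
            # so the host cannot be assumed mitigated.
            findings.append(Finding(issue, cve, "", "unknown",
                                    "sysfs entry missing (kernel older than 4.15?)"))
            continue
        state, detail = classify(raw)
        findings.append(Finding(issue, cve, raw.strip(), state, detail))
    return findings


def needs_action(findings):
    """Findings an administrator must follow up on: still vulnerable or not reportable."""
    return [f for f in findings if f.state in ("vulnerable", "unknown")]


def read_sysfs(directory=SYSFS_DIR):
    """Collect the real readings from a live Linux host (None for any missing file)."""
    readings = {}
    for issue in ISSUES:
        try:
            with open(os.path.join(directory, issue)) as fh:
                readings[issue] = fh.read()
        except OSError:
            readings[issue] = None
    return readings


# Constructed sample readings for three hypothetical hosts, in the kernel's own format.
SAMPLE_HOSTS = {
    "patched-host": {
        "meltdown": "Mitigation: PTI\n",
        "spectre_v1": "Mitigation: __user pointer sanitization\n",
        "spectre_v2": "Mitigation: Full generic retpoline\n",
    },
    "unpatched-host": {
        "meltdown": "Vulnerable\n",
        "spectre_v1": "Vulnerable\n",
        "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
    },
    "old-kernel-host": {"meltdown": None, "spectre_v1": None, "spectre_v2": None},
}


def report(host, readings):
    """Print one line per issue and return how many findings still need action."""
    findings = assess(readings)
    for f in findings:
        print(f"{host}: {f.issue} ({f.cve}) -> {f.state} {f.detail}".rstrip())
    return len(needs_action(findings))


if __name__ == "__main__":
    for host, readings in SAMPLE_HOSTS.items():
        report(host, readings)
    if os.path.isdir(SYSFS_DIR):          # only meaningful on a Linux 4.15+ host
        report("localhost", read_sysfs())
```

Run it on any host to see the kernel's own verdict next to the CVE; fleet-wide, feed the output of read_sysfs() from each machine into assess() and the count from needs_action() is the patch backlog. Note that "mitigated" reflects only the kernel-side mitigation; microcode and hypervisor updates that page 7 mentions are not visible in these files.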

Page 9

AlienVault USM Anywhere: A Unified Approach to Threat Detection & Response

• Vulnerability Assessment: Know where the vulnerabilities are to avoid easy exploitation and compromise

• Behavioral Monitoring: Identify suspicious behavior and potentially compromised systems

• Intrusion Detection: Know when suspicious activities happen in your environment

• SIEM Log Management: Correlate, analyze, and report on security event data from your network

• Asset Discovery: Know who and what is connected to your cloud or on-premises environments at all times

Page 10

Actionable Threat Intelligence Powered by AlienVault Labs Security Research

• AlienVault researches emerging threats – so you don’t have to

• Continuous Threat Intelligence updates built into your USM Anywhere include:
  - Correlation directives
  - IDS signatures
  - Vulnerability audits
  - Asset discovery signatures
  - IP reputation data
  - Data source plugins & AlienApps
  - Incident response guidance

Supplemented by the AlienVault Open Threat Exchange™ (OTX)

• The world’s first truly open threat intelligence community

• Collaborate with 65,000+ global participants to investigate emerging threats in the wild

• Pulses created within minutes of the first detection of an in-the-wild attack

• Subscribe to threat research updates from 73 public groups and other OTX contributors

• Leverage the latest OTX threat intelligence directly in your AlienVault USM environment

Optimize Threat Detection & Response

Page 11

Automate & Orchestrate Containment

A Growing “Galaxy” of AlienApps: Cloud Infrastructure, Productivity Apps, IT Virtualization, IT Operations, IT Security

• Monitor: AlienApps collect and enrich data from your environment

• Detect: USM Anywhere uses that data to detect threats and alerts you

• Respond: Automate and orchestrate your threat responses for efficiency

Page 12

It’s Demo Time!

Page 13

Decrease Your Risk from Meltdown and Spectre (same list as page 8)

Page 14

888.613.6023 | ALIENVAULT.COM | CONTACT US: [email protected]

Test Drive USM Anywhere in our Online Demo: Get instant access, no download, no install
https://www.alienvault.com/products/usm-anywhere/demo

Try it for Free in your Environment: Start detecting threats in less than an hour
https://www.alienvault.com/products/usm-anywhere/free-trial

Review Pricing and Get a Quote: Multiple tiers available, low annual subscription pricing
https://www.alienvault.com/products/usm-anywhere/pricing

Questions?