Written By Josh Harriman And Presented By Chuck Leaver
Ziften understands the current exploits affecting practically everyone who uses a computer or digital device. While this is a broad statement, we at Ziften are working diligently to help our customers find vulnerable assets, fix those vulnerable systems, and monitor systems after the fix for potential performance problems.
This is an ongoing investigation by our team in Ziften Labs, where we keep up to date on the latest malicious attacks as they evolve. Right now, most of the discussion is around PoC (Proof of Concept) code and what can in theory happen. This will soon change as attackers take advantage of these opportunities. The exploits I’m speaking of, of course, are Meltdown and Spectre.
Much has already been written about how these exploits were discovered and what the industry is doing to find workarounds for these hardware problems. For more information, I feel it’s appropriate to go straight to the source here (https://spectreattack.com/).
What Do You Need To Do, and How Can Ziften Help?
An essential area Ziften helps with in the event of an attack by either method is monitoring for data exfiltration. Since these attacks are essentially reading data they shouldn’t have access to, we believe the first and easiest way to protect yourself is to take that confidential data and remove it from these systems. This data might be passwords, login credentials, or even security keys for SSH or VPN access.
Ziften monitors and alerts when processes that typically do not make network connections start exhibiting this unusual behavior. From these alerts, users can quarantine systems from the network and/or kill the processes associated with these scenarios. Ziften Labs is keeping an eye on the development of attacks related to these vulnerabilities that are likely to become available in the wild, so we can better protect our customers.
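The detection described above, processes making network connections when they have no history of doing so, can be illustrated with a small baseline-and-compare routine. This is an added example and not Ziften’s or Zenith’s code; the connection events, host names and process names are constructed, and the “learning window” approach is an assumption about one reasonable way to build the baseline.

```python
"""Flag network connections from processes that do not normally talk on the network.

Added example, not Zenith's implementation. A fleet-wide baseline of process
names that made at least one connection during a learning window is built from
constructed connection-event records; any later connection by a process outside
that baseline is raised as a finding with the response actions an operator
could take (quarantine the host, kill the process).
"""

# Constructed sample events: (host, process image name, remote address, remote port).
# BASELINE_EVENTS is the learning window; OBSERVED_EVENTS is the period being checked.
BASELINE_EVENTS = [
    ("ws-01", "chrome.exe", "203.0.113.10", 443),
    ("ws-01", "outlook.exe", "203.0.113.20", 443),
    ("ws-01", "svchost.exe", "192.0.2.5", 53),
    ("ws-02", "chrome.exe", "203.0.113.10", 443),
    ("ws-02", "teams.exe", "203.0.113.30", 443),
]

OBSERVED_EVENTS = [
    ("ws-01", "chrome.exe", "203.0.113.11", 443),
    ("ws-01", "calc.exe", "198.51.100.7", 443),     # never seen on the network before
    ("ws-02", "teams.exe", "203.0.113.30", 443),
    ("ws-02", "notepad.exe", "198.51.100.9", 443),  # never seen on the network before
]


def build_baseline(events):
    """Return the set of process names (lower-cased) that made any connection."""
    return {process.lower() for _host, process, _addr, _port in events}


def find_unusual_connections(baseline, events):
    """Return one finding per connection from a process absent from the baseline."""
    findings = []
    for host, process, addr, port in events:
        if process.lower() not in baseline:
            findings.append({
                "host": host,
                "process": process,
                "remote": f"{addr}:{port}",
                "suggested_response": ["quarantine host from network", f"kill {process}"],
            })
    return findings


def run_detection():
    """Build the baseline from the learning window and check the observed window."""
    return find_unusual_connections(build_baseline(BASELINE_EVENTS), OBSERVED_EVENTS)


if __name__ == "__main__":
    for f in run_detection():
        print(f"{f['host']}: {f['process']} -> {f['remote']} "
              f"(response: {', '.join(f['suggested_response'])})")
```

The baseline here is fleet-wide, which keeps false positives down when a legitimate networked process appears on a host for the first time; a stricter per-host baseline is a one-line change to `build_baseline` if the environment is homogeneous enough to tolerate it.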
Discover – How am I Vulnerable?
Let’s look at areas we can monitor for vulnerable systems. Zenith, Ziften’s flagship product, can simply and quickly find operating systems that need to be patched. Even though these vulnerabilities are in the CPUs themselves (Intel, AMD and ARM), the fixes will be delivered as operating system updates and, in other cases, updates to the web browser you use as well.
In Figure 1 below, you can see an example of how we report on the available patches by name, which systems have successfully installed each patch, and which have yet to install it. We can also track failed patch installs. The example below is not for Meltdown or Spectre, but the KB and/or patch number for your environment could be populated on this report to reveal the vulnerable systems.
The same applies to browser updates. Zenith tracks the software versions running in the environment. That data can be used to confirm that all web browsers are on the current version once the fixes are available.
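The two reports just described, patch state per KB and browser version compliance, can be produced from an endpoint inventory with the routine below. This is an added example, not Zenith’s code or data model; the inventory records are constructed, and `KB-PLACEHOLDER` and the minimum browser versions are placeholders rather than the real Meltdown/Spectre identifiers or fixed versions. It also shows the one check that is easy to get wrong: version strings must be compared numerically, component by component, because comparing them as text ranks “9.0” above “64.0”.

```python
"""Patch status by KB and browser version compliance from an endpoint inventory.

Added example, not Zenith's implementation. Inventory records are constructed;
the KB number and minimum versions are placeholders.
"""

# Constructed inventory: one record per endpoint.
INVENTORY = [
    {"host": "ws-01", "patches": {"KB-PLACEHOLDER": "installed"}, "browser": ("chrome", "63.0.3239.132")},
    {"host": "ws-02", "patches": {"KB-PLACEHOLDER": "failed"},    "browser": ("chrome", "64.0.3282.119")},
    {"host": "ws-03", "patches": {},                              "browser": ("firefox", "57.0.4")},
    {"host": "ws-04", "patches": {"KB-PLACEHOLDER": "installed"}, "browser": ("firefox", "9.0")},
]

# Lowest browser version that contains the fix (placeholder values).
MIN_BROWSER_VERSION = {"chrome": "64.0", "firefox": "57.0.4"}


def parse_version(text):
    """Turn '64.0.3282.119' into (64, 0, 3282, 119) so comparison is numeric.
    Non-digit suffixes such as '57.0.4esr' are tolerated by keeping only digits."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(have, need):
    """True if version string `have` >= `need`; missing trailing components count as 0."""
    h, n = parse_version(have), parse_version(need)
    width = max(len(h), len(n))
    return h + (0,) * (width - len(h)) >= n + (0,) * (width - len(n))


def patch_report(inventory, kb):
    """Group hosts by the recorded state of one KB: installed, failed, or missing."""
    report = {"installed": [], "failed": [], "missing": []}
    for rec in inventory:
        state = rec["patches"].get(kb, "missing")
        report.setdefault(state, []).append(rec["host"])
    return report


def browser_report(inventory, minimums):
    """Return (host, browser, version) for hosts below the minimum fixed version."""
    behind = []
    for rec in inventory:
        name, version = rec["browser"]
        if name in minimums and not version_at_least(version, minimums[name]):
            behind.append((rec["host"], name, version))
    return behind


if __name__ == "__main__":
    for state, hosts in patch_report(INVENTORY, "KB-PLACEHOLDER").items():
        print(f"{state:>9}: {', '.join(hosts) or '-'}")
    for host, name, version in browser_report(INVENTORY, MIN_BROWSER_VERSION):
        print(f"{host}: {name} {version} is below {MIN_BROWSER_VERSION[name]}")
```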
Fix – Exactly What Can I Do Now?
Once you have identified vulnerable systems in your environment, you will certainly want to patch and fix them as soon as possible. One caveat to keep in mind is reports of certain anti-virus products causing stability issues when the patches are applied. Details about these issues are here (https://www.cyberscoop.com/spectre-meltdown-microsoft-anti-virus-bsod/) and here (https://docs.google.com/spreadsheets/u/1/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true).
Zenith can also help patch systems. We can monitor for systems that need patches, direct our product to apply those patches for you, and then report success/failure and the status of those still needing patching.
Because the Zenith backend is cloud-based, we can even track your endpoint systems and apply the needed patches when and if they are not connected to your corporate network.
Track – How is Everything Running?
Finally, some systems may show performance degradation after the OS fixes are applied. These issues appear to be limited to high-load (IO and network) systems. The Zenith platform assists both security and operations teams within your environment, what we like to call SysSecOps (https://ziften.com/introducing-systems-security-operations-syssecops/).
We can help discover issues such as application crashes or hangs, and system crashes. Plus, we monitor system Memory and CPU usage over time. This data can be used to monitor and alert on systems that begin to exhibit high utilization compared with the period before the patch was applied. An example of this tracking is shown in Figure 2 below (system names intentionally removed).
These ‘flaws’ are still brand new to the public, and much more will be discussed and discovered in the days/weeks/months to come. Here at Ziften, we continue to monitor the situation and how we can best educate and protect our customers and partners.
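The comparison described above, post-patch utilization measured against each system’s own pre-patch period, can be expressed as a per-host baseline test. This is an added example and not Zenith’s implementation; the hourly CPU samples are constructed, and the two thresholds (a statistical one in standard deviations and a practical one in percentage points) are assumptions chosen so that a sustained rise is flagged while a single transient spike is not.

```python
"""Alert on hosts whose CPU utilization rose after a patch relative to their own pre-patch baseline.

Added example, not Zenith's implementation. Telemetry below is constructed.
"""
from statistics import mean, pstdev

# Constructed hourly CPU utilization samples (percent) per host, before and after the patch.
PRE_PATCH = {
    "db-01":  [42, 45, 40, 44, 43, 41, 46, 44],
    "web-01": [30, 28, 33, 31, 29, 30, 32, 31],
    "ws-01":  [10, 12, 9, 11, 10, 13, 11, 10],
}
POST_PATCH = {
    "db-01":  [61, 63, 60, 65, 62, 64, 63, 62],  # sustained increase on an IO-heavy host
    "web-01": [31, 29, 34, 30, 30, 31, 33, 30],  # unchanged
    "ws-01":  [10, 11, 10, 40, 11, 12, 10, 11],  # one transient spike only
}


def regression_score(before, after):
    """Number of pre-patch standard deviations the post-patch mean sits above the pre-patch mean."""
    base_sd = pstdev(before) or 1.0  # a perfectly flat baseline would otherwise divide by zero
    return (mean(after) - mean(before)) / base_sd


def find_regressions(pre, post, min_sigma=3.0, min_delta_pct=10.0):
    """Flag hosts whose post-patch mean is both statistically and practically higher.

    The sigma threshold rejects ordinary noise; the absolute delta rejects hosts
    whose baseline is so quiet that a small rise looks statistically large.
    """
    findings = {}
    for host, before in pre.items():
        after = post.get(host)
        if not after:
            continue  # no post-patch telemetry yet for this host
        delta = mean(after) - mean(before)
        sigma = regression_score(before, after)
        if sigma >= min_sigma and delta >= min_delta_pct:
            findings[host] = {"delta_pct": round(delta, 1), "sigma": round(sigma, 1)}
    return findings


if __name__ == "__main__":
    for host, f in find_regressions(PRE_PATCH, POST_PATCH).items():
        print(f"{host}: mean CPU up {f['delta_pct']} points ({f['sigma']} sigma) since patch")
```

With these samples only db-01 is reported; ws-01’s single spike lifts its post-patch mean by only a few points, so the practical threshold keeps it out of the alert even though its quiet baseline makes the statistical score look large.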