Providing a Rapid Response to Meltdown and Spectre for Hybrid IT. Industry: Computer Security and Operations Date: February 2018

Transcription

1 Market Guide Providing a Rapid Response to Meltdown and Spectre for Hybrid IT Industry: Computer Security and Operations Date: February 2018 Meltdown and Spectre Exploits Vulnerabilities in Common Processors During the first week in January 2018, the news broke about two vulnerabilities in modern processors. Researchers quickly discovered exploits for these vulnerabilities, called Meltdown and Spectre, which could potentially allow an attacker to glean sensitive information from a computer 1. What set Meltdown and Spectre apart from the myriad of exploits discovered every day was that they were created by flaws in processor design in other words, in the hardware itself that has been in use since the 1990s. The scope of the vulnerabilities was also unusual. It is not uncommon to find security issues with a single processor; It is much more unusual to find exploits that affect many, diverse, processors all at once. To put it plainly, this was the unusual case where a major security flaw exists across a wide range of processors and has gone unnoticed for over 20 years. So far, Intel, ARM, AMD, Oracle Sparc, IBM Power processors are affected, as well as a number of others. This encompasses most, if not all, of the processor types used in enterprises of all sizes and most major cloud services 2. With the number of servers attached to the Internet conservatively estimated to be 75m units and adjusting for the number that are used for internal applications only, it is reasonable to 1 The Register, January 2, 2018, 2 Meltdown and Spectre, EXECUTIVE SUMMARY Key Stakeholders: CIO, CSO, Security Analysts, Operations Managers, Developers, Technical Analyst Why It Matters: Meltdown and Spectre affects almost every type of processor in use in servers today. Every type of system component container, virtual machine, and on-premises and cloud server is at risk. Mitigating that risk at this scale will be a major challenge, especially difficult in hybrid or mixed systems. Top Takeaways: Automated workflow security systems are the key to managing the danger posed by Meltdown and Spectre. Finding a single product to cover all deployment options is difficult but exists. CloudPassage Halo is an example of software that covers all the bases. prior written permission. Page 1

2 assume as many as 100m or more vulnerable servers. This is in addition to the 2b personal computers and 4.75b mobile devices estimated to be in use by At the moment, there doesn t appear to be a way to fix the processor design problem. Instead, vendors and the open source community are focusing on mitigating the effects of these vulnerabilities on an operating system. OS vendors can patch their kernels to turn off features that cause the vulnerability but not fix the hardware or firmware of the processors. Initial attempts by Intel to release a fix to the problems have not been wholly successful 3. The absence of a fix is an enormous problem because even a single unpatched kernel can leak information to a bad actor. For enterprise IT, this means that every system component that uses an operating system kernel needs to be patched. This includes: Windows operating systems both desktop and server, in all types Linux operating systems both desktop and server variants Oracle Solaris operating system for Sparc processors UNIX operating systems including proprietary versions Virtual machines and VM images IoT devices that use a vulnerable processor Mobile devices using vulnerable ARM processors Cloud services that use any of the above in any form Just about every kernel in every system in every form available in an enterprise has to be updated. Given the scope of the problem, ensuring that all system components are up to date is a serious problem. The scope is amplified for enterprises with large, complex, heterogeneous, systems of varying age. If even 25% of enterprise servers are running an average of 10 virtual machines (again, a very conservative estimate), then as many as 350m operating system kernels will be affected by Meltdown and Spectre. That doesn t include containers running on hosts or VMs. The Scope is New but the Problem Is Not Meltdown and Spectre are extreme versions of an everyday problem for IT professionals. A typical enterprise application, especially one that uses cloud services, containers, virtual machines, and onpremises dedicated servers, has a host of software components, each of which may have a set of vulnerabilities at any time. In addition to the kernels and operating systems, modern applications 3 Intel Corporation, January 22, 2018, prior written permission. Page 2

3 have process virtual machines such as a Java VM or Python VM, libraries that may be proprietary or open source, databases, middleware, and application code. It is not even reasonable to assume that the same system components, for example the PHP engine or AngularJS framework on a website, have the same versions in use across the enterprise. Software system components of varying ages and deployed by different teams, may use the version they are used to rather than a standard one across the enterprise. All of the software components in an enterprise may have their own vulnerabilities and need constant monitoring and patching, which make enterprise-wide security efforts across the software value chain a necessary practice. Strategic Consideration: Container images represent a special case, especially when publicly images are downloaded from public repositories. While these rarely are deployed into production systems, they are used by developers, often as starting point for their production images, and become a vector for which vulnerabilities may find their way into production. Hybrid Deployment Models Make Security Harder The problem of tracking so many pieces of a system is made worse by the introduction of hybrid deployment models. While it s common for cloud service providers, container and virtual machine software vendors, and open source advocates to present the modern IT architecture as being homogenous, the myth of standardization does not accurately describe how large enterprises are approaching their system design. Instead, mixed or hybrid architectures are emerging as the dominant model for computing, especially for large enterprises. Amalgam Insights expects that as many as 60% to 70% of large enterprises will have a mix of cloud services and on-premises data centers. Even with the growing popularity of microservices architectures, most IT organizations will deploy to containers, virtual machines, and dedicated servers simultaneously. In fact, it would not be unusual to find containers in virtual machines which are hosted on on-premises or cloud servers. This is a viable method of achieving a balance of isolation and high capacity utilization appropriate to the demands of a system. Strategic Consideration: prior written permission. Page 3

4 Not only does hybridity drive the complexity of the system up, but it also offers a number of vectors for exploiting vulnerabilities. In the case of Meltdown and Spectre, kernel patches will need to be applied to server or virtual machine kernels, then to virtual machine operating systems. Patching only one part of the stack will result in retaining exploitable security weaknesses. With a conservative 10 to 20 virtual machines per host on average, even a moderate data center may have thousands of kernels that will need attending too. Figure 1: Nested Deployment Options for Software Applications Bare Metal or Cloud Server OS/Kernel Virtual Machine Application Stack OS/Kernel Application Stack Container Application Stack Knowing is Half the Battle Source: Amalgam Insights, February 2018 With so many components in modern systems deployed in a variety of ways, simply knowing which software components need updating is a daunting task. It s too easy to miss a vital, out-of-date component. That, in turn, could leave a gaping security hole in a system. These are exactly the types of vulnerabilities that black hat hackers exploit. They rely on mistakes as much as negligence. With the scale of the problem so large, manual intervention is no longer an option. The solution to detecting components that need to be updated is automated workload security. All workloads and images, no matter how they are deployed, need to be constantly monitored for out-of-date components at all levels. When a component of a system is found to have security vulnerability, an assessment of the threat should be performed, and security and operations professionals notified that a patch is available. Even if a patch is not yet available, then at least the security team is aware of the vulnerability and can put in place its own mitigation strategy. Manual processes simply can t do this at scale. Automated, software-driven systems backed by machine learning represent the best method for maintaining workload security in large and complex systems. prior written permission. Page 4

5 Comprehensive Workload Security One of the challenges of implementing automated workload security is that many of the products in this space don t address the totality of modern hybrid designs. There are products that will monitor containers, others that look at virtual machines and dedicated servers, and yet others for cloud services. It s difficult to find a single pane of glass for workload security that addresses current and emerging deployment options. The result is uncoordinated information that can cause IT professionals to miss a critical vulnerability. With a situation such as Meltdown or Spectre, many IT professions will have to consult multiple tools for different portions of their systems. This opens the door to some system components being left vulnerable to attack. The more that IT professionals are forced to use separate tools for containers, virtual machines, and on-premises and cloud hosts and the more uncoordinated the information - the higher the chances are that something will be missed. CloudPassage Workload Security Thankfully, the market situation is changing. As IT professionals demand more complete solutions, products are emerging that provide workload security monitoring and analytics across multiple types of deployment scenarios. Products such as these are especially necessary in emerging hybrid architectures. An example of a product that offers comprehensive visibility across system components deployed in a myriad of ways is CloudPassages Halo. Halo covers a wide range of workload security functions, including the ability to monitor and identify software that needs updating. What makes Halo interesting is that it works across all types of software infrastructure including on-premises servers, containers, virtual machines, and cloud services. In the case of Meltdown and Spectre, Halo can identify which kernels need changing no matter how they are deployed. In complex, hybrid architectures, Halo will assist in patching containers and virtual machines as well as the hosts they inhabit, including cloud hosts. In addition, Halo will continuously monitor the other components in a system to identify updates and patches as they become available. Halo provides a single system for monitoring software components when they are running and for images prior to deployment. Strategic Consideration: Amalgam Insights believes that having single source of truth for managing workload vulnerabilities is the best approach. Disparate streams of information, from a variety of product, presents too many opportunities to miss important data. CloudPassage Halo, represents that prior written permission. Page 5

6 type of tools that we believe are necessary for hybrid environments; Tools capable of monitoring cloud servers, on-premises hosts, virtual machines, and containers. The downside of this approach is monoculture. The danger of monoculture is outweighed by the need to manage responses that are broad in scope, such as Meltdown and Spectre. Conclusion Meltdown and Spectre are only the latest exploits of vulnerabilities in processors, operating systems, and platform stacks. They are certainly not expected to be the last. As the open source and vendor operating system community mitigate this vulnerability with updates to their software, large enterprises will need to identify where they will need to be applied. With vendors rolling out patches across weeks, knowing what has and hasn t been updated will become a difficult task. Failure to keep up, however, will leave critical systems open to attack. The key to insuring that systems are safe from the Meltdown and Spectre exploits safe from all exploits in a software stack is persistent, continuous, automated monitoring and analysis of the software that makes up large enterprise systems. A comprehensive suite of workload security software, such as CloudPassage Halo, is the best way to insure the integrity of large scale, hybrid systems. Tom Petrocelli Contributing Analyst February 12, 2018 prior written permission. Page 6

7 About Us ABOUT AMALGAM INSIGHTS AUTHOR: TOM PETROCELLI Is a leading research, advisory, and consulting firm focused on Technology Consumption Management: the technology, personnel, and strategies to unlock business value from new technologies for emerging and disruptive business models. This focus on the purchase and utilization of technology bridges key CFO-CIO gaps in maximizing the value of technology investments and successfully supporting enterprise technology. AI provides over 20 years of experience in supporting high-growth and disruptive companies with a focus on translating new technologies into Digital advantage. Tactically, AI focuses on the following practices as part of the Technology Consumption Management umbrella: Hybrid IT management Subscription Revenue Management Financial Planning Management Strategic Performance Management Design Thinking & Technology Evangelism Tom Petrocelli is a contributing analyst with Amalgam Insights. His area of interest is collaboration, developer tools, IT project efficiency, governance, and methodologies, and DevOps. He also looks at how large regulated companies, especially financial services companies, manage IT projects. Tom has over 33 years of experience in the IT industry. Prior to Amalgam Insights, Tom: Worked for a large, global, banking corporation. Was the research director for Enterprise Social, Mobile and Cloud Applications at Neuralytix. Before Neuralytix, Tom was the senior analyst, Social Enterprise at Enterprise Strategy Group. Before becoming an analyst, Tom held various senior and executive management positions. Phone: Website: This paper was sponsored by CloudPassage. Disclaimer: Amalgam Insights provides consulting, research and advisory services to a variety of technology consumers and vendors and may have revenue-based client relationships with companies mentioned in our research. prior written permission. Page 7