As you've likely heard, Meltdown and Spectre are vulnerabilities that exist in Intel CPUs built since 1995. Hackers can exploit Meltdown and Spectre to get hold of information stored in the memory of other running programs. This might include passwords stored in a password manager or browser, photos, emails, instant messages and even business-critical documents.
Join us for a technical webcast to learn more about these threats, and how the security controls in AlienVault Unified Security Management (USM) can help you mitigate these threats.
You'll learn:
What the AlienVault Labs security research team has learned about these threats
How to scan your environment (cloud and on-premises) for the vulnerability with AlienVault USM Anywhere
How built-in intrusion detection capabilities of USM Anywhere can detect exploits of these vulnerabilities
How the incident response capabilities in USM Anywhere can help you mitigate attacks
Watch the On-Demand Webcast here: https://www.alienvault.com/resource-center/webcasts/meltdown-and-spectre-how-to-detect-the-vulnerabilities-and-exploits?utm_medium=Social&utm_source=SlideShare&utm_content=meltdown-spectre-webcast
Hosted By
Sacha Dawes
Principal Product Marketing Manager
Sacha joined AlienVault in Feb 2017, where he is responsible for the technical marketing of the AlienVault Unified Security Management (USM) family of solutions. He brings multiple years of experience from product management, product marketing and business management roles at Microsoft, NetIQ, Gemalto and Schlumberger where he has delivered both SaaS-delivered and boxed-product solutions that address the IT security, identity and management space. Originally from the UK, Sacha is based in Austin, TX.
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
1. Meltdown and Spectre – How to Detect the Vulnerabilities and Exploits
Jeff Olen, Senior Product Manager, AlienVault
Kate MacLean, Senior Product Marketing Manager, Cisco
Sacha Dawes, Principal Product Marketing Manager
2. In this Webcast
• What are Meltdown and Spectre, and their impact?
• Detecting and Protecting your Environments with AlienVault® USM Anywhere™
• USM Anywhere Live Demo
• Ask Us Questions!
4. Timeline
• Jan 1995: First CPUs susceptible to Spectre/Meltdown shipped
• June 2017: Google informs affected companies of Spectre flaw
• July 2017: Google informs affected companies of Meltdown flaw
• Jan 2018: Vulnerabilities made public
5. Comparing Meltdown & Spectre
                     Meltdown                          Spectre
Affected CPU Types   Intel, Apple                      Intel, Apple, ARM, AMD
Attack Vector        Execute Code on the System        Execute Code on the System
Method               Intel Privilege Escalation &      Branch Prediction &
                     Speculative Execution             Speculative Execution
                     (CVE-2017-5754)                   (CVE-2017-5715 / -5753)
Exploit Path         Read Kernel Memory from           Read Memory Contents from
                     User Space                        Other Applications
Remediation          Software Patches                  Software Patches
Source: “A Simple Explanation of the Differences Between Meltdown and Spectre (Jan 3 2018)”, Daniel Miessler, https://danielmiessler.com/blog/simple-explanation-difference-meltdown-spectre/
6. What Have AlienVault Labs Seen?
• Neither Meltdown nor Spectre is known to have been used to steal data
  • That said, compromise can be difficult to detect
• AlienVault Labs has seen samples of malware attempting to exploit the vulnerabilities
  • Most are variants of the samples provided by the disclosing teams
Source: https://otx.alienvault.com/pulse/5a50d6d41f9dd76baa10458c
7. Are Software Patches Available?
• Yes – early software patches exist for:
  • Devices: Apple devices, Surface & Surface Book, Android devices
  • OS: Windows, various Linux distributions (CentOS, Red Hat, Fedora and Ubuntu)
  • Cloud providers (AWS, Azure, Google) indicate they’ve patched
• GitHub* has the latest status on patches
• When applying patches, some have seen:
  • System slowdowns
  • System crashes
Source: https://medium.com/implodinggradients/meltdown-c24a9d5e254e
* https://github.com/hannob/meltdownspectre-patches
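An added check, not part of the deck or of AlienVault's tooling, for verifying on a Linux host whether the patches this slide refers to (the KPTI Meltdown patch and the Spectre mitigations) are actually in effect: kernels that carry those patches (4.15 and distribution backports) expose one file per issue under /sys/devices/system/cpu/vulnerabilities, each holding "Not affected", "Vulnerable" or "Mitigation: ...". The function names, the constructed sample snapshot and the --sample/--live flags are mine; the default path and the file contents follow the kernel's sysfs interface.

```shell
#!/bin/sh
# Added example (not AlienVault's code): summarise the Linux kernel's own
# Meltdown/Spectre mitigation status. Kernels carrying the KPTI/Spectre patches
# expose one file per issue under /sys/devices/system/cpu/vulnerabilities, each
# holding a line such as "Not affected", "Vulnerable" or "Mitigation: PTI".

# report_mitigations [DIR]: print "<issue>: <state>" for every file in DIR
# (default: the live sysfs path). Returns 0 if nothing is marked Vulnerable,
# 1 if at least one entry is, and 2 if DIR is missing, which on Linux means
# the running kernel predates the mitigation patches entirely.
report_mitigations() {
  dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
  if [ ! -d "$dir" ]; then
    echo "$dir not found: kernel has no mitigation reporting (unpatched?)" >&2
    return 2
  fi
  rc=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    state=$(cat "$f")
    case "$state" in
      Vulnerable*) rc=1 ;;   # e.g. "Vulnerable" or "Vulnerable: Minimal ..."
    esac
    printf '%s: %s\n' "$(basename "$f")" "$state"
  done
  return $rc
}

# make_sample_snapshot: constructed sysfs snapshot (not real host data) of a
# host with KPTI applied but no Spectre v2 mitigation yet; prints its path.
make_sample_snapshot() {
  d=$(mktemp -d)
  printf 'Mitigation: PTI\n' > "$d/meltdown"
  printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
  printf 'Vulnerable\n' > "$d/spectre_v2"
  echo "$d"
}

# Usage: sh check_mitigations.sh --sample   (constructed snapshot above)
#        sh check_mitigations.sh --live     (this host's sysfs)
case "${1:-}" in
  --sample) report_mitigations "$(make_sample_snapshot)" ;;
  --live)   report_mitigations ;;
esac
```

A non-zero exit from the --live run is the signal to act on: 1 means the kernel reports at least one issue still unmitigated, 2 means the kernel is too old to report at all.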
8. Decrease Your Risk from Meltdown and Spectre
• Evaluate and fully test the available patches for your different systems
  • Apply those patches where possible
• Apply the same protections as for any malware or ransomware
  • Evaluate the need for services (e.g. SMB), and disable those that are not required
  • Architect your environment to include network segmentation and a least-privilege model, to limit the ability of any ransomware to traverse the network
  • Train your organization on how to watch for phishing attempts, and how to report and protect your organization if they think they’ve become infected
  • Implement a backup plan with offline backups
• Deploy AlienVault USM Anywhere to detect vulnerabilities and threats that could be Meltdown/Spectre sourced across your cloud, on-premises & hybrid environments
9. AlienVault USM Anywhere: A Unified Approach to Threat Detection & Response
• Asset Discovery: Know who and what is connected to your cloud or on-premises environments at all times
• Vulnerability Assessment: Know where the vulnerabilities are to avoid easy exploitation and compromise
• Intrusion Detection: Know when suspicious activities happen in your environment
• Behavioral Monitoring: Identify suspicious behavior and potentially compromised systems
• SIEM Log Management: Correlate, analyze, and report on security event data from your network
10. Optimize Threat Detection & Response
Actionable Threat Intelligence Powered by AlienVault Labs Security Research
• AlienVault researches emerging threats – so you don’t have to
• Continuous Threat Intelligence updates built into your USM Anywhere include:
  • Correlation directives
  • IDS signatures
  • Vulnerability audits
  • Asset discovery signatures
  • IP reputation data
  • Data source plugins & AlienApps
  • Incident response guidance
Supplemented by the AlienVault Open Threat Exchange™ (OTX)
• The world’s first truly open threat intelligence community
• Collaborate with 65,000+ global participants to investigate emerging threats in the wild
• Pulses created within minutes of the first detection of an in-the-wild attack
• Subscribe to threat research updates from 73 public groups and other OTX contributors
• Leverage the latest OTX threat intelligence directly in your AlienVault USM environment
11. Automate & Orchestrate Containment
A Growing “Galaxy” of AlienApps: Cloud Infrastructure, Productivity Apps, IT Virtualization, IT Operations, IT Security
• Monitor: AlienApps collect and enrich data from your environment
• Detect: USM Anywhere uses that data to detect threats and alerts you
• Respond: Automate and orchestrate your threat responses for efficiency
14. Contact Us
888.613.6023 | ALIENVAULT.COM | HELLO@ALIENVAULT.COM
• Test Drive USM Anywhere in our Online Demo (instant access, no download, no install): https://www.alienvault.com/products/usm-anywhere/demo
• Try it for Free in your Environment (start detecting threats in less than an hour): https://www.alienvault.com/products/usm-anywhere/free-trial
• Review Pricing and Get a Quote (multiple tiers available, low annual subscription pricing): https://www.alienvault.com/products/usm-anywhere/pricing
Questions?
Editor's Notes
Petya would typically launch the UAC window. If the user did not give access, Mischa would take over.
More patches will come
Linux KPTI (Kernel Page Table Isolation) patch, originally named KAISER
AlienVault’s threat intelligence can help pinpoint bad IP addresses of ransomware C2 servers
Want to see orchestration rules in action – use case example
Hybrid coverage