Spectre, Meltdown, and Security Uncertainty

Share:

Patches and Uncertainty are the two key takeaways in the wake of the Meltdown and Spectre security flaws. These security exploits affecting most computing systems – from PCs to business cloud data centers and mobile phones – are a reminder that trust in the age of digital business depends on the application of security fixes from providers. Here’s our update on this continuing drama of IT security uncertainty.

First, we see continuing confusion and chaos to go around with the many different patches issued by numerous providers for the security flaws known as Spectre (versions 1 and 2) and Meltdown. Some of the patches deliver workarounds for only the Meltdown exploit, while others partially or fully workaround one of the Spectre exploits, and others claim to partially fix the other Spectre exploit.

Complicating the picture of all the different patches is a witches’ brew of additional ingredients that may need to be applied. As many who are applying the early patch releases can attest, conflicting guidance persists about the effectiveness of the different patches: some have been recalled, others have been blocked, and others are superseded by newer patches.

The mitigations have just begun, requiring IT operations to update systems operating systems, browsers and firmware (in the form of UEFI and BIOS or microcode updates) across the enterprise. The updates available for Meltdown and Spectre now include patches from the following:

AMD
Apple
Firefox
Google
IBM
Microsoft
Linux distribution providers

The net result is plenty of uncertainty - about the efficacy of the many different Spectre and Meltdown patches between microcode fixes, BIOS remediations, and operating system and browser patches – and about ongoing IT security itself. ISG recommends that clients contact the providers of patches directly, assemble relevant information about the digital products that are in use by the enterprise, test the proposed patches beforehand, and then apply these in production workloads and networks.

Even if – and after – patches are applied, there remains the question: are we safe or not? This is the larger uncertainty – beyond just Meltdown and Spectre – and a question that is security’s uncertainty: knowing if, when and where enterprise digital assets are compromised by a cyberattack.

A new ISG Insights Research Note – IT Security Visibility + Speed are Keys to Better Results – focuses on the key performance indicators (KPIs) that will most improve solve security’s uncertainty dilemma and answer security’s core question: are we safe?