Meltdown and Spectre: What You Need to Know to Secure Your End-User Computing Environment
Although Meltdown and Spectre have been publicly disclosed since January, the two security vulnerabilities remain at the top of daily technology and digital security news feeds, for good reason: These can be used to exploit modern processors that power millions, maybe billions of devices. This means desktops, servers, and mobile devices are all subject to potential breach because of these two vulnerabilities. Hackers can use these vulnerabilities to exploit side channels in modern processors, with Meltdown affecting Intel processors and Spectre affecting Intel, AMD, and ARM processors.
An exploit that takes advantage of Meltdown can give an application access to system memory, an area to which an application should not have access. An exploit using the Spectre vulnerability tricks an application into leaking information that is meant to stay safe in its protected memory area.
The Problem With Updates and Patches
Updating and patching firmware and operating systems is one of the most critical steps in reducing risk from most cyber threats related to devices. In the case of Meltdown and Spectre:
- CPU manufacturers began rolling out patches for these vulnerabilities, albeit unsuccessfully so far.
- Operating system vendors, such as Microsoft, have also released patches.
- Since the vulnerabilities may affect hypervisors, our own VMware ESXi, Workstation, and Fusion teams have also released fixes and given advisory guidance.
- And since the vulnerabilities may also affect mobile device operating systems, our VMware AirWatch team released guidance on what customers can do. (More information can be found in this FAQ.)
Hardware manufacturers and software vendors, both operating system (OS) and application vendors, can make firmware and patch updates available to help reduce the risk of breaches from known vulnerabilities like Meltdown and Spectre. But actually identifying, applying, and continuously monitoring those updates is the real challenge for IT. In fact, an internal VMware study indicated that one in ten enterprise customers take a year or more to complete Windows patches that affect most or all of their endpoints.
Meeting Security Needs With VMware Workspace ONE
We’re now in a world where dynamic sets of users are as mobile as ever, accessing data that can live anywhere. To meet the demands of the modern workforce, modern device management and security are needed, and organizations can easily meet these demands with VMware Workspace ONE. Workspace ONE, powered by AirWatch unified endpoint management technology, allows IT to manage, in real time, the complete lifecycle of endpoints and securely deliver any app on any device. In the case of vulnerabilities like Meltdown and Spectre, Workspace ONE can help IT instantly patch and update firmware, operating systems, and apps across any endpoint, over the air, and without any network or domain dependencies.
Identifying Devices at Risk
One of the first challenges in securing an end-user computing environment in the wake of Meltdown and Spectre is identifying which devices may be at risk due to outdated patch levels. Workspace ONE provides IT with a simple view to immediately identify these devices using a native dashboard. These devices include those with desktop operating systems (e.g. Windows 10, Chrome OS, and macOS), mobile operating systems (e.g. iOS and Android), and even connected things, like barcode scanners.
Applying Updates and Patches
Once affected devices are identified, IT can quickly remediate them across the enterprise, automatically safeguarding critical company resources and limiting malware exposure for the rest of the endpoints. Remediation rules in Workspace ONE enable IT to automate compliance or manually push updates over the air, reliably and at scale. Critical OS and firmware patches can be instantly delivered from the cloud so endpoints are always up to date, instead of waiting months for the devices to return to a compliant state. Workspace ONE can not only cut off affected endpoints from accessing critical company resources, but also force remediation steps (e.g. forcing critical patches, encrypting devices, wiping company data) to get the device back to a compliant state.
Continuously Monitoring Risk
Another challenge in securing an end-user environment is trusting the users who can get access to corporate data. Workspace ONE helps with well-defined authentication policies that reduce the risk of credentials being exploited, including password-less, multifactor authentication leveraging PIN, biometrics and certificates; virtualization-based credential isolation; and conditional access to apps and resources. With conditional access, users can be prompted to install a workspace services profile on their device before they open an application that might be affected by vulnerabilities like Meltdown and Spectre. If that application is considered a threat to the device, it can be blacklisted, and IT can instantly initiate a remote wipe to help reduce the risk of a data breach.
Continuously hardening the operating system across the devices end users rely on can also be challenging. Workspace ONE can help ensure that unapproved apps (including apps infected with malware) and apps from untrusted vendors can no longer run on the device. A real-time compliance engine blocks access to company resources if device health (e.g. device, boot, or code integrity) is compromised. Over-the-air management of the OS and firmware also ensures that systems are always up to date against new exploits. Workspace ONE ensures data is protected at rest (e.g. managing the BitLocker encryption lifecycle on Windows 10), in use (with native data loss prevention capabilities such as Windows Information Protection on Windows 10) and in transit (with traffic filtering and micro-segmentation using the Workspace ONE and NSX integration).
Vulnerabilities like Meltdown and Spectre continue to teach us that no single digital entity is safe in today’s mobile-cloud world. However, organizations can take steps, such as deploying a unified endpoint management solution like Workspace ONE in their environment, to mitigate risk caused by these vulnerabilities and have an end-to-end security approach from the device into the data center. To learn more about Workspace ONE, visit vmware.com/workspaceone.