Sunday, January 21, 2018

Executive Speculation on the Speculative Execution Situation

Security issues that are resolved via the installation of a single patch are easy mode in a few regards: they're easy to fix, and they're easy to measure. How many times have you heard your CIO ask, "What percent complete are we for <insert cool vulnerability name here>?" That's because executives love metrics, and patch installations are easily quantifiable:

  • How many systems do we have?
  • How many systems are vulnerable?
  • How many systems are fully patched?
  • How many systems need to be patched?

Execs love 3D pie charts.
You can be sure that once the exec collects these data points, a shiny new pie chart will be willed into existence and cut and pasted into a PowerPoint presentation concerning incident response. Then you'll enter the measuring progress phase of remediation, in which each morning these four data points are updated and the pie chart is refreshed.

Remediations for #spectre and #meltdown, however, are not so primitive. For modern on-prem environments, you can count on applying complex, interdependent remediations to each layer of your stack, from the server hardware you rely on (in the form of microcode and/or firmware updates), to the hypervisor you trust (in the form of host and management server patches and updates), to the virtual machines that migrate throughout your data center (in the form of vm version upgrades (yeah, you're not the only one with VMs using version 4 in your production environment), to the guest operating systems (in the form of patches to the OS), to the anti-virus applications running within those guest operating systems (in the form of compatibility assurances inserted in the Windows Server registry). Once all of these mitigations are in place, then you've fully addressed the vulnerability (at least as of the end of January 2018).

Many of these steps require planned downtime. Some of these steps are dependent upon others; surely by now you've read that applying updates to Windows without having a compatible anti-virus solution has a nasty habit of breaking Windows in the form of the dreaded BSoD. A few intrepid admins inserted the required "QualityCompat" key to the registry of a server that lacked a validated av solution with mixed results.

Undeniably, implementing safeguards for spectre and meltdown are not easily captured in a 3D pie chart. Such a chart would be visually cluttered and would immediately lose its intended audience who wishes to see, in clear, clean, coordinated, contrasting colors, the state of remediation.

The result of the difficulty in measuring speculative execution remediation activities is this: no one measures speculative execution remediation activities, which translates to not a whole lot of attention being paid at the executive level. Sure, the technologists of the world are frantically updating and patching and running PowerShell scripts to validate the state of protection. But the flurry of activity is confined to the lowest layers of the org chart. Bikeshedding is alive and well in the enterprise.

Infrastructure, dear friends, is important. I suspect that as we've moved from client-server to virtualization to cloud, we've abstracted ourselves far away from the hardware that makes IT possible. Some vendors even proclaim that infrastructure should be invisible. And while I understand the intent of such a provocative statement, I believe it has been interpreted as "infrastructure should be ignored."

This is a risky ideology to employ in the data center, to be certain.