The Strongroom

Meltdown and Spectre Uncover Serious Shortcomings in Incident Readiness

20th February 2018

Written by Tania Allison

Meltdown and Spectre - a pair of vulnerabilities that affect virtually every computer in operation today - were made public early this year.  

The proliferation of patches from multiple vendors following the news resulted in widespread confusion among IT and security professionals. Part of the reason for the confusion was that the update released by Microsoft has compatibility issues with third-party antivirus (AV) software, and so Microsoft restricted its roll-out.

I was disturbed to hear many reports of corporate IT teams and managed IT support providers not understanding Microsoft’s requirements and being unable to remediate the situation in a timely and effective manner. In fact, despite heightened awareness about the scale of the problem, a Barkly survey conducted a week after the Meltdown and Spectre announcement found that at half the organizations surveyed, more than 75% of machines hadn’t received the Windows update. Just 4% of respondents had applied it to all of their machines.

The antivirus incompatibility shambles

The reason for such low remediation rates is twofold: Firstly, because Meltdown and Spectre affect features designed to improve system performance, installing patches can mean slowing down your systems significantly, as well as other serious issues. This explains why so many IT teams were wary of installing them, and instead took a ‘wait and see’ approach.

Secondly, to install the Windows update, Microsoft required that first company IT administrators change a registry setting, after ascertaining whether or not their organisation’s antivirus software was compatible. Failure to do this results in issues such as machines not starting up, blue screens and other issues rendering the computers and servers inoperable. Many IT teams simply didn’t take this crucial step before running the update, resulting in serious issues for end users.

The Origin difference

Origin Security and engineering teams sprang into action the moment news of Meltdown and Spectre was released. We immediately kicked into quality assurance mode, testing patches on every platform that vendors were releasing them for.

Next, our security team created internal documentation and held training sessions with engineering team members to educate them on the remediation process. As soon we had our ducks in a row, we reached out to every Origin client, to let them know about the vulnerabilities, explaining the next point of action and giving clear instructions for users to follow. We continued to keep our customers up to date on the progress of new patches as they became available.

The result? I’m proud to say that every single Origin customer was protected in a timely manner, without one case of AV incompatibility.

Automated patching is not enough

The lesson here is that information security is about so much more than automated patching and updates. Your IT team must have an Incident Readiness and Response Plan (IRRP) underpinned by proven methodologies if they’re to respond quickly and proactively to new threats.

An effective IRRP should look something like this:

  • Allocated roles and responsibilities in the event of an incident

  • Defined security incidents and likely scenarios for response

  • Documented handling procedures (technical and administrative)

  • Communications plans for internal and external efforts

  • Detailed training plans for team members

  • Regular mock exercises to keep the team sharp enough to make quick decisions during incident response

I believe all businesses should expect this level of protection from their managed IT support provider; however the experience of businesses both locally and globally following Meltdown and Spectre show that most providers are woefully unprepared.

All of Origin’s managed IT support customers enjoy this baseline level of prevention, benefiting from the expertise of our specialist Origin Security business practice. But prevention is only one part of the more complex security picture. Our Managed Security service can work hand-in-hand with Managed IT Support to give your business the best possible chance to prevent incidents, detect threats, and recover from events. Read more about Origin Security here.

 

Tania Allison

Head of Services

Tania has over 20 years’ experience leading Sales and Service Teams in large ICT organisations, most recently for Spark Digital. At Origin she leads the bulk of the business, overseeing the managed service team including those in the office, on the road, and the delivery teams who run technology projects for our clients. Tania describes herself as passionate about customers and how IT can help their businesses to be successful.

Join the Strongroom
Join The Strongroom and get a regular round-up of news and views to keep you up to date with the fast moving world of cyber security.