Customers still running most of their compute on-premises were given yet another reason to expedite their migration to public cloud. On Tuesday Intel disclosed another wave of CPU flaws (remember Meltdown and Spectre?), this time a set of speculative-execution side-channel vulnerabilities in its Core and Xeon lines collectively called L1 Terminal Fault (L1TF). The researchers who found them named the attacks Foreshadow and Foreshadow-NG: an attacker who can run code on an unpatched system can use them to read data belonging to other processes, the operating system kernel, SGX enclaves or co-resident virtual machines straight out of the L1 data cache. Interestingly, Intel in its disclosure notes, “...those running traditional virtualization technology, and primarily in the data center – it may be advisable that customers or partners take additional steps to protect their systems.” What does this nebulous language mean, and why are public cloud customers at an immediate advantage over their on-premise peers?
Public cloud providers collectively spend billions on securing their infrastructure, and their customers benefit directly and tangibly from that spending. Case in point: in response to the latest round of Intel CPU flaws, cloud titans Google, Microsoft and AWS quickly updated their hypervisors and host microcode. For the vast majority of enterprise cloud customers, those not running untrusted or multi-tenant workloads inside the same VM, there was no immediate need for action. For organizations still operating large on-premise environments, however, the massive effort to identify vulnerable systems, apply microcode and kernel patches, and make the accompanying hypervisor and system-level changes has only just begun. Like other critical patching efforts before it, the process will likely take many organizations months to complete and validate, further adding to an already overburdened IT workload.
While cloud providers have done the lion's share of the work for public cloud customers, those running multi-tenant workloads inside the same VM, including vendors who sell software-as-a-service (SaaS) solutions hosted in public cloud environments, still have work to do, albeit considerably less than their on-premise peers. In practice, the “additional steps” Intel alludes to are disabling SMT (hyper-threading) on hosts that run untrusted guests, or guaranteeing that the two sibling threads of a core never concurrently execute code from different trust domains, because the hypervisor's flush of the L1 data cache on VM entry cannot protect against a sibling thread reading that cache at the same moment. Even the best and fastest fixes aren't effective unless all stakeholders do their part. It only takes one party, one weak link in the chain, for the exposure to remain. So what will it take to ensure comprehensive remediation for this latest round of CPU flaws?
First, a proactive approach to threat detection is absolutely essential. A higher level of vigilance raises the cost of an attack and discourages attackers from exploiting newly disclosed vulnerabilities. A real-time vulnerability management strategy lets organizations identify systems running outdated microcode, kernels and hypervisors. This is particularly difficult in on-premise environments, which typically span large and often segmented IP ranges, so IP-based vulnerability scans can take weeks to complete. Research from RedLock shows that organizations attempting to use the same IP-based scanning tools in the public cloud can get even worse results: these tools identify hosts that are missing patches by IP address, while IP addresses are constantly being reassigned in the cloud, so much of the data is unreliable by the time it is read. And every new vulnerability disclosure forces the whole exercise to be repeated.
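Scanning by IP address tells you which hosts were reachable; it does not tell you whether a given host is actually mitigated. On Linux the kernel patches that accompanied the L1TF disclosure expose the host's own verdict at /sys/devices/system/cpu/vulnerabilities/l1tf, and an agent or configuration-management run can read it per instance regardless of what IP the instance currently holds. The following script is an added example, not RedLock's tooling and not from the original post: the sysfs path is the real kernel interface, while the status strings used in the test cases are constructed from the wording of the kernel's L1TF documentation. The verdict function treats a host whose kernel is patched but which still reports its VMX (virtualization) side as vulnerable, which is what an enabled hyper-thread sibling produces, as a separate class, since that is precisely the “additional steps” situation Intel's advisory points at.

```shell
#!/bin/sh
# Classify a Linux host's L1TF mitigation state from the kernel's sysfs report.
# /sys/devices/system/cpu/vulnerabilities/l1tf is the real interface added by
# the L1TF kernel patches; L1TF_SYSFS may be overridden to point at a saved copy.
L1TF_SYSFS="${L1TF_SYSFS:-/sys/devices/system/cpu/vulnerabilities/l1tf}"

# Print the raw status line, or "unknown" when the file is absent. A kernel
# without this file predates the L1TF patches and therefore has no mitigation.
l1tf_status() {
    if [ -r "$L1TF_SYSFS" ]; then
        cat "$L1TF_SYSFS"
    else
        echo "unknown"
    fi
}

# Reduce a status line to one of:
#   not-affected  the CPU is not subject to L1TF at all
#   vulnerable    kernel knows about L1TF but has no mitigation active
#   vm-exposed    host side (PTE inversion) is fixed, but the kernel reports the
#                 VMX side as still vulnerable (typically SMT left enabled or no
#                 L1D flush), so co-resident guests can still be attacked
#   mitigated     everything the kernel can mitigate is mitigated
#   unknown       no report available (old kernel, or not Linux)
l1tf_verdict() {
    case "$1" in
        "Not affected")              echo "not-affected" ;;
        Vulnerable*)                 echo "vulnerable" ;;
        Mitigation:*vulnerable*)     echo "vm-exposed" ;;
        Mitigation:*)                echo "mitigated" ;;
        *)                           echo "unknown" ;;
    esac
}

# Report on the local host: hostname, the reduced verdict and the raw string,
# so the output can be keyed by instance rather than by IP address.
l1tf_report() {
    status="$(l1tf_status)"
    printf '%s\t%s\t%s\n' "$(hostname)" "$(l1tf_verdict "$status")" "$status"
}

l1tf_report
```

Two caveats a practitioner should keep in mind. First, the verdict is only as good as the kernel producing it: an unpatched kernel has no sysfs file at all and lands in the “unknown” bucket, which should be treated as vulnerable for remediation purposes. Second, inside a guest VM the kernel can only see its own mitigations; whether the hypervisor flushes the L1 data cache on VM entry and how it schedules sibling threads is invisible from the guest, so for cloud workloads this check complements, rather than replaces, the provider's own statements about their hosts.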
Second, rapid response is needed as well, so that the enterprise can patch or remove vulnerable systems before attackers find and exploit the weakness. In particular, organizations running critical infrastructure in verticals such as financial services and healthcare should have well-defined incident response processes.
RedLock customers can use the RedLock Cloud 360 platform to identify vulnerable hosts within their environments. You can easily create an alert policy, supported through our vulnerability management integrations with Amazon Inspector and Tenable.io. By ingesting these feeds in real time and correlating them with host information, RedLock can identify any hosts that have been affected. For example, the following screenshot shows a RedLock query that looks for hosts that carry a specific CVE and are receiving traffic from suspicious IP addresses.
RedLock Cloud 360 Detects Hosts That are Receiving Traffic From Suspicious IP Addresses and Vulnerable to L1 Terminal Fault (L1TF)
Modern threat defenses require an approach that correlates disparate security datasets, encompassing network traffic, user activity, risky configurations, vulnerability information and threat intelligence, to gain a unified view of risk across fragmented cloud environments. This is where cloud-agnostic security tools such as the RedLock Cloud 360 Platform can help.
You're invited to view RedLock's on-demand webinar here, where we discuss how you can leverage your existing vulnerability management tools to identify vulnerable hosts and implement mitigations in your AWS, Azure, and Google Cloud environments.