Meltdown & Spectre: How to Secure Your SaaS Environment From Unknown Threats

As a SaaS provider, securing your environment from known threats is one thing, but how about the unknown? That’s a different story altogether, and it’s exactly why the security community is so worked up over Meltdown and Spectre. With so much to learn about the newly discovered vulnerabilities and the threats they pose, many have been sent into a bit of a tailspin. But, before you give in to the panic, we’ve laid out specific steps below that can help you mitigate the risks in order to keep your data and that of your customers secure.

So what are Meltdown and Spectre exactly, and how can they impact you as a SaaS provider? Meltdown and Spectre take advantage of critical hardware vulnerabilities in modern processors that breach the normal isolation between kernel space and user space. Meltdown breaks the fundamental isolation between user applications and the operating system, while Spectre breaks the isolation between different applications. Both allow an attacker to access the memory of otherwise error-free programs and, in Meltdown’s case, that of your operating system.

While there are currently no weaponized versions in the common hacker arsenal, the cloud is just as susceptible to these vulnerabilities as personal computers and mobile devices, so securing your environment before an attack occurs is critical. But how?

1. Get Patched

Software patches are available to help protect against Meltdown and against specific known exploits of Spectre, and it’s important to follow your cloud provider’s instructions for updating the Linux kernel to a patched version as a first line of defense. The recommendations for patching can be found in the security advisories below from various cloud providers:

While you should follow your cloud provider’s recommendations, keep in mind that these patches do impact processor performance. Even more disconcerting, though, is the fact that these patches are only mitigations. They do not fix the fundamental architectural issues that gave rise to these vulnerabilities. This is especially true of Spectre: because it targets the barriers between applications, it cannot be fixed through an OS-level kernel patch and instead requires changes by package maintainers within vulnerable application code.
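One way to confirm that a patched kernel is actually running after an update, shown as an added example that is not part of the original article: patched Linux kernels report their Meltdown and Spectre mitigation state under /sys/devices/system/cpu/vulnerabilities. The function names and the conservative NOT_REPORTED verdict for a kernel that lacks these files are assumptions of this example.

```python
# Added example: read the kernel's own Meltdown/Spectre mitigation report.
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
ENTRIES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status):
    """Map a kernel status line to OK, VULNERABLE or UNKNOWN."""
    s = status.strip()
    if s.startswith(("Not affected", "Mitigation:")):
        return "OK"
    if s.startswith("Vulnerable"):
        return "VULNERABLE"
    return "UNKNOWN"


def audit(sysfs_dir=SYSFS_DIR):
    """Return {entry: (verdict, raw_status)} for each variant."""
    report = {}
    for name in ENTRIES:
        try:
            with open(os.path.join(sysfs_dir, name)) as fh:
                raw = fh.read().strip()
        except OSError:
            # Assumption: a kernel that does not report is treated as
            # needing attention rather than silently passing.
            report[name] = ("NOT_REPORTED", "")
            continue
        report[name] = (classify(raw), raw)
    return report


def needs_attention(report):
    """Entries whose verdict is anything other than OK, sorted by name."""
    return sorted(n for n, (verdict, _) in report.items() if verdict != "OK")


if __name__ == "__main__":
    for name, (verdict, raw) in audit().items():
        print(f"{name:12} {verdict:13} {raw}")
```

Run it on each host after the kernel update and reboot; any entry returned by needs_attention() is a host to revisit.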

2. Audit Your Configurations

Monitoring the state of your cloud configuration settings allows you to gain visibility into the attack surface across your cloud infrastructure. With a clearer view, it’s possible to take proactive measures, such as disallowing ingress and egress to EC2 instances that should not be open to the outside world. Making sure your configurations are up to snuff in this way helps to prevent attackers from exploiting vulnerabilities like Meltdown and Spectre and to reduce your attack surface. Threat Stack’s Configuration Audit can help streamline this process.
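The ingress and egress check described above, as an added example that is not part of the original article and is not Threat Stack's code: it walks data in the shape returned by `aws ec2 describe-security-groups` and lists every rule open to the whole internet. The sample groups are constructed, and the policy that only port 443 may be public is a hypothetical assumption.

```python
# Added example: list security-group rules that are open to the whole internet.
WORLD = {"0.0.0.0/0", "::/0"}
# Hypothetical policy: the only port allowed to accept traffic from anywhere.
PUBLIC_INGRESS_OK = {"443"}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-web-example",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
     "IpPermissionsEgress": [
         {"IpProtocol": "-1",
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db-example",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}],
     "IpPermissionsEgress": []},
]}


def port_range(perm):
    """Render a rule's ports; protocol "-1" means every protocol and port."""
    if perm.get("IpProtocol") == "-1":
        return "all"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return str(lo) if lo == hi else f"{lo}-{hi}"


def world_open_rules(doc):
    """Return (group, direction, protocol, ports) for each world-open rule."""
    findings = []
    for sg in doc.get("SecurityGroups", []):
        for direction, key in (("ingress", "IpPermissions"),
                               ("egress", "IpPermissionsEgress")):
            for perm in sg.get(key, []):
                cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
                cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
                if not WORLD.intersection(cidrs):
                    continue
                ports = port_range(perm)
                if direction == "ingress" and ports in PUBLIC_INGRESS_OK:
                    continue
                findings.append((sg["GroupId"], direction,
                                 perm["IpProtocol"], ports))
    return findings
```

On the sample, world_open_rules(SAMPLE) reports the public SSH rule and the unrestricted egress rule on the web group, and nothing for the database group.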

3. Assess Your Vulnerability

Meltdown and Spectre may be hogging all the attention right now, but it’s important to note that less publicized vulnerabilities can present greater risk, given that exploits are already available in common hacker toolkits, whereas Meltdown and Spectre are still in an early phase of exploit development. By performing an assessment of packages that are used on your hosts, you can quickly determine which systems you need to patch to reduce risk from vulnerabilities that are readily exploitable today.

4. Use Behavior-Based Detection

Security works best in serial, not parallel. In other words, if you’re relying on just one layer of security to protect your business-critical systems, it’s time to rethink your strategy. A host-based intrusion detection system (HIDS) serves as an additional layer of protection that proves critical when an attacker is able to sneak by other defenses. HIDS provides visibility into your hosts, alerting you to anomalous behavior, including events that could lead up to an attacker exploiting the Meltdown and Spectre vulnerabilities.

Behavior is the keyword here. While many intrusion detection systems focus on signatures, signature-based detection is useless when trying to protect against the unknown. Much of the focus on Meltdown and Spectre has been around attempts to identify possible signatures of possible exploits using traditional malware analysis tools and methods. The problem with this approach is that there are no known exploits currently in existence from which to create these signatures. Even once exploits are created, their signatures will be especially difficult to detect, because “Meltdown and Spectre are hard to distinguish from regular benign applications.”

Behavior-based detection, on the other hand, analyzes the various stages of an attack, each of which is associated with a particular behavior. By detecting and alerting on anomalous behavior, a behavior-based HIDS can recognize possible exploitations of Meltdown, Spectre, and other vulnerabilities whose signatures are still unknown, allowing you to stop an attack in its tracks before your SaaS environment is compromised.

Why Intrusion Detection Wins Against Meltdown & Spectre

While patches are an important first line of defense in protecting against Meltdown and Spectre, it’s clear that they will not fully protect your SaaS organization from the inevitable exploits that will take advantage of these newly discovered vulnerabilities. Instead of simply following the directions of your cloud provider to mitigate the problem, it is advisable to raise your shields at every possible angle by building additional layers of protection. A comprehensive intrusion detection platform like Threat Stack can help by performing configuration audits and vulnerability assessments, and — perhaps most critically — it uses a behavior-based approach to give you the best protection against these two new beasts of the security world, as well as any unknown threats that may arise in the future.

To learn more about Threat Stack’s intrusion detection platform, sign up for a demo today.
