How to Find the Spectre and Meltdown Vulnerabilities Using Falcon Insight
Introduction
CrowdStrike’s Falcon is built on an extensible platform that allows for rapid response and quick adaptation to the rapid changing environment of cyber security. When the Spectre and Meltdown vulnerabilities were announced, the Falcon platform was ready to provide immediate value. In this article we’ll highlight the new Spectre and Meltdown vulnerability dashboards in Falcon Insight.
Video
Prerequisite
The only prerequisite to getting the Spectre and Meltdown dashboard is to have sensor version 3.9.6 and be a Falcon Insight customer.
Spectre & Meltdown
The Spectre and Meltdown dashboard helps you assess how well your Windows hosts are protected from two security vulnerabilities published in January 2018:
- “Spectre” (Variant 2: Branch Target Injection, CVE-2017-5715)
- “Meltdown” (Variant 3: Rogue Data Cache Load, CVE-2017-5754)
This dashboard only displays information about Windows hosts running sensor version 3.9.6009 or later.
Mitigating Spectre
Mitigating Spectre involves three components and applies to both software and hardware:
- Set a registry key specified by Microsoft. (This component applies to software.)
- Install a software patch from Microsoft. (This component applies to software.)
- Update your processor’s firmware/BIOS. The specific steps depend on the hardware used in your hosts, but Microsoft provides an index of major hardware vendors. (This component applies to hardware.)
| Variant 2 (aka Spectre) Patch Status | Microsoft patch installed? | Registry key set? | Firmware updated? | Recommended action |
|---|---|---|---|---|
| Protected | Yes | Yes | Yes | None – this host is protected against the Variant 2 (Spectre) vulnerability. |
| Unprotected – No Microcode | Yes | Yes | No | Apply the microcode update from your hardware vendor. |
| Unprotected – No Microcode and Disabled by Registry | Yes | No | No |
|
| Unprotected – with Microcode but Disabled by Registry | Yes | No | Yes | Set the registry key specified by Microsoft. |
| Unpatched | No | No | No |
|
Mitigating Meltdown
Mitigating Meltdown involves two components and applies only to software:
- Set a registry key specified by Microsoft. (This component applies to software.)
- Install a software patch from Microsoft. (This component applies to software.)
On certain hardware, using this software patch can slow your host’s processing performance. See Microsoft’s blog post about the performance impact of the mitigation.
| Variant 3 (aka Meltdown) Patch Status | Microsoft patch installed? | Registry key set? | Recommended action |
|---|---|---|---|
| Protected – Minimal Performance Impact | Yes | Yes | None – this host is protected from the Variant 3 (Meltdown) vulnerability. This host’s hardware is expected to perform only slightly slower as a result of the software patch. |
| Protected – Visible Performance Impact | Yes | Yes | None – this host is protected from the Variant 3 (Meltdown) vulnerability. This host’s hardware is expected to perform noticeably slower as a result of the software patch. Consider purchasing new hardware if your use case requires higher performance. |
| Unprotected | Yes | No | Set the registry key specified by Microsoft. |
| Unprotected – due to x86 | Yes | No |
|
| Unpatched – Minimal Performance Impact Expected | No | No | Apply the software patch provided by Microsoft. This host’s hardware is expected to perform only slightly slower after applying the software patch. |
| Unpatched – Visible Performance Impact Expected | No | No | Apply the software patch provided by Microsoft. This host’s hardware is expected to perform noticeably slower after applying the software patch. |
| Unpatched – due to x86 | No | No |
|
Conclusion
Having a cloud based platform is key to being flexible and quickly reacting to new and evolving threats. In the situation of Spectre and Meltdown having a platform that can quickly adapt provides immediate value to customers.
