How to Find the Spectre and Meltdown Vulnerabilities Using Falcon Insight

Introduction

CrowdStrike’s Falcon is built on an extensible platform that allows for rapid response and quick adaptation to the rapidly changing cybersecurity environment. When the Spectre and Meltdown vulnerabilities were announced, the Falcon platform was ready to provide immediate value. In this article we’ll highlight the new Spectre and Meltdown vulnerability dashboards in Falcon Insight.

Prerequisite

The only prerequisite for getting the Spectre and Meltdown dashboards is to have sensor version 3.9.6 and be an Insight customer.

Spectre & Meltdown

The Spectre & Meltdown dashboard helps you assess how well your Windows hosts are protected from two security vulnerabilities published in January 2018:

  • “Spectre” (Variant 2: Branch Target Injection, CVE-2017-5715)
  • “Meltdown” (Variant 3: Rogue Data Cache Load, CVE-2017-5754)

This dashboard only displays information about Windows hosts running sensor version 3.9.6009 or later.

MITIGATING SPECTRE

Mitigating Spectre involves three components and applies to both software and hardware:

| Variant 2 (aka Spectre) Patch Status | Microsoft patch installed? | Registry key set? | Firmware updated? | Recommended action |
|---|---|---|---|---|
| Protected | Yes | Yes | Yes | None – this host is protected against the Variant 2 (Spectre) vulnerability. |
| Unprotected – No Microcode | Yes | Yes | No | Apply the microcode update from your hardware vendor. |
| Unprotected – No Microcode and Disabled by Registry | Yes | No | No | |
| Unprotected – with Microcode but Disabled by Registry | Yes | No | Yes | Set the registry key specified by Microsoft. |
| Unpatched | No | No | No | |

MITIGATING MELTDOWN

Mitigating Meltdown involves two components and applies only to software:

On certain hardware, using this software patch can slow your host’s processing performance. See Microsoft’s blog post about the performance impact of the mitigation.

| Variant 3 (aka Meltdown) Patch Status | Microsoft patch installed? | Registry key set? | Recommended action |
|---|---|---|---|
| Protected – Minimal Performance Impact | Yes | Yes | None – this host is protected from the Variant 3 (Meltdown) vulnerability. This host’s hardware is expected to perform only slightly slower as a result of the software patch. |
| Protected – Visible Performance Impact | Yes | Yes | None – this host is protected from the Variant 3 (Meltdown) vulnerability. This host’s hardware is expected to perform noticeably slower as a result of the software patch. Consider purchasing new hardware if your use case requires higher performance. |
| Unprotected | Yes | No | Set the registry key specified by Microsoft. |
| Unprotected – due to x86 | Yes | No | |
| Unpatched – Minimal Performance Impact Expected | No | No | Apply the software patch provided by Microsoft. This host’s hardware is expected to perform only slightly slower after applying the software patch. |
| Unpatched – Visible Performance Impact Expected | No | No | Apply the software patch provided by Microsoft. This host’s hardware is expected to perform noticeably slower after applying the software patch. |
| Unpatched – due to x86 | No | No | |

Conclusion

Having a cloud-based platform is key to being flexible and reacting quickly to new and evolving threats. In the case of Spectre and Meltdown, having a platform that can quickly adapt provides immediate value to customers.
