Three-Pronged Approach Helps CIOs Allocate Scarce IT Resources to Remediate Risky Security Vulnerabilities
Itasca, IL - Jan 23, 2018 - Flexera, the company that’s reimagining how software is bought, sold, managed and secured, today announced recommendations for a standardized, risk-based approach to managing vulnerabilities such as Spectre and Meltdown. Flexera’s three-pronged approach, based upon internal expertise around vulnerability remediation and intelligence harvested from Secunia Research’s Advisories, advises organizations to:
- Determine Criticality: Determine actual Spectre/Meltdown risk criticality using verified vulnerability intelligence
- Prioritize: Prioritize remediation of known vulnerabilities based on criticality – not hype
- Fix Using Conservative Mitigation Approach: Apply patches with an emphasis on testing in controlled environments
“There’s no doubt companies should be concerned about Spectre and Meltdown. But since these vulnerabilities came to light on January 3, Secunia Research at Flexera has published dozens of advisories on unrelated, highly critical vulnerabilities. If weaponized, exploitation of these vulnerabilities could have a devastating impact on organizations,” said Kasper Lindgaard, Director of Research and Security at Flexera. “With more than 17,000 vulnerabilities disclosed within the past year – how do organizations know where to allocate scarce IT resources to minimize risk? They need access to verified vulnerability intelligence and must take a common-sense, risk-based approach to applying patches. Otherwise they’ll be forever chasing shadows from one sensational news cycle to the next.”
Understanding True Spectre/Meltdown Risk
The Spectre and Meltdown processor vulnerabilities are documented in three CVEs (CVE-2017-5754, CVE-2017-5753, CVE-2017-5715). While these vulnerabilities are indeed pervasive and potentially harmful, CIOs need deeper vulnerability intelligence than a basic CVE score to assess the risk accurately. That intelligence should supply product context, taking into account attack vectors and possible security impact, so that security teams can look beyond the speculation commonly hyped by the media.
To date, Secunia Research at Flexera has issued more than 35 vulnerability intelligence advisories linked to Spectre/Meltdown, and most were scored below “Moderately Critical” (criticality scores of 1 to 3 out of a maximum of 5). This suggests that while the Spectre/Meltdown vulnerabilities are important, other, more critical unpatched vulnerabilities already present in the environment could pose a more immediate threat.
Once CIOs have an accurate understanding of the risk to their environments, they can put common-sense, risk-based remediation plans in place, prioritizing the most serious risks and allocating scarce IT resources accordingly.
“Because of its massive scale, Spectre/Meltdown has dominated the headlines for the last couple weeks. But prudent CIOs shouldn’t take their eye off the ball,” said Lindgaard. “By identifying the vulnerabilities that could pose the greatest harm and prioritizing remediation efforts to those first, organizations can most efficiently and cost effectively minimize risk.”
With risk and prioritization established, organizations should then apply patches with an emphasis on testing in controlled environments. Using established processes and tools to identify possible unintended consequences lets teams understand ahead of time the potential performance hits and compatibility issues of a patch.
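The three steps above (determine criticality, prioritize by it rather than by hype, then route patches through controlled testing) can be expressed as a small prioritization routine. The following is an added example, not Flexera or Secunia code: it uses only the 1 to 5 criticality scale the release describes; the advisory records, identifiers, field names, tie-break ordering (remote exposure before local, patched-and-actionable before unpatched) and the Spectre/Meltdown score of 2 are constructed or assumed for illustration.

```python
from dataclasses import dataclass

# Criticality scale from the release: 1 (lowest) to 5 (highest);
# the release names "Moderately Critical" as the score-3 level.
MODERATELY_CRITICAL = 3
VECTOR_RANK = {"remote": 0, "local": 1}  # assumed tie-break: remote exposure first


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # constructed identifier, not a real Secunia advisory number
    product: str
    criticality: int      # verified criticality, 1..5
    attack_vector: str    # "remote" or "local"
    patch_available: bool
    in_headlines: bool    # media attention: recorded, but never used for ranking
    cves: tuple = ()


def validate(adv):
    """Reject records that fall outside the documented scale or vector set."""
    if not 1 <= adv.criticality <= 5:
        raise ValueError(f"{adv.advisory_id}: criticality {adv.criticality} outside 1..5")
    if adv.attack_vector not in VECTOR_RANK:
        raise ValueError(f"{adv.advisory_id}: unknown attack vector {adv.attack_vector!r}")
    return adv


def priority_key(adv):
    # Higher verified criticality first, then remote before local, then
    # advisories with a vendor patch (actionable now) before those without.
    return (-adv.criticality, VECTOR_RANK[adv.attack_vector],
            not adv.patch_available, adv.advisory_id)


def remediation_queue(advisories):
    """Order advisories by criticality-based priority; headline status is ignored."""
    return sorted((validate(a) for a in advisories), key=priority_key)


def next_action(adv):
    # Step 3 of the release: a patch goes to a controlled test environment first;
    # without a vendor patch the item stays queued pending vendor guidance.
    if adv.patch_available:
        return "stage patch in controlled test environment"
    return "no vendor patch yet: apply vendor workaround, re-check advisory"


def remediation_plan(advisories):
    return [(a.advisory_id, a.criticality, next_action(a))
            for a in remediation_queue(advisories)]


def outranked_headline_items(advisories):
    """Headline vulnerabilities that rank below at least one non-headline advisory."""
    queue = remediation_queue(advisories)
    return [adv.advisory_id for i, adv in enumerate(queue)
            if adv.in_headlines and any(not o.in_headlines for o in queue[:i])]


# Constructed sample advisories (not real Secunia data); only the three
# Spectre/Meltdown CVE identifiers come from the release.
SAMPLE = [
    Advisory("SA-EX-001", "CPU speculative execution", 2, "local", True, True,
             ("CVE-2017-5754", "CVE-2017-5753", "CVE-2017-5715")),
    Advisory("SA-EX-002", "internet-facing web framework", 5, "remote", True, False),
    Advisory("SA-EX-003", "file server", 4, "remote", False, False),
    Advisory("SA-EX-004", "desktop PDF reader", 4, "remote", True, False),
    Advisory("SA-EX-005", "local print spooler", 3, "local", True, False),
]

if __name__ == "__main__":
    for row in remediation_plan(SAMPLE):
        print(*row, sep=" | ")
    print("headline items outranked by quieter advisories:",
          outranked_headline_items(SAMPLE))
```

On the constructed sample the headline item (criticality 2) lands at the bottom of the queue behind four quieter advisories, which is the point the release makes: the ranking input is the verified score, and media attention is carried along only so a team can explain to stakeholders why the famous vulnerability is not first in line.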
“Patching is essential to reduce the attack surface, but it must be done prudently and with an understanding ahead of time of potential impacts on system performance and stability,” added Lindgaard. “Mitigation should happen carefully and conservatively, with a focus on risk-based models.”
Download the Vulnerability Review 2017
Flexera is reimagining the way software is bought, sold, managed and secured. We view the software industry as a supply chain, and make the business of buying and selling software and technology asset data more profitable, secure, and effective. Our Monetization and Security solutions help software sellers transform their business models, grow recurring revenues and minimize open source risk. Our Vulnerability and Software Asset Management (SAM) solutions strip waste and unpredictability out of procuring software, helping companies buy only the software and cloud services they need, manage what they have, and reduce compliance and security risk. Powering these solutions and the entire software supply chain, Flexera has built the world’s largest and most comprehensive repository of market intelligence on technology assets. In business for 30+ years, our 1200+ employees are passionate about helping our 80,000+ customers generate millions in ROI every year. Visit us at www.flexera.com.
About Secunia Research at Flexera
Secunia Research at Flexera is a research team with globally recognized expertise in discovering, verifying, testing, validating and documenting vulnerabilities on tens of thousands of applications and systems. Our experts work under strict ethical guidelines and collaborate with the research community and software producers to guarantee the quality of the vulnerability information we document.
*All third-party trademarks are the property of their respective owners.