Using Splunk to look for Spectre and Meltdown security breaches

Meltdown and Spectre are two security vulnerabilities that are currently impacting millions of businesses all over the world. Since the news broke about the flaw in Intel processor chips that opened the door to once-secure information, companies have been bulking up their system security and implementing patches to prevent a breach.
Want to make sure your system is protected from the recent outbreak of Spectre and Meltdown? One of our Splunk Architects, Andy Erskine, explains one of the ways JDS can leverage Splunk Enterprise Security to check that your environment has been successfully patched.
What are Spectre and Meltdown and what do I need to do?
According to the researchers who discovered the vulnerabilities, Spectre “breaks the isolation between different applications”, which allows attackers to expose data that was previously considered secure. Meltdown “breaks the most fundamental isolation between user applications and the operating system”.
Neither attack requires a software vulnerability in the targeted application to be carried out. Labelled “side channel attacks”, they are not tied to a particular operating system: they use hardware side channels to read the contents of memory that should be inaccessible.
The best way to lower the risk of your business’s sensitive information being hacked is to apply the newly created software patches as soon as possible.
Identifying affected systems
Operating system vendors are forgoing regular patch release cycles and publishing operating system patches to address this issue.
Tools such as Nessus/Tenable, Qualys, Tripwire IP360, etc. regularly scan environments for vulnerabilities such as this and can identify affected systems by checking whether the newly released patches are installed.
Each plugin created for the Spectre and Meltdown vulnerabilities will be marked with at least one of the following CVEs:
Spectre:
CVE-2017-5753: bounds check bypass
CVE-2017-5715: branch target injection
Meltdown:
CVE-2017-5754: rogue data cache load
To analyse whether your environment has been successfully patched, you would want to ingest data from these traditional vulnerability management tools and present the data in Splunk Enterprise Security.
Most of these tools have a Splunk app that brings the data in and maps it to the Common Information Model. From there, you can search for the specific CVEs associated with Spectre and Meltdown.
Once the data is coming into Splunk, we can create a search that discovers vulnerable instances in your environment, proactively notifies on them, and makes them a priority for patching.
Here is an example search that customers using Splunk Enterprise Security can use to identify vulnerable endpoints:
tag=vulnerability (cve="CVE-2017-5753" OR cve="CVE-2017-5715" OR cve="CVE-2017-5754") | table src cve pluginName first_found last_found last_fixed | dedup src | fillnull value=NOT_FIXED last_fixed | search last_fixed=NOT_FIXED | stats count as total
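As an added, stand-alone example (not part of the original post, nor JDS or Splunk code), the following Python mirrors that search pipeline over a few constructed CIM-style vulnerability events, and adds a per-host view that does not depend on which event dedup src happens to keep. The field names src, cve, pluginName and last_fixed are taken from the search; the sample hosts and dates are constructed.

```python
"""Offline mirror of the Spectre/Meltdown vulnerability search above."""
from collections import OrderedDict

SPECTRE_MELTDOWN_CVES = {"CVE-2017-5753", "CVE-2017-5715", "CVE-2017-5754"}
NOT_FIXED = "NOT_FIXED"

# Constructed sample events, listed in the order the search would return them.
# An empty last_fixed stands in for a null field in Splunk.
SAMPLE_EVENTS = [
    {"src": "web01", "cve": "CVE-2017-5754", "pluginName": "Meltdown check", "last_fixed": ""},
    {"src": "web01", "cve": "CVE-2017-5715", "pluginName": "Spectre check", "last_fixed": "2018-01-10"},
    {"src": "db01", "cve": "CVE-2017-5753", "pluginName": "Spectre check", "last_fixed": "2018-01-09"},
    {"src": "db01", "cve": "CVE-2017-5754", "pluginName": "Meltdown check", "last_fixed": ""},
    {"src": "app02", "cve": "CVE-2017-5715", "pluginName": "Spectre check", "last_fixed": ""},
    {"src": "app02", "cve": "CVE-2014-0160", "pluginName": "Heartbleed check", "last_fixed": ""},
]


def search_as_written(events):
    """Step-for-step equivalent of the SPL: cve filter, dedup src (keeps the
    first event per host), fillnull, search last_fixed=NOT_FIXED.
    Returns the hosts that 'stats count as total' would count."""
    matched = [e for e in events if e["cve"] in SPECTRE_MELTDOWN_CVES]
    first_per_host = OrderedDict()
    for e in matched:
        first_per_host.setdefault(e["src"], e)  # dedup src: first occurrence wins
    return [
        e["src"]
        for e in first_per_host.values()
        if (e.get("last_fixed") or NOT_FIXED) == NOT_FIXED  # fillnull + search
    ]


def hosts_with_any_unfixed(events):
    """Stricter view: a host is vulnerable if ANY of the three CVEs still has
    no last_fixed, regardless of event ordering."""
    by_host = {}
    for e in events:
        if e["cve"] in SPECTRE_MELTDOWN_CVES and not e.get("last_fixed"):
            by_host.setdefault(e["src"], set()).add(e["cve"])
    return {host: sorted(cves) for host, cves in by_host.items()}


if __name__ == "__main__":
    print("search as written:", search_as_written(SAMPLE_EVENTS))
    print("any unfixed CVE:  ", hosts_with_any_unfixed(SAMPLE_EVENTS))
```

On the constructed data db01 is missed by the search as written, because dedup src keeps its first (already fixed) Spectre event and discards the unfixed Meltdown one; the per-host view reports it.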
Example Dashboard Mock-Up
JDS consultants are experts in IT security and proud partners with Splunk. If you are looking for advice from the experts to implement or enhance Splunk Enterprise Security or any other Splunk solution, get in touch with us today.
Conclusion
To find out more about how JDS can help you with your security needs, contact our team today on 1300 780 432, or email [email protected].