Here's how to remediate Meltdown/Spectre with BSA.
(For how to do this with SecOps Response Service / Threat Director, see: Remediate Meltdown and Spectre with SecOps Response.)
First, you'll need a current Windows or Linux Patch Catalog. For the purposes of this discussion, I'll focus on Windows, but doing this under Linux is just as easy: swap out the catalog type, and the Analysis job is just the same.
My catalogs update at least every week, and this week, I've been updating every day, as there have been a number of changes to these patches. I also get automated notifications from Ivanti/Shavlik to let me know when there are updated patches and vulnerabilities, and I'll sometimes update the catalogs right after I get one of those, in a week when we've got a new high-profile vulnerability.
As you can see, we got 9 new MS Bulletins in the last 3 days, and 133 new hotfixes, with updates to many more of each. Great, we can spot check, but this should cover the latest fixes we've been reading about everywhere.
Now, let's go build a targeted policy, or patch smart group, that will let us focus our efforts on just these fixes. Regular patching is being executed on a periodic basis, and we're all following best practices there already, right?
Let's find our favorite production Windows Patch Catalog, right-click it, and choose New -> Patch Catalog Smart Group.
Let's give it a name (I called mine "Meltdown - Spectre Checks") and create it as a filter of Hotfix objects, where CVE_ID "is one of" a list of the three key CVE-IDs: CVE-2017-5751, CVE-2017-5753, and CVE-2017-5715.
The "is one of" operator makes it really easy to have a focused list in a single line in a Patch Smart Group.
Note that this Patch Smart Group now lists a range of useful patches for addressing this vulnerability:
Now we create a Patch Analysis Job like we would for any other task, and go find out what our exposure is:
Building a Patch Analysis Job (PAJ) is like any other, it needs a name, somewhere to live, and a set of servers to act on:
Note that the job automatically includes the Meltdown - Spectre Checks Patch Smart Group, since we created it via right-click:
Since we're highly motivated to close these as soon as possible, I'm going to ask BSA to create remediation objects (packages and a job to deploy them) from the start.
Note that I can use any existing Server Groups, including Smart Groups based on CMDB or other server properties, including Environment, Location, related Business Services, etc. I can also pick individual servers, or populate a group or job based on an external list of hosts, like you might get from an existing change management request.
There are options to notify the relevant team, but I'm going to click "Execute Job Now" so it can get rolling.
Once our Patching Analysis completes, it should show whether any hosts are missing the hotfixes:
Now it has downloaded and packaged these hotfixes, and is ready to deploy at any time, including after an approved change control!
You can then either execute the deployment or schedule it, and afterward re-run the patch analysis and observe that the patch is now applied and the vulnerability closed!
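To make the logic of the workflow above concrete, here is an added example (my own constructed model, not BSA code or BSA's data model) that walks the same cycle in plain Python: a smart group that keeps hotfixes whose CVE_ID "is one of" the target list, a patch analysis that reports which hosts are missing applicable hotfixes, a deployment, and a re-run of the analysis. The catalog entries, KB identifiers, product names and hostnames are all constructed placeholders.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Hotfix:
    """One catalog entry. Identifiers below are constructed placeholders."""
    kb: str
    cve_ids: frozenset
    products: frozenset


@dataclass
class Host:
    """A managed server with the hotfixes it currently reports as installed."""
    name: str
    product: str
    installed_kbs: set = field(default_factory=set)


# The three CVE-IDs entered in the smart group filter on the page.
TARGET_CVES = frozenset({"CVE-2017-5751", "CVE-2017-5753", "CVE-2017-5715"})

# Constructed catalog: KB numbers and product names are placeholders, not
# real Microsoft hotfix identifiers.
CATALOG = [
    Hotfix("KB-EXAMPLE-1", frozenset({"CVE-2017-5753", "CVE-2017-5715"}),
           frozenset({"Windows Server 2016"})),
    Hotfix("KB-EXAMPLE-2", frozenset({"CVE-2017-5751"}),
           frozenset({"Windows Server 2012 R2"})),
    Hotfix("KB-EXAMPLE-3", frozenset({"CVE-2017-0144"}),      # unrelated fix
           frozenset({"Windows Server 2016"})),
]

# Constructed server group: three hosts, one already patched.
HOSTS = [
    Host("web01", "Windows Server 2016", {"KB-EXAMPLE-1"}),
    Host("db01", "Windows Server 2016"),
    Host("app01", "Windows Server 2012 R2"),
]


def smart_group(catalog, cves):
    """'CVE_ID is one of <list>': keep any hotfix that addresses at least one
    CVE in the list. A set intersection is the whole filter."""
    return [h for h in catalog if h.cve_ids & cves]


def analyze(hosts, group):
    """Patch analysis: for each host, the applicable hotfixes from the smart
    group that are not yet installed (the 'exposure' view)."""
    return {
        host.name: sorted(
            h.kb for h in group
            if host.product in h.products and h.kb not in host.installed_kbs
        )
        for host in hosts
    }


def deploy(hosts, report):
    """Remediation: apply every missing hotfix the analysis reported."""
    by_name = {h.name: h for h in hosts}
    for name, kbs in report.items():
        by_name[name].installed_kbs.update(kbs)


def run():
    """Full cycle: build the group, analyze, deploy, re-analyze."""
    group = smart_group(CATALOG, TARGET_CVES)
    before = analyze(HOSTS, group)
    deploy(HOSTS, before)
    after = analyze(HOSTS, group)
    return before, after


if __name__ == "__main__":
    before, after = run()
    for name in before:
        print(f"{name}: missing before={before[name]} after={after[name]}")
```

The point worth noticing is that the unrelated hotfix never enters the group, and that a host is only reported as exposed for hotfixes that apply to its product; a second analysis after deployment is what confirms closure, exactly as the page describes.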
Check status in the Live Dashboards in real time, and for reporting purposes.
Until next time!