Alternatives to patching for Meltdown & Spectre

Are there any other mitigation measures besides the usual 3 patching steps below for Meltdown & Spectre?

3-step approach (physical servers):
- A registry key has to be applied (manually, via GPO, SCCM or via the AV program)
- A patch from Microsoft has to be applied
- A BIOS/firmware update has to be executed

We are concerned about the performance impact: I heard it's the BIOS/firmware update that will cause the performance impact.

Is it fair to say that only servers in the DMZ (directly facing the Internet) run a much higher risk of data leakage/loss compared to servers (in the internal/backend zone) that have no Internet connectivity?

Does anyone know if the McAfee NIDS (Network IPS) appliance has a signature to mitigate this, or whether DLP (we have a Codegreen network DLP appliance) can help prevent such data loss/leakage?
sunhux asked:
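As an added example that is not part of the thread: a read-only PowerShell check of the first two steps (the antivirus compatibility key and the Windows mitigation switch) on a Windows server, with the firmware step reported through Microsoft's SpeculationControl module if it is installed. The registry paths and values are the ones Microsoft documented for these updates (KB4072698 for the server switch, KB4072699 for the antivirus compatibility key); the output wording and the helper function are my own.

```powershell
# Added example (not from the thread): read-only status check of the Windows side of the
# three-step mitigation. Run in an elevated PowerShell session; nothing is modified.
$mm    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$qc    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$avKey = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # DWORD the AV vendor (or admin) sets

# Hypothetical helper: returns the DWORD value or $null when path/value is absent.
function Get-RegDword($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Step 1: the compatibility key the question calls "a registry key ... via AV program".
# Without it, Windows Update did not offer the January 2018 fixes to the machine.
$compat = Get-RegDword $qc $avKey
"AV compatibility key present : $(if ($null -ne $compat) {'yes'} else {'NO - update not offered'})"

# Step 2: whether the OS-level mitigations are switched on. On Windows Server they are
# disabled by default; Override=0 with Mask=3 enables both (per KB4072698).
$override = Get-RegDword $mm 'FeatureSettingsOverride'
$mask     = Get-RegDword $mm 'FeatureSettingsOverrideMask'
"FeatureSettingsOverride      : $override"
"FeatureSettingsOverrideMask  : $mask"
if ($null -eq $override -or $null -eq $mask) {
    "Server mitigations           : not enabled (values absent)"
} elseif ($override -eq 0 -and $mask -eq 3) {
    "Server mitigations           : enabled"
} else {
    "Server mitigations           : custom setting, compare against KB4072698"
}

# Step 3 (firmware): the SpeculationControl module reports whether the CPU microcode that
# the BIOS update delivers is present. Install it first with: Install-Module SpeculationControl
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    $s = Get-SpeculationControlSettings
    "BTI hardware support         : $($s.BTIHardwarePresent)  (False => BIOS/microcode still missing)"
    "BTI OS support enabled       : $($s.BTIWindowsSupportEnabled)"
    "KVA shadow (Meltdown) enabled: $($s.KVAShadowWindowsSupportEnabled)"
} else {
    "SpeculationControl module not installed; skipping the microcode check"
}
```

Because the question's internal team was told to hold the Dell firmware until a corrected release, the BTI hardware line is the one to re-run after that BIOS update lands; the first two lines can be confirmed now.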

John (Business Consultant, Owner) commented:
The latter two (Windows patch and BIOS upgrade) are the only practical way to mitigate this threat. I don't know if the registry patch is needed for all servers. I don't think so.

We have not seen much about performance drops, so I am not sure how prevalent this is.
0
dbrunton commented:
Performance drops vary depending on computer usage. You won't know until you do benchmark testing/measuring, before and after the patches are applied.

Standard desktops look like about a 2% drop. Some servers have reports of up to about 30%. (I believe that was Epic Games.)

High drops (like the 30%) seem to be due to high I/O (hard disk access, network traffic) which would apply in the Epic Games example.

But get some figures for your servers first before you apply the patches and then measure afterwards.

I'd be cautious about applying the BIOS patch. Intel stuffed it up the first time they released it and I would not want to rush in applying it. See if you can find out whether others have applied it to a server similar to yours and whether they had problems.
0
sunhux (Author) commented:
Just found out from our internal team that they're specifically concerned with Dell's firmware/BIOS update, as Dell has advised not to apply the firmware update that they had released but to wait for another one; so if we only apply the MS Windows patch, is this sufficient to mitigate for the time being?

http://www.dell.com/support/article/sg/en/sgdhs1/sln308588/microprocessor-side-channel-vulnerabilities-cve-2017-5715-cve-2017-5753-cve-2017-5754-impact-on-dell-emc-products-dell-enterprise-servers-storage-and-networking-?lang=en

http://www.dell.com/support/article/sg/en/sgdhs1/sln308587/microprocessor-side-channel-vulnerabilities-cve-2017-5715-cve-2017-5753-cve-2017-5754-impact-on-dell-products?lang=en
0

John (Business Consultant, Owner) commented:
Dell has advised not to apply the firmware update that they had released but wait for another one; so if
we only apply the MS Windows patch : is this sufficient to mitigate for the time being?

Yes. So long as you patch Windows, that helps. Then update the BIOS when Dell has a good release.
0
dbrunton commented:
Your internal team may wish to have a look at https://arstechnica.com/gadgets/2018/03/microsoft-will-soon-start-shipping-the-intel-spectre-microcode-fixes/

I don't know if it will apply to your servers.
0
btan (Exec Consultant) commented:
Anyone know if McAfee NIDS (Network IPS) appliance has signature to mitigate or DLP (we have Codegreen
network DLP appliance) can help prevent such data loss/leakage?
You cannot detect these hardware-based vulnerabilities, though you can still maintain the NIPS and NDLP controls to reduce the risk. Instead, the safeguard is to protect your security devices from being exploited, so patch them early too - note that McAfee NSP (NIPS) is vulnerable too. You should check the Codegreen appliance too. https://kc.mcafee.com/corporate/index?page=content&id=KB90206&actp=null&viewlocale=en_US&showDraft=false&platinum_status=false&locale=en_US
0