Planning for Security Vulnerabilities in Drivers and Firmware

Modern computing has brought significant benefits that help businesses develop new markets and innovative new products. But organizations are also experiencing an increasing number of security vulnerabilities as hackers become more sophisticated. Updating lower-level drivers and firmware, and accelerating the response to known issues can help mitigate these security risks. Driver and firmware dependencies are more intricate than ever, and OEMs are not able to test every scenario in every environment.

At Intel, we manage over 300 individual drivers across more than 30 platforms. Simply updating drivers and firmware without fully understanding application dependencies can sometimes create additional problems and degrade the user experience. Intel IT has established a Gold Standard configuration and a process for driver and firmware maintenance to help keep our environment up to date and secure. When we encounter critical vulnerabilities, we can now accelerate our existing process without overlooking important dependencies. Read the IT@Intel White Paper, “Developing a Gold Standard for Driver and Firmware Maintenance.”

Mitigating Complex TPM Vulnerabilities

Our Gold Standard configuration and the process for updating drivers and firmware include identifying prerequisites, a defined technical approach to testing and deployment, as well as change management and communication. When facing critical security vulnerabilities, we use an accelerated version of this process to ensure we do not skip important steps and that we deliver the same level of customer service and enterprise security as we would with any normal planned driver or firmware updates.

Like many other organizations, Intel recently experienced a Trusted Platform Module (TPM) vulnerability in our environment affecting up to 55,000 devices. TPM is a widely used code library that is integral to the encryption-key and certification processes that protect our intellectual property. The weakness opened opportunities for attackers to bypass critical protections. This critical vulnerability demanded a rapid response.

Understandably, Intel IT initiated critical incident response to deploy the patch update as quickly as possible. By accelerating our existing process, including identifying prerequisites, testing, and engaging the incident response team, we discovered additional dependencies within our infrastructure. We learned that deploying the patch could interfere with some important applications when remediated in specific ways—resulting in a significant loss in productivity for Intel. Using our defined process, we were able to accelerate the timeline and develop an end-to-end pre- and post-configuration with additional scripts to prevent the problem.

[Figure: Avoiding critical security vulnerabilities through the Critical Response Process]

Our critical response process includes the following:

  • Risk analysis. We analyze and evaluate known vulnerabilities to determine the risks to Intel and identify the best approach to mitigate them. We examine the impact of the patch on our users, and work with our OEMs and security teams to speed updates.
  • Velocity. We use an agile release process to quickly evaluate the health of a package before releasing it. Depending on the severity of the issue, we define levels of velocity to manage critical updates with an accelerated approach using the steps that we use for planned updates. Regardless of severity, we identify prerequisites, conduct testing, determine sequencing, and communicate with technical support, as well as the users.
  • Dependency mapping. We map dependent drivers and firmware, then sequence the updates before we deploy. We also bundle patches to ensure that all dependencies are handled and in the correct order.
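The dependency mapping and bundling step above can be made mechanical. The following is an added example, not code from Intel or the white paper: it takes a constructed inventory of update packages with their prerequisites and pre-/post-configuration steps (hypothetical placeholder names), expands a requested bundle to include every transitive prerequisite, and orders the deployment so each prerequisite lands first, refusing an inconsistent (circular or unmapped) dependency map rather than deploying it.

```python
from graphlib import CycleError, TopologicalSorter

# Constructed inventory of update packages and the packages each must follow.
# Names and steps are hypothetical placeholders, not Intel's actual packages.
PACKAGES = {
    "chipset-driver": {"requires": set(), "pre": [], "post": []},
    "me-firmware": {"requires": {"chipset-driver"}, "pre": [], "post": ["reboot"]},
    "tpm-firmware": {
        "requires": {"me-firmware"},
        "pre": ["run-pre-config-script"],
        "post": ["run-post-config-script", "reboot"],
    },
    "endpoint-agent": {"requires": {"tpm-firmware"}, "pre": [], "post": []},
}


def closure(packages, requested):
    """Expand the requested package names to include every transitive prerequisite."""
    seen, stack = set(), list(requested)
    while stack:
        name = stack.pop()
        if name not in packages:
            raise ValueError(f"unmapped prerequisite: {name}")
        if name not in seen:
            seen.add(name)
            stack.extend(packages[name]["requires"])
    return seen


def bundle(packages, requested):
    """Return the deployment sequence for a bundle as a list of
    (package, pre_steps, post_steps), with every prerequisite ahead of the
    package that needs it. A circular mapping raises ValueError."""
    members = closure(packages, requested)
    graph = {name: packages[name]["requires"] & members for name in members}
    try:
        order = list(TopologicalSorter(graph).static_order())
    except CycleError as exc:
        raise ValueError(f"circular dependency among: {exc.args[1]}") from exc
    return [(n, packages[n]["pre"], packages[n]["post"]) for n in order]


if __name__ == "__main__":
    # Requesting only the TPM firmware pulls in its prerequisites, in order.
    for name, pre, post in bundle(PACKAGES, {"tpm-firmware"}):
        print(f"{name}: pre={pre} post={post}")
```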

At Intel, we have learned through experience. Our Gold Standard configuration uses the same process whether a driver or firmware deployment is a planned upgrade or a response to a critical security vulnerability. This approach saved Intel from a potential loss in productivity and preserved the user experience and service levels our employees expect.
