Looking for Vulnerabilities Below the OS? Check Out Intel® Device Health (201)

Camille Morhardt  00:12

Hi, and welcome to today’s InTechnology podcast. I’m Camille Morhardt, your host. And today’s topic is endpoint vulnerability management beneath the OS, very specific. And for that very specific topic, I have Novin Kaihani, who is GM of Intel’s Client Software Products Group. Welcome, Novin.

Novin Kaihani  00:33

Thanks for having me.

Camille Morhardt  00:34

So we’re just going to come right out and say you announced a product late last year in 2023 that addresses vulnerability management in endpoints, which are things like PCs underneath the operating system layer. But before we talk about the product, why would you be looking beneath the operating system? Isn’t that already happening?

Novin Kaihani  00:57

Yeah, great question. So much of what we see out there is around application OS vulnerabilities that are covered today; there’s quite a few vulnerability management services and companies focused in this space–it’s a core piece of, you know, the security posture of an IT organization. But that is only half of the stack,  OS and below don’t really get covered very well in the market today because it’s difficult to identify vulnerabilities with firmware, microcode, drivers, there’s all different versions, different packages of BIOS, it’s complex. And so what you see a lot in the market is OS and above because it’s relatively straightforward and included in many of the security solutions out there.

So what we’ve done is, “Hey, there’s an area that’s uncovered in the market and we have to make sure that the security posture of our endpoints is increased” and making sure that the full stack is covered.

Camille Morhardt  02:04

So you’re doing this in partnership, Intel is doing this in partnership with another company.

Novin Kaihani  02:10

That’s right. So we announced late last year a partnership with a company called Eclypsium. And what we’ve done is we have a service where we make it easy to identify security vulnerabilities below the OS in the wild, and we highlight those vulnerabilities to Eclypsium’s product that ensures identification and ultimately patching or remediation of those vulnerabilities. Because that’s at the end of the day what IT cares about is that they’re plugging those security holes throughout their entire stack. So we’ve just made it easy to identify those vulnerabilities in the wild.

Camille Morhardt  02:53

Because it’s below the OS, so is that happening, like at the chip level or the firmware level? Or can you not say, and it becomes unsafe? (laughs)

Novin Kaihani  03:04

So what we do is we identify what are the vulnerabilities below the OS, but we do it at the OS level. So we ensure that we can read platform information, understand, say, what versions of microcode, BIOS, firmware, drivers exist on the platform, we scan that platform data against our vulnerability database, and then signal those vulnerabilities to companies like Eclypsium to be remediated.

Now I will say, it sounds pretty straightforward. The challenge is identifying those vulnerabilities in the wild. Much of what exists out there is basically websites that catalogue, what vulnerabilities exist, but identifying those correctly between what’s published and what exists on a very specific endpoint, that’s the hard part.

Camille Morhardt  04:00

So you’re going through, is it called CVE? if I’m remembering correctly.

Novin Kaihani  04:06

You got it!

Camille Morhardt  04:07

All right. (laughs) I get my gold star for today. So there’s published known vulnerabilities that are made public and these would be like libraries of vulnerabilities, doesn’t mean they’ve been exploited doesn’t mean, there’s been an actual problem on your system, it just means the world has now become aware of this vulnerability.  And you’re going through the libraries and cross checking that with what the actual system is, and whether or not it’s maybe been patched or I don’t know, what are you cross checking it with?

Novin Kaihani  04:40

Yeah, so we have a whole team of engineers that actually work to convert those CVEs into something that is machine readable or developer friendly, however you want to think about it; because there is what is published, but what actual devices and different versions of again, driver, microcode, firmware exist, that rule set is what is very difficult to actually create and then match against a specific endpoint. And so it’s not enough to have as part of a vulnerability management system a catalog of CVEs; that’s published.  The challenging part is actually finding that vulnerability on a specific endpoint against a rule set that those CVEs represent.

Camille Morhardt  05:34

Is this something that you do in an automated fashion? Or are there engineers actually doing this manually?

Novin Kaihani  05:43

Yeah, so the rule set is both manual and automated, but I would say probably more heavily towards manual as they are cross checking all the different versions of say BIOS and how those BIOS versions get manifested into actual packages that land on an endpoint. They’re going through that entire rule set so that they ensure that there’s no false negatives, false positives, when a particular system gets scanned–that they are actually determining a specific vulnerability that may exist on that device.

Camille Morhardt  06:22

And is this basically designed for, like, an enterprise-level IT department or inventory, or we’re talking consumer-level?

Novin Kaihani  06:33

It’s meant for IT organizations or businesses of all sizes, really, because they are ones that are most at risk and have the most to lose if a particular vulnerability is exploited. And so we want to make sure that it’s as seamless of an experience for IT an organization. So it’s not a separate tool that you go download or install; it’s built into the security products that they have today. And that’s part of what we’ve done behind the scenes with our partnerships is to make sure that we are providing that capability to the security solutions that IT depends on so that it’s built into those products, again, so they’re not having to download or install or maintain a separate application just for below the OS vulnerabilities.

Camille Morhardt  07:25

Makes sense. And this is specifically for the PC, correct? Not other forms of endpoints?

Novin Kaihani  07:30

That’s right.

Camille Morhardt  07:31

And so it’s a V Pro?

Novin Kaihani  07:33

Actually, it’s all the Intel PCs–V Pro, and any commercial device that this service would be applicable to.

Camille Morhardt  07:42

Anything else we should know about it?

Novin Kaihani  07:45

We’re super excited. I know security is one of those areas that it takes a special person to get excited about. But the reason why we think it’s important is at the end of the day, the more we can do to increase somebody’s security posture, the better off the entire industry is.

Camille Morhardt  08:03

Thank you, Novin. And we have some links below for anybody who might want to follow up and learn a bit more.

Novin Kaihani  08:09

Thanks for having me.

The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.