CRN Exclusive: Cisco Earns Top Ratings For Response To Spectre, Meltdown Security Crisis

In the days after the Spectre and Meltdown bugs hit the news, Faisal Bhutto, vice president of corporate strategy at Computex, a solution provider in Houston, was struck by the level of confusion in the market.

"The fact is there's no easy fix, and in the first couple of days there was a lot of noise in the market, a lot of confusion in the market," Bhutto said. But as far as Computex's Cisco customers were concerned, the bugs and the strategies for handling them were not a big deal thanks to the networking giant's focused, fast-moving and complete response to the chip vulnerabilities.

"They did a bang-up job, and we were able to get customers aware of what's happening and calm their nerves," Bhutto said.

[Read on: CRN's coverage of the Spectre and Meltdown Response]

In a recent CRN survey of solution providers, Cisco earned top marks among hardware vendors for its response to the Spectre and Meltdown vulnerability discovery; it scored better than bested other industry titans like IBM, HPE, and Dell EMC.

CRN conducted an online poll of 190 members of the CRN Channel Intelligence Council, a panel of solution providers representing the broad channel ecosystem in North America. In the survey, solution providers ranked the vendor responses to the Spectre and Meltdown vulnerability issue on a scale of 1 to 5, with 5 being the top mark, or "excellent."

Cisco scored a mean rating of 3.66 out of five in the survey, which asked solution providers currently involved with the vendor to score vendors' technical, patching, support service and partner communication in the wake of the Spectre and Meltdown bugs. IBM scored 3.58 in the survey, while HPE scored 3.57 and Dell EMC scored 3.57. Lenovo scored 3.55. HP Inc. scored 3.54 and Apple scored 3.47. NetApp scored 3.28.

"The major manufacturers we work with – Cisco, HPE, Dell EMC – they're all world-class organizations, but the engagement we had with [Cisco's] data center team sets them apart," Bhutto said. "When it comes to field engagement, it's not just newsletters and blogs," he said. "That content is there, but at the end of the day, a phone call, a Spark message is more enriching, and that's what stands out."

The Spectre and Meltdown bugs affected CPUs industry-wide, prompting Cisco to issue security advisories covering dozens of products, including UCS servers. Cisco's response, Bhutto said, is helped by the fact that its channel-focused engineers act as specialists rather than generalists.

"We do a lot of UCS business, and you have engineers who are focused on a particular architecture," Bhutto said. "There's a concentrated effort of assigning partner engineers. That's helped, and you could see the results when Spectre and Meltdown happened. For all of our customers who are UCS clients, it was fairly easy."

Close communication and focused engineering expertise have enabled Computex to calm customers and provide clear, comprehensive advice, Bhutto said.

"We held education sessions with each large customer of ours," Bhutto said. "We give them a breakdown, and we assigned three of our experts on data center to put together a very concise summary and present it to customers, and that was a huge help. It's about continual education, making sure customers take care of patches and have a disciplined patching cycle. This is a problem you don't solve overnight, but we had enough data to begin communicating with customers right away."

The relative ease with which Cisco partners and customers have been able to confront Spectre and Meltdown is the result of the vendor's massive efforts behind the scenes. Cisco's Product Security Incident Response Team [PSIRT] has global reach and includes more than 20 incident managers. A minimum of two engineers handles every reported incident. The team supports every single Cisco product.

The team includes analysts whose only job is to look for third-party software vulnerabilities, and that group publishes more than 150 reports every week.

"For Spectre and Meltdown, they affected CPUs for general purpose computing, so UCS devices were affected," said Omar Santos, PSIRT's principal engineer. "We created code even before there was a patch created for those systems. It was a no-brainer that we had to respond and respond very quickly. We worked behind the scenes to make sure whatever microcode we created worked with those systems. There's a lot of interdependencies, a lot of multi-party coordination that we take into consideration."

It's important, Santos said, that whatever tools and education Cisco provides scales easily so customers and partners can quickly and completely consume it. Cisco is also more than willing to get hands-on with partners and customers when a vulnerability surfaces.

"In a lot of cases, we have sent people on site to a partner or to a customer directly to help at least assess the impact," Santos said. "We do have a very strong channel partner community. We try to train the trainer so they are somewhat self-sufficient. We have gone to customers sites and partner sites to help with that. We also try to accelerate and automate a lot of the process. When it comes to large customers, say a service provider that might have 1.5 million devices that might be impacted by one of these things, it's a significant task."

"In some of our strategic partners, we have people who handle that relationship, or a team," Santos said. "We work very closely with resellers. They understand their customers' environments. In a lot of cases, we have experts within Cisco, so if they have to deal with regulations or something like that, they can help. Patch management is always going to be there."

Still, Spectre and Meltdown are a little different in that they involve a complex web of vendors and circumstances. The bugs, Santos said, illuminate one of the industry's key challenges: coordination between technology vendors when incidents occur. Santos has played a key part in developing the OASIS Common Security Advisory Framework, a system that aims to accelerate the exam of vulnerabilities, to build those exam capabilities into products, create code to combat those vulnerabilities and hasten disclosure.

"As an industry, we have to evolve a lot better when it comes to multi-vendor coordination," Santos said. "Look at any third-party software vulnerability. It takes effort and time between discovery and when the end user gets a patch. Not just weeks or months, but maybe years. Some may never get a patch. The products that the Ciscos and other vendors have to wait for that patch. Other downstream vendors also have to patch. Weeks become months and years – the way we're sharing information and patching we do need to modernize."

"My team is trying to come up with best practices on how multi-party coordination should take place," Santos said. "We come up with innovative things to do better vulnerability management. We learned about Spectre and Meltdown later in the game, but we were able to alleviate it quickly."

New study finds intermittent fasting could help weight loss, hypertension and mood

Watch CBS News

A new study published in the JAMA Internal Medicine found eating only between the hours of 7 a.m. and 3 p.m. could help people lose weight and treat hypertension. Good Housekeeping's deputy nutrition director and registered dietician Stefani Sassos joins "CBS Mornings" to discuss the study's findings and limitations.

Be the first to know

Get browser notifications for breaking news, live events, and exclusive reporting.

CAT 2023 Answer Key: CAT Response Sheet Out At iim.cat.ac.in, Steps To PDF Download Here

IIM Lucknow has released the CAT 2023 answer key and CAT Response Sheet 2023. Candidates can visit the official website iimcat.ac.in to download the answer key. The last date for students to raise objections on the CAT answer key is December 8, 2023.

CAT Answer Key, Response Sheet 2023 Out: CAT Answer Key 2023 and CAT Response Sheet Out. Candidates who have appeared for the CAT 2023 exam conducted on November 26, 2023, can visit the official website to check the answer key and download the response sheet. The CAT 2023 exams were conducted in three slots. The CAT answer key 2023 has been released separately for each slot. Candidates can log in through the candidate login window to check their CAT answer key and their CAT 2023 response sheets.

Students must also note that the window to raise objections against the CAT answer key 2023 is available on the official website. The window will remain open until 5 pm on December 8, 2023. Students can check their IIM CAT response sheet and the answer key through the candidate login link provided on the official website.

CAT 2023 Answer Key Objection window - Click Here

The official answer key for CAT 2023 is available in the candidate login. It must be noted that the answer key has been released separately for each slot. Students who appeared in the different slots can click on the appropriate link to download the answer key.  Students can visit the login link on the website or follow the steps provided here to check the answer key.

Step 1: Visit the official website of CAT

Step 2: Click on the candidate login link on the website

Step 3: Enter the user ID and password 

Step 4: Click on the answer key link provided based on the slots appeared

Step 5: Download the answer key for further reference

Candidates can click on the link given here to check the CAT answer key for each slots.

The CAT answer key and the CAT 2023 response sheet will help students to calculate their scores. Based on the answer key released and the answers marked during the exam as per the response sheets, every correct answer will have 3 marks while every incorrect answer will have -1.

Along with releasing the IIM CAT 2023 answer key and response sheet, the authorities have also opened the window for students to raise objections to the answer key released. According to the notification available on the website, the objection form and response sheet for CAT 2023 appeared candidates is live from December 5, 2023, 11:00 A.M till December 8, 2023, 5:00 P.M. Candidates have also been advised to refer to their registered email id for further details.

The results of CAT 2023 will be out soon. After candidates submit their objections, the same will be taken into consideration to prepare the final answer key and the CAT results. The announcement regarding the date and time of the declaration of the CAT 2023 result will be made by the officials soon. 

Also Read: MAT 2023 PBT Exam Registration Last Date Today, Admit Card On December 7