Image by Andrij Borys Associates, using photo by Monkey Business Images
for the vulnerability management program at Goldman Sachs, the response was just another day at the office.
While these vulnerabilities are
theoretically fascinating, we have to
live with their practical impact. As risk
managers at Goldman Sachs, a large
enterprise of approximately 35,000 employees, we had to respond rapidly to
the announcement of the vulnerabilities. Moreover, we will have to continue
managing the risks that will arise over
the next decade from new variants or
similar vulnerabilities.
We learned about the vulnerabilities
when they were publicly announced on
January 3, 2018. The announcement
was made earlier than planned because
word was already starting to leak. This
meant that many vendors had not yet
released patches or prepared customer
communications about impact, mitigation strategies, and the timelines for
patch availability. Vendors could not
immediately help in understanding
the vulnerabilities.
The first challenge when any major vulnerability is released is to gather information: which systems are impacted, when will patches be available, what compensating controls are in place, and is the vulnerability being actively exploited? It’s even better to know if the vulnerability is being exploited by threat actors who have historically targeted your firm.
Meltdown and Spectre were particularly difficult to triage. It was clear
early on that certain processor families
were impacted, but the full scope was
suspected to be much wider. Moreover,
our hardware and software inventories