Hewlett Packard Enterprise’s Silicon Root of Trust — which is aimed at preventing compromised firmware code from executing — “protects against” the ‘Screwed Drivers’ vulnerability highlighted by security researcher Eclypsium, said Hewlett Packard Enterprise Director of Server Software and Product Security For HPE Hybrid IT Bob Moore.“We mitigate the risk for any changes to over four million lines of firmware – that is specifically what our Silicon Root of Trust is designed to detect,” said Moore, a 20-year HPE veteran who has been proselytizing the benefits of the Silicon Root of Trust since HPE put it in its Gen10 and other servers two years ago. “We knew this kind of trend was coming. Now we are seeing it. Silicon Root of Trust protects against this kind of vulnerability.”HPE’s Silicon Root of Trust — which can be set to check firmware every 24 hours — is now part and parcel of its Gen10, Synergy, Apollo, Edgeline and Proliant servers, said Moore.Gen10 server customers have a “relatively higher degree of protection,” said Moore.A number of federal government customers already include Silicon Root of Trust as part of their request for proposals, said Moore. “The federal sector has standardized on this kind of protection capability and other segments like financial services and retail are starting to standardize on this because they see these vulnerabilities,” he said.
Paul Cohen, vice president of sales for New York-based PKA Technologies Inc., one of HPE’s top Platinum partners, said HPE’s Silicon Root of Trust is a major competitive advantage for HPE partners.
“The silicon root of trust is resonating with customers,” said Cohen. “With all of the breaches taking place in the market, customers realize that root of trust is another layer of security.”
PKA is hosting an invitation only inner circle security event in September with HPE to shine the spotlight on the benefits of HPE security including Silicon Root of Trust.
“We are working closely with our customers to help them safeguard a constantly shifting threat landscape,” said Cohen. “HPE doesn’t get the credit they deserve for the security that is built into their servers. We view servers as a value product not a commodity.”
Eclypsium, a Portland, Ore.-based security startup backed by Intel Capital and Andreessen Horowitz, disclosed the vulnerabilities, collectively dubbed “Screwed Drivers,” on Saturday, saying that more than 40 drivers from at least 20 different vendors are impacted.
Vulnerabilities found in drivers released by major vendors can potentially give bad actors full control of Windows-based computers and their underlying firmware, even after the operating system is reinstalled, according to Eclypsium.
Moore said HPE’s Silicon Root of Trust is a “huge” differentiator versus competitors. Competitors have been unable to match HPE because they buy off the shelf hardware from offshore companies.
“We were in unique position at HPE because we invested in and designed our own silicon,” he said. “It was easy for us to design in this indelible fingerprint into the silicon because we own the design. The competition buys their stuff off shelf and writes firmware code off that without any anchor point into it. We leveraged our position with new cryptography to embed this hash into the Silicon.”
Moore said he is seeing more and more focus on the firmware breaches including an FBI expert at HPE Discover who proclaimed that firmware breaches are an increasing trend.
“Those in the know realize that you can not secure any of the software or applications if your hardware is not secure,” said Moore.” This is starting to register with customers because of the increase in these types of breaches.”
The Silicon Root of Trust is a testament to HPE’s never ending drive to innovate, said Moore. “This is a proof point of our innovation,” he said. “It’s also a proof point of our collaboration with the FBI to identify future breach trends. It shows how public and private sector can work together to stay one step ahead of the hackers.”
HPE has a comprehensive holistic view of cybersecurity protection, detection and recovery that include all of HPE’s products including networking and services, said Moore. “WE have a very comprehensive end to end security story that encompasses networking,storage, services and supply chain,” he said.
Firmware is now one of the biggest threat vectors, said Moore. “That is the biggest thing cybersecurity insurance companies are worried about these days,” he said.
An IT executive for a healthcare customer at HPE Discover said the organization was recently attacked by ransomware with every server being taken out except for the HPE server, said Moore.
The call to action for customers, said Moore, is to “invest in state of the art” hardware with “built in cybersecurity protection that is not bolted on as an after thought.”