Taking a Holistic Approach to Security and Creating an Environment of Continuous Learning

By Leslie Culbertson

As I reflect on the time that has passed since we renewed our commitment to security through our security‑first pledge a year ago, I’m proud of the work the Intel team has done to show our commitment to transparency and, above all, to the security of our products. And yet, as anyone familiar with the security landscape knows: We must remain vigilant as our work is never done. The nature of security threats will continue to evolve and we must actively evolve with it.

In the past year, Intel has taken many steps to keep pace with this evolution — new tools and processes, exciting new talent we’ve brought on board, and, of course, the ongoing work we’ve done to continue improving security, including protecting against new classes of security vulnerabilities like Spectre and Meltdown.

If I think of this in terms of the milestones over the past year, there are several that really stand out for me:

Establishing the Intel Product Assurance and Security (IPAS) Group: While IPAS was formed in the same timeframe as the public disclosure of Spectre and Meltdown, its remit is much broader. Designed to serve as Intel’s security “mission control,” IPAS is a holistic product assurance and security effort that spans all of Intel, developing policy and best practices, and driving critical decisions across all our businesses. As the result of IPAS’ formation and our efforts throughout the year, we have made significant strides that have enhanced our agility from the very beginning of product design all the way through product manufacturing and post-sales support.

Completing the Microcode Updates: The new class of security vulnerabilities that includes Spectre and Meltdown has presented a challenge for the entire industry. While you have frequently heard me and other Intel leaders talk about our learnings and the complexity of the side channel methods presented, the way the industry rallied together to help protect customers and their data ultimately stands out to me. When vulnerabilities require updates to microcode, the code that controls transistors on the chip, Intel issues a microcode update (MCU). Working together with a customer-centric focus, we and our partners were able to provide our customers with microcode updates for more than nine years of Intel products.

Engineering New Protection into Hardware: One of the commitments we made early on was to advance security at the silicon level to help protect against side channel exploits. On the client side, we started introducing this with our 8th Generation Intel® Core™ U-series processor (Whiskey Lake) in August, followed by our 9th Gen Intel Core desktop processor (Coffee Lake) in October. And, our next-generation Intel® Xeon® Scalable processor (Cascade Lake) is the first x86 processor released to market that has hardware-based protections for Spectre V2.

Automating the Microcode Update Process: We recognized that a more predictable and consolidated update process for security as well as functional issues would be helpful to the entire ecosystem. So we are transitioning to a quarterly release model aligned with others in the ecosystem wherever possible. One of the challenges silicon vendors face is the MCU distribution process. This can be a complex process for OEM and software partners as well as consumers. One of the first major initiatives for IPAS was to improve the delivery of MCUs. In June 2018, we made our MCUs OS-loadable, making the update for Spectre V2 possible via Windows Update. Moving forward, we intend to enable delivery of MCUs through this automated process when possible.

Increasing Research Internally and Externally: Intel has always attracted the industry’s top talent, and we continue to build a world-class team of security researchers and engineers embedded across the company. We have actively increased our red team exercises – connecting deep offensive security research with deep product knowledge to find and address potential vulnerabilities before products ship. Our security researchers and engineers share their insights with the broader community by publishing findings and presenting to peers at industry events. In return, we continue to learn from the broader community though our bug bounty program and engaging academia through sponsored research and our “researcher in residence” program.

Committing to Coordination: As technologies become more and more complex, we believe it takes the ecosystem working together to collectively keep products and data more secure. We’ve built a model for collaboration and development among our partners that enables them to communicate directly. This approach takes a step beyond traditional multiparty collaboration and is one that we expect to build upon that will support an environment of continuous learning.

While I’m pleased with the progress we’ve made, our work is just beginning. So, as we look to 2019, two things are certain. First, security will continue to be an area where vigilance is required. Second – and just as important – we at Intel will continue to drive security innovation across our product portfolio to better protect customers and help drive the industry forward to make all our products more secure.

Leslie S. Culbertson is an executive vice president and general manager of Product Assurance and Security at Intel Corporation.