IT organizations worldwide are still reeling from the discovery of a major security vulnerability in Apache Log4j, an open-source logging utility embedded in countless internal and commercial applications.
By submitting a carefully constructed variable string to log4j, attackers can take control of any application that includes log4j. Suddenly, cybercriminals around the world have a blueprint for launching attacks on everything from retail store kiosks to mission-critical applications in hospitals.
If security teams overlook even one instance of log4j in their software, they give attackers an opportunity to issue system commands at will. Attackers can use those commands to install ransomware, exfiltrate data, shut down operations — the list goes on.
How should enterprises respond to this pervasive threat?
First, organizations need better visibility into both software supply chains and endpoints. They also need a way of delivering patches and updates quickly and comprehensively. Finally, they need hair-trigger segmentation controls over endpoints, so that if attackers do penetrate their network through log4j or any other exploit, they can quickly isolate those endpoints through network segmentation (closing network ports) and prevent the attack from spreading.
Know your code
Organizations need improved visibility into their software supply chains. That means understanding not just what applications they’re running, but also understanding the various components that go into those software applications.
If a software application from vendor X includes a software component from vendor Y, and vendor Y’s software includes a component from vendor Z, then any security vulnerability in vendor Z’s software affects the entire supply chain: vendors X, Y, Z, and all three companies’ customers.
Two recent cyberattacks illustrate the breadth of this kind of vulnerability, which is known as a supply chain compromise.
The first was the SolarWinds data breach, in which attackers broke into the network at software vendor SolarWinds and implanted malware in the company’s Orion network management product. That malware eventually gave attackers access to the networks of thousands of SolarWinds customers, including government agencies.
The second supply chain compromise attack involved software vendor Kaseya. In that case, attackers bypassed authentication controls and plant ransomware in one of Kaseya’s products, which is used by managed service providers (MSPs) to manage remote endpoints. The ransomware eventually affected 1,500 organizations, including Kaseya MSPs and their customers.
When software vulnerabilities are discovered, organizations need to be able to scan their software assets and discover any use of compromised components. This can be trickier than it might seem. When hunting for software components rather than full applications, you can’t just list the applications installed on an endpoint.
You might have to search for filenames or even file hashes, or #include statements within applications themselves. And of course, you need to be able to do this quickly across all your endpoints, including those in remote locations or in the cloud. Time matters. You have just days or even hours before attackers will find the files for you.
Know your endpoints
To scan software on endpoints, you first need to find all your endpoints. Easier said than done. A recent survey found that 94% of organizations have overlooked endpoints on their networks.
You need to know where all your endpoints are and what software components are included in all their applications, so you can take the next step — installing patches and updates — before attackers take advantage of a known exploit.
Patch quickly to eliminate vulnerabilities
Once you’ve identified problematic software on endpoints, you need to patch that software or disable it as quickly as possible.
With comprehensive visibility into software versions active on every endpoint, though, you can target your patches and updates. With an effective endpoint management system, you can install them promptly. And again, accuracy matters.
Some endpoint management systems report that they’ve successfully installed patches when they haven’t. The best practice is to audit some of your installations to ensure your system is performing as expected.
Contain attacks instantly
You’re not always going to win this race against time with every vulnerability in all your organization’s software. Attacks will happen. When they do, you need to shut them down quickly.
With a zero-trust solution in place for endpoints, you can detect attack activity instantly and isolate any compromised endpoints from the rest of your network. Zero-trust technology limits endpoint access only to authorized users by segmenting network traffic. It also blocks the ports and protocols that many ransomware and other malware strains rely on for moving across networks.
Unfortunately, software component vulnerabilities like the log4j vulnerability will likely be an ongoing challenge for IT organizations. But by improving visibility into endpoints and applications, patching quickly and accurately, and using zero-trust technology to contain malware attacks, organizations can minimize the damage of these vulnerabilities.
To learn more, visit us here.