IT organizations around the world are still suffering from the discovery of a major vulnerability in Apache Log4j, an open source logging utility that is embedded in a myriad of internal and commercial applications.
By sending a carefully constructed string that log4j would process, attackers could take control of every application that includes log4j. All of a sudden, cyber criminals around the world have a blueprint for attacking everything from retail kiosks to mission-critical applications in hospitals.
If security teams overlook even one instance of log4j in their software, they give attackers the opportunity to issue system commands at will. Attackers could use these commands to install ransomware, exfiltrate data, terminate operations – the list goes on.
How should companies respond to this ubiquitous threat?
First, organizations need better visibility into both software supply chains and endpoints. They also need a way to provide patches and updates quickly and comprehensively. Finally, they need robust segmentation controls for endpoints, so that if attackers break into the network via log4j or another exploit, the affected endpoints can be quickly isolated through network segmentation (closing network ports) and the attack prevented from spreading.
Know your code
Companies need improved transparency in their software supply chains. This means not only understanding which applications they run, but also understanding the various components that are included in those applications.
If a software application from provider X contains a software component from provider Y, and the software from provider Y contains a component from provider Z, then every security gap in the software from provider Z affects the entire supply chain: providers X, Y and Z, and the customers of all three.
Two recent cyberattacks illustrate the breadth of this type of vulnerability known as a supply chain compromise.
The first was the SolarWinds data breach, in which attackers broke into software manufacturer SolarWinds’ network and implanted malware in the company’s Orion network management product. This malware eventually gave attackers access to the networks of thousands of SolarWinds customers, including government agencies.
The second supply chain compromise involved software manufacturer Kaseya. In this case, attackers bypassed authentication controls and installed ransomware through one of the Kaseya products that managed service providers (MSPs) use to manage remote endpoints. The ransomware eventually hit 1,500 companies, including Kaseya MSPs and their customers.
When software vulnerabilities are discovered, organizations must be able to scan their software assets and discover any use of the compromised components. This can be more difficult than it seems: if you are looking for software components rather than whole applications, you cannot simply list the applications installed on an endpoint.
You may need to look for file names, file hashes, or even #include statements inside the applications themselves. And you need to be able to do this quickly across all of your endpoints, including remote locations and the cloud. Time counts: you may have only days or even hours before attackers find those files for you.
You need to know where all of your endpoints are and what software components are in all of your applications so you can take the next step – installing patches and updates – before attackers take advantage of a known exploit.
Fast patching to remove vulnerabilities
Once you’ve identified problem software on endpoints, you need to patch or disable that software ASAP.
With comprehensive insight into the software versions active on each endpoint, you can apply patches and updates in a targeted manner, and with an effective endpoint management system you can install them right away. Again, it comes down to accuracy.
Some endpoint management systems report that they have successfully applied patches when they have not. Best practice is to spot-check some of your installations to make sure the system is working as expected.
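The two steps above, finding every embedded copy of a component by file name, hash and contents rather than by installed-application list, and then checking the bytes on disk instead of trusting the endpoint manager's patch report, can be done with one scanner. The following is an added example written for this article, not code from the article or from any vendor product. It walks a directory tree, opens every JAR/WAR/EAR archive (recursing into archives nested inside fat JARs), reads the log4j-core version from its Maven `pom.properties`, notes whether the `JndiLookup` class is present, records a SHA-256 per hit for matching against a hash list, and re-scans after patching. The version threshold `FIXED_VERSION` is an assumption to be set from the advisory you are working from; the sample directory it builds is constructed test data.

```python
"""Find embedded Log4j components on disk and verify that a patch really landed.

Added example (not from the article or any vendor product). Assumption: any
log4j-core copy older than FIXED_VERSION is treated as needing a patch.
"""
import hashlib
import io
import os
import re
import tempfile
import zipfile

FIXED_VERSION = (2, 15, 0)  # assumption: threshold below which a copy is flagged
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0). Stops at the first non-numeric piece."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def inspect_archive(data, label, findings, depth=0):
    """Inspect one archive given as bytes; recurse into nested archives (depth-limited)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
        if version is not None or JNDI_CLASS in names:
            findings.append({
                "path": label,
                "version": version,
                "jndi_lookup_present": JNDI_CLASS in names,
                "sha256": hashlib.sha256(data).hexdigest(),
                # a copy with no version file is unknown and therefore flagged
                "needs_patch": version is None or version < FIXED_VERSION,
            })
        if depth < 3:
            for inner in names:
                if inner.lower().endswith(ARCHIVE_SUFFIXES):
                    inspect_archive(zf.read(inner), f"{label}!{inner}", findings, depth + 1)


def scan_tree(root):
    """Walk root and return one finding per log4j-core copy, nested ones included."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    inspect_archive(fh.read(), full, findings)
    return findings


def verify_patched(root):
    """Re-scan the bytes on disk after patching; True only if nothing still needs a patch."""
    return all(not f["needs_patch"] for f in scan_tree(root))


def build_log4j_jar(version, with_jndi=True):
    """Constructed stand-in for a log4j-core JAR: version file plus a placeholder class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode
    return buf.getvalue()


def build_sample_tree(loose_version="2.14.1", embedded_version="2.17.1"):
    """Constructed sample install: a loose log4j JAR plus a fat app JAR embedding another."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    with open(os.path.join(root, f"log4j-core-{loose_version}.jar"), "wb") as fh:
        fh.write(build_log4j_jar(loose_version))
    app = io.BytesIO()
    with zipfile.ZipFile(app, "w") as zf:
        zf.writestr("README.txt", "constructed fat jar")
        zf.writestr(f"BOOT-INF/lib/log4j-core-{embedded_version}.jar",
                    build_log4j_jar(embedded_version))
    with open(os.path.join(root, "app.jar"), "wb") as fh:
        fh.write(app.getvalue())
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for f in scan_tree(root):
        print(f"{f['path']}: version={f['version']} needs_patch={f['needs_patch']}")
    print("tree fully patched:", verify_patched(root))
```

Run against a real application directory by calling `scan_tree("/opt/myapp")` instead of the constructed sample. The point of `verify_patched` is that it reads the archives again after the patch run: an endpoint manager that reports success while an old copy is still embedded inside a fat JAR is caught because the nested copy is inspected on its own.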
Immediately contain attacks
You won’t always win this race against time for every vulnerability in all of your company’s software. Attacks will happen. When they do, you need to contain them quickly.
With a zero-trust endpoint solution, you can immediately identify attack activity and isolate any compromised endpoint from the rest of your network. Zero trust technology restricts endpoint access to only authorized users by segmenting network traffic. It also blocks the ports and protocols that many ransomware and other strains of malware rely on to move across networks.
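To make the segmentation idea concrete, here is an added example, not code from the article or from any zero-trust product. It models the policy described above as a default-deny rule set (which roles may reach which other roles on which port), evaluates constructed endpoint-to-endpoint flow records against it, and decides which endpoints to isolate: an endpoint that violates the policy against several peers is isolated by blocking the lateral-movement ports in both directions. The roles, inventory, thresholds, flow records, and the nftables table and chain names in the rendered commands are all assumptions.

```python
"""Spot lateral-movement policy violations and decide which endpoints to isolate.

Added example, not from the article or any product. Assumed model: every
endpoint has a role; the policy lists which destination roles a source role may
reach on which port; endpoint-to-endpoint traffic not covered is a violation.
"""
from collections import defaultdict

# Well-known service ports that worms and ransomware commonly use to move between hosts.
LATERAL_PORTS = {22: "ssh", 135: "rpc", 445: "smb", 3389: "rdp", 5985: "winrm"}

# Assumed segmentation policy: src role -> {dst port -> set of dst roles allowed}.
POLICY = {
    "workstation":   {445: {"file-server"}},
    "admin-jumpbox": {3389: {"workstation", "file-server"}, 5985: {"workstation"}},
    "file-server":   {},
}

ROLE_OF = {  # constructed inventory
    "10.0.1.10": "workstation",
    "10.0.1.11": "workstation",
    "10.0.2.5": "admin-jumpbox",
    "10.0.3.20": "file-server",
}

# Constructed flow records: (src_ip, dst_ip, dst_port, proto).
FLOWS = [
    ("10.0.1.10", "10.0.3.20", 445, "tcp"),    # workstation opens a file share: allowed
    ("10.0.2.5", "10.0.1.10", 3389, "tcp"),    # jumpbox RDPs to a workstation: allowed
    ("10.0.1.10", "203.0.113.7", 443, "tcp"),  # outbound web traffic: not lateral, ignored
    ("10.0.1.11", "10.0.1.10", 445, "tcp"),    # workstation -> workstation SMB: violation
    ("10.0.1.11", "10.0.2.5", 445, "tcp"),     # violation
    ("10.0.1.11", "10.0.3.20", 3389, "tcp"),   # violation
    ("10.0.1.11", "10.0.1.10", 135, "tcp"),    # violation
    ("10.0.3.20", "10.0.1.10", 445, "tcp"),    # server initiating SMB to a client: one oddity
]


def evaluate(flows, role_of=ROLE_OF, policy=POLICY, isolate_at=3):
    """Return {src_ip: decision} for every endpoint with at least one violation."""
    violations = defaultdict(list)
    for src, dst, port, proto in flows:
        if src not in role_of or dst not in role_of:
            continue  # only endpoint-to-endpoint traffic is judged here
        allowed = policy.get(role_of[src], {}).get(port, set())
        if role_of[dst] not in allowed:  # default deny: unlisted port or role is a violation
            violations[src].append((dst, port, LATERAL_PORTS.get(port, proto)))
    decisions = {}
    for src, hits in violations.items():
        peers = {dst for dst, _, _ in hits}
        isolate = len(hits) >= isolate_at or len(peers) >= isolate_at
        decisions[src] = {
            "action": "isolate" if isolate else "review",
            "violations": hits,
            "block_ports": sorted(LATERAL_PORTS) if isolate else [],
        }
    return decisions


def isolation_rules(ip, ports=None):
    """Render nftables commands (assumed table 'inet filter', chain 'forward') that drop
    the lateral ports to and from one endpoint. Returned as strings, not executed."""
    ports = sorted(ports or LATERAL_PORTS)
    port_set = "{ " + ", ".join(str(p) for p in ports) + " }"
    return [
        f"nft add rule inet filter forward ip saddr {ip} tcp dport {port_set} drop",
        f"nft add rule inet filter forward ip daddr {ip} tcp dport {port_set} drop",
    ]


if __name__ == "__main__":
    for ip, d in evaluate(FLOWS).items():
        print(ip, d["action"], f"{len(d['violations'])} violation(s)")
        if d["action"] == "isolate":
            print("\n".join(isolation_rules(ip, d["block_ports"])))
```

In the constructed data, 10.0.1.11 reaches three different peers over SMB, RDP and RPC, none of which a workstation is allowed to do, so it is isolated; the file server's single unexpected connection is flagged for review rather than cut off, which is the kind of threshold a real deployment tunes to its own traffic.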
Unfortunately, vulnerabilities in software components like log4j are likely to remain an ongoing challenge for IT organizations. But by improving visibility into endpoints and applications, patching quickly and accurately, and using zero trust technology to contain malware attacks, companies can minimize the damage these vulnerabilities cause.