session id:spo3-w04 the sky is falling! responding ... · session id: #rsac gill langston. the sky...
TRANSCRIPT
SESSION ID:
#RSAC
Gill Langston
THE SKY IS FALLING! RESPONDING RATIONALLY TO HEADLINE VULNERABILITIES
SPO3-W04
Director, Product ManagementQualys, Inc.
#RSAC
Why are we here
3
Our emergency response playbook has solved all of our problems
This job is pretty boring these days since we are ahead of the curve
#RSAC
Why are we here
4
Our emergency response playbook has solved all of our problems
This job is pretty boring these days since we are ahead of the curve
When a high profile vulnerability comes along, it makes my day
#RSAC
Why are we here
5
Our emergency response playbook has solved all of our problems
This job is pretty boring these days since we are ahead of the curve
When a high profile vulnerability comes along, it makes my day
NO?
#RSAC
Today’s news cycle
6
Executive visibility
High noise level vs. what's important
Public accountability
Need a better plan for response
#RSAC
Today’s news cycle
7
https://www.buzzfeed.com/sheerafrenkel/the-biggest-ransomeware-attack-in-history-is-hitting?utm_term=.ow9qL9Bqk#.iu8q56vqR
#RSAC
Discussion
9
Review of anonymized, aggregated Qualys customer detections
Response challenges based on patching behavior trends
Real-world best practices based on analysis of remediation(s)
Prepare React Review Improve
#RSAC
WannaCry – notable info
11
High risk issue
Highly publicized (NSA/Shadow Brokers hack)
Mitigations – Risky
#RSAC
1 month
1 month
1.5 months
Mar 14, 2017 MS17-010 released (CVEs also published)
Shadow Brokers releases exploit codeApr 14, 2017
May 10, 2017 WannaCry v1 attacks begin using EternalBlue exploit
WannaCry v2 attacks explodeMay 12, 2017
New Petya malware outbreak using same exploitJun 27, 2017
WannaCry timeline
12
#RSAC
WannaCry detections
13
0100200300400500600700
Thou
sand
s
MS17-010 Detections
MS17-010 released
Shadow Brokers
WannaCryv1 attacks WannaCry
v2 attacks New Petya
#RSAC
WannaCry takeaways – why we struggled
14
Identification of all at-risk assets was slow
All issues sometimes treated the same by ITOps teams
Widespread user participation requirement created delays in remediation
If they don’t know its critical, complacency sets in
#RSAC
WannaCry Impact
15
Large Organizations infectedStayed present in news cycle
Panic to resolve issue from top-downIdentify vulnerable assetsDetermine fixesComplete patching cycle
Reinforced need to improve patching cycles
#RSAC
Struts – notable info
16
High risk
Easy to exploit
https://nvd.nist.gov/vuln/detail/CVE-2017-5638
#RSAC
Mar 6, 2017 CVE-2017-5638 releasedUpdated libraries releasedExploit available
July 29, 2017 Reported discovery date of breach
Struts timeline
May 13, 2017 Reported as date of Equifax breach
Sep 7, 2017 Breach reported publicly
72 days
77 days
77 days
17
#RSAC
Struts Vulnerability
18
Equifax breach
Discoverydate
reported publiclyCVE-2017-5638 released
Updated libraries releasedExploit available
#RSAC
Struts takeaways – why we struggled
19
Long delays in remediating web applications
Not easily fixedNot always as simple as pushing a patchApplication rebuildTesting cycles
#RSAC
Struts Impact
20
Highly public data breachDelay in updating web application was the cause
Reinforces need for mitigations (Web Application Firewall, filtering rules)
#RSAC
Meltdown/Spectre– notable info
21
Requires access to machineCould be delivered via multi-stage attackFew-to-no exploits available
Mitigation – Patch was a mitigationAlso ensure layered security is up-to-date
#RSAC
Jan 3, 2018 Vulnerabilities published
MS “patches the patch”Jan 27, 2018
MS releases new microcode updatesFeb 28, 2018
Meltdown/Spectre timeline
Jan 3, 2018 MS releases emergency update
Jan 22, 2018 Intel recommends updates be halted
19 days
5 days
32 days
22
#RSAC
Meltdown Detections
23
Intel recommends updates halted
MS “patches the patch”
MS releases new microcode updates
Vulnerabilities publishedMS releases emergency update
#RSAC
Meltdown/Spectre takeaways – why we struggled
25
No fixes, only mitigation patches
Every OS patch had a downside
#RSAC
Meltdown/Spectre takeaways – why we struggled
26
No fixes, only mitigation patches
Every OS patch had a downside
Affected handling of memory
#RSAC
Meltdown/Spectre takeaways – why we struggled
27
No fixes, only mitigation patches
Every OS patch had a downside
Affected handling of memory
Tons of caveats and risk
#RSAC
Meltdown/Spectre Impact
28
Panic – so many systems affected
Fix caused major issuesGenerated a lot of churn in IT orgs
Reinforces need to….wait?
#RSAC
Overall takeaways
29
Leaving high profile vulnerabilities to the current cycle doesn’t work
Not all newsworthy vulnerabilities mean the same to you
Sometimes the fix can be worse than waiting!
Things can change quickly
Lacking a thorough response plan can generate chaosInternal pressureExternal requests (is my data protected? Will business proceed normally?)
#RSAC
Put it all together
30
Identify high-risk vulnerabilities - often
Track the risk to your organization
Determine best course of action (Remediate? Mitigate? Wait?)
Decide when to communicate
Update regularly
Work the plan and improve
#RSAC
Prepare – Action Plan
31
Get buy-in from teams (Executive, SecOps, DevOps, ITOps)Build playbook together
#RSAC
Response plan elements
32
• Ensure all assets are identified
• Document the triggers
• Build communication plan
Prepare React Review Improve
#RSAC
Response plan elements
33
• Ensure all assets are identified
• Document the triggers
• Build communication plan
• Work the playbook
• Decide on Fix/Wait/Mitigate
• Communicate with your users
Prepare React Review Improve
#RSAC
Response plan elements
34
• Ensure all assets are identified
• Document the triggers
• Build communication plan
• Work the playbook
• Decide on Fix/Wait/Mitigate
• Communicate with your users
• Retrospective
• Identify areas to improve
• Don’t get discouraged!
Prepare React Review Improve
#RSAC
Response plan elements
35
• Ensure all assets are identified
• Document the triggers
• Build communication plan
• Work the playbook
• Decide on Fix/Wait/Mitigate
• Communicate with your users
• Retrospective
• Identify areas toimprove
• Don’t get discouraged!
• Work together to improve response
• Modify the plan based on findings
• Expand the plan to all high-severity vulnerabilities
Prepare React Review Improve
#RSAC
CommunicationsAlert Users? Yes NoAlert Mechanism Email Patching
PromptsAlert Details:
External Comm? Yes NoAlert Mechanism Public Website
Social MediaInternal site
Alert Details:
A rational response
36
ThreatAll Assets Identified? Yes NoActive Attack? Yes NoVector Remote
LocalWeb
Vector Details: Fix Available? Yes NoFix Tested? Yes NoRisks/Issues? Yes No
Risk Details:
Mitigation Available? Yes NoMitigation Tested? Yes NoRisks/Issues? Yes No
Risk Details:
RecommendationCurrent Recommendation Fix
WaitMitigate
Reason for Recommendation:
Trigger to Change Recommendation:ActionsLast Action: Complete? Yes NoNext Action:
#RSAC
CommunicationsAlert Users? Yes NoAlert Mechanism Email Patching
PromptsAlert Details: None at this time
External Comm? Yes NoAlert Mechanism Public Website
Social MediaInternal site
Alert Details:
A rational response
37
ThreatAll Assets Identified? Yes NoActive Attack? Yes NoVector Remote
LocalWeb
Vector Details: Must have access to assets
Fix Available? Yes NoFix Tested? Yes NoRisks/Issues? Yes No
Risk Details: Performance issues, unexpected reboots.
Mitigation Available? Yes NoMitigation Tested? Yes NoRisks/Issues? Yes No
Risk Details:
RecommendationCurrent Recommendation Fix
WaitMitigate
Reason for Recommendation:Patches known to cause issues. No active attacks. Ensuring antivirus, web filters, and email filtering is up to date in case of multi stage attack
Trigger to Change Recommendation:Active attack that could be triggered by user, Confirmation that all issues with patches are resolved
ActionsLast Action: Test Meltdown patchesComplete? Yes NoNext Action: Monitor for changes in
threat landscape
CVE-2017-5754
#RSAC
CommunicationsAlert Users? Yes NoAlert Mechanism Email Patching
PromptsAlert Details: Inform users of known
threats and reinforce user training
External Comm? Yes NoAlert Mechanism Public Website
Social MediaInternal site
Alert Details: Internal site with company response for copy/paste
A rational response
38
ThreatAll Assets Identified? Yes NoActive Attack? Yes NoVector Remote
LocalWeb
Vector Details: Multi-stage attack delivered via emailFix Available? Yes NoFix Tested? Yes NoRisks/Issues? Yes No
Risk Details: Performance issues, unexpected reboots.
Mitigation Available? Yes NoMitigation Tested? Yes NoRisks/Issues? Yes No
Risk Details:
RecommendationCurrent Recommendation Fix
WaitMitigate
Reason for Recommendation:Known attack using email and websites tricking users into downloading exploit. Recommending we deploy fixes for applications and browsers, and waiting on operating systems until issues are resolved.
Trigger to Change Recommendation:none at this time
ActionsLast Action: Deployed patch to test groupComplete? Yes NoNext Action: Roll out patches to affected
machines
CVE-2017-5754
#RSAC
Apply
40
Next WeekIdentify the stakeholders (SecOps, ITOps, Dev, Exec Team)
Decide how you would document and share:
Business impact if you do nothing (Wait to see changes in landscape)Business impact if you do something (Apply Fix OR Mitigation)Triggers - monitor threat feeds for changes
Decide on the KPIs – how would you measure success?
Next Quarter (or next event)
Work the playbook
Daily ‘stand-up’ during event
Review with team and decide together
Document each step of action plan
Next 6 monthsMeasure success
Identify where to improve
Don’t get discouraged by early failures or delays
This is a process!
Repeat
#RSAC
A rational response
41
High-profile vulnerabilities are not going awayRelying on other teams to handle just won’t work
More executive visibility = panic mode for teamsHelp be the stabilizing force in reaction
Methodical approach leads to rational response