session id:spo3-w04 the sky is falling! responding ... · session id: #rsac gill langston. the sky...

SESSION ID:

#RSAC

Gill Langston

THE SKY IS FALLING! RESPONDING RATIONALLY TO HEADLINE VULNERABILITIES

SPO3-W04

Director, Product ManagementQualys, Inc.

#RSAC

Why are we here

2

Our emergency response playbook has solved all of our problems

#RSAC

Why are we here

3


This job is pretty boring these days since we are ahead of the curve

#RSAC

Why are we here

4



When a high profile vulnerability comes along, it makes my day

#RSAC

Why are we here

5



When a high profile vulnerability comes along, it makes my day

NO?

#RSAC

Today’s news cycle

6

Executive visibility

High noise level vs. what's important

Public accountability

Need a better plan for response

#RSAC

Today’s news cycle

7

https://www.buzzfeed.com/sheerafrenkel/the-biggest-ransomeware-attack-in-history-is-hitting?utm_term=.ow9qL9Bqk#.iu8q56vqR

#RSAC

They don’t go away on their own!

Someone else’s problem

#RSAC

Discussion

9

Review of anonymized, aggregated Qualys customer detections

Response challenges based on patching behavior trends

Real-world best practices based on analysis of remediation(s)

Prepare React Review Improve

#RSAC

REVIEW OF HIGH PROFILE VULNERABILITIES

#RSAC

WannaCry – notable info

11

High risk issue

Highly publicized (NSA/Shadow Brokers hack)

Mitigations – Risky

#RSAC

1 month

1 month

1.5 months

Mar 14, 2017 MS17-010 released (CVEs also published)

Shadow Brokers releases exploit codeApr 14, 2017

May 10, 2017 WannaCry v1 attacks begin using EternalBlue exploit

WannaCry v2 attacks explodeMay 12, 2017

New Petya malware outbreak using same exploitJun 27, 2017

WannaCry timeline

12

#RSAC

WannaCry detections

13

0100200300400500600700

Thou

sand

s

MS17-010 Detections

MS17-010 released

Shadow Brokers

WannaCryv1 attacks WannaCry

v2 attacks New Petya

#RSAC

WannaCry takeaways – why we struggled

14

Identification of all at-risk assets was slow

All issues sometimes treated the same by ITOps teams

Widespread user participation requirement created delays in remediation

If they don’t know its critical, complacency sets in

#RSAC

WannaCry Impact

15

Large Organizations infectedStayed present in news cycle

Panic to resolve issue from top-downIdentify vulnerable assetsDetermine fixesComplete patching cycle

Reinforced need to improve patching cycles

#RSAC

Struts – notable info

16

High risk

Easy to exploit

https://nvd.nist.gov/vuln/detail/CVE-2017-5638

#RSAC

Mar 6, 2017 CVE-2017-5638 releasedUpdated libraries releasedExploit available

July 29, 2017 Reported discovery date of breach

Struts timeline

May 13, 2017 Reported as date of Equifax breach

Sep 7, 2017 Breach reported publicly

72 days

77 days

77 days

17

#RSAC

Struts Vulnerability

18

Equifax breach

Discoverydate

reported publiclyCVE-2017-5638 released

Updated libraries releasedExploit available

#RSAC

Struts takeaways – why we struggled

19

Long delays in remediating web applications

Not easily fixedNot always as simple as pushing a patchApplication rebuildTesting cycles

#RSAC

Struts Impact

20

Highly public data breachDelay in updating web application was the cause

Reinforces need for mitigations (Web Application Firewall, filtering rules)

#RSAC

Meltdown/Spectre– notable info

21

Requires access to machineCould be delivered via multi-stage attackFew-to-no exploits available

Mitigation – Patch was a mitigationAlso ensure layered security is up-to-date

#RSAC

Jan 3, 2018 Vulnerabilities published

MS “patches the patch”Jan 27, 2018

MS releases new microcode updatesFeb 28, 2018

Meltdown/Spectre timeline

Jan 3, 2018 MS releases emergency update

Jan 22, 2018 Intel recommends updates be halted

19 days

5 days

32 days

22

#RSAC

Meltdown Detections

23

Intel recommends updates halted

MS “patches the patch”

MS releases new microcode updates

Vulnerabilities publishedMS releases emergency update

#RSAC

Meltdown/Spectre takeaways – why we struggled

24

No fixes, only mitigation patches

#RSAC


25


Every OS patch had a downside

#RSAC


26



Affected handling of memory

#RSAC


27



Affected handling of memory

Tons of caveats and risk

#RSAC

Meltdown/Spectre Impact

28

Panic – so many systems affected

Fix caused major issuesGenerated a lot of churn in IT orgs

Reinforces need to….wait?

#RSAC

Overall takeaways

29

Leaving high profile vulnerabilities to the current cycle doesn’t work

Not all newsworthy vulnerabilities mean the same to you

Sometimes the fix can be worse than waiting!

Things can change quickly

Lacking a thorough response plan can generate chaosInternal pressureExternal requests (is my data protected? Will business proceed normally?)

#RSAC

Put it all together

30

Identify high-risk vulnerabilities - often

Track the risk to your organization

Determine best course of action (Remediate? Mitigate? Wait?)

Decide when to communicate

Update regularly

Work the plan and improve

#RSAC

Prepare – Action Plan

31

Get buy-in from teams (Executive, SecOps, DevOps, ITOps)Build playbook together

#RSAC

Response plan elements

32

• Ensure all assets are identified

• Document the triggers

• Build communication plan


#RSAC


33




• Work the playbook

• Decide on Fix/Wait/Mitigate

• Communicate with your users


#RSAC


34







• Retrospective

• Identify areas to improve

• Don’t get discouraged!


#RSAC


35







• Retrospective

• Identify areas toimprove

• Don’t get discouraged!

• Work together to improve response

• Modify the plan based on findings

• Expand the plan to all high-severity vulnerabilities


#RSAC

CommunicationsAlert Users? Yes NoAlert Mechanism Email Patching

PromptsAlert Details:

External Comm? Yes NoAlert Mechanism Public Website

Social MediaInternal site

Alert Details:

A rational response

36

ThreatAll Assets Identified? Yes NoActive Attack? Yes NoVector Remote

LocalWeb

Vector Details: Fix Available? Yes NoFix Tested? Yes NoRisks/Issues? Yes No

Risk Details:

Mitigation Available? Yes NoMitigation Tested? Yes NoRisks/Issues? Yes No

Risk Details:

RecommendationCurrent Recommendation Fix

WaitMitigate

Reason for Recommendation:

Trigger to Change Recommendation:ActionsLast Action: Complete? Yes NoNext Action:

#RSAC


PromptsAlert Details: None at this time



Alert Details:

A rational response

37


LocalWeb

Vector Details: Must have access to assets

Fix Available? Yes NoFix Tested? Yes NoRisks/Issues? Yes No

Risk Details: Performance issues, unexpected reboots.


Risk Details:


WaitMitigate

Reason for Recommendation:Patches known to cause issues. No active attacks. Ensuring antivirus, web filters, and email filtering is up to date in case of multi stage attack

Trigger to Change Recommendation:Active attack that could be triggered by user, Confirmation that all issues with patches are resolved

ActionsLast Action: Test Meltdown patchesComplete? Yes NoNext Action: Monitor for changes in

threat landscape

CVE-2017-5754

#RSAC


PromptsAlert Details: Inform users of known

threats and reinforce user training



Alert Details: Internal site with company response for copy/paste

A rational response

38


LocalWeb

Vector Details: Multi-stage attack delivered via emailFix Available? Yes NoFix Tested? Yes NoRisks/Issues? Yes No

Risk Details: Performance issues, unexpected reboots.


Risk Details:


WaitMitigate

Reason for Recommendation:Known attack using email and websites tricking users into downloading exploit. Recommending we deploy fixes for applications and browsers, and waiting on operating systems until issues are resolved.

Trigger to Change Recommendation:none at this time

ActionsLast Action: Deployed patch to test groupComplete? Yes NoNext Action: Roll out patches to affected

machines

CVE-2017-5754

#RSAC

A rational response

39

#RSAC

Apply

40

Next WeekIdentify the stakeholders (SecOps, ITOps, Dev, Exec Team)

Decide how you would document and share:

Business impact if you do nothing (Wait to see changes in landscape)Business impact if you do something (Apply Fix OR Mitigation)Triggers - monitor threat feeds for changes

Decide on the KPIs – how would you measure success?

Next Quarter (or next event)

Work the playbook

Daily ‘stand-up’ during event

Review with team and decide together

Document each step of action plan

Next 6 monthsMeasure success

Identify where to improve

Don’t get discouraged by early failures or delays

This is a process!

Repeat

#RSAC

A rational response

41

High-profile vulnerabilities are not going awayRelying on other teams to handle just won’t work

More executive visibility = panic mode for teamsHelp be the stabilizing force in reaction

Methodical approach leads to rational response

#RSAC

THANK YOU!

Gill Langston - Director, Product Management

Qualys, Inc.

session id:spo3-w04 the sky is falling! responding ... · session id: #rsac gill langston. the sky...

Documents