Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable 博客

订阅

Are You Ready for the Next Log4Shell? Tenable’s CSO and CIO Offer Their Advice

Are You Ready for the Next Log4Shell? Tenable’s CSO and CIO Offer Their Advice

Tenable CIO Patricia Grant and CSO Robert Huber share insights and best practices to help IT and cybersecurity leaders and their teams weather the next cyber crisis of Log4j proportions.

A year ago, the discovery of the Log4Shell vulnerability sent IT and cybersecurity teams scrambling to assess and address their organizations’ exposure to this flaw in the ubiquitous Log4j open source component. 

Shifting quickly into “all hands on deck” mode, IT, engineering and cybersecurity teams put in long days and nights, racing to prevent breaches stemming from this easy-to-exploit and extremely severe zero-day vulnerability. 

Now, the one-year anniversary of the earth-shaking Log4j event offers an opportunity to take stock and ponder key questions, such as: “What did we learn?” and “Are we ready for the next Log4j-like vulnerability?”

They’re important questions to ponder, especially with the findings about the current state of Log4j remediation that Tenable recently disclosed. After analyzing a representative sampling of telemetry data from its 40,000 customers globally, Tenable found that, as of October 1, 2022:

  • 72% of organizations remain vulnerable to Log4Shell.
  • 29% of vulnerable assets saw the reintroduction of Log4Shell after full remediation was achieved.
  • Nearly one third of North American organizations have fully remediated Log4j (28%), followed by Europe, Middle East and Africa (27%), Asia-Pacific (25%) and Latin America (21%).

In this blog, Tenable CIO Patricia Grant and CSO Robert Huber share their insights, recommendations and expertise for dealing with high-impact vulnerabilities like Log4Shell, including the importance of a detailed playbook, cross-team collaboration and asset visibility. 

Communicate and collaborate — constantly and enthusiastically

At the foundation of an effective response to a Log4j-type event is a basic, yet sometimes elusive, principle: A pre-existing good and constant communication among the CIO, the CSO and all other stakeholders involved in protecting the company from cyberthreats.

For example, a key partnership between the CIO and the CSO involves the establishment of protective policies and procedures regarding the secure and compliant use of technology, which helps set a solid security hygiene foundation for managing and reducing cyber risk. The enforcement and detection of policy violations, vulnerabilities, misconfigurations and other flaws should be continuous and automated.

“Having visibility into your assets, with dashboards for reporting progress, is the best way to respond quickly and manage communications between the CIO and CSO on status at all times,” Grant says.

Tenable CIO Patricia Grant offers advice on dealing with Log4Shell-type vulnerabilities.
Tenable CIO Patricia Grant

Not only is communication between the CIO and CSO important, but it’s essential for the employees as well. All employees need to understand the importance of security in their company and ensure that they understand and follow all policies, which are there for a reason. Failure to do so could have negative consequences for the whole company.

“It’s important to not only communicate ‘the what’, but also ‘the why’ and the impact of not complying.” Grant says.

Boosting the staff’s security awareness increases end user compliance and cooperation, and reduces the incidence of risky behavior, such as the use of unapproved IT products. When dealing with a high-risk, zero-day vulnerability like Log4j, these “shadow IT” tools represent an extremely dangerous attack vector for an organization.

Get full asset visibility

Another foundational piece that must be in place for successfully dealing with high-impact vulnerabilities is comprehensive asset visibility. Once you’ve understood the nature of the vulnerability and its severity, as well as the implications of getting breached, you must quickly determine where and to what extent you’re impacted.

To do that, it’s critical for IT and cybersecurity to have an actively managed and constantly updated inventory of IT assets in a configuration management database (CMDB) or similar repository, such as an asset data lake fueled by your IT service management (ITSM), vulnerability management (VM) and endpoint detection and response (EDR) solutions.

“Otherwise, it’ll be difficult to swiftly and precisely answer the question of where this vulnerability is in your IT environment,” Huber says. This continuously updated IT asset inventory should contain all hardware and software assets on-premises, in the cloud and in remote locations, with granular details of all their components.

Tenable CSO Robert Huber offers advice on dealing with Log4Shell-type vulnerabilities.
Tenable CSO Robert Huber

Draft a response playbook

Organizations felt an intense urgency to address Log4Shell as quickly as possible — including detecting where it was in their environment and promptly patching the impacted assets. Based on how that went, you should have gotten a good idea of whether your vulnerability management program can handle a future Log4j-like crisis, Huber says.

Here are five key questions to ask yourself: 

  1. Do you have enough scanners and infrastructure in place to respond? 
  2. Can you scan quickly enough? 
  3. Can you patch immediately and automatically? 
  4. Can your business weather the operational disruptions of a massive and urgent vulnerability assessment and remediation campaign? 
  5. Can you coordinate all of these things quickly?

At Tenable, Huber and Grant deploy a rapid-response (RR) playbook for dealing internally with high-impact vulnerabilities. It outlines concrete steps to take and details the tasks and responsibilities of different teams, including research, security, IT, operations, legal, marketing, product management and the C-level suite. 

“This is very similar to an incident response plan, but very specific for high profile vulnerabilities. The IR process could be co-opted for such events as it is usually well understood and agreed upon by all stakeholders,” Huber says.

With this RR playbook in place, Tenable’s goals are to:

  • Quickly address and respond to the vulnerability
  • Ensure teams involved collaborate and communicate effectively
  • Ensure everyone is clear about their responsibilities and expectations
  • Ensure that internal and external communications are clear and consistent

Once the RR plan is activated, Tenable goes through the following stages:

  • Convene the RR executive team that’ll manage strategic decisions.
  • Assemble the RR team with representatives from each team involved.
  • Establish the key goals and objectives that must be attained.
  • Execute playbook action items.
  • Track and document progress and modify strategy as needed.
  • With the incident contained, wrap up and shift back to normal operations.

Be ready to respond to queries from customers and partners — quickly!

As you’re scrambling to address the vulnerability, you’ll get bombarded with queries from customers and partners wanting to know whether your organization has been impacted and if your software will need to be patched. It’s a consequence of the greater awareness we all now have about software supply chain risks.

Having answers ready is a must, and a challenge, so Grant and Huber recommend the following:

  • If you haven’t already done so, create detailed software bills of materials (SBOMs) for all your software, so that you know all the “ingredients” present in these products.
  • Embed security checks and tests early in your software development lifecycle, using tools for dynamic and static application security testing; third-party dependency or software composition analysis; vulnerability management; and container security. This will improve the trust and assurance of the software you release to customers.

Keep close tabs on the security posture of your suppliers

On the flip side, you should have a stringent process for evaluating the cybersecurity preparedness and practices of all your IT providers, and manage that third-party vendor risk so that, for example, your software vendors and managed service providers don’t put you in undue danger of breaches through carelessness on their part. 

“You’re only as safe as the weakest link in your vendor supply chain,” Grant says.

Not “if” but “when”

Bottom line: it’s not a question of “if” but rather of “when” IT and cybersecurity leaders will again face a crisis of Log4j proportions. Taking steps such as the ones outlined in this blog will go a long way towards putting your organization in a much better position to successfully respond to the next “all hands on deck” vulnerability. 

“Run tabletop exercises for this specific scenario and create some muscle memory and identify opportunities for improvement,” Huber says.

For more information about Log4j, check out the Tenable Log4j resources page, which includes links to FAQs, white papers, blogs, plugins, how-to videos, on-demand webinars and more.
 

相关文章

您是否易受最新漏洞利用的攻击?

输入您的电子邮件以在收件箱中接收最新的 Cyber Exposure 警报。

tenable.io

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。

Tenable.io Vulnerability Management 试用版还包括 Tenable Lumin、Tenable.io Web Application Scanning 和 Tenable.cs Cloud Security。

tenable.io 购买

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。 立即购买年度订阅。

65 项资产

选择您的订阅选项:

立即购买

免费试用 Nessus Professional

免费试用 7 天

Nessus® 是当今市场上功能最全面的漏洞扫描器。Nessus Professional 可帮助自动化漏洞扫描流程、节省合规周期的时间,并让您调动起 IT 团队的积极性。

购买 Nessus Professional

Nessus® 是当今市场上功能最全面的漏洞扫描器。Nessus Professional 可帮助自动化漏洞扫描流程、节省合规周期的时间,并让您调动起 IT 团队的积极性。

购买多年期许可,即享优惠价格添加高级支持功能,获取一年 365 天、一天 24 小时的电话、社区和聊天支持。

选择您的许可证

购买多年期许可,即享优惠价格

添加支持和培训

Tenable.io

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。

Tenable.io Vulnerability Management 试用版还包括 Tenable Lumin、Tenable.io Web Application Scanning 和 Tenable.cs Cloud Security。

Tenable.io 购买

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。 立即购买年度订阅。

65 项资产

选择您的订阅选项:

立即购买

试用 Tenable.io Web Application Scanning

完整享有专为现代化应用程序而设、属于 Tenable.io 平台组成部分的最新 Web 应用程序扫描功能。可安全扫描全部在线资产组合的漏洞,具有高度准确性,而且无需繁重的手动操作或中断关键的 Web 应用程序。 立即注册。

Tenable Web Application Scanning 试用版还包括 Tenable.io Vulnerability Management、Tenable Lumin 和 Tenable.cs Cloud Security。

购买 Tenable.io Web Application Scanning

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。 立即购买年度订阅。

5 个 FQDN

$3,578

立即购买

试用 Tenable.io Container Security

完整获得已集成至漏洞管理平台之唯一容器安全产品的功能。监控容器映像中的漏洞、恶意软件和策略违规。与持续集成和持续部署 (CI/CD) 系统进行整合,以支持 DevOps 实践、增强安全性并支持企业政策合规。

购买 Tenable.io Container Security

Tenable.io Container Security 经由与构建流程的集成,可供全面了解容器映像的安全性,包括漏洞、恶意软件和策略违规,借以无缝且安全地启用 DevOps 流程。

试用 Tenable Lumin

通过 Tenable Lumin 直观呈现及探索 Cyber Exposure,长期追踪风险降低状况,并比照同行业者进行基准度量。

Tenable Lumin 试用版还包括 Tenable.io Vulnerability Management、Tenable.io Web Application Scanning 和 Tenable.cs Cloud Security。

购买 Tenable Lumin

联系销售代表,了解 Lumin 如何帮助获取整个企业的洞见并管理网络安全风险。

试用 Tenable.cs

获取检测和修复云基础设施错误配置以及查看运行时漏洞的完全访问权限。立即注册,免费试用。

Tenable.cs Cloud Security 试用版还包括 Tenable.io Vulnerability Management、Tenable Lumin 和 Tenable.io Web Application Scanning。

联系销售代表购买 Tenable.cs

联系销售代表,了解有关 Tenable.cs 云安全的更多信息,并了解如何轻松加入您的云帐户,并在几分钟内获得云错误配置和漏洞的可见性。

免费试用 Nessus Expert

免费试用 7 天

Nessus Expert 针对现代攻击面而量身打造,可以查看更多信息,保护企业免遭从 IT 到云中漏洞的攻击。

已经有 Nessus Professional?
免费升级到 Nessus Expert 7 天。

购买 Nessus Expert

Nessus Expert 针对现代攻击面而量身打造,可以查看更多信息,保护企业免遭从 IT 到云中漏洞的攻击。

选择您的许可证

促销价格已延长到 2 月 28 日。
购买多年许可证,节省幅度更大。

添加支持和培训