Taking on a Zero Day with Intelligence
The situation described here does not come from the ivory tower; instead it comes from the real world and shows how to rapidly and efficiently address a zero-day vulnerability.
Last week there was some very unwelcome news for security engineers. Another Microsoft Internet Explorer (IE) zero-day vulnerability (2013-3893) was announced, with the double whammy that there were active exploits on the World Wide Web. The general recommendation – as you’d expect – was to:
- Only visit trusted websites
- Avoid any websites that might be malicious
All very sensible and pragmatic. But in reality, you are probably already overwhelmed with patching; you might have 1000’s of machines with this vulnerability, with 1000’s of users with possible click-happy tendencies. All of this adds up to a major security nightmare. Not only do you have all of those machines to patch, but you don’t know which ones might have already been exploited. On top of that you have a bunch of users to herd that are well meaning but uneducated, and you need to prevent any further exploits from happening until you eventually get everything patched.
So you formulate a cunning plan:
- Email an alert to users saying ‘Please be careful’
- Scan your network for the vulnerability
- Embark upon patching the assets that have the vulnerability
And then you promptly recognize the following critical flaws in the cunning plan:
- 90% of your email alerts will get a cursory glance and then be consigned to the deleted folder
- The scan itself will potentially take several days
- Your patching schedule is already packed, how can you fit this in?
Thus leading to cunning plan B:
- Hope for the best until your next scheduled patch deployment
A more intelligent approach
Alternatively, you might be considering a more intelligent approach. We like to call it the Swiss Army Knife of Security.
It is a more comprehensive approach to help you manage vulnerabilities, and respond to security incidents in a fast and efficient way. An incident isn’t always an attack or some form of anomalous network behavior; it can often be the sudden realization that you have a significant security weakness in your network and need to respond to it as quickly and effectively as possible, such as an IE zero-day announcement.
A real-life experience
Let’s walk through a real-life experience of this intelligent approach. When the IE zero-day vulnerability was first announced, QRadar Vulnerability Manager (QVM) already knew which assets had IE installed based on a previous scan. QVM’s “early alert” functionality prevented the need to re-scan and detect the IE zero-day vulnerability. So when the zero-day was published, QVM knew there were approximately 1200 instances in the network. This may sound routine, but the customer didn’t have to wait a day or so to scan for the vulnerability, but any vulnerability scanning and management product worth its salt should have been able to do the same.
So it looks like the customer had to patch 1200 assets? Not so fast. Of the 1200, the next thing to determine was if there had actually been any Web traffic to or from those assets in the last month or so that indicated IE was in use. When time is limited, you want to patch what is most likely to be exploited, and not waste time patching assets that are at low risk of exploitation. If an asset with a Web vulnerability is ever going to be low risk, it is one where there hasn’t been any web traffic to or from it. With QVM the answer was just a click away. Why? Because it is part of the QRadar Security Intelligence Platform which can see all traffic on the network. It turned out in this case that nearly 20% of those assets didn’t have any web traffic in the last month. IE was installed but was never used. Ironically a ‘stand-alone’ vulnerability product would typically tell you to patch those first because they would be ranked as most important.
Ok, so 1200 targets down to around 1000, Did the customer patch? No, QRadar Security Intelligence wasn’t finished yet. Not by a long shot.
The exploit for this vulnerability comes from malicious sites and IPs, so it was really important to know which sites and IPs were harmful, and which vulnerable assets had been communicating with them. IBM QRadar, thanks to our IBM Security X-Force team, has a continuously updated database of malicious internet IPs and Web sites. Also, because QRadar sees everything on the network through log and network flow analytics, it knew which assets had been communicating with those harmful IPs and Web sites. So with a couple of clicks, QVM correlated the vulnerable asset list with the list of assets that had been communicating with the potentially malicious locations on the internet.
The initial list of about 1200 assets that needed to be patched suddenly dropped to less than 50. And, crucially, these 50 are the most likely to be exploited. This is a huge reduction in cost and risk, and a big improvement in efficiency. And it is possible because QVM is an integrated part of the IBM QRadar Security Intelligence Platform, and receives vital network context from QRadar.
Now imagine if all those vulnerabilities were automatically risk adjusted based on the above, and your recommended patching strategy was seamlessly updated as a result. Oh and what if you had access to a real-time monitoring system where those 50 assets automatically go on a watch list and are very closely monitored for anything that looked suspicious for the foreseeable future. Sounds like another job for QRadar.
Wouldn’t that be good? And very cunning indeed. And you can patch the other 1150 as time allows. Those are just some of the reasons I think the future is bright and we are here to help. If you have any questions just let me know in the comments below.