When DHS published their Emergency Directive covering CVE-2020-1472 on September 18, it got a lot of people’s attention – not that DHS was requiring their agencies to patch vulnerable systems, but that the runway to get it done was so short (less than 96 hours). In fact, the vulnerability was discovered over a month earlier and Microsoft released a patch on August 11. So why the directive a month later, and why were the endpoints not compliant with the CVE already? This is not meant to point a finger at one organization, because there are plenty of endpoints that go unpatched for months, or in some cases, years (average is ~200 days), but it is a chance to look at the remediation process and explore a few steps we can all employ to make it better.
Step one is an obvious one: scan your environment for vulnerabilities and pay attention to your vulnerability scanner results. Most organizations employ some sort of scanner, so run the scan and analyze the results. Remember however, the scan is run at a point in time, so anything can happen after the scan (and if you scan monthly, you might miss a vulnerability like CVE 2020-1472!). We’ll get to how you can overcome that issue in a bit.
Defense in Depth
Step two is probably pretty obvious as well – sometimes it’s good to have more than one tool to ensure you get the job done. There’s nothing wrong with having two tools that seemingly do the same thing, especially if they do it different ways. For example, you might run a vulnerability scan once a month, but a patch compliance scan once a week. With some exceptions you’re pretty much looking for the same thing: holes in your defense, your security perimeter. No, you don’t have to go broke purchasing every security tool on the market, but redundancy is not a bad thing.
Remediate the Vulnerabilities
This one seems simple enough when in fact it’s the one that trips us up – and it’s the heart of the matter regarding CVE-2020-1472. DHS would not have issued the directive if they were compliant with the CVE if all of their applicable endpoints were patched. And this seems to be the case so many times, whether it’s a security patch or a configuration item. When a vendor like Microsoft or RedHat comes out with a patch, we need to apply it as soon as possible, and here’s why: software vendors don’t always find their own flaws; often times these vulnerabilities are discovered in the wild by administrators and folks who make a living looking for vulnerabilities – including bad actors. So when the patch is released, it’s already a known vulnerability, including a description of the vulnerability, and often times a description of the exploit. That’s like losing the keys to your brand-new car in the garage where you parked! All a thief has to do is walk around a little bit clicking the fob and listening for the car to respond, “Here I am!”
There are processes, change control, maintenance windows and other things that factor into the equation, so it’s not quite as simple as just patch! But we need to do a better job remediating vulnerabilities we already know about. And once we remediate the vulnerabilities, we need a mechanism to make sure they stay remediated!
So what else can we do to make sure we see the vulnerabilities at hand, respond to those vulnerabilities, and keep our environment compliant afterward?
Add BigFix to your Toolset
This is where BigFix comes in. BigFix is a security platform that provides the IT Security manager continuous visibility into vulnerabilities and enables the IT Operations team the tools required to respond to these vulnerabilities. By doing this, BigFix gives you the ability to maintain continuous compliance, not just at the enterprise level, but on every endpoint as well.
You see, BigFix doesn’t just check to see if a patch has been installed, it checks to see if the vulnerability exists. If you’ve ever used tools to patch a large organization, you know that not all patches take the first time. There are also situations where a patch may not install if a computer is pending a reboot, and instances where the patch appears to have installed but the installation wasn’t actually successful. When you add BigFix to the mix, you can not only deploy patches but you can check behind your deployment mechanism to see if the vulnerability was indeed remediated.
Address the Visibility Gaps
In the world of vulnerability remediation there are several visibility gaps. The first one, the one we alluded to earlier, occurs right after the vulnerability scan. We know the vulnerabilities that existed at scan time but nothing that happens afterward, because the scan is a snapshot in time.
The second visibility gap occurs while the operations team is performing their remediation process. Let’s say you start patching on a Friday night and you have until Sunday morning to complete the process. During this time the focus is on accomplishing the job at hand, not continuously stopping to run reports to assess your progress.
Unlike traditional point-in-time scanning tools, BigFix relies on a smart agent that’s continuously running in the background on your managed endpoints and reporting status as you patch – it can’t help it, that’s it’s job! So you don’t have to wait for the maintenance window to be over to run a report and find out how you did, because BigFix is going to let you know the status as it happens.
BigFix also has the ability to apply granular control to patching, like allowing you to retry failed patches automatically, and reboot in the middle of a patch cycle in order to apply that patch that checks for pending restart. In this way, BigFix closes this visibility gap by letting you see what’s going on as it happens, to keep you in charge of the remediation process.
The third visibility gap occurs between the close of the maintenance window and the next vulnerability scan. During this time, there is usually no mechanism to ensure the organization remains compliant until next time. That’s because things happen, as they say, that cause endpoints to become noncompliant. It could be installing software, changing an application setting, or even manipulating a configuration item. Yes, you can run a report and discover this new – or renewed – vulnerability, but there’s usually no mechanism to take care of it, except a notification to the end-user or waiting until the next maintenance window.
BigFix has the ability to enforce settings that you make, whether it’s a patch, a configuration item, or even a piece of software or an application setting. Because the agent runs in the background of your managed endpoints, it can automatically and autonomously enforce those things you don’t want to change. So if someone makes a setting change they aren’t supposed to, BigFix will change it back. If someone uninstalls required software, BigFix will reinstall it. And if something happens to an endpoint to re-introduce a vulnerability that you may have already patched, BigFix will alert you that the vulnerability exists. You can even use BigFix to reapply a patch if it becomes relevant on the endpoint again. Or you can wait until the next maintenance window or another appropriate time. But here’s the thing – you know about it! You’re not surprised the next time you scan and run a report. With BigFix, you just know.
BigFix In Action!
So let’s look at CVE-2020-1472 again and see how BigFix could have helped solve this, or any other vulnerability problem. As stated earlier, this is not an attack on DHS – we’re simply using this situation to as an illustration. With BigFix installed in the environment, you have a clear picture of the vulnerabilities at any time – no reports required, no emails, no stale data. Once you know this information, you can take action, using BigFix or the patch deployment tool of your choice, to install the patches to remediate the vulnerabilities. You can see at a glance, in real time, the progress of the remediation, putting you in charge of the process. And once the patches have been distributed and applied, you can enforce the remediated configuration so that your environment stays that way. No do-overs and no back-tracking.
Whether you have endpoint management tools in your environment that seem to work, or if you’re discovering some of the visibility gaps we discussed earlier, why not take a look at what BigFix can add to your toolset to help you maintain the right security posture. Visibility, Response and Enforcement – three great tools to reinforce your compliance posture. Because the only one making changes to your environment should be you.