Managing Log4j 2 Risk: Continuous Monitoring is the First Step

So What Exactly Happened with Log4j 2 (Log4Shell?)

Log4j 2 is the affected software. Written in the Java programming language, it logs user activity on computers. It is developed and maintained by a handful of volunteers under the open-source Apache Software Foundation and is extremely popular with commercial software developers. It runs across many platforms, including Windows, Linux and Apple’s macOS, powering everything from webcams to medical devices. The flaw in Log4j lets internet-based attackers easily seize control of the systems it runs on. Simply identifying which systems use the utility is a challenge; it is often hidden under layers of other code.

By now, you’ve probably read about the vulnerability in the Log4j application. In case you missed it, the top U.S. cybersecurity defense official, Jen Easterly, deemed the flaw “one of the most serious I’ve seen in my entire career, if not the most serious” in a call Monday with state and local officials and partners in the private sector. Publicly disclosed last Thursday, it’s an open door for criminals because it allows easy, password-free entry to nearly everything. The affected software is small and often undocumented. This means bad actors are going to go big on these exploits.  

Patching is a mandatory first step, but it definitely cannot be the only action you take. With reports of exploits existing weeks before the vulnerability was announced, you have to seriously consider that something might have already slipped through the cracks.
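One concrete way to attack the inventory problem described above, as an added example that is not from the original post or from Sonrai: a small Python scanner that walks nested JAR/WAR/EAR archives and reports every embedded log4j-core, keyed on the presence of the JndiLookup class and the Maven version metadata the jar bundles. The fixture archive and the version string it carries are constructed for the demonstration.

```python
import io
import zipfile
from typing import List, Tuple

# Archive types that may embed other archives (fat jars, wars, ears).
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# This class is present in log4j-core builds that still ship the JNDI lookup;
# removing it from the jar is one of the documented mitigations.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def _version_from(zf: zipfile.ZipFile) -> str:
    """Read the log4j-core version from its bundled pom.properties, if present."""
    try:
        props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
    except KeyError:
        return "unknown"
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return "unknown"

def scan_archive(data: bytes, path: str, depth: int = 0, max_depth: int = 8) -> List[Tuple[str, str]]:
    """Walk nested archives; return (path chain, version) for every log4j-core found."""
    hits: List[Tuple[str, str]] = []
    if depth > max_depth:
        return hits                      # guard against pathological nesting
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits                      # not an archive (or corrupt): nothing to inspect
    with zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names:
            hits.append((path, _version_from(zf)))
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                hits.extend(scan_archive(zf.read(name), f"{path}!{name}", depth + 1, max_depth))
    return hits

def build_sample_war() -> bytes:
    """Constructed fixture: app.war wrapping WEB-INF/lib/log4j-core-2.14.1.jar."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")          # placeholder class bytes
        z.writestr(POM_PROPERTIES, "version=2.14.1\n")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
    return outer.getvalue()
```

To run it over a real deployment, read each artifact from disk and pass its bytes and filename to `scan_archive`; the path chain in each hit tells you which nested layer carries the library.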

The biggest threat with Log4j is that bad actors have already gotten access to your environment, and if they are smart, your enterprise may not know it. With this vulnerability, periodic audits will no longer work; continuous monitoring and auditing are what will help. “You are not going to stop the risk,” said Sandy Bird, CTO and Co-Founder of Sonrai Security. “The best your organization can do is keep the blast radius contained.”

In a modern cloud environment there are often tens of thousands of pieces of compute, each with a corresponding identity, and the bad actor is quietly doing reconnaissance and waiting for the right moment to make the next move. Your organization is in a real-life chess match. So how do you find risks, as well as the bad actors, before they do some real damage?

Five Steps to Continuous Monitoring & Audit

First Move: Discovery

Inventory your Identities and their effective (end-to-end) permissions. With an identity inventory and each identity’s effective permissions (entitlements), organizations can determine what data each identity can access, along with context such as how it can access the data and what it can potentially do with it. With this continuous visibility, you can see security drift and alert on it.

Next, determine the VMs where those Identities are in use. With this visibility, teams can effectively determine where they have risks and then, in turn, manage the risks to ensure that the VM and the data within it stay secure.

Last, use a CIEM tool to automatically map out and visualize your cloud to identify all data stores and resources and the effective permissions of every identity. Sonrai Security, for example, grabs all the audit logs plus targeted API calls (as necessary) to get more details. Sonrai Dig’s graph with patented analysis provides a comprehensive risk assessment, enabling you to set the security baseline for what you will continuously monitor for continuous audit. 

Second Move: Classify

Describe what your data is specifically. Identify data based on criteria such as sensitivity (credit card numbers) or PII (names, addresses, phone numbers). You should also be able to classify data based on organizational needs with custom classifiers. Establish what crown jewels are in your environment. Ideally, you will be able to normalize, i.e., standardize your data findings, across clouds.  

Third Move: Lock it Down

Just like you would put your most valuable possessions in a safe, secure your crown jewel data – such as sensitive PII – through lockdown. Taking highly sensitive data and locking it down means you’re setting security controls (policies) that prevent certain behaviors, such as access to crown jewel data by specific roles and identities.

CheckMate: Protection

Through the continuous audit, monitor your environment with change detection for when there is drift from your security baseline. Sonrai Security, for example, provides a 24/7, 365 timeline of what has changed, so you can set controls to remediate the risk. The responsible team(s) are alerted to such changes.

Game Over: Prevention

Through continuous monitoring, with your security baseline established and teams ready to go, it’s game over for the bad guys. Not only can you detect drift from your security baseline with change detection, but you can also prevent the change from ever happening.
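The five moves above reduced to a runnable illustration (added here; not Sonrai Dig’s code or its data model): a Discovery baseline of identities and their effective permissions, a constructed crown-jewel list and lockdown allow-list, and a Protection check that flags new identities, added or removed permissions, and any identity that has gained a path to crown-jewel data. All identity names, actions and resources are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Effective-permission model used here: identity -> {(action, resource)}.
Entitlements = Dict[str, FrozenSet[Tuple[str, str]]]

# Classify: constructed crown-jewel data stores.
CROWN_JEWELS = frozenset({"s3://payments-cardholder-data", "rds://customer-pii"})
# Lock it Down: constructed allow-list of the only identities permitted to reach them.
ALLOWED_ON_CROWN_JEWELS = frozenset({"role/payments-processor", "role/dba"})

@dataclass(frozen=True)
class Finding:
    identity: str
    kind: str    # new_identity | removed_identity | permission_added | permission_removed | lockdown_violation
    detail: str

def detect_drift(baseline: Entitlements, current: Entitlements) -> List[Finding]:
    """Protection: diff the latest entitlement snapshot against the security baseline."""
    out: List[Finding] = []
    for ident in sorted(current.keys() - baseline.keys()):
        out.append(Finding(ident, "new_identity", f"{len(current[ident])} permission(s)"))
    for ident in sorted(baseline.keys() - current.keys()):
        out.append(Finding(ident, "removed_identity", ""))
    for ident in sorted(baseline.keys() & current.keys()):
        for action, res in sorted(current[ident] - baseline[ident]):
            out.append(Finding(ident, "permission_added", f"{action} on {res}"))
        for action, res in sorted(baseline[ident] - current[ident]):
            out.append(Finding(ident, "permission_removed", f"{action} on {res}"))
    return out

def lockdown_violations(current: Entitlements) -> List[Finding]:
    """Lockdown check: any identity outside the allow-list with a path to a crown jewel."""
    return [Finding(ident, "lockdown_violation", f"{action} on {res}")
            for ident, perms in sorted(current.items())
            for action, res in sorted(perms)
            if res in CROWN_JEWELS and ident not in ALLOWED_ON_CROWN_JEWELS]

# Constructed snapshots: the Discovery baseline, then a later snapshot in which a new
# compute identity appeared and the web role gained a path to cardholder data.
BASELINE: Entitlements = {
    "role/payments-processor": frozenset({("s3:GetObject", "s3://payments-cardholder-data")}),
    "role/dba": frozenset({("rds-db:connect", "rds://customer-pii")}),
    "role/web-app": frozenset({("s3:GetObject", "s3://static-assets")}),
}
CURRENT: Entitlements = {
    "role/payments-processor": frozenset({("s3:GetObject", "s3://payments-cardholder-data")}),
    "role/dba": frozenset({("rds-db:connect", "rds://customer-pii")}),
    "role/web-app": frozenset({("s3:GetObject", "s3://static-assets"),
                               ("s3:GetObject", "s3://payments-cardholder-data")}),
    "role/ci-runner-7": frozenset({("sts:AssumeRole", "role/dba")}),
}
```

Running `detect_drift(BASELINE, CURRENT)` surfaces the unexpected compute identity and the web role’s new permission, and `lockdown_violations(CURRENT)` is the policy check that would block the web role’s path to cardholder data before it is used.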

Start Managing Log4j 2 Risk

A proper continuous monitoring and audit tool can bring an immediate sense of security. Analyzing and reporting, two of the most demanding parts of the process, become straightforward with all the data organized and laid out for review. Teams can quickly gather and analyze data risk on activities while they’re still occurring.

Practical continuous audit techniques include:

  1. Identify the high priority areas of your operation
  2. Determine the rules for continuous auditing and monitoring
  3. Determine the process frequency
  4. Configure parameters and execute the audit
  5. Manage, analyze, and report the results
  6. Follow up on flagged areas with the right sense of urgency
  7. Identify and assess any emerging risks for addition to future audit and risk assessments

Continuous auditing goes beyond simply detecting risk. It provides security teams with emerging insights into the risk landscape. For example, a company may detect continuous access from an IP address outside of approved regions, implement controls, then continuously monitor for misconfigurations.

Sonrai Security comes out of the box with established frameworks (such as NIST, HIPAA, PCI, and other compliance reporting) and the ability to customize frameworks. Teams will remain empowered to direct policy and stay ahead of the curve. 

Prevent Misconfigurations

According to IBM Security, the top risk factors that organizations face when adapting to the cloud include fundamental security issues such as governance and misconfigurations. Cloud misconfigurations increase risk and occur silently in the background, undiscovered until bad things occur. For example, a popular online gaming site recently misconfigured its Elasticsearch server, exposing the personal details of 66,000 users.

Organizations should have the ability to identify possible misconfigurations before they get discovered – preventing costly breaches.

Risk and Security Monitoring

Companies should be able to track and manage identities to prevent improper data access. It’s easier said than done due to the sheer volume of non-person identities created in most environments. For example, it’s not uncommon for an enterprise to have thousands of person identities and tens of thousands of non-person identities in their environment.

What Kind of Solution Do You Need for Continuous Audit?

Continuous audit entails ongoing monitoring with reporting on the state of security of your environment, based on any change from the state that you set with your security controls. The tool should have the capability to deconstruct workloads, understand frameworks as they relate to identities and data, and automatically apply remediation and protection controls continuously. The solution should also provide robust reporting, communicating risk widely to security teams and auditors. 

You no longer need to wait for your next security audit to see what to fix to continue passing your audits. Today’s leading enterprises use Sonrai Dig to improve security, ensure compliance and increase operational efficiencies for their AWS, Azure, GCP, and other cloud platforms. To learn more about how Sonrai Dig can help your organization continuously reduce risk, request a demo today.

*** This is a Security Bloggers Network syndicated blog from Blog - Sonrai Security authored by Eric Kedrosky. Read the original post at: https://sonraisecurity.com/blog/log4j-risk-2/