Heartbleed Outpatient Care: Steps for Secure Recovery

ENTERPRISE THREAT GAP: DETECTION, REMEDIATION & PREVENTION

2

Ken WestinProduct Marketing ManagerSecurity Intelligence

Katherine BrocklehurstProduct Marketing ManagerSecurity Configuration Management

Ed SmithProduct Marketing ManagerVulnerability Management

Heartbleed Outpatient Care: Steps for Secure RecoveryEnterprise Threat Gap: Detection, Remediation & Prevention

3

Agenda

• Heartbleed – what is it, how did it happen, and how can it be used against you

• How to identify your business exposure

• What systems are vulnerable and what you can do to check for Heartbleed

• How Tripwire’s solutions work together on detection, prevention, and remediation for Heartbleed

4

What Is Heartbleed?

• OpenSSL vulnerability

• Affects 2/3 of Internet and more

• Active exploits in the wild

• You may have already been compromised

CVE-2014-0160

5

OpenSSL Flaw

How Does Heartbleed Work?

Source: xkcd.com/1354/

6

OpenSSL Flaw

How Does Heartbleed Work?

Source: xkcd.com/1354/

7

Timeline

RECON/ENUMERATIONWEAPONIZATION

EXPLOITATIONCOMMAND &

CONTROLACTIONS/

EXFILTRATION

Cyber Kill Chain: Sophisticated Attacks

Cyber Kill Chain® is a registered trademark of Lockheed Martin

8

Heartbleed Exploit ExampleLive Exploit

9

Cyber Kill Chain Not Required- NO INDICATORS

- SIMPLE EXPLOIT

- EVERYWHERE

Cyber Kill Chain® is a registered trademark of Lockheed Martin

Timeline

RECON/ENUMERATIONWEAPONIZATION

EXPLOITATIONCOMMAND &

CONTROLACTIONS/

EXFILTRATIONX X X

10

Who Was Affected….

11

Who Was Affected….

Who Wasn’t?

12

Enterprise Threat Gap

DETECTION

REMEDIATION

PREVENTION

Prevention GapTime to put preventative

measures in place to avoid repeated attacks

Can we avoid this happening again?

Remediation GapTime between discovery to remediation to limit damage

How bad is it?

Detection GapTime between actual breach and discovery

Have we been breached?

13

• Correlation content now available now for IDS/IPS: Cisco, Sourcefire/SNORT, McAfee, Palo Alto

• Create alerts, automate remediation and share reports on Heartbleed exploit attempts

REAL-TIME HEARTBLEED EXPLOIT DETECTION

DETECTION

14

Exploit

Heartbleed Detection with Tripwire Log CenterIDS Correlation and Reporting

Intrusion Detection

15

Exploit

!

Heartbleed Detection with Tripwire Log CenterIDS Correlation and Reporting

Vulnerable Host

Intrusion Detection

16

Exploit

!

Actions & Alerts

Heartbleed Detection with Tripwire Log CenterIDS Correlation and Reporting

Reporting

Vulnerable Host

Intrusion Detection

17

Intrusion Detection

ExploitVulnerable Host

Actions & Alerts

Intelligent Vulnerability ManagementTripwire Log Center + Tripwire IP360

• Vulnerabilities of attacked host• Business value of target asset

!

18

• Automated inventory of devices and applications to know what’s on your network

• Continuous detection of Heartbleed and 60,000 other vulnerabilities

AUTOMATED SCANNING FOR CONTINOUS PREVENTION

PREVENTION

19

Heartbleed Is Not a Single “Bug”

20

There are Different Breeds of the Heartbleed Bug

21

The Heartbleed Bug Doesn’t Just Live in Perimeter Networks…

22

Heartbleed Also Thrives Inside Corporate Networks and Datacenters

23

Heartbeat Feeds On OpenSSL v1.0.1 - 1.0.1f

Critical Security Control 1&2:

Inventory of Authorized and Unauthorized Hardware and Software

24

Where is OpenSSL on Your Network?

Heartbeat Feeds On OpenSSL v1.0.1 - 1.0.1f

Critical Security Control 1&2:

Inventory of Authorized and Unauthorized Hardware and Software

25

Where is OpenSSL on Your Network?

Heartbeat Feeds On OpenSSL v1.0.1 - 1.0.1f

Perimeter Networks• Web Servers• Email

Servers• FTP Servers

Critical Security Control 1&2:

Inventory of Authorized and Unauthorized Hardware and Software

26

Where is OpenSSL on Your Network?

Heartbeat Feeds On OpenSSL v1.0.1 - 1.0.1f

Perimeter Networks• Web Servers• Email

Servers• FTP Servers

Datacenter• Databases• Application

Servers

Critical Security Control 1&2:

Inventory of Authorized and Unauthorized Hardware and Software

27

Where is OpenSSL on Your Network?

Heartbeat Feeds On OpenSSL v1.0.1 - 1.0.1f

Perimeter Networks• Web Servers• Email

Servers• FTP Servers

Datacenter• Databases• Application

Servers

Internal Network• Operating

Systems• VPN Clients

Critical Security Control 1&2:

Inventory of Authorized and Unauthorized Hardware and Software

28

Scan Perimeter Networks to find Heartbleed bugs exposed to the public internet

Add TRIPWIRE LOGO TO SCANNER

29

Scan Internal Networksto find Heartbleed bugs hackers can leverage

30

Remote Checks look for Heartbleed Bugs Exposed to the Network

31

Local Checks Use Administrative Credentials Closely Inspect Machines

32

Automated Scanning Offers Continuous Prevention

33

Not a Tripwire Vulnerability Management Customer?

• Free for up to 100 IPs, up to 4 times a month• Automated Scanning for Internal Networks• Remote and Local Heartbleed Checks• Scan Web, FTP, IMAP, POP3, XMPP, and SMTP services for Heartbleed

vulnerabilities

Scan For Heartbleed Today: www.tripwire.com/securescan

34

35

36

37

38

39

40

41

Remote Checks

Network Services Vulnerabilities

Local Checks

Software Vulnerabilities

• Heartbleed TLS• Certificate Risks• XMPP• POP3• IMAP• FTP

• SMTP• Juniper• Debian• PostgreSQL

• OpenSUSE• Oracle Linux• Ubuntu• CentOS• Red Hat• OpenVPN

Tripwire Heartbleed Vulnerability Coverage

42

Remote Checks

Network Services Vulnerabilities

Local Checks

Software Vulnerabilities

• Heartbleed TLS• Certificate Risks• XMPP• POP3• IMAP• FTP

• SMTP• Juniper• Debian• PostgreSQL

• OpenSUSE• Oracle Linux• Ubuntu• CentOS• Red Hat• OpenVPN

Tripwire Heartbleed Vulnerability Coverage

THE CHECKS ABOVE ARE ALL FOR HEARTBLEED

43

Healing Heartbleed

If You Do Detect Heartbleed:

• Update OpenSSL to 1.0.1g+

• Contact the Vendor for a Fix

• Update or revoke your certificates as a precaution

• If appropriate, ask or require users to revise their passwords

44

Prevention Recap

.1

• Know What You Have and Where OpenSSL Lives

2• Check both Perimeter and

Internal Networks

3• Patch both Remote and Local

Vulnerabilities

45

Tripwire Vulnerability Management

• Heartbleed coverage released April 9th

• Additional Heartbleed checks released April 15th • 17 Remote and Local Heartbleed Checks for Web, FTP, IMAP, POP3,

XMPP, and SMTP services for Heartbleed vulnerabilities• On-premise solution with optional cloud-based perimeter scanning

Learn More & Request a Demo: www.tripwire.com

46

Intrusion Detection

ExploitVulnerable Host

Actions & Alerts

Intelligent Vulnerability ManagementTripwire Log Center + Tripwire IP360

• Vulnerabilities of attacked host• Business value of target asset

!

47

ExploitVulnerable Host

Actions, Alerts & Reporting

Bridging the Threat GapTripwire Log Center + Tripwire IP360 + Tripwire Enterprise

Intrusion Detection

!

48

How Bad Is It?

Identified inventory of affected systems applications, network devices, operating systems, databases, file systems, servers, desktops, mobile devices, etc…..

Post-Heartbleed Safety

REMEDIATION

49

X X

X X

X X

X X

X XX X

50

The Green Laser Trip Wire

51

52

53

Now the issue is watching for change Unauthorized

Authorized

File integrity and change control What Changed

When

By Whom

Remediation can be immediate and automated Return to baseline – built in rules / custom rules

Policy Compliance

Reducing the Threat Gap

Post-Heartbleed Safety

REMEDIATION

54

Tripwire Enterprise (TE) Results

55

DETECTION

REMEDIATION

PREVENTION

56

DETECTION

REMEDIATION

PREVENTION

• Keep Watchful• Use auto-remediation if warranted back to known good configurations

• Scan and discovery• Inventory of

hardware and software assets

• Pinpoint Heartbleed wherever it may be

• Receive input from other systems

• Intelligently alert, take action, and report on indicators of compromise

57

Other Resources• SecureScan (Free Heartbleed Network Scanner)

http://www.tripwire.com/securescan

• Tripwire VERT Heartbleed Researchhttp://www.tripwire.com/vert/heartbleed/

• Detecting Heartbleed Exploits in Real-Timehttp://www.tripwire.com/state-of-security/incident-detection/heart-attack-detect-heartbleed-exploits-in-real-time-with-active-defense/

• Blogpost on checking home routers for Heartbleedhttp://www.tripwire.com/state-of-security/security-data-protection/heartbleed-and-your-soho-wireless-systems/

• Tripwire Customer Portalhttp://www.tripwire.com (select Customer Support at top)

• OpenSSL.org – advisories, news, and further detailhttps://www.openssl.org/news/secadv_20140407.txt

• www.heartbleed.com

• CVE details at Mitre.org - Common Vulnerabilities and Exposures (CVE)https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

tripwire.com | @TripwireInc

Q & A?

THANK YOU!

59

Tripwire’s Solution Breadth Heartbleed – Detection, Remediation, Prevention

• Possible Heartbleed?• Scan and discovery• Inventory hardware and

software assets

• Other Heartbleed Indicators?

• Receive and intelligently alert on indicators of compromise

• Post-Heartbleed?• Keep Watchful• Use auto-remediation if warranted • back to known good configurations