In December 2021, the Log4j vulnerability caused a stir in the media. Even though the danger to our customers has been averted, what lessons can we learn from it, and can the findings be applied to other current threats? Vinzenz Vogel and Kevin Rossi, both Security Solution Engineers at United Security Providers, look back, put the situation into context and venture a look into the future.
Log4j with global impact
In December last year, news about Log4j was all over the media, and not without reason. The vulnerability, known as Log4Shell (CVE-2021-44228), allows remote code execution in the widely used Apache Log4j 2 logging library: it is enough for an attacker-controlled string containing a JNDI lookup such as ${jndi:ldap://...} to be written to a log. Over the following days the severity, scope and impact steadily grew, and it became clear that millions of devices and networks were acutely at risk. A race began between those closing the vulnerability and those finding new evasion and attack tactics, for example by obfuscating the lookup with nested expressions so that simple pattern matches no longer caught it.
The Swiss National Cyber Security Center NCSC warned that critical infrastructure could be attacked and published a blog post with instructions on how to fix the Log4j vulnerability, while the German Federal Office for Information Security BSI declared the highest warning level. All these reports reminded people outside our industry just how vulnerable and interconnected technology can be and how important it is to protect it.
Image: Govcert.ch, NCSC
Even though the immediate danger has been averted, it is still necessary to locate and close vulnerable installations and to monitor network access permanently in order to defend against the attacks that are still coming. This will be a major challenge, particularly for small and medium-sized enterprises (SMEs), whose IT and security teams have limited resources and may need to focus on other issues.
Log4j – Advantage for companies with a managed security service
Companies that rely on 24/7 monitoring of their networks have a clear advantage. Managed security services detect and rectify security gaps, monitor networks and IT systems and actively combat cyber attacks. At United Security Providers, for example, the tasks of the Security Operations Center (SOC) are not limited to detecting cyber threats, but also include analyzing them, investigating the source, reporting vulnerabilities and preventing similar incidents in the future.
The Log4j situation also showed how important a complete overview of the IT landscape is, including the libraries bundled inside applications, so that patches can be applied where they are needed, and quickly.
Close security gaps quickly to give customers time
In our last blog post on Log4j, we described how we were able to react quickly to the vulnerability. An interdisciplinary team was assigned to the Log4j issue and was responsible, among other things, for tracking changes to the OWASP ModSecurity Core Rule Set, which we used for virtual patching. Rapid virtual patching in the Web Application Firewall (SES WAF) of our USP Secure Entry Server® (USP SES) blocked exploit attempts at the perimeter and gave our customers the time they needed to analyze and update their IT systems.
Fortunately, the rules we introduced produced very few false positives, and those we were able to resolve quickly with individual exceptions. Looking back, it is clear that our customers could fully rely on our role as the “first line of defense”.
Upstream authentication protects
The Log4j vulnerability also confirmed another finding: upstream authentication, for example the Web Application Firewall (SES WAF) in combination with SES ACCESS, offers strong protection against external attacks. This applies in particular to vulnerabilities like Log4Shell, where it is enough for a single attacker-controlled part of the request, such as a User-Agent header or a query parameter, to be logged by the backend; no valid login is needed to trigger it. With upstream authentication, a request without valid credentials is stopped at the SES WAF component and never reaches the backend, so its headers and parameters are never written to the backend's logs. Two caveats apply: the components in front of the application must not themselves log request data through a vulnerable Log4j, and authenticated users (and whatever they submit) still reach the backend, so authentication complements patching rather than replacing it.
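The interplay of the two defences described in the last two sections, the virtual patch with its individual exceptions and the authentication step in front of it, as an added example from the editor. This is not USP SES/ACCESS code and not the OWASP CRS rules; the request shape, the paths, the session token and the `/api/templates` exception are assumptions for illustration, and the normalisation covers only the `${lower:..}`, `${upper:..}` and `${x:-y}` obfuscations, not every Log4j lookup.

```python
"""Model of the two defences discussed above: a virtual patch in the WAF and
authentication in front of the backend.  Editor's example, not USP SES/ACCESS
code and not the OWASP CRS rules; request shape, paths, session tokens and
the '/api/templates' exception are assumptions for illustration."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Request:
    path: str
    headers: Dict[str, str]
    body: str = ""
    session: Optional[str] = None  # cookie checked by the upstream auth component


# Innermost ${...} lookup, i.e. one with no nested braces inside it.
_LOOKUP = re.compile(r"\$\{([^${}]*)\}")


def _resolve(m: "re.Match[str]") -> str:
    """Resolve the lookups attackers use to hide the literal 'jndi:'.

    Only ${lower:..}, ${upper:..} and the default-value form ${x:-y}
    (including ${::-j}) are handled; real Log4j has more lookups and real
    CRS rules cover more variants, so treat this as the idea, not a rule set.
    """
    body = m.group(1)
    if ":-" in body:                        # ${env:NOPE:-j} and ${::-j} -> "j"
        return body.split(":-", 1)[1]
    prefix, sep, value = body.partition(":")
    if sep and prefix.lower() == "lower":
        return value.lower()
    if sep and prefix.lower() == "upper":
        return value.upper()
    return m.group(0)                       # jndi:, env:, ... left as they are


def normalize(s: str, max_rounds: int = 20) -> str:
    """Collapse nested lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        new = _LOOKUP.sub(_resolve, s)
        if new == s:
            break
        s = new
    return s


def naive_hit(s: str) -> bool:
    """A first-day signature: matches only the unobfuscated payload."""
    return "${jndi:" in s.lower()


def virtual_patch_hit(s: str) -> bool:
    """The strict rule: match after normalisation, so obfuscation does not help."""
    return "${jndi:" in normalize(s).lower()


# Paths where ${...} is legitimate application syntax (an assumed false
# positive of the broad rule, handled with an individual exception).
WAF_EXCEPTIONS: Set[str] = {"/api/templates"}


def waf_decision(req: Request) -> str:
    """Return 'block' or 'pass' after inspecting every field a backend might log."""
    fields = [req.path, req.body, *req.headers.values()]
    if any(virtual_patch_hit(f) for f in fields):
        return "block"                       # strict rule, never excepted
    if req.path not in WAF_EXCEPTIONS and any("${" in f for f in fields):
        return "block"                       # broad rule: any lookup syntax
    return "pass"


@dataclass
class Backend:
    """Stand-in for an application whose logger would expand ${jndi:...}."""
    log: List[str] = field(default_factory=list)

    def handle(self, req: Request) -> int:
        # The vulnerable pattern: an attacker-controlled header ends up in a log line.
        self.log.append(f"GET {req.path} ua={req.headers.get('User-Agent', '-')}")
        return 200


def front_door(req: Request, backend: Backend, valid_sessions: Set[str]) -> int:
    """Order matters: authenticate, then apply the virtual patch, then forward."""
    if req.session not in valid_sessions:
        return 401          # stopped up front: nothing forwarded, nothing logged
    if waf_decision(req) == "block":
        return 403
    return backend.handle(req)
```

The point of `front_door` is the ordering: an unauthenticated request carrying `${${lower:j}ndi:ldap://...}` in its User-Agent is answered with 401 and the backend's log stays empty, which is exactly why the upstream authentication held up. The strict rule is never excepted, while the broad rule (any `${` in an inspected field) can be switched off per path, which is how the few false positives from template-style application syntax get their individual exceptions without weakening the Log4Shell check itself.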
Permanent monitoring is crucial
Looking ahead, it is already clear that rules against Log4Shell will be included in a future version of the ModSecurity Core Rule Set. We will leave our virtual patch in place and keep watching for new bypass variants so that we can react quickly if the rules need adjusting. This ensures that our customers retain a layer of protection even if a backend system was overlooked during the update process; it does not replace updating that system.
Would you also like to rely on 24/7 monitoring of your networks or do you have questions about our services? Then please contact us.
