How We Track Critical Vulnerabilities (4-part Blog Series)

Posted on 02.07.17 by Greg Pothier


This is the first of a four-part blog series exploring how we use the Tanium platform in our own organization. In this installment, SecOps Engineer Greg Pothier shares his story about how a Mac patching issue was resolved for 376 machines, all before the morning coffee had finished brewing.

When discussing operational hygiene, the first metric that oftentimes comes to mind is how many critical vulnerabilities exist across an enterprise. The danger is well known – consider the Verizon DBIR 2015 report, which found 99.9% of the exploited vulnerabilities were compromised more than a year after the Common Vulnerabilities and Exposures (CVE) was published.

In my experience as a SecOps Engineer, answering this most fundamental question has meant relying on network appliances and scans that take hours, days, or even weeks to complete, by which point the data collected is no longer current or accurate.

So, how do we provide this metric to our leadership at Tanium? We use Tanium! Tanium shines in its ability to provide both visibility and control of vulnerabilities at a speed and scale unmatched by any other tool I’ve used in the past. Let’s take a quick look at a recent example of how engineers leveraged Tanium to detect and respond to a recently published critical vulnerability affecting Apple’s Filevault full disk encryption for Macs.

In this scenario, our security team had been doing an effective job of ensuring all Macs across the enterprise were fully encrypted. We could verify this metric by running the Tanium question ‘Get FileVault Details from all machines’ and within 10 seconds we see 100% of our Mac assets are fully encrypted.

Screenshot 1

As any engineer knows, what’s patched and secured today might not be the same tomorrow. Such was the case when we came into work on a Tuesday in December and found Apple had released a patch for a vulnerability that completely subverted the full disk encryption provided by FileVault. Before we had our first cup of coffee, we received a call from leadership asking the inevitable questions: “Are we affected?” and “Is it fixed?”

Before Tanium, we would have had to embark upon an arduous process of hunting down potentially affected systems using multiple tools, keeping track on multiple Microsoft Excel sheets, and, if all went well, we’d hope to remediate most of the systems over the course of days, weeks, or even months. However, we had Tanium, and with it comes the ability to track and remediate critical vulnerabilities at scale in seconds.

As our morning coffee brewed, we ran the Tanium query “Get Mac Patch Available.” Within seconds we saw all the Mac systems check in with the available patches they had for download. Checking the Apple bulletin we found our patch.

Screenshot 2

As expected, Tanium showed the count of 376 Mac systems with the patch available.

Before the coffee was even ready, Tanium allowed us to accurately answer leadership’s first question of “Are we affected?” with an exact number. After identifying the systems, we then leveraged Tanium to apply the security fix, ensuring that our data was effectively secured and protected by full disk encryption.

After selecting the affected machines, we chose Deploy Action to apply the patch.

Screenshot 3

Because some users in our environment check in only now and then, not every system is online at any given moment. So we used Tanium to schedule this patch process as a recurring action that scans for unpatched systems every hour for the rest of the month. That way, the patch is applied to machines as they come online.

Screenshot 4

After deploying the patch, there were several ways to verify whether it had been applied. One was to check the action ID logs, which detail the results of the patching action we had just pushed. Or we could simply run the available-patch query again and confirm that the FileVault patch no longer showed as available, because it had been installed on all of the targeted machines, as shown below.

Screenshot 5
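The whole loop above (check encryption status, find which machines still list the patch, build the target set for the deploy action, re-run to verify) can be expressed in plain macOS commands. The following script is an added example, not Tanium’s own sensor or action code; it assumes the two Tanium questions roughly correspond to the output of `fdesetup status` and `softwareupdate -l`, embeds constructed sample outputs for three Macs so it runs on any POSIX shell, and uses `PLACEHOLDER-Security-Update` as a stand-in for the real Apple bulletin entry, which the post does not name.

```shell
#!/bin/sh
# Added example, not Tanium's own sensor or action code. Per-endpoint checks
# that roughly correspond to the "Get FileVault Details" and "Get Mac Patch
# Available" questions, plus the fleet roll-up that yields the "N systems
# affected" number. The raw outputs below are CONSTRUCTED samples; on a real
# Mac they would come from:
#   fdesetup status     (prints "FileVault is On." or "FileVault is Off.")
#   softwareupdate -l   (lists pending updates as "* <label>" lines)
# PLACEHOLDER-Security-Update stands in for the real update label.

# filevault_enabled <fdesetup output> -> yes|no
filevault_enabled() {
  case "$1" in
    *"FileVault is On."*) echo yes ;;
    *)                    echo no  ;;
  esac
}

# patch_available <softwareupdate -l output> <label> -> yes|no
# Only "* <label>" entries count, so a label mentioned in a description
# line does not produce a false positive.
patch_available() {
  if printf '%s\n' "$1" | grep -q -- "^ *\* .*$2"; then echo yes; else echo no; fi
}

# --- constructed fleet of three Macs ----------------------------------------
PENDING='Software Update Tool

Software Update found the following new or updated software:
   * PLACEHOLDER-Security-Update
        Placeholder Security Update, 400000K [recommended] [restart]'
CLEAN='Software Update Tool

No new software available.'

HOST1_NAME=mac-01; HOST1_FV='FileVault is On.';  HOST1_SU=$PENDING
HOST2_NAME=mac-02; HOST2_FV='FileVault is On.';  HOST2_SU=$CLEAN
HOST3_NAME=mac-03; HOST3_FV='FileVault is Off.'; HOST3_SU=$PENDING
HOST_COUNT=3

# fleet_counts <label> -> "<encrypted> <patch_pending> <total>"
# The roll-up that answers "Are we affected?" with an exact number.
fleet_counts() {
  enc=0; pend=0; i=1
  while [ "$i" -le "$HOST_COUNT" ]; do
    eval "fv=\"\$HOST${i}_FV\"; su=\"\$HOST${i}_SU\""
    [ "$(filevault_enabled "$fv")" = yes ] && enc=$((enc + 1))
    [ "$(patch_available "$su" "$1")" = yes ] && pend=$((pend + 1))
    i=$((i + 1))
  done
  echo "$enc $pend $HOST_COUNT"
}

# hosts_needing_patch <label> -> one hostname per line
# The target set for the deploy action. Re-running it on a schedule (hourly
# in the post) catches machines that were offline; an empty result after
# deployment is the verification step.
hosts_needing_patch() {
  i=1
  while [ "$i" -le "$HOST_COUNT" ]; do
    eval "name=\"\$HOST${i}_NAME\"; su=\"\$HOST${i}_SU\""
    [ "$(patch_available "$su" "$1")" = yes ] && echo "$name"
    i=$((i + 1))
  done
}

# Usage: with the constructed fleet this prints "2 2 3" and then mac-01, mac-03.
echo "encrypted pending total: $(fleet_counts PLACEHOLDER-Security-Update)"
echo "deploy action targets:"
hosts_needing_patch PLACEHOLDER-Security-Update
```

Note that the counts are separate on purpose: mac-03 is both unencrypted and unpatched, and mac-01 is encrypted but still exposed until the patch lands, which is why the post treats the FileVault status question and the patch-available question as two different metrics.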

We then confidently reported to our leadership that we had 376 affected systems, we took action on all 376 systems, and full disk encryption was now effectively configured across the Macs in our enterprise. The beauty of Tanium is that we can check for critical vulnerabilities over any period of time and remediate them all before, you guessed it, we finish our first cup of coffee that morning.

This is part one in a four-part series. In part two, I describe how we use Tanium to track critical compliance metrics.