Kalles Group Articles

A Log4j retrospective

It was reported that 2021 was a record year for zero-day exploits, and to many it has felt like a non-stop string of resource- and risk-intensive vulnerabilities to remediate.

The Log4j exploit seemed to get more attention than others because of its pervasiveness in organizations, regardless of size or industry. While many articles, blogs, and forum discussions focus on the technical and remediation specifics of Log4j, there are not many resources to help you look back and evaluate how well the capabilities of your organization met your needs.

Performing a Log4j Retrospective

This article is intended to help your organization perform a retrospective to see how your response capabilities held up to the pressure and intensity required to address Log4j, and how to improve these capabilities for future zero-day incidents. (Note that while this is intended to be specific to the Log4j vulnerability, the same approach can be applied in the wake of any security incident.)

Questions to ask when performing a Log4j retrospective

We’ve identified three basic questions to address in your retrospective:

  • How well do you understand the dependencies of your technical assets?
  • Can the velocity of your vulnerability management activities be improved?
  • Likewise, can the speed of your remediation activities be increased to better prevent further incidents?

Retrospective 1 of 3: Achieving Awareness of Technical Dependencies

Keeping track of technical dependencies across your systems, software, and infrastructure is an ongoing challenge. You likely have a decent grasp of most of these dependencies at a high level, but you may struggle to track them in areas where there is more significant complexity.

If you have sorted out where Log4j was present in your environments, you have an opportunity to reflect and assess how well your current understanding of these dependencies served you.

Questions for your organization:

  • In what system areas were you required to initiate brand new work to get the information and analysis needed?
  • Where did you discover that documentation existed but was out of date?
  • Where did you find yourself relying on subject matter experts who had details stored in human memory, but not well documented?

If a significant amount of effort was needed to discover and capture the required information, you should consider making it a priority to improve your documentation and processes now, while you are not in the middle of an incident response.

Retrospective 2 of 3: Increasing Velocity of Vulnerability Management Activities

Your organization may have ongoing work established to discover known vulnerabilities within your infrastructure. This work may be strategically built into project methodologies and schedules. Some activities, such as penetration testing, may be taking place on a quarterly or annual basis.

Coordination of vulnerability management activities across the organization can improve breadth and scalability, enabling earlier discovery of vulnerabilities and giving your business its best chance to minimize impact.

Questions for your organization:

  • As you coordinated work to produce discovery and analysis related to Log4j, what activities needed to be significantly sped up? How did that go?
  • Which activities scaled well? Which did not?

The answers to these questions will likely illustrate the need for a more reliable mechanism to quickly ramp up these activities, especially in scenarios like zero-day exploits. The goal is to accomplish these activities without requiring teams to work around the clock.

Retrospective 3 of 3: Increasing Velocity of Remediation Activities

Your remediation work may be planned in sprints of two or more weeks and is nearly always competing with other priorities. It is common for remediations to be scheduled across multiple sprints or numerous iterations, increasing the time during which the vulnerability can be exploited.

Your vulnerability management policy may tell you by when a specific issue should be resolved – generally within a 30-, 60-, or 90-day timeline – and it’s important to address remediations in a scalable and sustainable manner.

Questions for your organization:

  • As you were responding to the urgency to address Log4j, how quickly were you able to remediate issues?
  • How efficiently were resources able to be redirected from other work to remediation?
  • How effectively did your change management, release management, and operational readiness processes serve your needs in this scenario?
  • Can you remediate a known vulnerability in 24-48 hours if the alternative is to disable a critical business system or valued business service?

To address deficiencies discovered via the above questions, you may want to consider exercising and testing vulnerability management and remediation capabilities in the same manner as Disaster Recovery and Business Continuity Planning scenarios. Testing specific risk scenarios often results in the most valuable learning.

Result of performing a Log4j Retrospective

Performing a retrospective on the three key areas described in this article will provide a rich feedback loop and opportunity for significant improvement if your organization takes the time to work through them. Considering what is required each time organizations are faced with a new zero-day exploit, now is the perfect time to start.