Tuesday, March 20, 2018

IT says, “It can’t be done!” Cisco Tetration says, “Hold My Beer...”

Just received my daily email update from Talos.
"Today, Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 74 new vulnerabilities, with 14 of them rated critical, and 59 of them rated important. These vulnerabilities impact Internet Explorer, Edge, Exchange, Scripting Engine, Windows Shell and more."
How can Tetration help me get visibility into what workloads are still vulnerable and unpatched? How can Tetration help me quickly make sure these workloads are unable to communicate until patched?  
Wow, that's a LOT! How in the world can I get visibility to which workloads are vulnerable and unpatched? How can I quickly make sure that workloads with critical issues are limited in their ability to communicate? How can I do all of this in a short time across thousands of servers or virtual machines? Cisco Tetration… that's how.
Application owners need some amount of autonomy to make application-level changes quickly, while security and network teams need to control the global aspects of application interconnectivity and shared services. Cisco Tetration flattens intent in a deterministic order, prioritizing intent of higher-authority users over the intent of application owners. Therefore, Tetration allows a global rollout of security rules to identify vulnerable workloads and quickly quarantine them. 
Tetration supports any mixture of blacklist/whitelist security models for different applications, letting application owners define very fine-grained policies to secure their applications while simultaneously allowing the security teams to enforce their guidelines and best practices on wide sets of applications. 
Here is an example of defining an inventory filter that dynamically catalogs all workloads that match on any of the MSFT critical CVEs listed in the Talos email.  Filters are saved inventory searches that can be used when defining policies, config intents, etc. You can view existing filters by clicking on them, which lists all endpoints that match on a time-series basis.  
Tetration identifies all installed packages across all instrumented workloads and compares them with a CVE database to identify vulnerabilities. Tetration also tracks process behavior for malicious patterns such as side channel communication, shell code execution, privilege escalation and others, and records and alerts on that behavior. Process hashes are computed and compared with fingerprints registered with VirusTotal. As a bonus, Tetration also tracks a workload's open and listening ports and identifies whether or not a flow has been observed on a particular socket. Tetration will also tell you which user-id owns the process that opened the socket and what command line arguments were used to launch the process.
Now it is possible to take that inventory filter created above and roll out a global rule that prevents anyone from communicating with the vulnerable endpoints except the patching server. 
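As an added illustration of the two steps above (this is example code written for this post, not Tetration's own code or API), the Python below builds a CVE-based inventory filter from installed package versions and then flattens allow/deny intents so that a security-team quarantine rule outranks application-owner rules. Every hostname, IP address, package name, version, CVE id and the patch server address is constructed for the example; the version-comparison rule (installed version below the first fixed version) is an assumption standing in for whatever a real vulnerability feed supplies.

```python
"""Added example (not Tetration's own code or API): build a CVE-based
inventory filter from installed packages, then flatten allow/deny intents
so that a security-team quarantine rule outranks application-owner rules.
All hosts, IPs, package names, versions and CVE ids below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ANY = None  # wildcard for "any host" / "any port" in an intent

# Constructed vulnerability feed: package -> [(cve_id, first fixed version)].
# A workload is vulnerable when its installed version is below the fixed one.
CVE_FEED: Dict[str, List[Tuple[str, str]]] = {
    "ms-edge":     [("CVE-EXAMPLE-0001", "17.0.1")],
    "ms-exchange": [("CVE-EXAMPLE-0002", "15.1.1466")],
}

# Constructed inventory, standing in for what an agent reports per workload.
INVENTORY: Dict[str, Dict] = {
    "web-01":  {"ip": "10.0.1.10", "packages": {"ms-edge": "17.0.1"}},
    "app-01":  {"ip": "10.0.2.20", "packages": {"ms-exchange": "15.1.1415"}},
    "app-02":  {"ip": "10.0.2.21", "packages": {"ms-exchange": "15.1.1466"}},
    "mail-01": {"ip": "10.0.3.30", "packages": {"ms-edge": "16.0.9",
                                                 "ms-exchange": "15.1.1415"}},
}
PATCH_SERVER = "10.0.9.99"  # constructed address of the patching server


def version_key(v: str) -> Tuple[int, ...]:
    """Turn '15.1.1415' into (15, 1, 1415) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def vulnerable_workloads(inventory: Dict[str, Dict],
                         feed: Dict[str, List[Tuple[str, str]]],
                         cve_ids: Optional[Set[str]] = None) -> Dict[str, Set[str]]:
    """Inventory filter: hostname -> CVE ids for every workload running a
    package below its fixed version. cve_ids narrows the match to a chosen
    list (e.g. this month's critical set); None matches every CVE in the feed."""
    hits: Dict[str, Set[str]] = {}
    for host, data in inventory.items():
        for pkg, installed in data["packages"].items():
            for cve, fixed in feed.get(pkg, []):
                if cve_ids is not None and cve not in cve_ids:
                    continue
                if version_key(installed) < version_key(fixed):
                    hits.setdefault(host, set()).add(cve)
    return hits


@dataclass
class Intent:
    """One allow/deny rule. Lower rank = higher authority (security team = 0)."""
    rank: int
    action: str                 # "ALLOW" or "DENY"
    src: Optional[Set[str]]     # set of source IPs, or ANY
    dst: Optional[Set[str]]     # set of destination IPs, or ANY
    port: Optional[int]         # destination port, or ANY
    owner: str

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return ((self.src is ANY or src_ip in self.src)
                and (self.dst is ANY or dst_ip in self.dst)
                and (self.port is ANY or port == self.port))


def quarantine_intents(vulnerable: Dict[str, Set[str]], inventory: Dict[str, Dict],
                       patch_server: str) -> List[Intent]:
    """Security-team rules: only the patch server may reach vulnerable workloads."""
    quarantined = {inventory[h]["ip"] for h in vulnerable}
    if not quarantined:
        return []
    return [Intent(0, "ALLOW", {patch_server}, quarantined, ANY, "security"),
            Intent(0, "DENY", ANY, quarantined, ANY, "security")]


def flatten(intents: List[Intent]) -> List[Intent]:
    """Order intents by authority. sorted() is stable, so within one rank the
    author's order is kept: a specific ALLOW must precede that team's broad DENY."""
    return sorted(intents, key=lambda i: i.rank)


def evaluate(flat: List[Intent], src_ip: str, dst_ip: str, port: int) -> Tuple[str, str]:
    """First matching intent wins; with no match the whitelist default is DENY."""
    for intent in flat:
        if intent.matches(src_ip, dst_ip, port):
            return intent.action, intent.owner
    return "DENY", "default"


# Constructed application-owner intents (rank 10, lower authority).
APP_INTENTS = [
    Intent(10, "ALLOW", {"10.0.1.10"}, {"10.0.2.20", "10.0.2.21"}, 443, "app-owner"),
    Intent(10, "ALLOW", {"10.0.3.30"}, {"10.0.2.20"}, 25, "app-owner"),
]


def build_policy(inventory=INVENTORY, feed=CVE_FEED, patch_server=PATCH_SERVER,
                 app_intents=APP_INTENTS) -> Tuple[Dict[str, Set[str]], List[Intent]]:
    """Run the filter, generate the quarantine rules, and flatten all intent."""
    vulnerable = vulnerable_workloads(inventory, feed)
    return vulnerable, flatten(quarantine_intents(vulnerable, inventory, patch_server) + app_intents)


if __name__ == "__main__":
    vuln, policy = build_policy()
    print("quarantined:", {h: sorted(c) for h, c in vuln.items()})
    for flow in [("10.0.1.10", "10.0.2.20", 443), ("10.0.1.10", "10.0.2.21", 443),
                 (PATCH_SERVER, "10.0.2.20", 445)]:
        print(flow, "->", evaluate(policy, *flow))
```

In this toy, the owner's ALLOW for web-01 to app-01 on 443 is still written and still valid, but it never fires while app-01 is in the filter: the rank-0 security DENY sits above it after flattening, and only the patch server's flows pass. Once the package is updated the workload drops out of the dynamic filter and the owner's rule takes effect again, which is the behaviour the post describes.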
Jason Gmitter and Loy Evan