Shellshock: Prevent, Detect and Respond

Endpoint Security for Your Organization

An old maxim tells us an ounce of prevention is worth a pound of cure. And that’s great advice — unless you unfortunately missed the prevention step and need a cure quickly.

A quick Web search shows the severity of the recent Bash bug. There has been a lot of focus on prevention, which is great advice and something definitely worth listening to, but there hasn’t been a lot of information about the cure — until now.

To implement the cure for Shellshock, organizations need a way to assess their endpoint environment and then deploy and manage the patches for the myriad operating systems in their environment. An effective solution provides policy-based installation of security updates, closed-loop verification and the ability to manage patches across multiple platforms from a single point of control. It must also shrink patch deployment time to reduce the risks associated with Shellshock. As organizations look for best practices on how to update all of their affected systems, they look for a solution that can do the following:

  • Automatically manage patches for multiple operating systems across hundreds or thousands of endpoints, regardless of location, connection type or status
  • Reduce security and compliance risk by slashing remediation cycles from weeks to hours
  • Provide visibility into patch compliance with real-time monitoring and reporting
  • Patch online and offline virtual machines to improve security in virtual environments
  • Provide consistent functionality, even over low-bandwidth or globally distributed networks

To help organizations address this vulnerability, IBM provides security solutions that can help prevent, detect and respond to the Shellshock threat.

Preventing Shellshock

IBM has been able to identify and protect against attacks caused by this threat through its IBM Security Network Intrusion Prevention product offering. With its unique focus on identifying and shielding this vulnerability from an attempted exploit, IBM has been helping clients protect against these kinds of exploits since 2007.

Read more about how you could have prevented attackers from exploiting Shellshock and other similar vulnerabilities.

Detection

If an endpoint has already been exploited by Shellshock before patches have been made available, the way to find the threat is by understanding the behavior of all the individual attack components and by using analytics to understand their relationship.

The key tasks in detection include the following:

  • Discover: Understand where the Shellshock vulnerability is in your endpoint environment
  • Assess risk: Understand how exposed the instances of this vulnerability are to potential attack
  • Detect attacks: Monitor and detect potential exploits of the Shellshock vulnerability
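Two defender-side checks for the "Discover" and "Detect attacks" tasks above, as an added example that is not part of the original article or of any IBM product: the first asks the local bash whether it still imports function definitions from arbitrary environment variables (the Shellshock defect), the second counts web requests whose headers carry the `() {` function prefix. It assumes a POSIX shell with `bash` and `grep` on PATH; the access-log lines are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the article. Assumes POSIX sh, bash and grep.

# Discover: a vulnerable bash parses the environment variable as a function
# definition AND runs the trailing command, so the marker appears on stdout.
# A patched bash ignores the definition attempt (warning on stderr) and only
# runs the harmless 'echo probe'. Prints vulnerable/patched/no-bash.
bash_shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    out=$(x='() { :;}; echo SHELLSHOCK_MARKER' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable"; return 1 ;;
        *)                   echo "patched";    return 0 ;;
    esac
}

# Detect attacks: count access-log lines (read from stdin) whose request
# headers contain the "() {" prefix that exploitation attempts place in
# CGI-exported headers such as User-Agent. Zero or more spaces are allowed
# between ")" and "{" because both spellings were seen in the wild.
count_shellshock_probes() {
    grep -c '() *{' || true
}

# Constructed sample log (combined format); two of the three lines carry
# a benign Shellshock-style header, the middle one is an ordinary request.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.7 - - [25/Sep/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "-" "() {:;}; echo probe"'

# Usage: report the local bash status and scan the constructed sample log.
printf 'local bash: %s\n' "$(bash_shellshock_status || true)"
printf 'shellshock-style requests in sample log: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | count_shellshock_probes)"
```

Run the first check on each endpoint (or via your endpoint manager) to build the "Discover" inventory; feed real web-server logs to the second to flag hosts that were probed before patching.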

A “closed loop” system can quickly detect threats and alert security administrators to take the necessary corrective actions. With IBM BigFix, you can quickly determine which endpoints — including servers, workstations and other devices — are vulnerable to the Bash bug. IBM Security QRadar can leverage data from network and endpoint security solutions to immediately see whether someone is trying to exploit an operating system vulnerability. IBM QRadar can then alert the security team to use endpoint management solutions, such as BigFix, to remediate the condition.

Responding

Today, it is not a matter of if an organization will be breached, but rather a question of when a breach will take place. This means organizations need to have the ability to respond rapidly once an initial incident or vulnerability has been detected. The key response functions include the following:

  • Identifying the type and version of OS on the previously detected vulnerable endpoints
  • Remediating the endpoints with the appropriate patch for the version of OS they are running

Having detected which endpoints are vulnerable and the various OS types and versions that these endpoints are running with Endpoint Manager, you now have to focus your efforts on patching these endpoints quickly and efficiently.

BigFix can rapidly apply patches across multiple operating systems within minutes, including UNIX, Linux and OS X, all of which have reportedly been affected by Shellshock. BigFix customers have realized up to a 98 percent first-pass patch success rate and can rapidly apply Shellshock patches for all OS types, including CentOS-5 and CentOS-6, RHEL 5 and RHEL 6, zLinux, SLE 11 and SLE 11 System z, Solaris, Mac OS X and Ubuntu. With the manager’s ability to provide real-time visibility into the status of managed endpoints, you can confirm all your endpoints have been patched and are more secure.

BigFix supports over 130 platforms out of the box and helps ensure your endpoints are in continuous compliance with your security and regulatory policies — all through a single console, regardless of endpoint type, OS version or location. By automating the remediation, BigFix helps customers close the loop by supporting the response phase of the IBM Threat Protection System.

An ounce of protection is certainly worth a pound of cure. With IBM Security solutions, you get both.

Rohan Ramesh

Product Marketing Manager

Rohan is the Senior Product Marketing Manager for IBM Watson for Cyber Security and QRadar Advisor with Watson. He is responsible for the worldwide marketing strategy and execution of Watson for Cyber Security. Rohan is experienced in marketing strategy, digital marketing, SEO, social media marketing, content strategy and enterprise-level application development. He holds a Master’s degree in Business Administration and a Bachelor’s degree in Engineering with over 8 years of experience in the IT industry.