It’s 3 AM, July 2021 and the phone rings – the phone that only rings when there is a problem.
“We have detected an anomaly in the firewall logs, and we think we have an intruder. We have teams checking the asset inventory for instances of Windows still running the print spooler service, but they’re all over the place and it’s taking us much longer to resolve than we thought it would. I think you should come in.”
Microsoft released information on CVE-2021-34527, affectionately known as PrintNightmare, on July 1, 2021. It took Microsoft a week from disclosure to issue a patch for Windows Server 2012, 2016, and Windows 10, but during that week the only clear guidance issued to network administrators was to completely disable the print spooler service. This was, clearly, an untenable solution; it broke many companies’ networked printing capabilities.
Unfortunately, stories like these are a dime a dozen in today’s cyber landscape, so what’s the solution?
One of the frustrations we regularly hear from our customers is that their scanning tools produce a TON of data and sifting through the mountain of information to find actionable intelligence requires dedicated teams. It’s also common for each tool to have its own dedicated team. In the example above, it’s likely that the recipient of the call was a director for one specific scanning tool team. It’s also likely that the conditions that led to the exploitation of PrintNightmare existed long before the call in the middle of the night. So how do you A) prevent the call and B) get ahead of the curve?
Preventing the Call
To make things easier for your team in the heat of the moment, you should enlist the help of an automated data aggregation tool that can ingest scan results from multiple sources (e.g., Qualys, Nessus, and AWS Inspector to name a few) and produce actionable data inclusive of all your assets, vulnerabilities, and compliance information.
Xacta is one such data aggregation tool. Any given asset in its database will have on hand information collected from every available source (via native ingestion or API) and, by using the intuitive dashboard in Xacta, a control tester, director, or even a CISO can get an assessment of data security for their entire organization.
There are scanning tools that report on running services for assets and, if that tool had been supplying information to Xacta, the people responsible for making sure the Print Spooler service was disabled in our earlier scenario could have easily searched for the service and found all running instances. In this case, there would be no need to send a request to the product team for their scan results, a dozen emails back and forth, or several Zoom meetings to collect the information. Everything is handled automatically, on schedule, by Xacta.
Getting Ahead of the Curve
Regularly scheduled imports of scan data from all available sources will yield tremendous amounts of actionable information about control compliance and security hygiene. If the goal for an organization is to be completely compliant with NIST 800-53 (as an example), Xacta will report on all assets from a control perspective and show which are compliant and non-compliant.
Non-compliance can be an asset failing a test from a scanning tool that has a direct connection to a regulation control. In the PrintNightmare example, CVE-2021-34527 falls under the umbrella of CWE-269, “Improper Privilege Management,” which directly impacts compliance with AC-4. In this case, a control tester using Xacta would have seen fails for AC-4 and been prompted to take action.
Protecting exploitable vulnerabilities is a full-time job for information security teams and using the data aggregation capabilities of Xacta can be a giant leap forward for your organization’s security and compliance management. Learn more about how Xacta can help here, and let’s put a stop to 3 AM phone calls.