Here we go again.
Another vulnerability that stands out from the crowd, making front page news – and this time, it has its own website and even its own logo! OK, great, but vulnerabilities are nothing new, and once in a while there’s a doozy. Is this one a doozy? Sure, although the hype machine can overstate that. (Check the NVD CVSS scores – pretty interesting how undramatic they are!)
Security teams everywhere are scrambling – we always scramble, because vulnerabilities matter. But some scrambles are more significant than others, because some vulnerabilities get “C-level attention”. Once a vuln is being mentioned at executive levels, the intensity goes way up.
How can we survive, and better yet, plan for the attention tsunami that goes with events like this? By making sure we will be able to answer the questions that always come up. Answer them fast, and answer them accurately, and you’re way ahead of your camping buddy as you try to outrun the bear.
Questions include “do we have it?”. In this case (similar to the TCP stack vuln a few years ago) the answer is almost certainly yes at the organization level, because the library is so widely used. It’s not likely that ALL your infrastructure is up to date on the necessary patches. Then there’s “OK, how pervasive is it?”, followed by “can bad guys hit it?” and “how far will they be able to get?”
All these questions are hard to answer when you’re already in crisis. What you need is automation – not just vulnerability scanning (which can find those unpatched machines), but also a pre-built map, and a way to automate and speed up the query for “Where are these machines suffering from Heartbleed, and what are they exposed to?”. Wise organizations plan for this – we know it’s going to happen again.
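To make the “pre-built map plus automated query” idea concrete, here is an added example (not code from the original post or from any product it describes). It joins constructed vulnerability-scanner output (host and OpenSSL version) with a constructed exposure map (which zone each host faces, and which connections the network allows) to answer the four questions in order: do we have it, how pervasive is it, which of the vulnerable hosts are reachable from the internet, and what those hosts can reach in turn. The affected-version rule encodes the published Heartbleed scope (OpenSSL 1.0.1 through 1.0.1f, plus the 1.0.2 betas; 1.0.1g and later, and the 1.0.0 and 0.9.8 branches, are not affected). Host names, versions and the connectivity graph are all made up for the illustration.

```python
"""Heartbleed triage: join scanner findings with a pre-built exposure map.

Added example with constructed data; not the original post's code.
"""
import re

# OpenSSL version strings as a scanner might report them, e.g. "1.0.1e", "1.0.2-beta1".
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d+)?$")


def openssl_affected(version: str) -> bool:
    """True if this OpenSSL version falls in the published Heartbleed range.

    Affected: 1.0.1 through 1.0.1f, and the 1.0.2 beta releases.
    Not affected: 1.0.1g and later, the 1.0.0 branch, the 0.9.8 branch.
    """
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unparseable OpenSSL version: {version!r}")
    major, minor, patch, letter, beta = m.groups()
    base = (int(major), int(minor), int(patch))
    if base == (1, 0, 1):
        return letter <= "f"          # "" (plain 1.0.1) and a-f are affected; g+ are fixed
    if base == (1, 0, 2) and beta:
        return True
    return False


# --- constructed inputs -----------------------------------------------------
# Scanner output: (host, OpenSSL version found).
SCAN = [
    ("web-01", "1.0.1e"),
    ("web-02", "1.0.1g"),
    ("vpn-01", "1.0.1f"),
    ("db-01", "1.0.0p"),
    ("app-01", "1.0.2-beta1"),
    ("legacy-01", "0.9.8y"),
]

# Pre-built exposure map: which zone each host is reachable from.
EXPOSURE = {
    "web-01": "internet",
    "web-02": "internet",
    "vpn-01": "internet",
    "app-01": "internal",
    "db-01": "internal",
    "legacy-01": "internal",
}

# Pre-built connectivity map: connections the network actually allows (host -> hosts it can reach).
EDGES = {
    "web-01": ["app-01"],
    "web-02": ["app-01"],
    "vpn-01": ["app-01", "legacy-01"],
    "app-01": ["db-01"],
    "db-01": [],
    "legacy-01": [],
}


def triage(scan, exposure, edges) -> dict:
    """Answer the executive questions from scan results and the exposure map."""
    vulnerable = sorted(host for host, ver in scan if openssl_affected(ver))
    # "Can bad guys hit it?": vulnerable hosts that face the internet.
    exposed = [h for h in vulnerable if exposure.get(h) == "internet"]
    # "How far will they get?": breadth-first walk over allowed connections
    # starting from the exposed vulnerable hosts; this is the blast radius to contain.
    reachable, frontier = set(), list(exposed)
    while frontier:
        h = frontier.pop()
        for nxt in edges.get(h, []):
            if nxt not in reachable and nxt not in exposed:
                reachable.add(nxt)
                frontier.append(nxt)
    return {
        "have_it": bool(vulnerable),
        "pervasiveness": f"{len(vulnerable)}/{len(scan)} scanned hosts",
        "vulnerable": vulnerable,
        "exposed": exposed,
        "reachable_from_exposed": sorted(reachable),
    }


if __name__ == "__main__":
    for key, value in triage(SCAN, EXPOSURE, EDGES).items():
        print(f"{key:>22}: {value}")
```

The point of the structure is that the scanner answers only the first two questions; the exposure and connectivity maps are what turn a list of unpatched hosts into “three of them face the internet, and from those an attacker can reach the database tier”, which is the sentence the executive actually wants. Building those maps before the next event is the planning the post argues for.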