On Monday (22nd of March 2021), the OpenSSL Software Foundation pre-announced their next release for this Thursday (25th of March 2021), stating that “The highest severity issue fixed in this release is HIGH”. For OpenSSL, HIGH is the second-highest of their severity levels. With OpenSSL being present on the majority of HTTPS websites and endpoints on the internet, an upgrade at a high priority is significant.
For example, with the recent Microsoft Exchange zero-day exploits, active mass-scanning began only hours after the emergency patch was released, giving a very small window of reaction for operations professionals.
It is clear that this cat-and-mouse game is becoming harder to keep up with, so we need to adopt a new approach. So what can we do? Enter automation...
Working with one of our larger customers this week, we prototyped how we could do two things:
We deployed an Avantra custom check to verify, on a daily basis, the current OpenSSL version on Unix servers and compare it to the latest public version within the OpenSSL GitHub repository. A mismatch would trigger an alert highlighting that immediate action is required.
Once you know that software is out of date, you’re likely already behind the curve in response time so, where possible, you should add automation as a reaction. This doesn’t need to be a full upgrade of the software, but it should, at least, trigger the change and approval workflow, allowing the work to be completed during the next available maintenance window.
We proved this scenario by linking our detection of an out-of-date version to an Avantra automation that downloads and applies the latest version of OpenSSL.
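The daily version check described above could look like the following sketch. It is an added example, not the Avantra custom check or the customer's code; the function names and the sample tag list are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: flag an outdated OpenSSL by comparing `openssl version`
# output with the newest release tag. All function names are hypothetical.
LC_ALL=C; export LC_ALL

# "OpenSSL 1.1.1j  16 Feb 2021" / "OpenSSL_1_1_1k" / "openssl-3.0.0" -> bare version
normalize() {
  printf '%s\n' "$1" |
    sed -e 's/^[Oo]pen[Ss][Ss][Ll][ _-]//' -e 's/[ -].*$//' -e 's/_/./g'
}

# Sortable key: zero-padded numbers plus the letter suffix (1.1.1j < 1.1.1k).
# Prints nothing when the input is not a release version.
version_key() {
  printf '%s\n' "$1" | awk -F. '
    NF == 3 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+[a-z]*$/ {
      patch = $3; sub(/[a-z]+$/, "", patch)
      printf "%05d%05d%05d%s\n", $1, $2, patch, substr($3, length(patch) + 1)
    }'
}

# Reads tag names on stdin, prints the highest final release version.
latest_release() {
  grep -v -E 'pre|alpha|beta|fips' | while IFS= read -r tag; do
    v=$(normalize "$tag"); k=$(version_key "$v")
    if [ -n "$k" ]; then printf '%s %s\n' "$k" "$v"; fi
  done | sort | tail -n 1 | cut -d' ' -f2
}

# $1 = output of `openssl version`, $2 = newest release version
check_openssl() {
  installed=$(normalize "$1")
  have=$(version_key "$installed"); want=$(version_key "$2")
  if [ -z "$have" ] || [ -z "$want" ]; then
    echo "UNKNOWN: cannot compare '$1' with '$2'"
  elif [ "$have" != "$want" ] &&
       [ "$(printf '%s\n%s\n' "$have" "$want" | sort | head -n 1)" = "$have" ]; then
    echo "CRITICAL: OpenSSL $installed installed, $2 available"
  else
    echo "OK: OpenSSL $installed is not older than $2"
  fi
}

# Constructed sample tag list; a live check would feed latest_release from
# `git ls-remote --tags` against the OpenSSL GitHub repository instead.
SAMPLE_TAGS=$(printf '%s\n' OpenSSL_1_1_1i OpenSSL_1_1_1j OpenSSL_1_1_1k \
  openssl-3.0.0-alpha13 OpenSSL-fips-2_0_16)
check_openssl "OpenSSL 1.1.1j  16 Feb 2021" "$(printf '%s\n' "$SAMPLE_TAGS" | latest_release)"
```

Distribution packages often backport security fixes without changing the upstream version string, so on such hosts compare against the vendor's package version rather than the upstream tag.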
This is just one example of how you can speed up your reaction times for scenarios where time is of the essence (e.g. security). Anything you can do in the process of detection, analysis and reaction will help secure your business and also reduce manual effort.