Security Advisory Assessments Before Your Coffee Gets Cold
How a NetDevOps approach led to a 97% reduction in effort to assess impact of a critical security advisory
With the regular and continued release of security advisories affecting network equipment, the need to assess your environment quickly to determine affected devices is a critical skill for operational staff. While implementing patches frequently can help limit the threat of security vulnerabilities, you can’t always depend on recent patches when a zero-day vulnerability is announced. As a result, you’re in a race against the clock to identify and remediate vulnerable devices before a malicious actor takes advantage.
Advantages of a NetDevOps Approach
At Optanix we have switched to a NetDevOps approach to enhance several areas of our Optanix Remote Management Service (RMS). One benefit of this approach is that it provides us with the ability to quickly turn around a network vendor’s security advisory announcement into a repeatable and programmatic analysis of customer network devices for vulnerability assessment. In the most common cases, a security advisory requires that we validate a device:
- Is running an affected version of software
- Has a particular configuration installed
- Has an operational status matching one or more specific conditions
The traditional approach of manually validating this information on each network device in an environment doesn’t scale well, can be prone to human error and can lead to repetition fatigue. While there are some efficiencies that can be gained via inventory management tools showing software versions, such tools are often outdated and unreliable, and may only provide partial information.
Validating directly against the network devices is the most accurate way to go. Using a NetDevOps approach not only drastically increases the speed of the assessment, but also increases consistency and accuracy. These optimizations made possible through a NetDevOps approach manifest themselves as reduced total cost of ownership (TCO) and increased return on investment (ROI) on those network devices for businesses and network operations staff tasked with plugging holes in network security.
IKEv2 Denial of Service Vulnerability Example
Cisco’s June 2020 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication saw the release of 23 security advisories covering a range of severity levels. For one global enterprise customer serviced by the Optanix RMS team, there were over 1,100 devices running IOS and IOS XE software versions under review that could potentially be affected by this security advisory. In the case of the IKEv2 Denial of Service vulnerability, the Optanix RMS team was required to perform the following tasks for each of those 1,100+ devices:
- Confirm each device against a list of affected software versions (there are 793 vulnerable versions in this advisory)
- Validate that the device is configured with IKE
- Verify that the IKE configuration is using IKEv2
To manually perform this validation at approximately three minutes per device on 1,100 devices would have required 55 hours of effort on assessment alone – and that’s not even considering the time required to remediate devices that are identified as vulnerable. Depending on the vulnerability, 55 hours could be the deciding factor on the vulnerability being actively exploited.
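As an added illustration (not the Optanix framework, which the post does not show), here is a small Python assessment that applies the three checks above to device output; the affected-version list, the sample "show version" and running-config excerpts, and the IOS CLI keywords assumed for IKEv1 ("crypto isakmp") and IKEv2 ("crypto ikev2") are my own constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed placeholder for the advisory's list of 793 affected versions (not on the page).
AFFECTED_VERSIONS = {"15.2(4)M6", "16.9.3", "16.12.1"}

@dataclass
class Assessment:
    hostname: str
    version: str
    version_affected: bool
    ike_configured: bool
    ikev2_configured: bool
    @property
    def vulnerable(self) -> bool:
        # All three advisory conditions must hold for the device to be in scope.
        return self.version_affected and self.ike_configured and self.ikev2_configured

def normalize_version(version: str) -> str:
    """Map IOS XE's zero-padded 16.09.03 to the advisory's 16.9.3; leave 15.2(4)M6 untouched."""
    if re.fullmatch(r"[0-9]+(\.[0-9]+)*", version):
        return ".".join(str(int(part)) for part in version.split("."))
    return version

def parse_version(show_version: str) -> str:
    """Take the first 'Version X' token from 'show version' output."""
    match = re.search(r"\bVersion\s+([0-9][\w.()]*)", show_version)
    return normalize_version(match.group(1)) if match else ""

def config_has(running_config: str, *prefixes: str) -> bool:
    return any(line.strip().startswith(prefixes) for line in running_config.splitlines())

def assess(hostname, show_version, running_config, affected=AFFECTED_VERSIONS):
    # Assumed IOS CLI keywords: IKEv1 under 'crypto isakmp', IKEv2 under 'crypto ikev2'.
    version = parse_version(show_version)
    return Assessment(hostname, version, version in affected,
                      config_has(running_config, "crypto isakmp", "crypto ikev2"),
                      config_has(running_config, "crypto ikev2"))

# Constructed sample inventory: hostname, 'show version' excerpt, running-config excerpt.
SAMPLE_DEVICES = [
    ("edge-1", "Cisco IOS XE Software, Version 16.09.03\n",
     "crypto ikev2 proposal PROP1\n encryption aes-cbc-256\ncrypto ikev2 profile PROF1\n"),
    ("edge-2", "Cisco IOS Software, Version 15.2(4)M6, RELEASE SOFTWARE (fc1)\n",
     "crypto isakmp policy 10\n encr aes\ncrypto isakmp keepalive 10\n"),
    ("core-1", "Cisco IOS XE Software, Version 17.03.02\n", "crypto ikev2 policy POL1\n"),
]

def assess_inventory(devices=SAMPLE_DEVICES):
    return [assess(*device) for device in devices]
```

Only edge-1 satisfies all three conditions; edge-2 runs an affected version but only IKEv1, and core-1 runs IKEv2 on an unaffected version, so neither is reported as vulnerable.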
Validate Your Enterprise In Minutes
Thankfully, Optanix had already built a simple framework for these types of assessments, so only 15 minutes of effort were required to add this new vulnerability to it. This approach enables us to assess this and other vulnerabilities for our customers in a repeatable and consistent manner, in a fraction of the time that would be required to do so manually.
Running the automation against all 1,100 devices in question to identify impact against not only this IKEv2 vulnerability but also the other 22 advisories that were released required only 60 additional minutes. This included gathering information from each device and assessing it against the logic created from the conditions in each security advisory. With just 75 minutes of effort, the Optanix RMS team was able to produce an accurate assessment report to present to our client – representing a 97% reduction in level of effort from the traditional manual approach. Exploiting these efficiencies enables us to focus less on assessment and more on the critical steps of remediating vulnerabilities and reducing risk for our customers.
The approach to NetDevOps doesn’t end at the assessment phase. In a future article we will discuss how this new approach enables us to remediate these security advisories and provide positive verification of remediation and overall device health.
This blog post was co-authored by Brian Yaklin and Jeff Hamlin, two engineers from the Optanix RMS team.