SecurityHive informs Log4j-vulnerable customers using Threat Intelligence

Dutch cyber security vendor SecurityHive managed to inform its Log4j-vulnerable customers around the world on the day the exploit became public, without running any extra scans. This was possible because SecurityHive had already built several features with exactly this situation in mind.

About Log4j

Apache Log4j is a Java-based logging utility originally written by Ceki Gülcü. It is part of Apache Logging Services, a project of the Apache Software Foundation, and is one of several Java logging frameworks. Log4j is embedded in the core of many software products used by enterprises and small businesses alike; almost every company runs at least one product that uses Log4j.

The vulnerability

New high and critical vulnerabilities appear every day. To check an IT environment for them, SecurityHive developed a Vulnerability Management solution. Organizations that have integrated Vulnerability Management into their daily processes are checked for new vulnerabilities automatically.

The Java Log4j vulnerability (CVE-2021-44228, known as Log4Shell), which affects UniFi, Apple, Minecraft and many others, is different. The list of vulnerable applications keeps growing and is being updated daily by the Dutch National Cyber Security Centre (NCSC-NL). This means that an application not known to be vulnerable today may be listed as vulnerable tomorrow. SecurityHive found a way to check all of its customers around the world and determine who is vulnerable and who is not on the same day the vulnerability became known, without extra scans.

Follow the latest updates regarding vulnerable applications here: https://github.com/NCSC-NL/log4shell/tree/main/software.

Vendor Statement

The software that SecurityHive's customers use is not vulnerable to Log4j, since we do not use Log4j in our solutions. Although SecurityHive's own infrastructure includes third-party solutions that use Log4j, SecurityHive was not found to be vulnerable. We are actively monitoring any changes on this subject and have taken preventive measures.

How did SecurityHive manage this?

SecurityHive did not wait for vulnerability databases to be updated, but used a built-in feature instead. Here is how it works:

  1. Asset Management, a feature of SecurityHive’s Vulnerability Management solution, keeps an inventory of every application found in a customer's environment. That inventory remains available when a new vulnerability appears, so no extra scan is needed.
  2. SecurityHive continuously monitors the list of vulnerable applications.
  3. Customers running vulnerable applications are separated from the rest for messaging purposes.
  4. All customers received a message with the latest information about the Log4j vulnerability.
  5. Vulnerable customers received an additional message with advice on how to respond.
  6. As new applications are added to the list of known-vulnerable software, the customers running them are notified in turn.
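The procedure above, as an added example that is not SecurityHive's own code: a stored asset inventory is correlated against successive snapshots of a vulnerable-software list, so that affected customers can be found and notified without re-scanning, and customers who only become affected when the list is updated are picked up by diffing the two results. The inventory, the two list snapshots, the status vocabulary ("Vulnerable", "Not Vulnerable", "Investigation") and the message texts are all constructed for illustration; the real NCSC-NL list is a set of markdown tables with more columns and free-text version ranges.

```python
"""Inventory-driven Log4Shell exposure matching (added example).

Correlates a stored asset inventory with two successive snapshots of a
vulnerable-software list. All data below is constructed for illustration
and the shapes are assumptions, not the format of any real product or list.
"""
from typing import Dict, List, Set, Tuple

ProductKey = Tuple[str, str]  # (supplier, product), normalized

# Constructed asset inventory, as an asset-management feature would have
# stored it before the vulnerability became public.
# Assumed shape: customer -> list of (supplier, product, version).
INVENTORY: Dict[str, List[Tuple[str, str, str]]] = {
    "customer-a": [("Ubiquiti", "UniFi", "6.5.53"), ("Nginx", "nginx", "1.21")],
    "customer-b": [("Apache", "Solr", "8.11.0"), ("Microsoft", "IIS", "10.0")],
    "customer-c": [("Nginx", "nginx", "1.20"), ("Example Corp", "Widget", "2.3")],
}

# Constructed snapshots of a vulnerable-software list on two successive days.
# Assumed status values: "Vulnerable", "Not Vulnerable", "Investigation".
LIST_DAY1 = [
    ("Ubiquiti", "UniFi", "Vulnerable"),
    ("Apache", "Solr", "Investigation"),
    ("Nginx", "nginx", "Not Vulnerable"),
]
LIST_DAY2 = LIST_DAY1[:1] + [
    ("Apache", "Solr", "Vulnerable"),          # investigation concluded
    ("Nginx", "nginx", "Not Vulnerable"),
    ("Example Corp", "Widget", "Vulnerable"),  # newly added entry
]


def norm(s: str) -> str:
    """Case- and whitespace-insensitive key so 'UniFi' and 'unifi' match."""
    return " ".join(s.lower().split())


def vulnerable_products(entries) -> Set[ProductKey]:
    """Products whose status is exactly 'Vulnerable'.

    Compare the whole normalized status, never a substring:
    "not vulnerable" contains "vulnerable" and would otherwise match.
    """
    return {(norm(v), norm(p)) for v, p, status in entries
            if norm(status) == "vulnerable"}


def affected_customers(inventory, vuln: Set[ProductKey]) -> Dict[str, List[str]]:
    """Customers with at least one inventoried asset on the vulnerable list."""
    hits: Dict[str, List[str]] = {}
    for customer, assets in inventory.items():
        matched = [f"{v} {p} {ver}" for v, p, ver in assets
                   if (norm(v), norm(p)) in vuln]
        if matched:
            hits[customer] = matched
    return hits


def newly_affected(before: Dict[str, List[str]],
                   after: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Customers that became affected only after the list was updated."""
    return {c: a for c, a in after.items() if c not in before}


def build_messages(inventory, affected) -> Dict[str, List[str]]:
    """Everyone gets the advisory; affected customers get an extra action message."""
    msgs: Dict[str, List[str]] = {}
    for customer in inventory:
        msgs[customer] = ["Advisory: Log4j (CVE-2021-44228) update, see the NCSC-NL list"]
        if customer in affected:
            msgs[customer].append("Action required, vulnerable products found: "
                                  + ", ".join(affected[customer]))
    return msgs


if __name__ == "__main__":
    day1 = affected_customers(INVENTORY, vulnerable_products(LIST_DAY1))
    day2 = affected_customers(INVENTORY, vulnerable_products(LIST_DAY2))
    for customer, lines in build_messages(INVENTORY, day1).items():
        print(customer, lines)
    print("newly affected after list update:", sorted(newly_affected(day1, day2)))
```

Matching on supplier and product only, and ignoring the free-text version ranges, deliberately errs toward over-notification: for an advisory that is the safer direction, and the customer-facing message lists the exact version so the recipient can check it against the list entry.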

Future of Threat Intelligence

SecurityHive expects this way of working to become the standard. It is important that customers can respond quickly to new high risks.

This requires timely knowledge of emerging threats. SecurityHive’s globally distributed honeypot network contains sensors that alert SecurityHive’s SOC to new threats, and those findings are used to improve the scan coverage of its Network Vulnerability Scanner.

Want to know more about SecurityHive or get in touch with one of our experts? Visit: www.securityhive.nl.