
SecOps Response Service

2 Posts authored by: Sean Berry (Moderator)

Patches have been available for a while now for Meltdown and Spectre, the "Winter 2017/2018" vulnerabilities so visible that your relatives have likely heard of them, and teenagers are updating their various screens despite performance even slower than a low battery in a two-year-old iPhone. (I should know: I have a 1+ year old iPhone that I talk on for several hours a day.)


Everyone is rapidly tracking and remediating these vulnerabilities, and I want to show you how quickly it can be done with BMC SecOps Response together with BSA (BladeLogic Server Automation) or SCCM (Microsoft System Center Configuration Manager).


First, like everyone working in security, I have regular vulnerability scans running. I pull the latest scan results from my vulnerability scanner and upload them to SecOps Response.


This can run hands-off (auto-importing from Nessus and other scanners, or loading from a folder or another source), but I want to spot-check this particular scan.



These vulnerabilities are auto-mapped to patches on load, and I review the mappings to make sure they are the ones I want to use. My hosts are already mapped, but if the scan had picked up something new, auto-map would quickly line it up with the endpoint managers: here BSA, SCCM, or BNA (BladeLogic Network Automation; network devices are less of a target for this particular vulnerability).


Now I go to the Security Dashboard to see both the overall security posture and the state of these specific vulnerabilities. Here's the overall view, showing that I have some Severity 4 and 5 vulnerabilities that are past their SLA; I'd better come back to those once I'm done with this particular issue.

I filter by CVE, enter part of the number to find it quickly, and select the matching entries. I click "Apply Filters" and the view is filtered in seconds.



The dashboard now narrows down to the state of these specific vulnerabilities. They were detected on a given scan date, and now we need to go and remediate them.





Great, let's flip over to the Operator Dashboard. Here we see the discovered vulnerabilities, filtered as they were in the Security Dashboard and automatically mapped to remediations in our Patch Catalogs. We can narrow down to the set of servers we want to work on using Server Groups and the other filters above, then click "Remediate" to build out the remediation task, automatically create a Change Management request, and so on:



We step through the wizard, first naming this particular Operation:

We can also exclude hosts here, schedule the remediation, and track its execution in the dashboard.


Next we automatically create and document a change management request, typically one of the more important but tedious steps in making production changes; here it happens with minimal work on my part. We can also skip this step, or mark the request for Emergency Approval, depending on how your Change Management workflow works best.

And here's our operation, ready to go once the change approval has been granted and the maintenance window starts:

Once the remediation runs, we see immediate feedback on the Security Dashboard as the vulnerabilities move from "Awaiting Attention" through "Awaiting Approval" and "Execution" to our favorite state, "Closed".


So we get integrated vulnerability imports, automated vulnerability and asset mapping, tightly linked remediation, status reporting back to the Security Operations team via the Security Dashboard, and best of all, vulnerabilities that close as business as usual rather than through war-room marathons.



So, CVE-2017-0144, a vulnerability identified about two months ago (published March 16, 2017), is now being widely exploited in the wild by the WannaCry ransomware, most visibly hitting hospitals in the UK's National Health Service to the point that they have had to redirect incoming patients to other facilities.

This vulnerability is addressed by Microsoft Security Bulletin MS17-010, which is also included in the OS-specific security bulletin roll-ups SB17-002, SB17-003 and SB17-004. MS17-010 applies to Server 2003 and Server 2008, while SB17-002 applies to Server 2008 R2, SB17-003 to Server 2012 R2, and SB17-004 to Server 2012 (thanks to Joe Schuler).


Part of what makes this vulnerability so serious is that exploitation requires no action by the user: it is a remote code execution flaw in SMBv1, so an unpatched system that is reachable over SMB (TCP port 445) from an infected host can be compromised and encrypted by the ransomware without anyone clicking anything. Where the patch cannot be applied immediately, blocking port 445 at the network boundary and disabling SMBv1 limit the exposure until it can.


[Screenshot: Wana Decrypt0r ransom note (source: Wikipedia)]


So, how do we address this using SecOps Response?


I imported my latest scan results, then went over to the Operator Dashboard. Filtering by "CVE-2017-0144" shows me exactly which systems this vulnerability was detected on, and that the oldest detection is 22 days old (and therefore in violation of SLA, this being a critical vulnerability):

Scrolling down, I see all the systems I can remediate.


Click "Remediate":

I'm going to deselect one server and continue with the rest:

Select "Execute Now":

Select some notifications, then hit "Execute Now".
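The triage both walk-throughs perform in the dashboards (import a scan, filter by part of a CVE id, hold back a host, find the oldest detection and check it against the SLA, and map each affected host to the patch bulletin for its OS) is simple enough to script, which is useful for spot-checking an import before trusting the auto-mapping. The following is an added example, not SecOps Response code or anything from BMC. The CSV layout, host names, dates and the 14-day critical SLA are constructed assumptions; the OS-to-bulletin table is the one given in the post above, and the example goes one step beyond the post by flagging hosts whose OS the table does not cover rather than silently leaving them out of the remediation.

```python
"""Triage a vulnerability-scan export by CVE, the way the post's dashboards do it.

Added example; not SecOps Response code. The CSV layout and SLA figures are
assumptions; the OS-to-bulletin table is the one given in the post."""
import csv
import io
from datetime import date

# Constructed sample scanner export (not real scan data).
SCAN_CSV = """host,os,cve,severity,first_seen
web01,Windows Server 2008 R2,CVE-2017-0144,5,2017-04-20
web02,Windows Server 2012 R2,CVE-2017-0144,5,2017-04-28
db01,Windows Server 2003,CVE-2017-0144,5,2017-05-01
app01,Windows Server 2012,CVE-2017-0144,5,2017-05-05
fs01,Windows Server 2016,CVE-2017-0144,5,2017-05-06
app01,Windows Server 2012,CVE-2017-0143,5,2017-05-05
"""

# Date the triage is run, fixed so the example is reproducible (constructed).
AS_OF = date(2017, 5, 12)

# Assumed remediation SLA in days, keyed by scanner severity.
SLA_DAYS = {5: 14, 4: 30, 3: 90}

# OS -> bulletin carrying the MS17-010 fix, exactly as listed in the post.
# Exact-match keys on purpose: "Windows Server 2012" must not match "2012 R2".
BULLETIN_BY_OS = {
    "Windows Server 2003": "MS17-010",
    "Windows Server 2008": "MS17-010",
    "Windows Server 2008 R2": "SB17-002",
    "Windows Server 2012 R2": "SB17-003",
    "Windows Server 2012": "SB17-004",
}


def load_scan(text):
    """Parse the CSV export into dicts with typed severity and first_seen."""
    out = []
    for r in csv.DictReader(io.StringIO(text)):
        out.append({
            "host": r["host"],
            "os": r["os"],
            "cve": r["cve"],
            "severity": int(r["severity"]),
            "first_seen": date.fromisoformat(r["first_seen"]),
        })
    return out


def findings_for_cve(rows, cve_fragment, exclude=()):
    """Dashboard-style filter: substring match on the CVE id, minus excluded hosts."""
    held_back = set(exclude)
    return [r for r in rows
            if cve_fragment in r["cve"] and r["host"] not in held_back]


def oldest_detection_age(findings, as_of=AS_OF):
    """Age in days of the earliest detection in the set (0 if empty)."""
    return max(((as_of - f["first_seen"]).days for f in findings), default=0)


def sla_breaches(findings, as_of=AS_OF, sla=SLA_DAYS):
    """Hosts whose detection age exceeds the SLA for the finding's severity."""
    late = {f["host"] for f in findings
            if (as_of - f["first_seen"]).days > sla.get(f["severity"], 90)}
    return sorted(late)


def remediation_plan(findings):
    """Map each host to the bulletin for its OS. Hosts whose OS is not in the
    table are flagged for manual review rather than silently dropped."""
    return {f["host"]: BULLETIN_BY_OS.get(f["os"], "UNMAPPED: review manually")
            for f in findings}


def triage(text, cve_fragment, exclude=(), as_of=AS_OF):
    """Everything the Operator Dashboard walk-through does, as one call."""
    findings = findings_for_cve(load_scan(text), cve_fragment, exclude)
    return {
        "hosts": sorted({f["host"] for f in findings}),
        "oldest_age_days": oldest_detection_age(findings, as_of),
        "sla_breaches": sla_breaches(findings, as_of),
        "plan": remediation_plan(findings),
    }


if __name__ == "__main__":
    # Hold back db01 (the post deselects one server) and remediate the rest.
    result = triage(SCAN_CSV, "0144", exclude=("db01",))
    for host in result["hosts"]:
        print(f"{host:6} -> {result['plan'][host]}")
    print("oldest detection:", result["oldest_age_days"], "days;",
          "SLA breaches:", result["sla_breaches"])
```

With the constructed data the oldest detection comes out at 22 days, matching the post's figure, and fs01 is reported as unmapped because Server 2016 is not in the post's table; that is the case to look at by hand before clicking "Remediate", since an auto-mapping gap is exactly what a spot check is for.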

Isn't that easy?