Hello dear reader! Today we are going to talk about SSL and TLS, and vulnerabilities! It is nothing new that SSL is the de facto standard for mass-usage secure communications in our interconnected digital world. It is also nothing new that, even though it is one of the foundations of secure information exchange, implementing SSL/TLS and purchasing a trusted certificate from Thawte, Verisign or GoDaddy does not guarantee the security of your internet-facing assets, be they websites, customer services or payment portals. Let us quickly recall how many SSL vulnerabilities we witnessed in the last 4 years. Off the top of my head I can recall 7. Those vulnerabilities are so infamous that they even received names and logos, but just to list the loudest of them once again: BEAST attack, CRIME, the RC4 attacks of March 2013, Heartbleed, POODLE, FREAK and LogJam.

Long story short, how does one check for a secure SSL/TLS implementation? There is a free and publicly available solution for it, used worldwide to run on-demand checks of public-facing assets. The question is, how often do you check your website? It is yet another manual task among the many that fall on the shoulders of your IT security team or even IT administrators. And, to be bluntly honest, at SOC Prime we are obsessed with automating routine and repetitive tasks.

As you may have already heard, we have released a free and open-source add-on that uses the Qualys SSL Labs open API to automate SSL scans on a daily basis for any number of domains you may have. And it does so without posting the scan results in public. Instead, the SSL Framework streams scan data in real time to the most widely adopted SIEM solutions in the industry, such as HPE ArcSight ESM, IBM QRadar and Splunk. The idea behind the SIEM integration is that you have live insight into all your SSL certificate implementations, their security scoring and remediation, as well as a 2-click drilldown to the full SSL Labs report without actually having to store it entirely in the SIEM itself.
Some examples are on screenshots below:
I almost forgot to mention the email that prompted me to write this article. The thing is, as with any R&D company, we have developers creating things and DevOps having fun with the consequences of those creations coming to life! Since SOC Prime, like any other business present on the internet, uses SSL certificates for its public website, we have to continuously track not just the security status of the certificate but also its expiry time, revocation status and all the other parameters. So I got an urgent call from our DevOps last evening saying that they had received an automatic notification that one of our Thawte SSL certificates will expire in 60 days. At first I was like wow, our CFO must have been really persistent with cost planning and management, so he even took care of alerts being sent out on SSL certificate expiry... which is kind of too much to expect from a CFO! Even in a cyber security startup... You may have guessed by now that the email actually came from our internal deployment of SSL Framework, which was put into production more than 10 months ago, with automatic alerting enabled for all participants of the certificate management process. Some details on the alert are here:
Thus, we can confidently conclude that SSL Framework acts as a human intelligence augmentation module and is applicable to DevOps operations! Just kidding, yet the toolkit definitely proved its value yet again.
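To make the two checks described above concrete, here is an added example in Python. It is not code from SOC Prime's SSL Framework; it is a stand-alone illustration of (a) the certificate-expiry alert logic with a 60-day warning threshold, and (b) turning a scan result in the shape of the SSL Labs `analyze` API response into SIEM-ready CEF events with a drill-down link to the full SSL Labs report, so nothing but the grade and the URL has to be stored in the SIEM. The sample `analyze` response, the host names, IP addresses, grade-to-severity mapping and the 14-day critical threshold are all constructed for the example; the vendor/product strings in the CEF header are placeholders. Only the `fetch_not_after` helper at the end talks to the network.

```python
"""Added example (not SOC Prime's SSL Framework code): certificate-expiry
alerting and SSL Labs scan results as CEF events for a SIEM."""
import json
import socket
import ssl
import time
from urllib.parse import urlencode

# Alert thresholds in days. 60 mirrors the notice in the post; 14 is an assumption.
WARN_DAYS = 60
CRIT_DAYS = 14

# SSL Labs API v3 analyze endpoint; publish=off keeps results off the public boards.
SSLLABS_ANALYZE = "https://api.ssllabs.com/api/v3/analyze"
SSLLABS_REPORT = "https://www.ssllabs.com/ssltest/analyze.html?d="

# Constructed mapping from SSL Labs grades to CEF severity (0-10); not an official scale.
GRADE_SEVERITY = {"A+": 1, "A": 2, "A-": 3, "B": 5, "C": 7,
                  "D": 8, "E": 9, "F": 10, "T": 10, "M": 10}


def analyze_url(host):
    """Build the daily scan request for one domain (results not published)."""
    return SSLLABS_ANALYZE + "?" + urlencode(
        {"host": host, "publish": "off", "startNew": "on", "all": "done"})


def days_until_expiry(not_after, now=None):
    """not_after is the 'notAfter' string exactly as ssl.getpeercert() returns it,
    e.g. 'Jan  5 09:34:43 2018 GMT'. Returns whole days left (negative if expired)."""
    expiry = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return int((expiry - now) // 86400)


def expiry_severity(days_left):
    """Classify remaining lifetime into the alert tiers used above."""
    if days_left < 0:
        return "EXPIRED"
    if days_left <= CRIT_DAYS:
        return "CRITICAL"
    if days_left <= WARN_DAYS:
        return "WARNING"
    return "OK"


# Constructed sample in the shape of an SSL Labs v3 analyze response (subset of fields).
SAMPLE_ANALYZE = json.dumps({
    "host": "www.example.com",
    "status": "READY",
    "endpoints": [
        {"ipAddress": "192.0.2.10", "grade": "B", "hasWarnings": True},
        {"ipAddress": "192.0.2.11", "grade": "A+", "hasWarnings": False},
    ],
})


def cef_escape(value):
    """Escape characters that are special in CEF extension values."""
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def scan_to_cef(analyze_json):
    """Emit one CEF line per scanned endpoint; an unfinished scan yields nothing.
    The SIEM keeps only grade, severity and the report URL for the 2-click drilldown."""
    data = json.loads(analyze_json)
    if data.get("status") != "READY":
        return []
    events = []
    for ep in data.get("endpoints", []):
        grade = ep.get("grade", "F")           # missing grade is treated as worst case
        severity = GRADE_SEVERITY.get(grade, 10)
        fields = [("dhost", data["host"]), ("dst", ep["ipAddress"]),
                  ("cs1Label", "sslGrade"), ("cs1", grade),
                  ("cs2Label", "reportUrl"), ("cs2", SSLLABS_REPORT + data["host"])]
        ext = " ".join(f"{k}={cef_escape(v)}" for k, v in fields)
        # Header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
        events.append(f"CEF:0|ExampleVendor|ssl-check|1.0|ssl-grade|"
                      f"SSL Labs grade {grade}|{severity}|{ext}")
    return events


def fetch_not_after(host, port=443, timeout=10):
    """Network helper: fetch the leaf certificate's notAfter from a live server."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    for line in scan_to_cef(SAMPLE_ANALYZE):
        print(line)
    days = days_until_expiry("Jan  5 09:34:43 2018 GMT")
    print("days left:", days, expiry_severity(days))
```

A scheduled job would call `analyze_url` for each domain, poll until `status` is `READY`, feed the JSON to `scan_to_cef` and forward the lines over syslog to ArcSight, QRadar or Splunk; the expiry check runs on the `notAfter` value from `fetch_not_after` so that the 60-day notice reaches everyone in the certificate management process well before renewal day.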
p.s. Oh, did I mention that the package takes 5 minutes to set up and is available for download for free at official marketplaces such as Splunkbase, HPE ArcSight Marketplace and IBM Global Solutions Directory, as well as directly from the SOC Prime website? So, DO NOT keep the door to your revenue services unlocked – automate the SSL implementation security analysis and stay ahead of the threats! Be safe.