A Single Partner for Everything You Need Optiv works with more than 450 world-class security technology partners. By putting you at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can.
We Are Optiv Greatness is every team working toward a common goal. Winning in spite of cyber threats and overcoming challenges in spite of them. It’s building for a future that only you can create or simply coming home in time for dinner. However you define greatness, Optiv is in your corner. We manage cyber risk so you can secure your full potential.
Breadcrumb Home Insights Source Zero Accelerating Vulnerability Remediation with Automation April 12, 2021 Accelerating Vulnerability Remediation with Automation One way Optiv helps its clients is by speeding up their vulnerability management process. In a recent project we sought to reduce mean time to remediate (MTTR) by accelerating the processes from vulnerability discovery to the deployment of a corrective system update. The vulnerability management process for user workstation and on-premise servers is ripe for revision. Taking cues from current systems management and application development processes, legacy vulnerability management can be transformed and accelerated by adopting two components: patch unit testing and automated patch identification and deployment. The technologies required to incorporate these components into the vulnerability management process are robotic process automation (RPA) and systems management tools that offer the orchestration of vulnerability scan data, patch correlation and rules-based deployment through patch management solutions. During our research we found that there’s no standardized method to model and analyze vulnerability management workflows. To have a better method to model these workflows Optiv created a “vulnerability management pipeline” concept. The pipeline is based on a set of building blocks that align with the major and minor phases organizations perform during the vulnerability management process. In order to improve remediation times, an organization will first need to understand what factors are contributing to the overall time to remediate. Rather than building on a dated model, the goal of the pipeline is to break the process into better defined and measurable phases. This post will focus on how Optiv achieved automated end-to-end discovery to remediation for Windows workstations. An example of this pipeline is shown below. Image Figure 1 – Windows workstation remediation pipeline Lab Architecture Image Lab Environment SaaS Tenable.io Vulcan Cyber Azure Power Automate Cloud flows Azure Automation runbooks ESXi Active Directory System Center Configuration Manager (SCCM) Windows 2016 servers Windows 10 hosts Integrating Vulcan Cyber Into the Remediation Pipeline Image Figure 2 – Adding Vulcan Cyber to a basic vulnerability management configuration Vulcan’s solution was added to the remediation pipeline as a method to correlate Tenable.io vulnerability scan data with the appropriate corrective action. The initial design is shown above. Using the API integrations between Tenable.io, Vulcan Cyber and Microsoft SCCM, the flow of the pipeline is as follows: Tenable scans the Windows 10 desktops and Windows servers for vulnerabilities. Tenable.io sends vulnerability scan data to Vulcan. SCCM also sends host information to Vulcan. Vulcan sends a remediation package to SCCM. The Vulcan remediation package creates a device collection and a software update group in SCCM. At this stage an operator can initiate patch deployment from SCCM to the device collection. An example Vulcan runbook used in this proof of concept is shown in Figure 3 below. When Vulcan receives vulnerabilities with fixes from Tenable.io matching asset names that begin with PRS-KS, it creates an SCCM remediation action. Image Image Figure 3 – Example Vulcan runbook At this stage we have not reached a fully automated remediation pipeline. In this environment the “last mile” of remediation requires a human to perform four steps: Create a deployment package. Download the software for the deployment package. Assign a distribution point for the deployment package. Start the deployment update. Deployment Automation In order to automate the “last mile” of the Windows remediation pipeline Optiv used the automation functionality provided in Microsoft’s Power Automate and Azure Automation. In figure 4 the additional components of the remediation pipeline are highlighted in green. Image Figure 4 – Additions to the vulnerability management configuration An action is added to the Vulcan lightweight automation runbook that sends an email with all of the aggregated information to a service email account. The Playbook note, which is optional, was added as a way for Power Automate to down select only certain emails as a trigger. This will be explained further in the steps below. Image Figure 5a – Kicking off a Vulcan runbook A Power Automate flow was created to assist with the automation. The flow is triggered by an email from hello@vulcan[.]io that has attachments. Image Figure 5b – Power Automate flow trigger from Vulcan runbook The next step in the flow is to narrow the scope of the emails with attachments by performing a regular expression search for a particular note in the body of the email. This information was added in the Vulcan action shown above in figure 5b. Image Figure 6 – Conditional step If the condition is met when the body of the email matches the regular expression the flow continues on to the next step, which is an Azure Automation runbook. Image Figure 7 – Azure Automation runbook The details of this Azure Automation runbook are shown in the PowerShell code below. When the code is executed on the hybrid-worker, it will perform the “last mile” tasks that were still manual in the first iteration of the remediation pipeline. Calls the Automation account credential store to use the account named service for the RunAs account Logs into the SCCM server from the hybrid-worker Installs the Configuration Manager PowerShell cmdlets Checks the current time vs. the time that SUG-RPA software update group was last modified; if the time was modified within the last 10 minutes, SCCM is instructed to:Create a deployment package Download the software for the deployment package Assign a distribution point for the deployment package Start the deployment update #Get credentials to perform RunAs from the automation crendtial store.$Credential = Get-AutomationPSCredential -Name 'service'$computername = 'PRS-SCCM01'$ScriptBlock = {$DriveName = 'P01'$Root = 'PRS-SCCM01.optivtest.com'#Importing the Configuration Manager PowerShell cmdlets cd "C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager\" -verbose; Import-Module .\ConfigurationManager.psd1 New-PSDrive -Name $DriveName -PSProvider "AdminUI.PS.Provider\CMSite" -Root $Root -Description "Primary site"; Set-Location P01: #Ignore error message “A drive with the name ‘P01’ already exists.”#Time Difference Check$DateTimeNow = Get-Date $CollectionModifiedTime = Get-CMSoftwareUpdateGroup -Name SUG-RPA$DateLastModified = $CollectionModifiedTime.DateLastModified$Difference = New-TimeSpan -start $DateLastModified -End $DateTimeNow$Minutes = $Difference.TotalMinutes$Minutesif($Difference -le 10){"New Deployment Modification Time" #Create Deployment Package#Note: If the Deployment Package Name exisits then it will throw an error message and continue with the next command.New-CMSoftwareUpdateDeploymentPackage -Name "RPA" -Path "\\PRS-SCCM01\Sources\SCCM\PackageUpdates\RPA"#Download Required Updates#Note: If the Required Updates are already downloaded then it will throw an error message and continue with the next command.Get-CMSoftwareUpdateGroup -Name SUG-RPA | Save-CMSoftwareUpdate -DeploymentPackageName RPA#Create Distribution Point#Note: If the Distribution Point for the package already exisits then it will throw an error message and continue with the next command.Start-CMContentDistribution -DeploymentPackageName "RPA" -DistributionPointName "PRS-sccm01.optivtest.com"#Start Deployment Update Start-CMSoftwareUpdateDeployment ` -SoftwareUpdateGroupName "SUG-RPA" ` -CollectionName "DC-RPA" ` -DeploymentName "Automation" ` -Description "Push from Automation Pipeline" ` -DeploymentType Required ` -VerbosityLevel AllMessages ` -TimeBasedOn UTC ` -UserNotification DisplayAll ` -PersistOnWriteFilterDevice $False ` -DisableOperationsManagerAlert $True ` -GenerateOperationsManagerAlert $True ` -ProtectedType RemoteDistributionPoint ` -UnprotectedType NoInstall ` -UseBranchCache $False ` -DownloadFromMicrosoftUpdate $False } else {"Deployment Modification Time Not New" } } Invoke-Command -ScriptBlock $ScriptBlock -Credential $Credential -computername $computername This particular runbook is rather static, as it lists a specific software update group, device collection and deployment name, but it can be altered to include others. The script is shown as the first action step highlighted in red in the flow below. Image Figure 8 – Power Automate Cloud Flow Patch Unit Testing with Robotic Process Automation Optiv recently surveyed a sample set of clients regarding vulnerability remediation. All of the clients surveyed responded they would allow for end-to-end automated remediation, with no human intervention, if user testing was completed. Optiv has shown that user acceptance testing, post update, can be automated with the use of robotic process automation. Not only can the testing be automated, but it can be an integrated step of the pipeline. While this post is not intended to provide detailed guidance on the use of RPA, it is important that once user workflows are captured, they are tested repeatably to ensure a consistent and expected outcome. Once confident in the RPA’s expected outcome of the workflow(s), the execution of the workflows can be added as a step in the pipeline. Adding unit testing: Image Figure 9 – Adding unit testing to the vulnerability management configuration In the final iteration of the pipeline, Optiv used several Azure Automation runbooks and a Power Automate Desktop flow as additional actions that are added on to the previous Power Automate cloud flow. In order for RPA to be used as a workflow test, Optiv needed to ensure the software updates were applied to the test host. Optiv created an Azure Automation runbook to force the test client to check for updates: #Get credentials to perform RunAs from the automation crendtial store.$Credential = Get-AutomationPSCredential -Name 'service'$computername = 'PRS-SCCM01'$ScriptBlock = {$DriveName = 'P01'$Root = 'PRS-SCCM01.optivtest.com'#Importing the Configuration Manager PowerShell cmdlets cd "C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager\" -verbose; Import-Module .\ConfigurationManager.psd1 New-PSDrive -Name $DriveName -PSProvider "AdminUI.PS.Provider\CMSite" -Root $Root -Description "Primary site"; Set-Location P01: #Ignore error message “A drive with the name ‘P01’ already exists.”#Ignore error message “A drive with the name ‘P01’ already exists.” Invoke-CMClientAction ` -DeviceName PRS-KSRPA ` -ActionType ClientNotificationSUMDeplEvalNow } Invoke-Command -ScriptBlock $ScriptBlock -Credential $Credential -computername $computername This is what this action looks like in the Power Automate flow. Image Figure 10 – Power Automate Flow After the host is “forced” to run the update a delay timer is executed. The delay timer is intended to provide the host enough time to install the updated. After the time has expired an Azure Automation runbook is used to query that the update was installed. Image Figure 11 – Power Automate Flow details The third Azure Automation runbook that was used is listed below. The runbook checks if the deployment to the host was successful by running the Get-CMDeployment command and checking the NumberSuccess object. #Get credentials to perform RunAs from the automation crendtial store.$Credential = Get-AutomationPSCredential -Name 'service'$computername = 'PRS-SCCM01'$ScriptBlock = {$DriveName = 'P01'$Root = 'PRS-SCCM01.optivtest.com'#Importing the Configuration Manager PowerShell cmdlets cd "C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager\" -verbose; Import-Module .\ConfigurationManager.psd1 New-PSDrive -Name $DriveName -PSProvider "AdminUI.PS.Provider\CMSite" -Root $Root -Description "Primary site"; Set-Location P01: #Ignore error message “A drive with the name ‘P01’ already exists.”#Ignore error message “A drive with the name ‘P01’ already exists.”$NS = Get-CMDeployment -CollectionName "DC-RPA" -FeatureType SoftwareUpdate | ForEach-Object NumberSuccessif($NS -contains 1){"Host is up to date" } else {"Host has not been updated" } } Invoke-Command -ScriptBlock $ScriptBlock -Credential $Credential -computername $computername If the deployment was successful the host will execute the user workflow test(s) using Microsoft’s Power Automate Desktop flow. Image Figure 12 – Power Automate Desktop Flow Using a Power Automate Desktop flow, a simple user workflow is executed after the host is patched to ensure that the software or security update does not disrupt any workflow or business process. In Optiv’s proof of concept a single user workflow was tested in the remediation pipeline, but multiple local and web application workflows can be added to this flow to ensure all possible user tasks are tested before scheduling an update for the entire organization. Automated Remediation Pipeline With the assistance of Microsoft Desktop flow, user workflow testing is complete. The last step in the automated remediation pipeline is to deploy the software update to a larger device collection in SCCM. Optiv was able to do this using an additional Azure Automation runbook. The runbook below assigns the software update group to an existing device collection that contains additional Windows 10 hosts. These hosts are running the same version of Windows 10 and have the same applications installed as the one tested in the RPA action of the Power Automate flow. #Get credentials to perform RunAs from the automation crendtial store.$Credential = Get-AutomationPSCredential -Name 'service'$computername = 'PRS-SCCM01'$ScriptBlock = {$DriveName = 'P01'$Root = 'PRS-SCCM01.optivtest.com'#Importing the Configuration Manager PowerShell cmdlets cd "C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager\" -verbose; Import-Module .\ConfigurationManager.psd1 New-PSDrive -Name $DriveName -PSProvider "AdminUI.PS.Provider\CMSite" -Root $Root -Description "Primary site"; Set-Location P01: #Ignore error message “A drive with the name ‘P01’ already exists.”#Start Deployment Update Start-CMSoftwareUpdateDeployment ` -SoftwareUpdateGroupName "SUG-RPA" ` -CollectionName "WindowsWorkstations-Win10" ` -DeploymentName "Automation" ` -Description "Push from Automation Pipeline - Post RPA Test(s)" ` -DeploymentType Required ` -VerbosityLevel AllMessages ` -TimeBasedOn UTC ` -DeploymentAvailableDay $DateTimeNow ` -DeploymentAvailableTime $DateTimeNow ` -UserNotification DisplayAll ` -PersistOnWriteFilterDevice $False ` -DisableOperationsManagerAlert $True ` -GenerateOperationsManagerAlert $True ` -ProtectedType RemoteDistributionPoint ` -UnprotectedType NoInstall ` -UseBranchCache $False ` -DownloadFromMicrosoftUpdate $False } Invoke-Command -ScriptBlock $ScriptBlock -Credential $Credential -computername $computername The code above is in the action highlighted in red in the flow below. Image Figure 13 – Power Automate Desktop Flow details Complete Flow: Image Figure 14 – Complete flow Power Automate checks the service email account for new email from Vulcan.io Email matches regex criteria Azure Automation RunbookCreates a deployment package Downloads the software included in the software update group for the deployment package Assigns a distribution point for the deployment package Deployment update is started Azure Automation RunbookForce the test client to check SCCM for new software updates and download Sleep timer used to wait 1 hour until to ensure the software update is installed Azure Automation RunbookChecks to see if the deployment package was successfully installed on the test host Power Automate flow checks to see that the previous set was successful Power Automate Desktop flow is executed to simulate a user workflow Azure Automation RunbookThe software update is applied to a larger device collection in SCCM An email notifies the admin that the software update has been tested and pushed to a larger device collection This pipeline shows that workstation vulnerability management can be fully automated, including user workflow testing, with no human interaction. In a previous project, Optiv validated that endpoint remediation can be tested using a similar flow with Mandiant Security Validation. This research was completed in 2020 and Optiv was able to create an Azure host, install the MSV agent and perform testing with no human interaction. In my next Source Zero post I will add the ability to provide efficacy testing, through Mandiant Security Validation, to the existing remediation pipeline, further automating validation of the remediation action. By: Dan Kiraly Senior Research Scientist | Optiv Dan Kiraly is senior research scientist on Optiv’s R&D team. In this role he's responsible for use case development and the vetting of security products for Optiv. Share: Blue Team Source Zero® Vulnerability Management Remediation Automation MTTR Copyright © 2024 Optiv Security Inc. All rights reserved. No license, express or implied, to any intellectual property or other content is granted or intended hereby. This blog is provided to you for information purposes only. While the information contained in this site has been obtained from sources believed to be reliable, Optiv disclaims all warranties as to the accuracy, completeness or adequacy of such information. Links to third party sites are provided for your convenience and do not constitute an endorsement by Optiv. These sites may not have the same privacy, security or accessibility standards. Complaints / questions should be directed to Legal@optiv.com
Copyright © 2024 Optiv Security Inc. All rights reserved. No license, express or implied, to any intellectual property or other content is granted or intended hereby. This blog is provided to you for information purposes only. While the information contained in this site has been obtained from sources believed to be reliable, Optiv disclaims all warranties as to the accuracy, completeness or adequacy of such information. Links to third party sites are provided for your convenience and do not constitute an endorsement by Optiv. These sites may not have the same privacy, security or accessibility standards. Complaints / questions should be directed to Legal@optiv.com