
The integration of macmon NAC with the Greenbone Security Manager creates a fast-acting, fully automated security concept. New devices or devices that are absent from the network for a longer period of time are automatically detected by macmon NAC and then checked for vulnerabilities by the Greenbone Security Manager. Learn more about the partnership between Greenbone Networks and macmon secure here.

Available as a physical and virtual appliance, the Greenbone Professional Edition, based on the Greenbone Security Manager (GSM), identifies security vulnerabilities in corporate IT and assesses their risk potential. In addition, the GSM recommends measures for remediating any found vulnerabilities.

The goal is to identify points of attack before cyber criminals do and thus prevent attacks. After all, practical experience shows that 999 out of 1,000 exploited vulnerabilities had already been known for more than 12 months and could therefore have been closed. The vulnerability tests that the GSM runs to detect these weaknesses are updated daily; currently, over 87,000 vulnerability tests are available. The GSM is now used in over 50,000 professional installations and integrations across all industries and company sizes. The turnkey appliance is based on open source software and can be deployed in a very short time.

Greenbone Networks has been a technology partner of macmon secure GmbH since 2018.

How does the technical partnership between macmon and Greenbone Networks work?

macmon NAC ensures that any new end device is scanned for vulnerabilities by the GSM when it is added to the corporate network, and it regularly re-evaluates the compliance status in order to protect the network. Christian Bücker, Managing Director of macmon secure GmbH, explains: “It is vital that a corporate network be scanned regularly to maintain IT security. The result of this scan is provided by GSM and evaluated at regular intervals by macmon NAC. If the device complies with company policies, it will be permitted to access the corporate network. If the device does not comply with the policies, macmon NAC can isolate the endpoint by means of a configurable response or disconnect it from the network and notify the administrator. This ensures that network access control is fully compliant at all times.”

macmon NAC recognizes new and known endpoints and initiates scans

New devices are constantly being added to a corporate network. Normally an administrator has to verify by hand that a new device is not infected with malicious code and does not pose a threat to data integrity or network security. macmon NAC detects a new endpoint as soon as it is connected to the network and instructs the GSM to scan it. Depending on the result of this scan, access is either granted or denied.

macmon NAC also initiates a GSM scan of an already known endpoint if the device has been disconnected from the network for longer than a configured period. Some endpoints cannot be scanned regularly because they are not permanently connected to the corporate network.

For example, an employee in the field can be away from the office for days or weeks. When the employee returns, the endpoint reconnects to the corporate network, macmon NAC detects the device and instructs the GSM to perform a scan. The GSM returns the result of this scan: if the device complies with company policies, it is permitted to access the corporate network. If it does not, macmon NAC can isolate the end device with a configured response, just as it would for a new end device, and again notify the administrator.

macmon NAC thus regularly checks the integrity of new and temporarily disconnected endpoints, using the absence period specified by the administrator as the trigger.
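The two decisions described above (does this endpoint need a scan now, and is it allowed onto the network given the scanner's findings) can be sketched as follows. This is an added example written for this page, not macmon's or Greenbone's code; the absence period, the severity threshold and the XML sample are assumptions. The sample is shaped like a GMP `get_reports` response, but the element names, OIDs and findings in it are constructed for illustration and should be checked against the GMP version actually in use.

```python
"""Decision logic for a NAC / vulnerability-scanner integration.

Added example, not macmon's or Greenbone's code.  It models the two decisions
the text describes: (1) does an endpoint need a scan now (new, or absent longer
than the configured period), and (2) given the scanner's report, is the endpoint
allowed onto the network or isolated.  SAMPLE_REPORT is a constructed XML
fragment shaped like a GMP get_reports response; the element names, OIDs and
findings in it are assumptions for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import xml.etree.ElementTree as ET


@dataclass
class Endpoint:
    mac: str
    ip: str
    last_seen: Optional[datetime]  # None: never seen before, i.e. a new device


def needs_scan(ep: Endpoint, now: datetime, max_absence: timedelta) -> bool:
    """New endpoints are always scanned; known ones only after a long absence."""
    if ep.last_seen is None:
        return True
    return now - ep.last_seen > max_absence


# Constructed sample in the shape of a GMP <get_reports_response> (assumed layout).
SAMPLE_REPORT = """<get_reports_response status="200" status_text="OK">
  <report id="e2f4a0d2-0000-4000-8000-000000000001">
    <report>
      <results>
        <result id="1">
          <host>192.0.2.10</host><port>445/tcp</port>
          <nvt oid="1.3.6.1.4.1.25623.1.0.000001"><name>Example finding A</name></nvt>
          <threat>Medium</threat><severity>5.3</severity>
        </result>
        <result id="2">
          <host>192.0.2.10</host><port>general/tcp</port>
          <nvt oid="1.3.6.1.4.1.25623.1.0.000002"><name>Example finding B</name></nvt>
          <threat>High</threat><severity>7.5</severity>
        </result>
        <result id="3">
          <host>192.0.2.11</host><port>general/tcp</port>
          <nvt oid="1.3.6.1.4.1.25623.1.0.000003"><name>Example finding C</name></nvt>
          <threat>Low</threat><severity>2.6</severity>
        </result>
      </results>
    </report>
  </report>
</get_reports_response>"""


def findings_by_host(report_xml: str) -> dict[str, list[tuple[str, float]]]:
    """Group (finding name, CVSS severity) pairs per scanned host."""
    root = ET.fromstring(report_xml)
    out: dict[str, list[tuple[str, float]]] = {}
    for res in root.iter("result"):
        host = (res.findtext("host") or "").strip()
        name = (res.findtext("nvt/name") or "").strip()
        severity = float(res.findtext("severity") or 0.0)
        out.setdefault(host, []).append((name, severity))
    return out


@dataclass(frozen=True)
class Policy:
    max_severity: float = 7.0   # one finding at or above this score -> isolate
    max_findings: int = 10      # or too many findings of any score -> isolate


def decide(findings: Optional[list[tuple[str, float]]], policy: Policy) -> str:
    """Return 'allow' or 'quarantine'.  No report entry for a host means the scan
    did not cover it (or failed), so this fails closed rather than open."""
    if findings is None:
        return "quarantine"
    worst = max((sev for _, sev in findings), default=0.0)
    if worst >= policy.max_severity or len(findings) > policy.max_findings:
        return "quarantine"
    return "allow"


def nac_response(ep: Endpoint, report_xml: str, policy: Policy) -> str:
    """Step 2 for one endpoint: look up its findings in the report and decide."""
    return decide(findings_by_host(report_xml).get(ep.ip), policy)


def run_demo(now: Optional[datetime] = None) -> dict[str, str]:
    """Run both steps over three constructed endpoints; returns ip -> verdict."""
    now = now or datetime(2021, 2, 1, 2, 0, tzinfo=timezone.utc)
    two_weeks = timedelta(days=14)  # assumed absence period set by the admin
    endpoints = [
        Endpoint("00:11:22:33:44:55", "192.0.2.10", None),                     # new
        Endpoint("00:11:22:33:44:66", "192.0.2.11", now - timedelta(days=30)),  # long absent
        Endpoint("00:11:22:33:44:77", "192.0.2.12", now - timedelta(days=2)),   # seen recently
    ]
    outcome: dict[str, str] = {}
    for ep in endpoints:
        if needs_scan(ep, now, two_weeks):
            outcome[ep.ip] = nac_response(ep, SAMPLE_REPORT, Policy())
        else:
            outcome[ep.ip] = "no scan needed"
    return outcome


if __name__ == "__main__":
    for ip, verdict in run_demo().items():
        print(ip, "->", verdict)
```

The one design choice worth pointing out is in `decide`: an endpoint that triggered a scan but does not appear in the report is quarantined, not allowed, because a missing result usually means the scan failed or never reached the host. In a real deployment the report would be fetched over GMP after the task finishes rather than embedded as a string.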

The CEOs of macmon secure and Greenbone Networks confirm the benefits of the partnership for the security of their customers

Dr. Jan-Oliver Wagner, CEO and co-founder of Greenbone Networks: “Both macmon and Greenbone pay attention to fast, fully automated response to ensure compliance with security policies. Attackers also use automation. We counter them with an individual system team acting according to customer specifications. Potential attack surfaces are quickly and specifically isolated, checked and released. Even at 2 a.m. at night. The strengths of both companies complement each other perfectly to ensure the greatest possible security for customers.”

Christian Bücker, Managing Director of macmon secure, comments: “The great advantage of this integration is that as soon as macmon NAC detects the presence of an endpoint, a scan is carried out immediately and fully automatically. If the device is not compliant, macmon NAC is informed directly and responds immediately and automatically with a device lockout or quarantine. The key to success is fast, automatic responses without the need for administrator intervention. By combining the strengths of the two solutions, the security concept will naturally be enhanced. macmon NAC is able to detect new devices added to the network very quickly and enforce security rules on behalf of Greenbone where it is not able to enforce these rules itself. Greenbone, on the other hand, is highly adept at identifying vulnerabilities, which is not macmon’s area of expertise.”

Integrating the Greenbone Security Manager with macmon NAC is easily done through macmon NAC’s web interface.

It was one of the most spectacular cyber attacks of all time: hackers attacked SolarWinds in the fall of 2019 and injected malware into an update of SolarWinds’ Orion platform in the spring of 2020. Customers who installed the compromised version of the network management software got the “SUNBURST” backdoor right out of the box – including numerous U.S. government agencies and large corporations. Well camouflaged, the hackers were able to spy on data unnoticed for a long time. Here you can learn if you are affected by the SolarWinds attack and how you can protect yourself using Greenbone Networks’ solutions.

The cyber criminals have thus pulled off an almost perfect coup. There is an element of irony to the attack, since SolarWinds’ customers use the Orion platform to monitor their IT environment for suspicious behavior. The hackers were hiding in plain sight, as it were, and proceeded in a very targeted and extremely sophisticated manner. They first compromised SolarWinds itself with the specially developed “SUNSPOT” malware. This injected the malicious “SUNBURST” backdoor, also called “Solorigate”, into the build of the SolarWinds Orion Platform. Because the backdoor was inserted into the source during SolarWinds’ own build process, the compromised component was shipped with a valid SolarWinds code signature, which camouflaged it perfectly. With the update compromised, the backdoor could then be distributed to customers undetected.

Undetected for a Long Time

On 12 December 2020, SolarWinds was informed about the incident and launched an investigation. Security firm FireEye, which had itself been compromised via the backdoor, published additional information about the intrusion into its network. According to its research, the attackers had stolen various red team tools from FireEye, which the company uses for testing its own customers’ security. Other SolarWinds customers also reported security breaches. In addition, during the investigation of the incident, security researchers found another backdoor that apparently originated from a second, independent hacker group. These attackers had exploited the previously unknown vulnerability CVE-2020-10148, an authentication bypass in the Orion API, to install a malicious web shell called “SUPERNOVA” on targets running the Orion platform. More recently, multiple new vulnerabilities have also been discovered in Orion, vulnerabilities that could allow full remote code execution if left unpatched.

In the Greenbone Security Manager, the Appropriate Vulnerability Tests Are Already Integrated

Around 18,000 customers received the compromised SolarWinds update, making them particularly exposed to an attack. However, not all of them were subsequently accessed through the backdoor or had data exfiltrated: the hackers have so far concentrated on particularly attractive, lucrative targets. Are your networks also at risk? As a Greenbone Networks customer, you can find out right away, as we integrated corresponding vulnerability tests into the Greenbone Security Manager (GSM) as soon as the incident became known. Our vulnerability scanning will show you whether your IT environment is exposed via “SUNBURST”/“Solorigate” or CVE-2020-10148, which would make you a potential attack target. In addition, the GSM can check whether you have already fallen victim to “SUPERNOVA”, or to the additional malware tools used by the hackers, “TEARDROP” and “RAINDROP”.

The Situation Is Serious, but There Are Solutions out There

Anyone affected by the vulnerabilities mentioned above should work to close them immediately using the hotfixes and patches SolarWinds has published for them, as the hacker group behind the attack is still active and at large. Only recently, the security firm Malwarebytes announced that it had been the victim of a cyber attack. According to Malwarebytes, the same actor is behind this as in the SolarWinds hack, although Malwarebytes itself does not use SolarWinds software at all. In this instance, the cyber criminals abused an application with privileged access to Office 365 and Azure environments as the attack vector. Fortunately, the damage was reported to be minor and Malwarebytes’ own software was not compromised.

All these incidents have shown that we have reached a new dimension of cyber crime. Actors are carrying out perfectly planned, complex and multi-stage attacks, first hijacking trusted software to then gain access to other more lucrative victims. To ensure such attacks have as few chances as possible to succeed, it is important to identify and close vulnerabilities as soon as possible.

Are there actually independent reviews of Greenbone Networks solutions?
Of course – we are proud to present the latest report from a leading industry magazine: “IT-Administrator tried the system [solution from Greenbone Networks] and was thrilled with its functionality”. (IT Administrator 01/2021)

In September 2020, the magazine IT-Administrator – a German professional journal for system and network administration – asked Greenbone Networks if they could write a test report about a Greenbone appliance.

The report appeared in the January 2021 issue of the magazine. Here you can read the detailed report.

In the test, IT-Administrator took a closer look at the Greenbone Security Manager 150. The GSM 150 is a physical appliance designed for vulnerability management in small to medium-sized businesses, or organizations with medium-sized branch offices. It scans up to 500 IP addresses within 24 hours and can also be used as a sensor for larger appliances.

Everything that must be done in a standard deployment of a Greenbone Security Manager was tested: from the initial setup via the console, to configuring scans on the web interface, to evaluating a scan report.

For testing the vulnerability scans, IT-Administrator had prepared different target systems with different security status to examine the differences in the results. Authenticated scans were also part of the test.

Read the full article here (German only).