RSA Admin

How to detect the Heartbleed Vulnerability using RSA Security Analytics

Discussion created by RSA Admin Employee on Apr 10, 2014
Latest reply on Apr 11, 2014 by huan zhou

What is Heartbleed?

The Heartbleed OpenSSL vulnerability is a serious weakness in specific implementations of the OpenSSL software on servers, Virtual Private Networks and other applications.  For full details on this vulnerability, please visit http://heartbleed.com

 

How can RSA find instances of Heartbleed?

RSA Security Analytics gives users the ability to identify servers vulnerable to the Heartbleed exploit, as well as detect attempts to exploit the service. This is a perfect example of the type of incident investigation and forensics that can be achieved utilizing full packet capture and RSA Security Analytics.

 

What rules and/or parsers have been created to help find Heartbleed?

Parsers that have been created to address Heartbleed are now available in RSA Live.  These are available for all RSA Live subscription tiers.  The specific parsers are “TLS” and “TLS_lua”. Users subscribed to either of these parsers will be automatically updated. For users that are not currently subscribing to either piece of content, they should disable the default TLS parser and subscribe to one of the two TLS parsers available on RSA Live. For customers running RSA NetWitness / RSA Security Analytics version 10.2 and below, use the Flex parser “TLS”. For those running versions 10.2 and above, use the LUA parser “TLS-lua”.

To detect vulnerable  servers, look for instances of “openssl vulnerable to heartbleed” under the risk.informational meta-key. For detecting exploit attempts, look for “heartbleed data leak” under risk.warning meta-key.

 

Once detected how can Heartbleed be remediated?

To fully remediate this vulnerability, upgrade weak systems to the latest fixed version of OpenSSL and revoke old keys. Renew your SSL certificate, and if applicable, change passwords for sensitive accounts.

Outcomes