Responding to remote service appliance vulnerabilities with Sumo Logic

For those responsible directly or indirectly for the cyber defense of their organizations, June 2023 is proving to be an extremely challenging month.

In this month alone, vulnerabilities were discovered in various appliances, ranging from CVE-2023-27997 impacting FortiGate devices to CVE-2023-35708 impacting MOVEit Transfer software as well as the exploitation activity discovered of Barracuda appliances via CVE-2023-2868.

Responses to each one of these vulnerabilities involve following multiple and fast-moving vendor advisories, in addition to performing different and often complex patching procedures.

Although well-meaning, it is often difficult for organizations to follow “just patch” type guidance - as there could be various extraneous circumstances preventing the swift patching of such appliances.

Similarly, building threat detection use cases for such appliances is not a simple task for several reasons:

• Appliances may not allow the installation of custom telemetry collection agents

• Telemetry from these devices tends to tilt towards debug and operational information and not security use cases

• Log formats from these appliances are often generated in non-standard and difficult-to-parse formats

• These appliances may be located in network segments that do not allow for simple telemetry collection

• The exploitation of these devices may occur in a “0-day” fashion that exploits gaps in existing threat detection coverage

Despite the above – in many networks – these devices still generate egress and ingress traffic that traverses corporate firewalls. Also, some of the above-mentioned appliances install on top of Linux or Windows operating systems as a piece of software, with both operating systems generating telemetry that can aid us in gaining some visibility into the operations performed by such devices.

Given the above context, this blog aims to showcase how the Sumo Logic platform can be brought to bear in detecting threats that stem from vulnerabilities discovered in remote service appliances using telemetry found on corporate firewalls and endpoints.

Threat detection with telemetry from corporate firewalls and endpoints

To aid in any response efforts, organizations must maintain an up-to-date inventory of assets. Organizations that follow NIST best practices can refer to NIST SP 1800-5 for information regarding IT asset management.

Once a vulnerability is identified in a remote service appliance, you can reference your inventory and gather information, particularly IP addresses of vulnerable appliances.

Once a vulnerable appliance is identified in the network, you can create a Sumo Logic Cloud SIEM match list with the relevant information.

Let’s create a match list with the following parameters: