What to Know. What to Do. And How to Stay Ahead.
IDENTITY SECURITY BEST PRACTICES TO CONTAIN LOG4J RISK
Log4Shell highlights the importance of defense-in-depth and multi-layered security
Apply patches
Apply the software updates already released by Apache for Log4j and monitor the page for updates. Review vendor recommendations and updates for all enterprise software platforms in use, along with any underlying OS and enterprise integrations. Check in with all your third-party vendors to make sure they’ve also patched the software you use.
Restrict access to environment variables and local credentials stored in CI/CD pipelines. If an application requires a secret be handed over as an environment variable, use a secrets manager to help ensure only authenticated users get access to the clear text secrets.
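One way to find which variables in a CI/CD job still carry clear-text secrets and should move to a secrets manager. This is an added example, not CyberArk code; the name patterns, the reference prefixes (`/run/secrets/`, `vault:`, `secretref:`), the entropy threshold and the sample environment are assumptions made for illustration.

```python
import math
import re

# Variable names that usually hold credentials (assumed pattern, tune per pipeline).
SECRET_NAME = re.compile(
    r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY|CREDENTIAL)", re.I)
# Values that only point at a secrets manager or a file it mounts
# (hypothetical conventions for this example).
REFERENCE = re.compile(r"^(/run/secrets/|/var/run/secrets/|vault:|secretref:)")


def shannon_entropy(value: str) -> float:
    """Bits per character: random tokens score high, words and paths low."""
    if not value:
        return 0.0
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def audit_environment(env: dict) -> list:
    """Return (name, reason) pairs for variables that look like clear-text secrets.

    Values are never returned, so the report itself is safe to log.
    """
    findings = []
    for name, value in sorted(env.items()):
        if not value or REFERENCE.match(value):
            continue  # empty, or a pointer the secrets manager resolves
        if SECRET_NAME.search(name):
            findings.append((name, "credential-like name with inline value"))
        elif len(value) >= 20 and shannon_entropy(value) >= 4.0:
            findings.append((name, "high-entropy value"))
    return findings


# Constructed sample of a CI job environment (all values are fake).
SAMPLE_ENV = {
    "PATH": "/usr/local/bin:/usr/bin:/bin",
    "BUILD_ID": "1842",
    "DB_PASSWORD": "hunter2-not-a-real-password",
    "DEPLOY_TOKEN": "/run/secrets/deploy_token",
    "ARTIFACT_AUTH": "q7Zp0LxV3mKd9TfYb2Rw8HsNc5JgUe1A",
}

if __name__ == "__main__":
    for name, reason in audit_environment(SAMPLE_ENV):
        print(f"{name}: {reason}")
```

In a real job, pass `dict(os.environ)` instead of the sample; every finding is a secret that any code running inside that process can read.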
Protect Tier 0 assets
Only allow privileged access to Tier 0 assets like Active Directory and DevOps workflow orchestrators from specific bastion hosts. This makes it far more difficult for an attacker to escalate privileges and compromise more assets.
Implement Least Privilege
Restricting access to the minimum level needed — and taking it away as soon as it’s not needed — can go a long way in slowing down or halting an attacker’s progress by preventing lateral movement, and ultimately, minimizing the blast radius and overall impact.
If you are a current CyberArk Endpoint Privilege Manager customer, you can enable detection and protection from certain Log4j-based attack vectors by configuring an advanced Application Control policy in EPM SaaS. This will help to reduce the blast radius, alert about an ongoing attack and complicate lateral movement for the attacker.
Enable Multi-Factor Authentication (MFA)
Attackers are much less likely to succeed when required to provide a second authentication factor or another piece of approval — so this is always a best practice.
LEARN HOW CYBERARK HELPS MITIGATE SOFTWARE SUPPLY CHAIN ATTACKS EXPLOITING LOG4J
Comprehensive Identity Security
Multi-layered ransomware protection
Credential Theft Protection
Continuous Adaptive Trust