Log4j Vulnerability

What to Know. What to Do. And How to Stay Ahead.

Identity security best practices to contain Log4j risk

Log4Shell highlights the importance of defense-in-depth and multi-layered security

Apply Patches

Apply patches Apply the software updates already released by Apache in Log4j and monitor the page for updates. Review vendor recommendations and updates for all enterprise software platforms in use, along with any underlying OS and enterprise integrations. Check in with all your third-party vendors to make sure they’ve also patched the software you use.

Deploy Peripheral Defenses

Apply web application firewall (WAF) rules to mitigate common exploitation attempts as part of a comprehensive defense-in-depth strategy.

Protect Credentials

Restrict access to environment variables and local credentials stored in CI/CD pipelines. If an application requires a secret be handed over as an environment variable, use a secrets manager to help ensure only authenticated users get access to the clear text secrets.

Protect Tier 0 assets

Only allow privileged access to Tier 0 assets like Active Directory and DevOps workflow orchestrators from specific bastion hosts. This will make it exponentially more difficult for the attacker to escalate privileges and compromise more assets.

Implement Least Privilege

Restricting access to the minimum level needed — and taking it away as soon as it’s not needed — can go a long way in slowing down or halting an attacker’s progress by preventing lateral movement, and ultimately, minimizing the blast radius and overall impact.

If you are a current CyberArk Endpoint Privilege Manager customer, you can enable detection and protection from certain Log4j-based attack vectors by configuring an advanced Application Control policy in EPM SaaS. This will help to reduce the blast radius, alert about an ongoing attack and complicate lateral movement for the attacker.

Enable Multi-Factor Authentication (MFA)

Attackers are much less likely to succeed when required to provide a second authentication factor or another piece of approval — so this is always a best practice.

Explore Log4j Resources

Learn how CyberArk helps mitigate software supply chain attacks exploiting Log4j

Comprehensive Identity Security

Multi-layered ransomware protection

Credential Theft Protection

Continuous Adaptive Trust

Request a demo