Protecting Machine Identities
With every laptop, phone, and internet-connected device a potential entry point for attackers, protecting machine identities and keeping them current is critical. As organizations are occupied with more immediate threats and firefighting, equally important tasks like certificate and key management often slip through the cracks.
According to a recent survey, 79% of respondents suffered at least one certificate-related outage in 2016, and over one-third suffered more than six certificate-related outages in the same period. In such a situation, sub-par certificate and key management has serious consequences for business continuity, productivity, revenue, and employee satisfaction.
Automating Certificate Management
Here, the playbook is run at regular intervals to check the certificate status on all machines within the organization. If any certificates are expired or close to expiry, the playbook pulls up user details from Salesforce and sends a mail with the relevant warnings and information. If the certificate status remains unchanged, the playbook ropes in the users’ managers to escalate the situation and ensure that machine identities always stay up to date.
Let’s examine a simpler version of the process flow given above.
This playbook uses Venafi to check certificates that have expired or are close to expiry, opens a ServiceNow ticket for any instances that are found, and sends a mail to the relevant analyst.
Task #1: The first task uses the venafi-get-certificates command to find certificates that have expired or are nearing expiry. You can get a host of details about these certificates, such as domains, IDs, parent domains, scheme classes, and validity timeline information, from Venafi’s database.
Task #2: The second task uses servicenow-create to create a new ticket with a customized short description that identifies the certificate and its expiry status. This removes the need to manually create a ticket every time an expired or expiring certificate is found, a bottleneck that leads to fragmented record keeping and an increased rate of error.
Task #3: The final task uses the SendEmail command to inform the analyst or certificate owner that a certificate nearing expiry was found, along with the ticket reference and other relevant details. This keeps the analyst up to date with the latest machine identity health of the organization without needing to perform repetitive, mundane tasks.
While the playbook we’ve shown here is straightforward, there is no limit to the depth and variety these playbooks can have. You can send mail to the user of the machine whose certificate is expiring, include their managers in the mail thread for accountability if nothing changes by the next run, create tickets in other ticket management tools instead of ServiceNow, and pull more details about the certificate through Venafi commands.
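As an added illustration of the triage logic behind the tasks above and the manager escalation described earlier (example code written for this page, not Demisto’s playbook or Venafi’s API): it takes a constructed inventory of certificate records, classifies each as expired, expiring or fine against a 30-day window, produces the ServiceNow short descriptions and mail recipients one scheduled run would hand to the orchestrator, and copies the owner’s manager when the same certificate is still flagged on the next run. The record fields, the 30-day window, the two-run escalation and the fixed clock are assumptions. It also goes one step beyond the page: a ticket is opened only on first detection, so a daily run does not file a duplicate for the same certificate.

```python
"""Expiry triage for an inventory of machine certificates.

Added example, not Demisto's playbook code or Venafi's API. It takes
certificate records in the constructed shape below (assumption; real
Venafi output uses different field names), decides what is expired or
about to expire, and returns the ticket and mail payloads a scheduled
run would hand to the orchestrator. Delivery itself is out of scope.
"""
from datetime import datetime, timezone

WARN_DAYS = 30       # assumption: flag certificates with fewer than 30 days left
ESCALATE_AFTER = 2   # assumption: copy the manager from the second consecutive run

# Constructed sample inventory: one record per machine identity with the
# expiry date and the people accountable for renewing it.
CERTS = [
    {"id": "cert-001", "cn": "vpn.example.test", "valid_to": "2017-03-20T00:00:00Z",
     "owner": "alice@example.test", "manager": "carol@example.test"},
    {"id": "cert-002", "cn": "api.example.test", "valid_to": "2017-03-01T00:00:00Z",
     "owner": "bob@example.test", "manager": "carol@example.test"},
    {"id": "cert-003", "cn": "www.example.test", "valid_to": "2018-01-01T00:00:00Z",
     "owner": "alice@example.test", "manager": "carol@example.test"},
    {"id": "cert-004", "cn": "mail.example.test", "valid_to": "2017-04-14T00:00:00Z",
     "owner": "dave@example.test", "manager": "erin@example.test"},
]

# Fixed clock so the run is reproducible; a real playbook uses the current time.
NOW = datetime(2017, 3, 15, tzinfo=timezone.utc)


def parse_utc(stamp):
    """Parse an ISO-8601 'Z' timestamp into a timezone-aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(cert, now=NOW):
    """Return ("expired" | "expiring" | "ok", days_left) for one certificate.

    days_left goes negative once the certificate has lapsed, so the
    report can say how long it has been expired instead of hiding it.
    A certificate with exactly WARN_DAYS left is not yet flagged.
    """
    remaining = parse_utc(cert["valid_to"]) - now
    if remaining.total_seconds() <= 0:
        return "expired", remaining.days
    if remaining.days < WARN_DAYS:
        return "expiring", remaining.days
    return "ok", remaining.days


def triage(certs, history, now=NOW):
    """Run one scheduled pass and return (tickets, mails, new_history).

    history maps a certificate id to the number of consecutive runs it
    has already been flagged. A ticket is opened only on first detection
    (later runs would update it, not file a duplicate); the owner is
    mailed every run, and the manager is copied once the certificate has
    stayed flagged for ESCALATE_AFTER runs. Certificates that are fine
    drop out of the history, so a renewed one starts clean.
    """
    tickets, mails, new_history = [], [], {}
    for cert in certs:
        status, days_left = classify(cert, now)
        if status == "ok":
            continue
        runs = history.get(cert["id"], 0) + 1
        new_history[cert["id"]] = runs
        if status == "expired":
            short = (f"Expired certificate on {cert['cn']} ({cert['id']}): "
                     f"lapsed {-days_left} days ago")
        else:
            short = f"Certificate on {cert['cn']} ({cert['id']}) expires in {days_left} days"
        if runs == 1:
            tickets.append({"cert_id": cert["id"], "short_description": short})
        escalated = runs >= ESCALATE_AFTER
        recipients = [cert["owner"]] + ([cert["manager"]] if escalated else [])
        mails.append({"to": recipients, "subject": short, "escalated": escalated})
    return tickets, mails, new_history


if __name__ == "__main__":
    # First run: owners are warned and tickets opened. Second run with the
    # same inventory: nothing was renewed, so managers are copied in.
    state = {}
    for run in (1, 2):
        tickets, mails, state = triage(CERTS, state)
        print(f"run {run}: {len(tickets)} ticket(s) opened")
        for mail in mails:
            print(f"  to {', '.join(mail['to'])}: {mail['subject']}")
```

Two details matter in practice: compare timestamps as timezone-aware UTC values (a naive local-time comparison shifts the boundary by hours and can miss a certificate on its last day), and persist the run history somewhere the orchestrator can read back, otherwise every run looks like a first detection and the escalation never fires.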
To learn more about how Demisto’s integration with Venafi enables security orchestration of certificate management, watch our video demo.