could be raised and potential concerns
about robust and real-time risk management, our bill could potentially see
a significant increase to compensate
for the lost computing power.
Server patching then actually becomes a question of understanding
the firm’s thousands of internal applications and making a risk-based
decision on them. For some applications, performance is critical, and the
likelihood of running untrusted code
is low. In those cases, we—and the
other major firms we talked to—
decided not to patch. For those applications, we relied upon compensating
controls and the fact that they are very
unlikely to run untrusted code. For
other applications, we assessed the
risk to be higher and patched their
servers. To do this type of risk-based
analysis, a firm has to understand
both the behavior (application profiling) and risk (risk-based categorization) of its applications.
Endpoints. Employee endpoints,
such as desktops and laptops, were
also a high priority within our triage
process, as they have access to the Internet via the Web and email. These
are key channels through which
threat actors looking to exploit these
vulnerabilities could attempt to deliver malware.
The Goldman Sachs endpoint response had two key themes: patching
and controls. Because user endpoints
are much more likely to run untrusted code than servers, we decided to
patch in all but the most exceptional circumstances. We thus rapidly
deployed patches to our managed
Windows, macOS, and iOS devices
as they became available. Because of
concern over potential end-user performance impact, it was hugely beneficial to be able to run repeatable,
automated testing on an isolated
set of endpoints before pushing the
patches across the enterprise.
Patching was not focused exclusively on the operating system. We also
considered the availability of patches for components on the employee
desktop that could allow for untrusted
code execution—for example, applications that open business-related documents. Unfortunately, even months
later many of those applications have
not been patched by their vendors.
Our assessments included the
broader control set available on the
endpoint—both preventative and
detective. We were most interested
in determining which layers of defense could play a role in mitigating
risk. For prevention, we reviewed
the configuration hardening for our
builds and application whitelisting
capability and concluded that they
did not require any changes. We also
use both signature-based and heuris-tic-based malware detection on our
endpoints and on incoming email.
Of course, the signature-based tools
will have value only when exploits become public.
Not only is it important to look at
all of the potential options to mitigate the risk, but also to have the
foundational blocks in place for controls that can be adapted to mitigate
a broad set of threats in a constantly
Browsers. The Web contains plenty
of malicious websites that could attempt to exploit these vulnerabilities.
Even legitimate websites may inadvertently host malicious advertisements.
Or, in the case of a watering-hole attack, an adversary could compromise
a website that a company’s employee
population is known to visit and use it
to deliver malicious code.
At Goldman Sachs we use a Web
proxy and service to categorize domain
names to reduce risk. Our proxy settings are extremely conservative, blocking entire categories of Web pages that
are not relevant to our business or are
potentially risky. That includes many
of the servers used to host advertisements, so we already have a reasonable
amount of advertisement blocking.
The proxies also block the downloading of executable files.
In addition, Google Chrome and
Microsoft Edge have site isolation
capabilities that stop malicious code
from impacting more than one tab
in the browser window. Like patching, this is not a perfect mitigant for
these vulnerabilities, but it does provide a partial control and another
layer of defense. As this feature was
ready even before some patches, it
was implemented rapidly. Although
we feared that it would break many
internal or external sites, there were
actually very few problems.
difficult to patch.
It was clear early
on that certain
were impacted, but
the full scope was
suspected to be