What do the Pentagon, the U.S. State Department, The White House, the NSA, all five branches of the US military, the top ten U.S. telecommunications companies, and four hundred twenty-five of the Fortune 500 all have in common? Given the title of this article, you already have a clue, which is that they are all SolarWinds customers. Those are just some of the higher profile organizations, but in all there are 300k SolarWinds customers around the world, with about 18k identified as impacted. The impact of this breach is so far and deep, the actual repercussions will not be fully understood for years potentially. However, we don’t have to wait years, months, or even days to fully understand the lessons learned, some security norms that need to be challenged, and what should be done next.
First, a high-level summary of what actually happened. In short, a SolarWinds product called Orion that provides “Centralized monitoring and management of your entire IT stack, from infrastructure to application” (source: SolarWinds), has a service that automatically updates the software on a regular basis for customers. It’s that service that was infected deliberately with malware, thus every time a customer’s Orion platform received an update, it also received the malware. Given the nature of Orion’s reach into each customer’s IT stack, it enabled broad access to the perpetrators to steal data. Layered on top of this attack, further vulnerabilities were found with VMWare products (VMWare Access and VMWare Identity Manager). Once hackers were able to penetrate a system via SolarWinds’ Orion, many were then able to take advantage being on the inside a company’s network, of VMWare’s vulnerability, which to put it mildly, is a bit scary. Put simply, the VMWare vulnerability enabled creation of authentication tokens which could be used to access email, APIs, and a host of other protected data according to the NSA.
First Lesson: Zero Trust Security
“Be careful who you trust…the devil was once an angel.” Unknown
What was particularly devious about this attack was how the hackers used trusted sources to deliver their malware. By infiltrating a trusted source first, the delivery method became almost unstoppable. Almost anyone who buys software trusts the provider when they send an update. When is the last time you denied your phone a software update coming from the provider? In this case, by hacking the update delivery system for the Orion platform, customers were welcoming the malware into their environment since it was coming from a trusted source. What makes this somewhat ironic is customers receiving these automatic updates were doing one of the most basic elements of good security: patching their systems.
Going forward, organizations must adopt a zero-trust methodology. A great definition from Crowdstrike:
Zero Trust is a security concept that requires all users, even those inside the organization's enterprise network, to be authenticated, authorized, and continuously validating security configuration and posture, before being granted or keeping access to applications and data.
Traditional access technologies, like VPN, rely on antiquated trust principles, which has resulted in compromised user credentials which have led to breaches. IT needs to rethink its access model and technologies to ensure the business is secure, while still enabling fast and simple access for all users (including 3rd party users). Zero Trust security can reduce risk and complexity, while delivering a consistent user experience.
Enterprise access and security is complex and constantly changing. Traditional enterprise technologies are complex and making changes often takes days (and often across many hardware and software components) using valuable resources. A Zero Trust security model can reduce FTE hours and architectural complexity.
Second Lesson: Best Practices (for who)?
“Assumptions are made, and most assumptions are wrong.” Albert Einstein
For me, best practices are another way to say assumptions. In my view, companies need to develop their own stringent methodologies based on threat vectors identified that are specific to their environment. This notion of “best practices” is a major contributor to the poor state of security in many corporations and their difficulties detecting a breach with anything less than the intruder blowing the entire infrastructure to pieces. Yes, we can always learn what others are doing to mitigate risk, but more often than not, organizations are using them to check off security boxes without the in-depth analysis to ensure its should be their best practice.
The only best practice I would recommend, is that IT organizations treat specialized IT security as an ongoing, operational cost. Far too many firms with a high-risk factor treat security as a ‘once in a while’ investment and check-up, rather than an ongoing, aggressive campaign that never ends.
Third Lesson: Resources
“Most business meetings involve one party elaborately suppressing a wish to shout at the other: 'just give us the money'.” Alain de Botton
Zero trust policies and proactive security management take money. There is no other way to say it. If you aren’t going to allocate the budget and resources to protect your data and working environment, then you probably don’t deserve to enjoy peace of mind. Technology has afforded vast transformation across IT enabling companies to do more with far less. It may be time to aim that transformation focus and realized gains back to securing it all. Taking a Zero Trust security approach is costly, complex, resource intensive, requires special security skills, and requires a substantial commitment from the organization. Consider how long it would take the current security technicians to perform a full top-down assessment if they had to do that in addition to their current workload? During that time, vulnerabilities will continuously be introduced in the environment, and some of them may remain unknown until the next audit, so there’s quite a large window for a threat actor to use it.
Said another way, do you think SolarWinds wished it would have invested more in configuration change management and ongoing security reviews?
There are many lessons and take always that could be added to this list but suffice it to say that if you only take heed to these three and implement change to ensure their covered, the organization will thank you (eventually). NET(net) specializes in helping companies fund transformation efforts by streamlining their technology supply chain, and optimizing IT spend. Maybe we can help you find the budget you need to find the budget for operational security that supports a zero-trust environment.
Founded in 2002, NET(net) is the world’s leading IT Investment Optimization firm, helping clients find, get and keep more economic and strategic value. With over 2,500 clients around the world in nearly all industries and geographies, and with the experience of over 25,000 field engagements with over 250 technology suppliers in XaaS, Cloud, Hardware, Software, Services, Healthcare, Outsourcing, Infrastructure, Telecommunications, and other areas of IT spend, resulting in incremental client captured value in excess of $250 billion since 2002. NET(net) has the expertise you need, the experience you want, and the performance you demand. Contact us today at email@example.com, visit us online at www.netnetweb.com, or call us at +1-866-2-NET-net to see if we can help you capture more value in your IT investments, agreements, and relationships.
NET(net)’s Website/Blogs/Articles and other content is subject to NET(net)’s legal terms offered for general information purposes only, and while NET(net) may offer views and opinions regarding the subject matter, such views and opinions are not intended to malign or disparage any other company or other individual or group.