The Solarwinds hack brings new findings to light every day, even as federal agencies and corporate security teams continue scurrying to strengthen their architecture and prevent such attacks in the future. What has been labelled one of the most advanced intrusion attacks of the past 20 years has brought more questions than answers, but it has also given organisations a chance to reorient their security policies and move to an approach that embraces protection of identity and applications, while ensuring that their data is, at its core, accessible only to them.
What was the Solarwinds Orion Breach?
Solarwinds is an IT giant that builds IT management and monitoring tools for various federal and private entities. One of its primary products, Orion, is used to monitor the availability and performance of systems in corporate environments. In December 2020, Solarwinds revealed a large-scale breach, wherein hackers had compromised Solarwinds and inserted Trojan files into the source code of Orion. Orion, at the time, was being used by 80% of the Fortune 500 companies and most of the US federal agencies. This essentially meant that, via Orion, the state actors had breached some of the most critical assets in the world. The malware secretly moved laterally through the networks of 18,000 of the customers that Solarwinds served, exploiting mission-critical data.
While the consequences of the breach have yet to be determined, it is assumed that potential losses due to the breach run into hundreds of billions. At the same time, it exposed the loopholes in expensive cybersecurity policies and technologies.
Who will guard the guards?
The anatomy of supply chain based cyberattacks is such that an attack on a single supplier can result in a chain reaction, affecting a myriad of consumers. As such, it is imperative to ask the question: why do we have to give our suppliers unfettered access to our data? Additionally, third-party hacks can be nipped in the bud with periodic vetting of suppliers' security posture and contractual obligations relating to upgrading their security.
A major reason why such attacks went unnoticed is a lack of constant visibility and monitoring over the organisation's entire network. Large multinationals have some of the most complex security policies that one can ever witness, with a veritable bedlam of tools that create an intricate web of vulnerabilities. In addition, using multiple tools to secure multiple assets leads to an opaque environment in terms of visibility.
In this scenario, organisations have adopted a proactive approach to vendor risk management. While some MNCs are performing supplier security posture assessments on a deeper level, others prefer an all-encompassing security strategy that takes their suppliers into account as well.
One of the preferred strategies for handling supply chain attacks is the now famous Zero Trust strategy. Taking strongly after the Bond movies, Zero Trust models are known to extend only 'need to know' access to resources to vendors, and keep the entire network inaccessible by blackening servers and dropping all traffic at the IP layer. This essentially means that no one but an authorised user can actually see the network, and even then, they see only what they are allowed to see.
But how does this stop a supply chain attack? Zero Trust models delve deeper into the realm of data privacy by following what is called a split-plane architecture. In essence, a Zero Trust vendor applies the Zero Trust idea of "need to know" to itself as well when accessing its customers' data. It separates traffic into a control plane, where authentication of the user is done, and a data plane, where critical user data flows. As per Zero Trust principles, the data plane simply doesn't flow through vendor machines. No one but the company itself can actually access the data. This approach has been hugely successful in preventing supply chain attacks, and is looked at as the future of cybersecurity.
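To make the split-plane idea concrete, here is a small added example (not code from the original article or from any Zero Trust product) of a default-deny access broker. The control plane checks a vendor's credential and issues a signed grant for exactly one resource the policy allows; the data plane forwards a request only under a valid grant and otherwise drops it silently, so an unauthenticated caller gets no response at all, which is what "blackening" a server achieves. The vendor identities, secrets and resource names are constructed for the example.

```python
"""Toy zero-trust access broker: a control plane that authenticates and issues
need-to-know grants, and a data plane that forwards only under a valid grant.
All identities, secrets and resource names below are constructed examples."""
import hashlib
import hmac
import secrets
import time

# Constructed policy: each vendor identity may reach a minimal set of resources.
NEED_TO_KNOW = {
    "monitoring-vendor": {"metrics-db"},     # may read availability metrics only
    "backup-vendor": {"backup-store"},
}
# Constructed credentials (in a real deployment these come from an identity provider).
CREDENTIALS = {
    "monitoring-vendor": "s3cr3t-monitoring",
    "backup-vendor": "s3cr3t-backup",
}
GRANT_TTL_SECONDS = 300
_broker_key = secrets.token_bytes(32)   # key the broker uses to sign grants


def _sign(identity, resource, expiry):
    msg = f"{identity}|{resource}|{expiry}".encode()
    return hmac.new(_broker_key, msg, hashlib.sha256).hexdigest()


def control_plane_authenticate(identity, secret, resource, now=None):
    """Control plane: verify the identity and return a grant for ONE resource
    the policy allows, or None (default deny). No customer data is touched here."""
    now = time.time() if now is None else now
    expected = CREDENTIALS.get(identity)
    if expected is None or not hmac.compare_digest(expected, secret):
        return None                                   # unknown identity or bad secret
    if resource not in NEED_TO_KNOW.get(identity, set()):
        return None                                   # not on the need-to-know list
    expiry = int(now) + GRANT_TTL_SECONDS
    return {"identity": identity, "resource": resource, "expiry": expiry,
            "sig": _sign(identity, resource, expiry)}


def _grant_valid(grant, resource, now):
    """A grant is valid only for its own resource, before expiry, with an intact signature."""
    if grant is None or grant.get("resource") != resource:
        return False
    if now >= grant.get("expiry", 0):
        return False
    expected = _sign(grant["identity"], grant["resource"], grant["expiry"])
    return hmac.compare_digest(expected, grant.get("sig", ""))


def data_plane_forward(grant, resource, now=None):
    """Data plane: forward to the resource only under a valid grant; otherwise
    drop with no response, so unauthorised callers cannot even enumerate hosts."""
    now = time.time() if now is None else now
    if not _grant_valid(grant, resource, now):
        return None                                   # dropped: no error, no acknowledgement
    return f"forwarded to {resource} for {grant['identity']}"


if __name__ == "__main__":
    grant = control_plane_authenticate("monitoring-vendor", "s3cr3t-monitoring", "metrics-db")
    print(data_plane_forward(grant, "metrics-db"))      # forwarded
    print(data_plane_forward(grant, "backup-store"))    # None: outside need-to-know
    print(data_plane_forward(None, "metrics-db"))       # None: unauthenticated probe dropped
```

The design point is that the two planes share nothing but the signed grant: the control plane never sees the data, and the data plane never makes an authentication decision of its own, so a compromised vendor credential can at most reach the one resource that identity was ever granted.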
But the buck doesn't stop here. To ensure a more comprehensive approach, companies may have to be stringent, doing comprehensive penetration testing of any software before it is deployed in their network, to nip the potential bug in the bud. They are also using vendor access monitoring and management tools, which monitor and record any vendor access session to flag suspicious activity.
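As an added illustration of what vendor access monitoring does with the sessions it records (this is example code written for this article, not any vendor's product), the script below replays a constructed session log against an approved-access baseline and flags sessions that stray outside it: a login to a host the vendor was never approved for, a login outside the agreed maintenance window, or a session that runs far longer than expected. The vendor names, host names, windows and log lines are all constructed.

```python
"""Toy vendor-session monitor: replays recorded vendor access sessions against
an approved-access baseline and flags sessions that stray outside it.
Vendors, hosts, windows and log lines are constructed for this example."""
from datetime import datetime, timezone

# Constructed baseline: hosts each vendor may touch and their access window (UTC hours).
APPROVED = {
    "monitoring-vendor": {"hosts": {"mon-01", "mon-02"}, "window": (8, 18)},
    "backup-vendor": {"hosts": {"bak-01"}, "window": (22, 6)},   # overnight window
}
MAX_SESSION_MINUTES = 60

# Constructed session log, one record per line: "timestamp vendor host action"
SESSION_LOG = """\
2021-01-12T09:05:00Z monitoring-vendor mon-01 login
2021-01-12T09:40:00Z monitoring-vendor mon-01 logout
2021-01-12T23:10:00Z backup-vendor bak-01 login
2021-01-12T23:50:00Z backup-vendor bak-01 logout
2021-01-13T02:15:00Z monitoring-vendor mon-02 login
2021-01-13T02:20:00Z monitoring-vendor dc-01 login
2021-01-13T04:30:00Z monitoring-vendor mon-02 logout
2021-01-13T04:31:00Z monitoring-vendor dc-01 logout
"""


def parse_log(text):
    """Parse the session log into (timestamp, vendor, host, action) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, vendor, host, action = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, vendor, host, action))
    return records


def in_window(hour, window):
    """True if the hour falls inside an approved window; windows may wrap midnight."""
    start, end = window
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end


def analyse_sessions(text):
    """Return a list of (timestamp, vendor, host, reason) alerts for the log."""
    alerts = []
    open_sessions = {}          # (vendor, host) -> login time
    for ts, vendor, host, action in parse_log(text):
        policy = APPROVED.get(vendor)
        if policy is None:
            alerts.append((ts, vendor, host, "unknown vendor identity"))
            continue
        if action == "login":
            if host not in policy["hosts"]:
                alerts.append((ts, vendor, host, "host outside approved scope"))
            if not in_window(ts.hour, policy["window"]):
                alerts.append((ts, vendor, host, "login outside approved window"))
            open_sessions[(vendor, host)] = ts
        elif action == "logout":
            started = open_sessions.pop((vendor, host), None)
            if started is not None:
                minutes = (ts - started).total_seconds() / 60
                if minutes > MAX_SESSION_MINUTES:
                    alerts.append((ts, vendor, host, f"session lasted {minutes:.0f} min"))
    return alerts


if __name__ == "__main__":
    for ts, vendor, host, reason in analyse_sessions(SESSION_LOG):
        print(f"{ts.isoformat()} {vendor} -> {host}: {reason}")
```

Run on the constructed log, the two daytime and overnight sessions pass cleanly, while the monitoring vendor's 02:15 activity produces five alerts: two out-of-window logins, one login to dc-01 outside the approved scope, and two sessions that ran for over two hours. A real deployment would feed the recorded sessions from the access management tool and tune the baseline per contract, but the checks themselves are exactly what such tools exist to automate.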
The Solarwinds breach has certainly been an eye-opener for federal and private agencies alike. As such, one hopes that it will result in a stronger security assessment process and a better security posture, with a focus on the adoption of newer, innovative technologies.