SolarWinds Fallout: Practices to strengthen data protection
The SolarWinds attack is already being described as one of the worst cyber-espionage cases in history. This massive hack has compromised local, state and federal agencies in the U.S., as well as the European Parliament and NATO.
The sweeping impact of this data breach, which keeps broadening as new information emerges, is a shrill wake-up call for government organizations to rethink their data protection strategies.
Anatomy of the SolarWinds attack
In March 2020, attackers injected a malicious Trojan into an update of the SolarWinds Orion IT infrastructure management software, which was then inadvertently distributed by SolarWinds and installed as an update to all Orion users — 18,000 government and private users downloaded the compromised versions.
Supply-chain attacks of this nature are particularly difficult to defend because they package malware inside a trusted piece of software. Once inside the target’s network, the malware often spreads laterally to other machines or steals sensitive data by exploiting additional vulnerabilities.
The breach was revealed in December 2020 by cybersecurity firm FireEye, which had installed the Orion update. FireEye discovered that the attackers had stolen its “red team” hacking tools and compromised internal networks. Microsoft also detected malicious SolarWinds applications in its environment. Although Microsoft has tried to downplay the attack’s impact, the mere fact that it was targeted is cause for concern.
What can government agencies learn from this attack?
Findings show that malicious code was installed in 18,000 sensitive networks, operating without disruption from March to December 2020. How did this malware evade detection for so long?
The answer is that government and enterprise organizations lack visibility into the security processes of their IT vendors. As cloud services have become integral elements of IT agendas, it’s jarring to see companies like Microsoft, VMware and others being impacted by this supply-chain attack, which could also affect the users of their products and services. To ensure supply-chain security, organizations should require their IT suppliers to implement stringent standards and certifications, such as Open Trusted Technology Provider Standard (O-TTPS).
New approaches to strengthen data protection
The SolarWinds attack highlights the need for new technologies and practices to protect sensitive data, beyond traditional network security, such as firewalls. Governments should consider the following:
Continuous security. The larger the organization, the more complex the process for rolling out software updates and patches. DevOps methodology aims to accelerate these processes, but speed should not come at the expense of security.
The continuous security approach is designed to create the right balance between agility and security. Continuous security implements “pipelines,” which are automated security controls, integrated into the continuous integration/continuous delivery process to verify the security of a particular software update or release. This approach can be implemented by vendors or end customers as part of the build and distribution processes, respectively.
Zero trust. As data breaches continue to proliferate, agencies should always assume their internal networks have been penetrated. Since user identities can be easily compromised, every access attempt should be considered “suspicious” until proven otherwise. Based on a “never trust, always verify” approach, zero-trust architectures authenticate each access attempt from every endpoint. By employing a zero-trust approach for data access, storage and management, agencies can build higher walls around their sensitive data.
Machine learning. When combined with a good dataset, machine learning is a powerful tool for predicting user behavior related to application usage, file access, shared folders, etc. It can be used to build user profiles and identify anomalies, which can help detect potential data breaches. The more information agencies feed into a learning model about a user’s identity and context, the more effective the results.
Machine learning is particularly potent for “shared everything” architectures, where it can capture signals and share data among globally distributed systems to continually improve security.
Node security. Agencies should incorporate the zero-trust principles into every node in the network and in the traffic in between based on an entity’s identity and real-time context. Enriched identity and context for such as devices, location or branch office can be used to enforce data protection policies and help prevent unauthorized access.
Encryption keys. Encrypting data is not enough. Agencies should generate and own the data encryption keys, and no third party — not even the cloud provider — should be able to access or control them. On-premises hardware security modules or key management solutions can help centrally manage and secure access to protected information. This added level of control will ensure agency data is not exposed even in the event of a hack.
Saimon Michelson is field CTO for North America, CTERA.