The Real Takeaway From The SolarWinds Breach

Consider the SolarWinds breach a wakeup call, an opportunity to revisit fundamentals where you might be procrastinating.

Post by Brandon Hoffman Dec 21, 2020

Attacks happen and no amount of investing in cybersecurity buys complete immunity; we’ve seen that time and time again. The headlines will continue as new evidence reveals the extent of potential risk and collateral damage. And we’ll revisit, as an industry, the timeless debate about balancing security and speed, efficiency, and transparency.

Things will play out. In the meantime, what matters to us, and to you, is determining whether your organization is at risk, and if so, how great the risk is and what you can do about it. The short-term answer will mean evaluating three things: your SolarWinds deployments if any, your basic day-to-day security processes, and your ability to assess third-party risk.

The longer-term answer will mean taking stock of where you are on your digital transformation and security journeys and may prove more revealing and, believe it or not, actionable.

What happened to SolarWinds and why?

There is no shortage of reporting on this attack, but our basic understanding is that SolarWinds was breached, allowing an adversary to package malware in updates delivered through standard update processes. Orion customers worldwide potentially installed code-signed updates that included malicious artifacts.

This method proves extremely effective because the code is signed by a trusted provider and comes through its standard update engine. This particular malware was specially crafted to be delivered this way. It leveraged a digitally signed component of SolarWinds that has a flaw allowing anybody to write to an executable. This essentially comes down to improper privilege management in a tool that is deeply embedded into system administration.

Weaponizing flaws like these essentially allows adversaries to execute the same capabilities as a remote management solution. Systems like SolarWinds make good targets because they’re deeply embedded in systems operations and administration and are granted deep access to systems in a broad sweep across the enterprise. Most enterprises need RMM tools to manage and maintain the volume of systems and ease administration, but the access granted lets adversaries execute everything from file transfer to system modification.

Orion users need to dig deep to understand their contingencies and implications. As we determine whether attackers have been fully rooted out of breached systems, and the full extent of their lateral movements, it may be worth shutting systems down until there’s a proven fix. This may seem like overkill but the risk is obvious, and real, particularly for the most attractive targets. Orion solves fundamental people/capacity planning issues, but the level of skill shown by this adversary merits consideration until we know for sure that the worst is over.

Time will tell whether other SolarWinds code has potentially been compromised and whether forthcoming updates can be considered secure. Evaluation of keys, packages used in development, and other open source packages that might have been injected into other products will continue.

In the meantime – and in the long run – consider this breach a wakeup call, an opportunity to revisit fundamentals where you might be procrastinating.

Are your bases covered?

Like WannaCry a few years ago, this latest “stand up and take notice” breach underscores the need to constantly track and update basic security processes, including those that have been in place for decades, and to fully grasp the risk introduced by embedded tools. IT and security tools get deeply embedded and given a broad scope of access and authority—how are you tracking that?

We once again see the importance of patching. This literally cannot be overestimated. We know it, we know it, we know it, but putting out fires regularly supersedes patching efforts on the priority list.

Companies need better, faster ways of correlating and contextualizing vulnerabilities in order to prioritize efforts based on their unique risk.

Your third-party risk and digital exposure overall warrant a fresh look. Several major breaches in recent history took advantage of flaws or defects in provider solutions. Partners and customers alike need better visibility and automated ways to constantly assess third-party risk, either by doing due diligence in general or holding other companies accountable for patching and secure coding practices.

At Netenrich, we address this with highly contextualized free threat intelligence (visit know.netenrich.com to get this yourself, it makes a huge difference!). But reevaluating and updating security controls and best practices is only the tip of the iceberg whose devastation continues to ripple on a worldwide scale.

What’s your next step with SolarWinds? We can help . . .

The events of this week should have us all looking to take stock and modernize legacy ops solutions, and that’s a good thing. You may decide to migrate or simply supplement IT operations management (ITOM) platforms and processes, and Netenrich makes it easy with rapid onboarding to “security-first” managed and SaaS-based solutions backed by proven expertise.

Use the need to reevaluate to hold new approaches to higher standards, based on better target outcomes:

  • Be first to know when something goes wrong; stop events from becoming outages
  • Increase agility with modern Ops for modern networks and applications
  • Trade blind spots for unified visibility
  • Reduce the noise and add the context needed to correlate and prioritize
  • Never stop watching your attack surface. They are!
  • Shift your spend from Ops to transformation with AI freeing experts to do expert things

As you evaluate new solutions, ask questions. Providers’ cybersecurity equals your brand credibility.

Regroup and right-size with Resolution Intelligence 

Netenrich can offload or optimize investments in legacy solutions with Resolution Intelligence. Our Intelligent SOC solutions help find and plug the holes in your digital attack surface and SOC processes. Buy (only) the outcomes you need – speed response, reduce noise, streamline tool complexity, bridge skills gaps, etc. And break free of the 80/20 rule to focus more resources on growth and innovation and a lower percent of your budget on just keeping the lights on.

 Try Intelligent SOC and other offerings to take our 25/50/75 challenge: 

  • Fast-track onboarding in < 25 days 
  • Reduce run spend in < 50 days 
  • Reduce noise by > 75% 

 If you’re not 100% satisfied, we’ll make it right. That’s resolution! 

About the Author

Brandon Hoffman

Technology enthusiast, avid traveller and culinary expert (in my own mind). Trying to contribute meaningfully to the cyber security community and solve problems while maintaining my time ninja status.
