The SolarWinds, Colonial Pipeline and Kaseya breaches underline the continuing difficulty of securing systems in an increasingly uncertain world. The scope of security breaches is clearly changing, and IT organizations are finding that they must become far more proactive in protecting their systems, storage and networks.
What set the SolarWinds breach apart was its breadth and its methodology: the attackers inserted their implant into a routine, vendor-signed third-party software update. Having gained access to customer networks through that update, the intruders remained undetected for months before moving on to harvest data from the organizations they chose to target. The Colonial Pipeline attack, meanwhile, showed that no one, least of all our utilities and other critical infrastructure, is safe from attack.
These incidents show that CxOs and IT executives can never let their guard down, and that they must closely monitor anomalous activity on the network. Many organizations are concluding that the only reliable remedy for a compromised host is to rebuild or replace it outright rather than attempt to clean a system found to contain even a fragment of malware, and that infrastructure-as-code (IaC) definitions, from which a system can be redeployed quickly and reproducibly, are what make that replacement practical.
IT executives must assume that, no matter how much they spend on prevention, attackers will find and exploit vulnerabilities. They must therefore ensure that they have deployed controls that detect breaches early, contain an attack once it is under way and minimize the resulting exposure.
The SolarWinds intrusion was effective for the attackers, and especially unsettling for IT professionals, because it was a severe and widespread compromise whose full impact is still not known. The intrusion arrived as malicious code embedded in an update to the SolarWinds Orion monitoring software. As is standard industry practice, the vendor-signed update was assumed to be safe to install, and it was distributed to every customer who applied it. The malware was therefore deployed widely, and it lay dormant inside the updated software for weeks and months before being detected.
Because the implant kept such a low profile before becoming active, it was a jarring surprise when the compromise was finally uncovered: more than 18,000 organizations worldwide had installed the trojanized update, among them enterprise data centers, U.S. federal agencies and a number of high-tech companies, including Microsoft, Intel, Cisco and NVIDIA, although the attackers went on to actively exploit only a small subset of those installations.
Lurking in Plain Sight
For many cybersecurity incidents, delayed detection, months after a cycle of breaches begins, is typical. Customers do not realize they have been attacked until several companies find the malware and news of the breaches begins to surface in news reports, webcasts and TV broadcasts.
It is only when we see anomalous results, or outages, that we notice an intrusion at all. Often that delay is by design: the implant stays dormant so that the intruders can establish persistence and additional footholds before they begin to touch production data. (The SolarWinds implant waited roughly two weeks after installation before it first called home.) Had it activated immediately, the offending update could have been backed out and removed as soon as it was installed. In this case, organizations are saying that it will take many months to find all of the compromised systems and to root out the malware.
Given breaches of this kind, organizations clearly need to re-evaluate their approach to software security, from the trust they place in open-source and vendor software to their own processes for deploying, configuring, assessing, monitoring, auditing and remediating mission-critical systems. During internal audits, companies must leave no stone unturned in assessing how much damage externally developed code could do if it were subverted. IT executives must also extend this scrutiny to the newer low-code and no-code platforms, whose components are every bit as much third-party code.
Closing the Security Gaps, Minimizing Cyber-Attack Damage
IT organizations need to do far more to discover and respond to this type of attack, up to and including rebuilding or replacing compromised systems throughout their networks around the world.
These measures include:
- Finding better ways to detect threats that surface as a follow-on effect of installing or updating third-party software, for example by watching for new network destinations, regular beaconing or unusual outbound data volumes from a freshly updated component.
- Improving detection tooling in the Security Operations Center (SOC), so that warnings of a possible breach are more visible and less likely to be lost in alert noise.
- Including mobile devices and smartphones in the alerting process, to reduce reaction time when a breach is detected.
- Becoming more proactive about closing the array of potential gaps in our networks, an activity made more challenging by work-from-home (WFH) support for remote employees.
- Conducting risk assessments on an ongoing basis, and certainly more than once a year.
- Establishing best practices for identifying potential threats and shutting them down before much harm is done. One example is detecting malicious code and then rolling the affected software back to a previously tested, known-good build rather than trusting the update that spread the malware.
- Improving protection of high-value assets within the network, including network segmentation and tighter access controls that limit the blast radius of an attack.
- Adopting relevant security standards and frameworks, including NIST (National Institute of Standards and Technology) publications such as SP 800-53 and the Cybersecurity Framework, and the FedRAMP authorization program for cloud services used in federal work with the U.S. government. Track advisories and updates from CISA, the U.S. Cybersecurity and Infrastructure Security Agency.
- Ensuring a verifiable supply chain for application code (known provenance, integrity-checked artifacts and an inventory of the components each release contains) and a chain of custody for sensitive data; together these protect end-to-end security within a large enterprise or cloud deployment.
- Adjusting contracts with third-party software vendors to allocate liability for damage caused by flaws found in their products.
- Updating the company's risk-mitigation strategy so that it is defensible from a software-security perspective.
- Ensuring that SMB firms have an appropriate detection and response capability in place, even though they have far fewer IT staff to monitor their networks and systems than large organizations do.
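The first two measures above (catching follow-on effects of a third-party update, and making the resulting SOC alerts visible), together with the dormancy pattern described earlier, come down to one concrete question: what is the updated component doing on the network now that it was not doing before the update? The following is an added example, not code from the original article or from any vendor's product, that answers it over a small connection log. The log format, host and process names, destinations, byte counts and the update timestamp are all constructed for illustration; the three checks (new destination, evenly spaced check-ins, outsized single send) are the generic heuristics a detection engineer would start from.

```python
"""Flag post-update network anomalies in connection logs.

Added example, not code from the original article. The log format,
hostnames, process names and destinations are all constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed connection log: "<ISO timestamp> <host> <process> <dest_ip:port> <bytes_out>"
SAMPLE_LOG = """\
2021-03-01T09:00:00 srv01 monitor.exe 10.0.0.5:443 1200
2021-03-01T10:00:00 srv01 monitor.exe 10.0.0.5:443 1300
2021-03-02T09:00:00 srv01 monitor.exe 10.0.0.6:443 900
2021-03-03T09:00:00 srv01 monitor.exe 10.0.0.5:443 1100
2021-03-20T09:00:00 srv01 monitor.exe 10.0.0.5:443 1250
2021-03-20T09:30:00 srv01 monitor.exe 203.0.113.7:443 800
2021-03-20T10:30:00 srv01 monitor.exe 203.0.113.7:443 850
2021-03-20T11:30:00 srv01 monitor.exe 203.0.113.7:443 820
2021-03-21T02:00:00 srv01 monitor.exe 198.51.100.9:443 52000000
"""

# Constructed: the moment the third-party update was installed on srv01.
UPDATE_TIME = datetime(2021, 3, 6, 0, 0, 0)


def parse_log(text):
    """Parse the constructed log format into dicts; skips blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dest, nbytes = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "host": host,
                        "proc": proc, "dest": dest, "bytes": int(nbytes)})
    return records


def build_baseline(records, update_time):
    """Per (host, process): destinations seen and largest single send before the update."""
    dests = defaultdict(set)
    max_bytes = defaultdict(int)
    for r in records:
        if r["ts"] < update_time:
            key = (r["host"], r["proc"])
            dests[key].add(r["dest"])
            max_bytes[key] = max(max_bytes[key], r["bytes"])
    return dests, max_bytes


def beacon_interval(timestamps, min_hits=3, tolerance=0.1):
    """Return the mean gap in seconds if the timestamps are evenly spaced
    (every gap within +/-tolerance of the mean), else None."""
    if len(timestamps) < min_hits:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = sum(gaps) / len(gaps)
    if mean <= 0:
        return None
    if all(abs(g - mean) <= tolerance * mean for g in gaps):
        return mean
    return None


def analyze(log_text, update_time, egress_factor=10):
    """Compare post-update traffic with the pre-update baseline and return findings."""
    records = parse_log(log_text)
    dests, max_bytes = build_baseline(records, update_time)
    post = defaultdict(list)   # (host, proc, dest) -> post-update records
    for r in records:
        if r["ts"] >= update_time:
            post[(r["host"], r["proc"], r["dest"])].append(r)

    findings = []
    for (host, proc, dest), rs in post.items():
        key = (host, proc)
        base = {"host": host, "proc": proc, "dest": dest}
        # 1. A destination this process never talked to before the update.
        if dest not in dests[key]:
            findings.append({"type": "new_destination", **base,
                             "first_seen": rs[0]["ts"].isoformat()})
        # 2. Evenly spaced connections: the signature of a check-in timer.
        interval = beacon_interval([r["ts"] for r in rs])
        if interval is not None:
            findings.append({"type": "beacon", **base, "interval_s": interval})
        # 3. A single send far larger than anything seen before the update.
        limit = max_bytes[key] * egress_factor
        for r in rs:
            if limit and r["bytes"] > limit:
                findings.append({"type": "large_egress", **base, "bytes": r["bytes"],
                                 "baseline_max": max_bytes[key]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, UPDATE_TIME):
        print(f)
```

On the constructed log this reports the two destinations that appear only after the update, the hourly check-in to the first of them, and the 52 MB send to the second; the pre-existing destination is left alone. The baseline is deliberately built per host and process, because the point is not "this address is bad" but "this component never talked there before it was updated", and a process with no pre-update history gets no egress threshold rather than a meaningless one. In production the baseline window would be days or weeks of flow or proxy logs and the findings would be routed into the SOC's alerting rather than printed.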
The Bottom Line
Business and IT executives must formulate new security policies that anticipate broad-based cyber attacks. They must find ways to identify such attacks when they occur, to limit the attack surface, and to close security gaps quickly so that damage is contained if similar incidents recur. Now that the cost of a breach has become so high and so public, it should be easier to make the business case for funding security projects, because an incident can materially impact the enterprise and damage its reputation.
Enterprise organizations need to re-evaluate how they rely on third-party software, security software included. IT organizations need a better process for the attestation and acceptance of all third-party software, one that lets them identify and evaluate the common vulnerabilities and exposures (CVEs) affecting new or patched software before issuing a go/no-go decision on deployment. IT must also deploy tools that alert the SOC and other appropriate parties to any unusual exfiltration of data. Finally, IT executives and architects need to perform an extensive review of all their applications, datasets and systems to determine how to partition them into smaller security domains, so that when a breach does occur the organization's exposure is minimized.
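The acceptance process just described, and the verifiable supply chain called for in the measures list, can be reduced to a gate that every third-party update must pass before it is rolled out: does the artifact match what the vendor published, does the component inventory (SBOM) belong to that release, and does any known advisory apply to the components it contains? The following is an added example of such a gate, not code from the original article or from any vendor's tooling. The update payload, the vendor manifest, the SBOM and the advisory feed are all constructed, and the advisory IDs are placeholders rather than real CVE numbers; a production gate would verify a vendor signature over the manifest and pull advisories from NVD or the vendor's own feed.

```python
"""Go/no-go gate for a third-party update: integrity plus known-vulnerability check.

Added example, not code from the original article or from any vendor's
tooling. The artifact, manifest, SBOM and advisory feed are constructed,
and the advisory IDs are placeholders, not real CVE numbers.
"""
import hashlib

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def publish_manifest(artifact: bytes, version: str) -> dict:
    """Constructed stand-in for the manifest a vendor publishes out of band.
    A production gate would verify a signature over this manifest rather
    than trusting a bare digest."""
    return {"version": version, "sha256": sha256_hex(artifact)}


def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str, affected: dict) -> bool:
    """affected may carry 'min' (inclusive) and/or 'max' (exclusive, i.e. the fixed version)."""
    v = parse_version(version)
    if "min" in affected and v < parse_version(affected["min"]):
        return False
    if "max" in affected and v >= parse_version(affected["max"]):
        return False
    return True


def match_advisories(sbom: dict, advisories: list) -> list:
    """Cross-reference every SBOM component against the advisory feed."""
    hits = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv["component"] == comp["name"] and is_affected(comp["version"], adv["affected"]):
                hits.append({"id": adv["id"], "component": comp["name"],
                             "version": comp["version"], "severity": adv["severity"],
                             "fixed_in": adv["affected"].get("max")})
    return hits


def evaluate_update(artifact: bytes, manifest: dict, sbom: dict,
                    advisories: list, block_at: str = "high") -> dict:
    """Return 'go' only if the artifact matches the manifest, the SBOM
    describes that same version, and no advisory at or above block_at applies."""
    reasons = []
    actual = sha256_hex(artifact)
    if actual != manifest["sha256"]:
        reasons.append(f"digest mismatch: manifest {manifest['sha256'][:12]}..., artifact {actual[:12]}...")
    if sbom["version"] != manifest["version"]:
        reasons.append(f"SBOM version {sbom['version']} != manifest version {manifest['version']}")
    hits = match_advisories(sbom, advisories)
    for h in hits:
        if SEVERITY_RANK[h["severity"]] >= SEVERITY_RANK[block_at]:
            reasons.append(f"{h['id']}: {h['component']} {h['version']} "
                           f"({h['severity']}, fixed in {h['fixed_in']})")
    return {"decision": "no-go" if reasons else "go", "reasons": reasons, "advisories": hits}


# Constructed inputs.
ARTIFACT = b"constructed update payload, version 2.3.0"
MANIFEST = publish_manifest(ARTIFACT, "2.3.0")
SBOM = {"version": "2.3.0", "components": [
    {"name": "libfoo", "version": "1.8.2"},
    {"name": "netlib", "version": "0.9.5"},
    {"name": "jsonkit", "version": "3.1.0"},
]}
ADVISORIES = [
    {"id": "EXAMPLE-2021-001", "component": "netlib", "severity": "critical",
     "affected": {"max": "0.9.7"}},
    {"id": "EXAMPLE-2021-002", "component": "jsonkit", "severity": "low",
     "affected": {"min": "3.0.0", "max": "3.1.0"}},
    {"id": "EXAMPLE-2021-003", "component": "libfoo", "severity": "medium",
     "affected": {"max": "1.8.0"}},
]

if __name__ == "__main__":
    result = evaluate_update(ARTIFACT, MANIFEST, SBOM, ADVISORIES)
    print(result["decision"])
    for reason in result["reasons"]:
        print(" -", reason)
```

On the constructed inputs the gate returns no-go because the release bundles a netlib version below the fixed one; the jsonkit advisory does not fire because 3.1.0 is the fixed (exclusive upper) version, and libfoo is already past its fix. The caveat a practitioner must keep in mind is that this gate establishes provenance and known-vulnerable components, nothing more: the trojanized SolarWinds update carried a valid vendor signature and a correct digest, so an integrity check alone would have admitted it. That is why the gate has to be paired with the post-install behavioural monitoring described above, and why the blast-radius and segmentation measures still matter even for software that passed.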