The Key Lesson From The SolarWinds Hack Is Visibility

4


15

It’s one of the most severe cybersecurity breaches of all time, but with the situation still fluid it’s hard to know where to begin with the SolarWinds hack. What we do know is this: hackers most likely working on behalf of a foreign state had nearly a year’s worth of access to a substantial portion of the US government’s IT infrastructure before this terrifyingly sophisticated attack, codenamed Sunburst, was even spotted. Had it been noticed, events could have played out very differently—and that should be a wake-up call for security teams everywhere.

SolarWinds' ubiquitous network monitoring platform, Orion, is used by enormous customers including the UK and US governments, NATO and many of the biggest companies in the world.

After gaining access in late 2019, the hackers trojanized regular software updates to Orion between March and June 2020, infecting around 18,000 of its 33,000 customers. Cozy Bear, an Advanced Persistent Threat hacker group associated with the Russian government, is believed to be the culprit, though it’s been alleged that China is also involved. The hackers used Orion as a launchpad to make lateral attacks on its highest-value clients; in other words, SolarWinds was not the target but the vector.

While it's known that the culprit was a Solarwinds software build server, it remains unclear how that was infected in the first place, although there are some theories. Perhaps one of its own suppliers was compromised, or maybe a phishing attack paid dividends.

Whichever theory is closest to the truth, a solid, holistic security setup remains everyone’s best bet for defense. Supply chain attacks can be hard to predict and harder to defend against, but they can be mitigated to a significant degree with sufficient data visibility. Security firm FireEye uncovered the hack simply because it deployed two-factor authentication for all its employees and queried unusual activity.

It’s clear that a unified approach to data throughout the supply chain is required. This attack has laid bare the interconnectedness of IT infrastructure: if most government and business infrastructure uses overlapping software packages, we’re clearly not as separate from one another as we would like to think. Vulnerabilities could be anywhere throughout thesupply chain. Why would hackers attack a single end-user when they can backdoor their way into all of them at once via a single service platform?

The SolarWinds episode showed that today’s attackers understand the power of a supply chain attack, and the potential upside of zeroing in on blindspots.

But the good news is that a unified view of data, encompassing all applications and infrastructure—and the right tools to process and manage it—means it's possible to eliminate blind spots and uncover hidden threats.

Although this particular attack paid very close attention to operational security to avoid being noticed, there is a strong case for anomaly detection to help mitigate other attempts of its type. By linking every data point in real time and achieving visibility into all applications, servers, and system components, irregularities on the build server could feasibly have been surfaced when source code in Orion was replaced with malware.

Had this occurred before the code made its way to an official update, the problem could have been stopped in its tracks, and an investigation promptly launched.

Although too late for SolarWinds, pulling data from every source and user—every cloud, every on-prem server, and every application—helps build a profile of what's occurring and where, enabling organizations to catch future threats early.

If the SolarWinds incident teaches us anything, it’s that even the subtlest trojan will leave a trace—and that attacks can be uncovered and resolved with visibility across the full technology stack.

Here's the bottom line for CISOs. Traditional perimeter defense is dead, and only a data-led, advanced security capability is able to detect lateral movement and other common tactics of today's sophisticated attackers. Security leaders need the ability to ingest and analyze all their data in order to take an effective, proactive approach to find any potential threats.

Moreover, they need to expand monitoring across their whole network, and the full software development lifecycle, on an ongoing basis. Without all of that in place, organizations are shooting in the dark.