SolarWinds Hack: More Surprises, Plus Why Heads Didn't Roll
That and more news from day three of RSA.
Tim Brown, SolarWinds’ vice president of security architecture, didn’t lose his job in the aftermath of the hack. In fact, he’s taken on the additional title of CISO.
Sudhakar Ramakrishna, SolarWinds’ president and CEO, said he had no intention of making Brown pay in the aftermath of the attack.
“This is a very important part of how I like to lead,” he said. “I do not like to flog failures, so to speak. And it is not even clear that this failure is one person’s fault. When a nation-state attacks you, it is impossible for one person to be able to thwart that entire attack or take full responsibility for it.”
Brown is a “highly competent and highly committed individual,” Ramakrishna said.
“While I acknowledge and accept that if you want to be an ‘action-oriented’ CEO, that you fire a bunch of people, I do not think that is doing justice to either the person or your job because you are really paid to get the most and the best out of the people you have,” he said. “And yes, accountability matters. But just like CEOs get a lot of credit when things go well, and unduly so I would say being a CEO, I do think that some CISOs get undue discredit. And I felt that I should not be doing what is the norm or what is typical in these situations, and went about my own way.”
In February, current and former SolarWinds executives blamed a company intern for a lapse in password security that reportedly went undiagnosed for years.
According to CNN, the password in question, “solarwinds123,” was discovered in 2019 on the public internet by an independent security researcher. The researcher warned SolarWinds that the leak had exposed a SolarWinds file server.
Ramakrishna said, “You want your employees, including interns, to make mistakes and learn from those mistakes, and together we become better.”
“Obviously you don’t want to make the same mistake over and over again,” he said. “You want to improve. So what happened at the congressional hearings where we attributed it to an intern was not appropriate and is not what we are about. We have learned from that and I want to reset it here by saying that we are a very safe environment, and we want to attract and retain the best talent, and … I have been a big fan of university programs and internship programs, and you’ll actually see us amplifying those. And hopefully you’ll hear more and more interns saying how great of an experience it is to work at SolarWinds, as opposed to one incident that may have happened at a hearing.”
Also at RSA, Tim Junio, head of engineering for Palo Alto Networks Cortex, shared the company’s first attack surface management report. It zeros in on how Fortune 500 companies are at risk from attackers who can discover exposed assets all over the internet faster than ever before.
“For the average Fortune 500 company, an exposure that we could consider serious occurs every 12 hours,” he said. “What we mean by a serious exposure is either an asset that should never be available over the public internet or that has a known exploit associated with it.”
The most common category was remote desktop protocol (RDP), Junio said. It allows a user to interact with a Windows workstation as though they were sitting in front of it, but from anywhere in the world over the public internet.
“If it’s not configured correctly, then anyone in the world would be able to gain access as though they were sitting at that machine,” he said. “The reason this happens is that we tend to see connections that are supposed to occur over corporate VPNs. But when the VPN drops, which happens on a regular basis simply because of internet connectivity, if that device is misconfigured so that it automatically connects to the next available internet connection when not on the VPN, then a significant portion of the time a Windows workstation will end up on the public internet without a proper firewall configuration, such that anyone in the world would be able to test exploits, or test usernames and passwords, against that Windows machine.”
This accounts for about a third of all serious incidents observed at Fortune 500 companies, Junio said, and it happens both on premises and in the cloud.
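The exposure Junio describes is checkable on the endpoint itself. The following read-only audit is an added example, not code from the article or from Palo Alto Networks; it assumes a Windows 10/11 workstation with the built-in NetSecurity and NetTCPIP modules, run from an elevated PowerShell session.

```powershell
# Added example (not from the article or Palo Alto Networks): read-only audit of a
# Windows laptop that could accept RDP from whatever network it lands on after the
# VPN drops. Assumes Windows 10/11, built-in NetSecurity/NetTCPIP modules, elevated shell.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Is RDP switched on at all? fDenyTSConnections = 0 means connections are allowed.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)

if ($rdpEnabled) {
    # 2. Network Level Authentication forces authentication before a session is built,
    #    which blunts username/password testing against the logon screen.
    $nla = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication
    if ($nla.UserAuthentication -ne 1) { $findings.Add('RDP is enabled without Network Level Authentication') }

    # 3. Which firewall profiles do the enabled inbound RDP rules apply to?
    #    A rule that includes Public (or Any) with an unrestricted remote scope is
    #    reachable from an untrusted network.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $profiles = "$($rule.Profile)"            # e.g. "Any" or "Domain, Private"
        $scope    = (Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $rule).RemoteAddress
        if ($profiles -match 'Public|Any' -and ($scope -contains 'Any')) {
            $findings.Add("Rule '$($rule.DisplayName)' allows RDP from any address on profile(s): $profiles")
        }
    }
}

# 4. Is the Public profile's firewall on, and does it block inbound traffic by default?
$pub = Get-NetFirewallProfile -Name Public
if (-not $pub.Enabled)                     { $findings.Add('Windows Firewall is disabled for the Public profile') }
if ($pub.DefaultInboundAction -ne 'Block') { $findings.Add('Public profile does not block inbound connections by default') }

# 5. Is this host on an untrusted network right now, with TCP/3389 actually listening?
$onUntrusted = $null -ne (Get-NetConnectionProfile | Where-Object NetworkCategory -eq 'Public')
$listening   = $null -ne (Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
if ($rdpEnabled -and $onUntrusted -and $listening) {
    $findings.Add('Host is currently on a Public network with RDP listening on TCP/3389')
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: RDP is not exposed on untrusted networks.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    # Remediation (not applied by this script): confine the RDP rules to trusted profiles, e.g.
    #   Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Profile Domain,Private
    # and require the VPN for any remote desktop access to workstations.
}
```

Run it across a fleet through your endpoint management tool and the FINDING lines give a per-host view of the same class of exposure that an external attack surface scan would otherwise find first.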
“When we look across all of our data … greater than three quarters of all of the serious exposures we see for Fortune 500 organizations are in cloud environments,” he said. “This implies that the rate at which organizations are standing up and standing down environments in public cloud means they are not well monitored from an attack surface management perspective. And we even see that roughly one in five of exposures are still on premises, which is supposed to be the best monitored, and those are the parts of the organization that IT and security are supposed to know the best.”
There are also simple database server exposures, and misconfigurations associated with operational technology and other types of assets that now have internet protocol in them, Junio said.
“When attackers are monitoring for anything that shows up across targets of interest, they are very likely to see those assets,” he said. “And if those assets happen to be connected to any sensitive systems, not have proper defense in depth or have sensitive corporate information on them, they are at high risk of discovery by attackers before they can be found and remediated by defenders.”
This is not an unsolvable problem, Junio said.
“Even though attackers have a strong advantage today in finding weaknesses in attack surfaces, what we see in the top couple of percent of organizations is a high degree of automation in resolving this problem,” he said. “And the rest of the world could actually catch up, and also deploy processes and technology to help solve the attack surface management problem.”
The giant SolarWinds hack and other recent attacks hammered home the need for access to all data for advanced analytics that deliver intelligence to prioritize incidents.
That’s according to Doug Merritt, Splunk’s president and CEO. His RSA keynote focused on the importance of tracing for answers “across a massive amount of data” while also responding to incidents faster.
“That rapid response requires streamlining existing security operations, particularly through automation and security analytics, of course, all driven by machine learning (ML),” he said. “And finally, you need end-to-end integration to not only centralize your data for analysis on the front end, but to orchestrate a response on the trailing end so your teams can act as quickly as possible.”
All data is security-relevant, Merritt said. Having access to all data and making sufficient use of it is fundamental to prioritizing and solving security challenges.
“You might be cringing at the idea of even more data,” he said. “I get it. I know that every one of your SOCs is overwhelmed and most of your security analysts’ workflows are fragmented.”
Splunk plans to release its first state of security report, and Merritt shared some of the findings.
Among the findings, 76% of security leaders say remote workers are harder to secure. In addition, 78% expect another SolarWinds-style supply chain attack.
“Your team is already seeing the new challenges that are emerging that will only continue from here,” Merritt said. “The only way to navigate this complex threat landscape is to go all-in on your data. Your SOC teams need to collect data from across silos and correlate for true visibility and insight.”
Progress is being made, he said. For example, dwell time has dropped from 78 days in 2018 down to 17 days in 2020.
“That progress is great, of course, but there is no way anyone out there can feel good about 17 days of dwell time,” Merritt said. “That’s more than 24,000 minutes where an adversary sits undetected. And we all know it takes fewer than five of those minutes for an adversary to act. Your organization can do better.”
Whether addressing a global pandemic or attacking the latest cybercrime, data holds the answers to life’s most challenging moments, he said.
“It’s been a long year, but the health care and broader community showed that the more data we have, the better decisions and actions we deliver,” Merritt said.
Additionally at RSA, ThycoticCentrify released new research on privileged access risks and zero trust adoption trends.
Among the top findings:
- Sixty-five percent of responding companies saw their IT administrators targeted by cybercriminals most frequently.
- More than half of organizations have been grappling with the theft of legitimate, privileged user credentials and insider threat attacks in the last 12 months.
- In 85% of the privileged credential theft instances, cybercriminals were able to access critical systems and/or data.
- Two-thirds of insider threats led to abuse of administrative privileges to illegitimately access critical systems and/or data.
- Forty-two percent listed reducing cyber threats as the top motivator for zero-trust adoption, followed by better compliance (30%).
Tony Goulding is cybersecurity evangelist at ThycoticCentrify.
“Any legitimate user could be compromised,” he said. “But privileged users are a hot target. So a zero-trust approach is essential. Organizations must implement privileged access management (PAM) best practices and solutions to mitigate the risk of an adversary taking hold of privileged credentials.”
According to the research, 77% of IT business decision makers use a zero-trust approach in their cybersecurity strategies.
“Clearly, the pros of a zero-trust approach outweigh any potential barriers,” Goulding said. “Identity access management (IAM) and PAM solutions that seamlessly integrate into the security stack with minimal user disruption enable employees to do their jobs without losing productivity.”
Also during RSA, Vectra’s research team released its latest spotlight report on Microsoft Azure Active Directory (AD) and Office 365. The research details the top 10 threat detections that customers receive, by relative frequency, when Vectra detects abnormal behavior in a customer environment. Customers then use those detections to confirm attacks in cloud environments.
The top 10 threat detections seen across Azure AD and Office 365 allow security teams to detect infrequent behavior that is abnormal or unsafe across their environments.
Regardless of company size, Office 365 risky exchange operation detection was at or near the top of the list of detections seen by Vectra customers.
Tim Wade is technical director of Vectra’s CTO team.
“The most significant finding in our latest spotlight report is how much opportunity attackers have to move into, through or out of Office 365 toward their ultimate objectives,” he said. “Office 365 may be a beachhead used to pivot down into a traditional on-network asset, or house valuable data targeted for theft.”
While all organizations are vulnerable, those that have valuable IP and/or are targets for ransomware are the most attractive targets, Wade said.
“The good news is that there is a way to see these detections,” he said. “Meaningful artificial intelligence (AI) can connect the dots. Step one is educating the market on a recommended approach and then we can enable them.”
Also at RSA, Palo Alto Networks introduced five key innovations for customers to adopt zero trust across their network security stack.
The new innovations are SaaS security, advanced URL filtering, DNS security, cloud identity engine, and new ML-powered firewalls. They are meant to give the right users secure access to the right applications, and to make that secure access universally available.
Karl Soderlund is Palo Alto Networks’ senior vice president of worldwide channels.
“We just launched a very successful NextWave 3.0 program to help our partners build their expertise and businesses in high-value and high-growth security services,” he said. “And the ability to deliver universal and secure access to a dynamic workforce via a zero-trust architecture is something that we and our partners are ideally positioned to deliver. These new capabilities and products fit right into our program.”
Zero trust is something any business large or small needs, Soderlund said.
“A zero-trust architecture is so important because it secures the right users and the right applications with enhanced ML-driven and predictive security capabilities,” he said. “This includes protecting business from known and unknown threats, and gaining visibility into data, apps and users to give hybrid workforces secure access to any application or data from any device, anywhere.”
Palo Alto Networks is making it easy for its partners to differentiate themselves, and bring these zero-trust capabilities and expertise to customers, Soderlund said.
RSA CONFERENCE — The group that carried out the giant SolarWinds hack was already inside the company’s environment in January 2019. That’s much earlier than previously reported.
That’s according to Sudhakar Ramakrishna, SolarWinds’ president and CEO. He talked about the origins and impact of the SolarWinds hack in a keynote Wednesday at the RSA Conference.
It was originally reported that the SolarWinds hack dated back to December 2019. The attack became public in mid-December 2020.
Ramakrishna said the attackers’ trade craft was “extremely well done and extremely sophisticated.”
And they did “everything possible to hide in plain sight,” he said.
“We were looking for all the usual clues,” Ramakrishna said. “When you go through an investigation, you have a checklist, a set of hypotheses and you try to map things. And in this case, given the amount of time they spent and given the delicateness that they had in their efforts, they were able to cover their fingerprints and their tracks every step of the way.”
Early Reconnaissance
SolarWinds assessed hundreds of terabytes of data and thousands of virtual build systems across its environment, Ramakrishna said.
“They were doing very early reconnaissance activities in January 2019,” he said. “That explains what they were able to do in September-October of 2019.”
SolarWinds began notifying its customers about the breach in mid-December 2020. Early on, the company reported up to 18,000 customers could have been vulnerable to the malicious code used by the attackers; it now says fewer than 100 SolarWinds customers were hacked.
“The most important questions that customers had at that point were, ‘What does it mean to me? And what do you want us to do?’” Ramakrishna said. “The team rallied all around and did the very best to touch every single customer possible.”
SolarWinds Hack Prompts More Work with Partners
Nearly six months after the attack was first reported, SolarWinds continues to help its customers deal with the impact, Ramakrishna said.
“A lot of our software runs on premises as well, so it is not instantaneous that everybody updates at the same point in time,” he said. “So it is one customer at a time, essentially one day at a time. And in some cases I’ve told my team, one step at a time. What started off as a reactive measure, we started learning about the incident. We started addressing issues. And one of the foundations of what we’re trying to do is transparency as we enhance the trust that we have with our customers.”
In the aftermath, SolarWinds has worked with its worldwide partners and created the Orion Assistance Program, Ramakrishna said.
“We recognize that not all of our customers may have the internal resources to upgrade or rebuild, or project into the future,” he said. “So what we decided to do is work with our partners and extend support to our customers to essentially provide a pair of hands, in some cases, and technology commitments in other cases. And in many cases work side by side with them as they completed their upgrades. We did this at our cost. We felt it was our responsibility to help the customers get to a safe and stable environment.”
In hindsight, Ramakrishna said the company’s media response should have been stronger.