IT professionals have become accustomed to dealing with security vulnerabilities and trusting that the software vendor will send out a fix. This cycle has become so normal that our calendars are filled with events reminding us about pending updates; we even have a day set aside for it, Patch Tuesday. Today, if you read the latest information security news, you might start to feel that blindly trusting software vendors is a bad idea.
The recent breach of SolarWinds’s Orion platform, a platform that seems ubiquitous in the IT industry, has emphasized the importance of system security engineering. SolarWinds once claimed that the Orion “Platform is trusted by 425 of the Fortune 500 companies to monitor, visualize, and analyze the…”, until the statement was recently removed from the Orion product page. It can still be found in the cache of many search engines. SolarWinds, renowned for its ability to monitor almost anything in a technology infrastructure, made monitoring, analyzing, and managing complex infrastructure easy. With Orion’s centralized single-pane-of-glass design and its modular, scalable architecture, one can see the attraction of the product: it makes IT monitoring and management easy. This simplification is what led to Orion’s pervasive usage. Orion offers its customers an easy way to monitor all of their systems from a single point. Simply enter the credentials, the username and password, of the target system, and voilà, it is being monitored.
CTA: Cyber Threat Actor
Orion’s widespread installation in many high-profile companies, as well as in many of the larger government agencies, makes it an attractive target for an aggressive cyber threat actor (CTA). Because Orion is built from many modular components, a CTA only needs to compromise a single point to establish a beachhead in the product, and from there in a customer’s infrastructure. This is exactly what happened to SolarWinds Orion. A CTA carried out a complex, focused attack on SolarWinds’s software distribution system, compromised Orion’s update supply chain, and slipstreamed malware into the software updates. The malware had a light footprint and avoided detection: it was able to observe, blend in, and act like normal network activity. The compromised system used this stealthy malware to conduct reconnaissance. Several security analysts believe this had been going on since the spring of 2020.
System Security Engineering
As security experts learn more about the extent of the compromise, CIOs and CISOs are asking, “How does an organization prevent this type of breach?” The common answer is system security engineering (SSE), but SSE requires a comprehensive view of systems and processes. It requires an organization to look at its systems from a very different perspective. System security engineers look at everything from the visible side of an organization, what can be seen, to the complex system behind it, including policies, rules, software, hardware, firmware, and components. The SSE endgame is to reduce the damage from such incidents through what-if analysis, zero trust, least-privilege access, and segmentation. The goal is to limit lateral movement and restrict the access available to a compromised system.
Most organizations face a rapidly increasing drive to improve, optimize, and reduce the cost of operations. This pressure favors solutions that simplify work and integrate with one another. Anything that inhibits the ability to move forward is seen as a detriment to the organization’s success. This is where business needs and system security engineering often collide. The business views the collision as a negative impact on its goals, while security engineering fears the impact of deploying a solution that is not fully understood. Often the business need wins over the need to implement the solution securely.
How do I protect my infrastructure?
The security expert would answer with system security engineering, but the scope of SSE is limited by budget, knowledge, and experience. The complex nature of attacks like the SolarWinds Orion compromise may take more than a single solution or a single point of view. A security analyst could read through NIST Special Publication 801-60, Vol. 1 to learn what should be done, or partner with a company that has the experts, skills, and tools to help.
The Summus Solution
Here at Summus Industries, we can help as well. As a Dell Titanium partner, Summus Industries has access to resources from Dell, VMware, Secureworks, CrowdStrike, and Fortinet. We can be your partner and bring you solutions that meet your needs, both technically and financially.