The SolarWinds compromise has unleashed a flurry of activity in the cybersecurity industry as of late. Almost all of the activities are related to trying to remediate against the hack that has left untold numbers of organizations vulnerable; and trying to patch holes in their security to ensure that they do not continue to potentially leak confidential information.
After the SolarWinds revelation, both the Canadian Government and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which is a part of the U.S. Department of Homeland Security, issued an emergency directive calling on all federal civilian agencies to review their computer networks for signs of compromise and to disconnect from SolarWinds Orion products immediately. Unfortunately, SolarWinds, which has a wide variety of government contracts (including military and intelligence services, according to Reuters), was attacked and the attackers used a “supply chain attack” method to embed malicious code into SolarWinds’ legitimate software updates.
What is now known is that the malicious updates to SolarWinds’ Orion platform was to blame for global hacks, including the one on FireEye, that occurred earlier this month. In the FireEye attack, it was reported that the company’s “Red Team” toolkit was stolen, which are tools that can be used to look for vulnerabilities in systems. This hack of FireEye and data theft puts the toolkit in the hands of hackers, who can then use them for mounting new attacks around the world.
Unfortunately, the SolarWinds compromise is far-reaching; by embedding malware into legitimate software updates via a supply chain attack, this further deteriorates the effectiveness and erodes the trust in the use of endpoint monitoring and detection and response solutions as a viable means of protecting an organization’s network and data from attacks. In this instance, anyone using the affected SolarWinds Orion Platform updates maybe have been open to hacker attack since early Spring of this year.
SolarWinds, through its investor filings, has alerted that as many as 18,000 of its 300,000 customers may have been compromised; which could be just the tip of the iceberg. Going forward and looking to 2021, we feel that there will continue to be massive fall-out and data breaches from this hack that will have a global effect on both governments and enterprises still relying on high touch solutions that are installed on the endpoint. And this is not all. More recently, many tech giants such as Cisco, Intel, Nvidia, Microsoft, Visa, MasterCard, to name some names, were shown to have been targeted and may have already been compromised and so they are rushing to close holes and remediate where needed.
What does this mean going forward? And can a similar attack be prevented?
Now that the SolarWinds compromise has been detected, this should heighten security analysts’ awareness to these types of attacks and should hopefully make it harder for hackers to perpetrate a compromise such as this. However, much of the activity surrounding this attack continues to fall in the Detect and Remediate category, which is both costly from a time and resources viewpoint and is an “after the fact” response; basically having to clean up the network and eradicate the malware from any devices that have been infected.
Unfortunately, the reason why this attack was so severe is because it came from a “trusted” source, targeting the DLL of SolarWinds and moving throughout the network from there. This targeted endpoints, which continue to be the weakest points within a network and which are usually the hardest to secure. For network security to be effective, it needs to be able to stop malicious content before it can hit the endpoint.
It is because of the inherent weakness that endpoints have within networks that calls for the need for a “zero-trust” approach to security where EVERYTHING should be scanned in order to ensure that it is secure. Even if a device within a network has previously been known as being “secure”, one never knows if it has been compromised at some point. And so the “zero-trust” approach would continue scanning the content both going in and out of the device to ensure that any malicious content that might have infiltrated the device does not move further than the device itself.
The SolarWinds attack continues to strengthen Wedge’s position that the Detect and Remediate approach to network security, especially with high security requirements such as those for governments, is not truly viable. We continue to champion Real-time Threat Prevention with our Wedge Absolute Real-time Protection platform, which is a network-based solution that orchestrates a wide variety of industry-best security functions and patented technologies such as Deep Content Inspection, that can scan EVERYTHING for greater visibility of content flowing through the network. This works in combination with SubSonic and GreenStream technologies, providing real-time performance in high throughput networks, and AI / Machine Learning for the ability to detect novel and previously unknown malware. By providing Real-time Threat Prevention, malware such as this, is detected and blocked at the network before they can do any harm. This secures the network as well as all endpoint devices connected to the network by detecting and blocking all malicious content so that there is no “patient zero”. This not only allows organizations to save on remediation costs but also enables them to make better and more efficient use of the resources that have.
A quick analogy that describes the detect and remediate way of doing things would be akin to asking question “ what is the value of living in a gated community when you still have to fight intruders in your bedroom because the gate continues to allow these intruders in?”. Such is the case of solutions that rely on sandboxes to provide a verdict on the safety of content only after having already let it through to the endpoint and causing “patient zero”.
At this point, the compromised SolarWinds update file has been identified and most AM/AV solutions should be able to detect and block the malware going forward. However, any sort of variations of the malware and zero-days would not yet be fingerprinted and could pass through these solutions. That is where WedgeARP’s incorporation of both a patented Deep Content Inspection engine, orchestrating best-in-breed security services with AI / Machine Learning can enable the ability to provide real-time threat PREVENTION; detecting even unknown malware variants and blocking them before they can do any harm.
What about if there are already infected endpoints within the network? What are the benefits of utilizing WedgeARP after the intrusion has already taken place?
With the SolarWinds compromise, the biggest threat appears to be the potential theft of information and data leakage from infected endpoints, as well as hackers being allowed to access the confidential information therein. As in the FireEye case, they had their “Red Team” toolkit stolen. What happens if an organization decides to deploy WedgeARP while there are still infected endpoints in the network? The good thing is that WedgeARP has two-way scanning; looking at both inbound and outbound traffic for malicious content – WedgeARP SCANS EVERYTHING! If there is malware within the network that is trying to “call home”, these communications would be detected and prevented from occurring; effectively cutting off communications between the malware inside the network and the Command and Control server that may be trying to control it. Combine this with the East-West content scanning that can be enabled within the network and WedgeARP, with its WedgeIQ analytics platform, becomes a powerful tool for analysts to more easily detect which endpoints have been compromised and make remediation much easier.
To find out more about WedgeARP and the benefits that Real-time Threat Prevention has over the typical Detect and Remediate methodology , please contact us at: info@wedgenetworks.com. Our team will be happy to answer your questions and provide an introduction to the WedgeARP platform.
