Hundreds of millions, if not billions, have been spent on cybersecurity, and yet the number of hacks, breaches, data exfiltrations, and ransomware attacks keeps increasing, not decreasing. Recently, the SolarWinds trojan breach concurrently affected nearly all of the Fortune 500 and multiple agencies of the US government – the most pervasive compromise yet. Clearly, a new strategy is needed.
One of the primary tenets of cybersecurity is to reduce the attack surface and secure the network perimeter. A secondary tenet is to monitor the network for anomalies, and a third is to keep current with all software updates. Organizations of all types that are cybersecurity aware and doing the right thing have followed these three tenets: they have fortified their networks with firewalls, implemented Intrusion Prevention Systems (IPS) and Security Information and Event Management (SIEM), and are updating their software. Yet, with all these precautions and processes in place, and with all the money and resources spent, none of these implementations detected the SolarWinds breach. To make a long story short, someone in effect left the keys to the networks of all 18,000 of SolarWinds’ private and government customers under the doormat. The keys were found, trusted digital signatures were obtained, and the bad actors were let right in with a completely trusted SolarWinds Orion update.
The breach went undetected for nearly 9 months. FireEye and Microsoft are to be commended for detecting it, and Microsoft for effectively killing it within days of discovery, but the almost incomprehensible damage was done. At this point, we have to assume networks are already breached with hundreds, if not thousands, of dormant backdoors that are totally hidden and undetectable in legitimate files on networks. The bad actors may be only a few keystrokes away from reactivating these backdoors to do who knows what.
Another major concern is that these backdoors are left not only on on-premises systems and networks, but also on organizations’ cloud-based services. The bad actors behind the SolarWinds attack can use the permissions gained through the on-premises breach to gain access to the organization’s Security Assertion Markup Language (SAML) tokens and forge them, which in turn gives them the security authentication keys for the administrative logins of the organization’s cloud services, once again bypassing all perimeter-based defenses.
What has to be realized in the aftermath of the SolarWinds trojan breach is that bad actors must be assumed to already have access to networks via backdoors. In addition, with the ever-increasing adoption of public cloud, multi-cloud, and work-from-home technologies, a defended network perimeter can no longer be considered a complete solution.
A new cybersecurity paradigm
A new cybersecurity paradigm, in which networks and data are inherently secured against internal as well as external threats, must be incorporated into the overall cybersecurity solution. This can be accomplished by establishing and implementing an Enterprise Information Security Architecture (EISA) based on a next-generation Secure Access Service Edge (SASE) suite of cybersecurity technologies. The EISA approach can be defined as planning the network infrastructure to react in a specific way for the purpose of increased security, with the security team defining and incorporating SASE-based security tools and processes. These tools and processes include:
Secure Access Service Edge – Secure Access Service Edge (SASE) is a term coined by Gartner for a network architecture that, at its core, combines SD-WAN and NGFW capabilities with a Cloud Access Security Broker (CASB) and Zero Trust network access. A CASB is a software tool that sits between an organization’s on-premises infrastructure and its public cloud provider’s infrastructure and applications. It increases visibility by providing not only audit-level logging, but also alerts and reports that turn those logs into actionable security intelligence.
Zero Trust Architecture – Zero Trust is a security concept that requires all users, even those inside the organization’s enterprise network, to be authenticated, authorized, and continuously validated against a security configuration and posture before being granted, or allowed to keep, access to applications and data. All Tier 0 assets (the most vital) should be protected with multifactor authentication, reverification, and other processes – such as step-up authentication and managerial approval – before access to critical assets and resources is allowed.
Even when organizations must grant temporary access to external vendors or third-party applications, continuous multistep authentication ensures that authorized privileged users are on secure devices when accessing their accounts as well as Tier 1 assets such as enterprise servers and applications. What this amounts to is programmatic two-factor authentication (2FA) for user to app, app to service, service to service, and service to data.
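To make the Zero Trust rules above concrete, here is an added example (written for this article, not code from any vendor's policy engine) of a per-request access decision. Every name in it is an assumption: the `AccessRequest` fields, the tier numbering (0 = most vital, 1 = enterprise servers and applications, 2 = everything else), and the reverification windows in `MFA_MAX_AGE`. The rules mirror the text: no session is trusted without MFA, Tier 0 and Tier 1 assets (and any external vendor) require a managed, compliant device, stale MFA triggers reverification, and Tier 0 additionally requires step-up authentication and managerial approval.

```python
"""Added example: simplified Zero Trust access decision for a single request.

Illustrative code for this article, not a product's policy engine. The request
fields, tier labels and reverification windows below are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AccessRequest:
    user: str
    asset_tier: int                    # 0 = most vital, 1 = servers/apps, 2 = other
    mfa_age_minutes: Optional[int]     # minutes since last MFA; None = never done
    device_managed: bool
    device_compliant: bool             # passes the posture check
    step_up_done: bool = False         # completed step-up authentication
    manager_approved: bool = False     # managerial approval on file
    external_vendor: bool = False


@dataclass
class Decision:
    action: str                        # "allow", "step_up" or "deny"
    reasons: List[str] = field(default_factory=list)


# Maximum age of the last MFA event per tier, in minutes (assumed values).
MFA_MAX_AGE = {0: 15, 1: 240, 2: 720}


def decide_access(req: AccessRequest) -> Decision:
    """Evaluate one request; internal users get no shortcut over external ones."""
    # Authentication: every session must have completed MFA at some point.
    if req.mfa_age_minutes is None:
        return Decision("deny", ["no multifactor authentication on this session"])

    # Posture: vital assets and all vendor access need a managed, compliant device.
    reasons = []
    if req.asset_tier <= 1 or req.external_vendor:
        if not req.device_managed:
            reasons.append("device is not managed")
        if not req.device_compliant:
            reasons.append("device fails posture check")
        if reasons:
            return Decision("deny", reasons)

    # Continuous validation: the MFA event must be fresh enough for this tier.
    limit = MFA_MAX_AGE[req.asset_tier]
    if req.mfa_age_minutes > limit:
        return Decision("step_up", [f"MFA older than {limit} min for tier {req.asset_tier}"])

    # Tier 0: step-up authentication and managerial approval before access.
    if req.asset_tier == 0:
        if not req.step_up_done:
            return Decision("step_up", ["tier 0 asset requires step-up authentication"])
        if not req.manager_approved:
            return Decision("deny", ["tier 0 asset requires managerial approval"])

    return Decision("allow", ["all checks passed"])


if __name__ == "__main__":
    # Constructed requests: an internal admin reaching a Tier 0 asset without
    # step-up, and a vendor on an unmanaged laptop reaching a Tier 1 server.
    for r in (AccessRequest("admin", 0, 5, True, True),
              AccessRequest("vendor", 1, 10, False, True, external_vendor=True)):
        d = decide_access(r)
        print(r.user, d.action, d.reasons)
```

The point of the `step_up` outcome is that a stale or insufficient authentication is not an error to be logged and forgotten; it is a prompt to reverify, which is what "continuously validated" means in practice.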
Micro-segmentation – at the VM, network, and application level – creates network- and application-tier segmentation between individual VMs and between application connections, so that applications are limited to only the network communications they need.
Nano-segmentation – at the container level – for enterprise applications built on a containerized microservices architecture, it is vital to integrate security checks into inter-container communication and to secure container-based microservices with Zero Trust-based segmentation.
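The following added example (illustrative code for this article, not any product's segmentation engine) shows what the micro- and nano-segmentation items above amount to when enforced: a default-deny allowlist of (source segment, destination segment, port) flows, checked against flow records. The segment inventory, the allowed flows, the flow-record format and the sample flows are all constructed for the example; the same check applies whether the "segments" are VMs, network tiers or container workloads.

```python
"""Added example: default-deny segmentation policy evaluated over flow records.

Illustrative code for this article. The inventory, allowed flows, record format
and sample flows are constructed; real tooling would source them from the
orchestrator or SDN controller.
"""
import ipaddress
from typing import Dict, List, Tuple

# Which segment each VM or container belongs to (constructed inventory).
SEGMENT_OF = {
    "10.0.1.10": "web",
    "10.0.1.11": "web",
    "10.0.2.20": "app",
    "10.0.3.30": "db",
    "10.0.9.99": "workstation",
}

# The only flows the application needs. Anything not listed is denied,
# including traffic between workloads of the same segment.
ALLOWED_FLOWS = {
    ("web", "app", 8080),
    ("app", "db", 5432),
}


def parse_flow(line: str) -> Tuple[str, str, int]:
    """Parse a constructed record of the form '<src_ip> -> <dst_ip>:<dst_port>'."""
    src, rest = line.split("->")
    dst, port = rest.strip().rsplit(":", 1)
    src, dst = src.strip(), dst.strip()
    for ip in (src, dst):
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return src, dst, int(port)


def evaluate_flows(lines: List[str]) -> List[Dict]:
    """Return one violation record per flow that the allowlist does not permit."""
    violations = []
    for line in lines:
        src, dst, port = parse_flow(line)
        src_seg = SEGMENT_OF.get(src, "unknown")   # unknown hosts never match
        dst_seg = SEGMENT_OF.get(dst, "unknown")
        if (src_seg, dst_seg, port) not in ALLOWED_FLOWS:
            violations.append({
                "line": line,
                "src_segment": src_seg,
                "dst_segment": dst_seg,
                "port": port,
            })
    return violations


# Constructed flow records: two legitimate tier hops, then three that a
# segmented network should block (web straight to db, a workstation opening
# SSH to an app server, and SMB between two web nodes).
SAMPLE_FLOWS = [
    "10.0.1.10 -> 10.0.2.20:8080",
    "10.0.2.20 -> 10.0.3.30:5432",
    "10.0.1.11 -> 10.0.3.30:5432",
    "10.0.9.99 -> 10.0.2.20:22",
    "10.0.1.10 -> 10.0.1.11:445",
]

if __name__ == "__main__":
    for v in evaluate_flows(SAMPLE_FLOWS):
        print(f"DENY {v['src_segment']} -> {v['dst_segment']}:{v['port']}  ({v['line']})")
```

Run as a monitor, every violation is a lateral-movement signal; run as the policy behind a firewall or CNI network policy, the same table is the enforcement. Either way the allowlist is short enough to review, which is the practical benefit of limiting applications to "only needed network communications".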
AI-based lateral movement and data movement detection – AI and machine learning tools can learn the normal patterns of behavior of every user and every device connected to a corporate network. If anything deviates from normal activity, the suspicious action can be automatically flagged and near-instantaneous action taken.
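As an added example of the behavioral baselining the item above describes (written for this article; a deliberately simple statistical stand-in for the machine-learning tooling the text refers to, not any product's model), the code below learns, per user, the set of hosts normally accessed, the hours of day normally active, and the usual outbound data volume, then flags a new event that deviates on any of these. The user, host names, hours and byte counts are constructed sample data.

```python
"""Added example: per-user behavioral baseline with deviation flags.

Illustrative code for this article. A simple statistical baseline stands in for
the ML models the text describes; the events below are constructed.
"""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Event record: (user, host accessed, hour of day, megabytes sent out).
Event = Tuple[str, str, int, float]

# Constructed history of normal activity for one user: two usual hosts,
# business hours, modest data volumes.
BASELINE_EVENTS: List[Event] = [
    ("alice", "fileshare-01", 8, 20.0),
    ("alice", "app-02", 9, 30.0),
    ("alice", "fileshare-01", 10, 40.0),
    ("alice", "app-02", 13, 50.0),
    ("alice", "fileshare-01", 14, 60.0),
    ("alice", "app-02", 15, 25.0),
    ("alice", "fileshare-01", 16, 35.0),
    ("alice", "app-02", 17, 45.0),
]


def build_baseline(events: List[Event]) -> Dict[str, dict]:
    """Summarize normal behavior per user from historical events."""
    hosts = defaultdict(set)
    hours = defaultdict(set)
    volumes = defaultdict(list)
    for user, host, hour, mb in events:
        hosts[user].add(host)
        hours[user].add(hour)
        volumes[user].append(mb)
    return {"hosts": hosts, "hours": hours, "volumes": volumes}


def score_event(baseline: Dict[str, dict], event: Event, sigmas: float = 3.0) -> List[str]:
    """Return the list of ways an event deviates from the user's baseline (empty = normal)."""
    user, host, hour, mb = event
    flags = []
    # Lateral movement signal: a host this user has never touched before.
    if host not in baseline["hosts"][user]:
        flags.append("new host")
    # Activity at an hour this user is never active.
    if hour not in baseline["hours"][user]:
        flags.append("unusual hour")
    # Data movement signal: volume far above this user's mean.
    vols = baseline["volumes"][user]
    if len(vols) >= 2:
        mean, sd = statistics.mean(vols), statistics.pstdev(vols)
        if mb > mean + sigmas * sd:
            flags.append("data volume spike")
    return flags


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    # Constructed: a routine event, then a 2 a.m. pull of 900 MB from a database host.
    for ev in [("alice", "app-02", 11, 30.0), ("alice", "db-03", 2, 900.0)]:
        print(ev, "->", score_event(base, ev) or ["normal"])
```

A user with no history gets "new host" and "unusual hour" on every event, which is the right default for a Zero Trust posture: an identity nobody has seen before is not normal until it has a baseline.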
In conclusion, a security-driven infrastructure and network strategy based on EISA and SASE makes it orders of magnitude more difficult, even when a backdoor compromise of the network has been achieved, for bad actors to move around the network, read data, exfiltrate data, and do other damage, while greatly increasing visibility and the chance of detection. This next-generation approach is essential for effectively defending today’s highly dynamic environments – not only by providing consistent enforcement across today’s highly flexible perimeters, but also by weaving security deep into the network itself.