Ever since the early days of networking, we’ve extolled the benefits of best-of-breed networks. We’ve been able to select products with the most features, expanded our purchasing options, and seen prices plunge. But like anything, there are also downsides to building networks from a mix of products and services, downsides that become particularly relevant as we enter this new era of secure access service edge (SASE).
Sunburst: The Risks of Using Best of Breed
A case in point was the recent Sunburst attack on SolarWinds. As Reuters pointed out, “The cyber spies are believed to have gotten in by surreptitiously tampering with updates released by IT company SolarWinds, which serves government customers across the executive branch, the military, and the intelligence services, according to two people familiar with the matter. The trick – often referred to as a ‘supply chain attack’ – works by hiding malicious code in the body of legitimate software updates provided to targets by third parties.” (You can see SolarWinds’ initial description of the attack to the FCC here. Palo Alto has put together an excellent description of SolarStorm, Palo Alto’s term for the Sunburst attack, on the Palo Alto Networks blog.)
So extensive was the attack that communications at the U.S. Treasury and Commerce Departments were reportedly compromised, reports Krebs. More than 425 of the Fortune 500 use SolarWinds, and some 18,000 SolarWinds Orion customers have downloaded the software with the trojan. The Sunburst attack allowed attackers to penetrate FireEye and steal tools used by the company’s Red Team, the team simulating the attacker during penetration testing.
But here’s the thing: Sunburst only happens because of the widespread adoption of best-of-breed tools, such as the SolarWinds Orion management platform. With more tools comes a larger attack surface for threat actors to exploit.
What You Can Do
It’s probably impossible for my clients, or any enterprise, to prevent 100 percent of all future attacks. SolarWinds is an excellent company. FireEye gets paid to protect companies against the very attacks that struck its infrastructure. If those two can be hacked, so can your organization.
You can, however, reduce your attack surface. When engaging with our customers, we recommend a multipronged approach:
- Rigorously inspect the security policies of your suppliers. Do they have the right controls in place? How do they restrict physical access to their infrastructure? Are updates digitally signed? What measures have they put into place to prevent the kind of attack that plagued SolarWinds?
- Favor internally written code over third-party appliances. Many services are built by packaging third-party appliances. This expands your attack surface and requires understanding how each of those vendors protects itself. Services built from internally written code stacks should provide better protection in this regard.
- Seal known holes in your infrastructure. Most defenses are not very exotic. They come down to applying patches quickly. Patch management remains a considerable challenge for many organizations.
And here’s where I believe SASE will help. The convergence of security technologies into one platform reduces the number of products operating in your network, shrinking your attack surface. It also means that one vendor manages the entire stack, eliminating the potential holes left exposed by failing to deploy the necessary technology. These benefits hold regardless of whether your SASE platform is delivered as an appliance or as a service.
Will that guarantee protection? Well, no. It’s why we have the last step: assume you’ll be infected and institute post-infection policies.
If history serves as any example, enterprises will be racing to protect themselves against Sunburst for months to come. Vendors may introduce new signatures, but it will take weeks for companies to test and update their defenses, and then months to find the lingering trojan on their networks.
Ric Longenecker, CISO for Open Systems, said, “As with any potential compromise, we took Sunburst quite seriously. Communication with our customers, immediate and evolving deployment of Network Monitoring rules against known IOCs (Indicators of Compromise), as well as stepped-up monitoring efforts with the globally raised level of risk, is our standard operating procedure.
This not only highlights the need for a full-stack SASE approach, but an approach with security at its core – amplified through active Managed Detection and Response. For these kinds of deep compromises the right approach is critical – with visibility into the network, endpoint, cloud, and identity – as well as a steady set of experienced eyes on security monitoring.”
SASE platforms should shrink that security test and update window dramatically, letting SASE providers eliminate the delay between signature creation and deployment. Cato Networks, for example, claimed in a recent blog to have protected all of its customers across the globe against Sunburst within a few minutes, and to have already alerted customers to the presence of Sunburst on their networks.
Now, Cato’s approach is very different and may not be right for all organizations, something we explore in depth in our free, no-commitment SASE Jumpstart Kit. But one thing is clear: ultimately the shift to SASE will improve enterprise security, everywhere.