The breach by Orion, a product by SolarWinds
From exploding ATMs (Wall Street Journal 2021) to the breach of SolarWinds, there has been no year like 2020 for financial and private data breaches. The compromised Orion product has left a lot of cyber experts in amazement as we contemplate one of the most challenging threats to modern-day operations for governments and non-governmental organizations (Department of Homeland Security 2020). The SolarWinds breach of the Orion platform applied malware to approximately 18,000 organizations worldwide. How can organizations stay protected when a once-trusted partner like SolarWinds becomes the supply chain of a nation-state organization? SolarWinds is not likely to recover from its role in the worldwide event. The Verizon Data Breach Investigation Report (DBIR) places breaches in nine categories and usually outlines common threads of breaches and compromises of data (Verizon 2020). Like many other breaches, it took almost a year to detect, and the discovery was not by SolarWinds. It was by an outside organization. According to a SolarWinds public report, the Orion Platform compromise happened as early as October 2019. The state actors took six months to organize the attack to turn Orion into a global malware distribution system. Compromising upgrades issued by SolarWinds to most organizations had malware in their systems between March and June 2020. As a significant supplier of cybersecurity services, SolarWinds has questioned the model of upgrades and modifications to software by its users before implementation. The big question for organizations is, can cybersecurity get done without companies like SolarWinds?
It is like in the 1980s movie War Games, in which a teenager accesses a classified military system to play a game. He used a back door to use “War Operations Plan and Response” (WOPR). The back door is put in place by the original owner or programmer of the system. The Orion Platform became a rear door entrance for every company using the SolarWinds platform. In some ways, SolarWinds helped facilitate a backdoor within the Orion product. The most troubling part is the upgrade model used by many companies, including Microsoft and Apple.
Loss of Trust
All partnerships rely on a certain level of trust. SolarWinds has raised the trust of cybersecurity service suppliers, and organizations have a burden to architect a network that assumes compromise and that no one device is trusted. This concept is a Zero Trust model, which is not a new concept but will make significant changes to the way organizations protect their daily operations and intellectual property. Palo Alto refers to developing a “protect surface” for organizations, part of step one of a five-step process to transition to the Zero Trust model (Palo Alto 2021). This Zero Trust model requires an understanding of what data needs to be protected. Some examples of information or data protection could be PII (Personally Identifiable Information), PCI (Payment Card Industries), and HIPAA (Health Insurance Portability and Accountability Act) information. In this Zero Trust model, no single segment can access the entire network and prevents tools such as the array and product from having more access than it needs to monitor the network without having actual access to the data. This approach is segmentation and a vital component of the Zero Trust model.
A Way Ahead
For those members in the cybersecurity industry, the focus on security and compliance of programs is an even bigger question. Can zero trust models work for compliance programs such as the Payment Card Industries Data Security Standards (PCI DSS)? The PCI idea says there’s been a proven model for more than ten years. And with the start of version 4 of the data security standard, there will be an option to have custom controls that allow organizations to find ways to protect information while meeting the intent of this standard. In the current and previous standards for PCI, segmentation has been an optional element to help reduce the scope and assist in better management protection. While we can also expect this will not be a mandate within the version 4 standard for the PCI DSS, segmentation is a critical element of the Zero Trust model. The use of advanced networks can produce segmentation in multiple directions so that data like PCI and other sensitive data like PII may be separate from one another and separate from the administrators and administrative systems like SolarWinds. Over the next few months, we will explore in more detail what it means to implement a Zero Trust network model and use concepts such as blockchain to ensure the protection of a “protect surface.” For those that want to learn more about implementing segmentation, the Zero Trust model, or achieving PCI DSS compliance, visit our website at www.servadus.com.