Solarwinds Breach

Solarwinds Breach
December 25, 2020 Comments Off on Solarwinds Breach News Fred Dickey

Merry Christmas from Fast Assist.

Today I want to talk about the recent cyber breach of Solarwinds that effected many Federal agencies and major corporations across the country.

Solarwinds is an IT Management platform. There are many competing platforms out there and Solarwinds is one of the more common ones. Another is called Connectwise. Both of these systems and all of their alternatives offer a collection of cobbled together software from antivirus software to Remote Management and Monitoring, Patch Management, remote scripting for automating Endpoint management, etc.

They all give the entities using them, “God like access” to the endpoints that are managed through them. Microsoft, Google, Apple, etc already have “God like access” to your devices. They leverage remote scripting through Powershell to remotely perform changes to and check current settings on your endpoints.

Microsoft, Apple and Google accomplish these things with embedded code in their OSes and applications so they don’t need a third party platform to accomplish this. We know for a fact that they do these things because we can see them doing it with our own platform that also gives us “God like access”. Since our security client treats unknown powershell and other types of scripts and batch files as unknowns we see everything going on with the endpoints managed under our monthly support service.

We focused on security as our #1 concern when selecting our technology stack for “God like access” to your systems. Our security solution is multi-layered and leverages three independent but fully integrated software agents to give maximum visibility into your endpoints activity. So in a sense, when we have all three systems in place, there is a trinity at work on your endpoint. This is why neither Solarwinds or Connectwise is part of our technology stack. We chose a platform that we believe offers the best security and the best integration with that security.

Our primary security solution also has zero trust functionality and fully integrates with our ITSM platform since the vendor that developed our management platform also developed our Endpoint Security platform.

We offer 100% effective protection from ransomware and unknown threats to your endpoint because of how our security software virtualizes the API layer of the operating system on your Endpoint, using patented technology, and has a zero trust stance when encountering, identifying and analyzing processes both known and unknown.

This recent breach using the Solarwinds platform is very alarming to say the least. We know that our system is a holy grail target for the same reason that the Solarwinds platform became a target and effected countless organizations and government agencies in that breach.

In this day and age, real-time visibility, monitoring and management in a SIEM style platform is an absolute necessity to maintaining cyber security. There are just simply too many variables at play for anybody to function securely without such a technology stack on their side. We believe that what we offer is the superior platform of choice. Using it with the Fast Assist team working with the vendor’s own team of engineers and cyber security experts leverages the best offering for IT Security and Management.

But even with our confidence in our ability to protect our clients using our technology of choice, we continue to strive for constant improvements in our technology stack and therefore we are continually communicating with the software engineers and security teams that we work with every second of everyday from the software vendor of choice for our platform.

From what I understand so far, the attack that effected Solarwinds was possible because of a trust relationship between Solarwinds and an update server that Solarwinds uses to distribute updates. An update that Solarwinds distributed was compromised, leading to the proliferation of altered malicious code.

One of the features of many of these management platforms such as Solarwinds and Connectwise is integrated credentials management and storage. We have never had warm fuzzies about integrating our credentials management with our other tools into a single sourced swiss army knife for obvious reasons. That is why we utilize a completely separate platform whose sole focus is the storing of credentials that our staff needs when working with our client’s systems.

That platform was the first platform that we began utilizing conditional access for authentication in addition to Multi-factor Authentication. Conditional access means that we have a strict set of policies for anything attempting to login to our credentials storage platform. For example, the session attempting to authenticate must come from a US based IP address, and must come from a device that we can install an agent onto during the authentication process to prove its compliance with all of our other requirements before we will even discuss authentication with that session.

We have been deploying this same level of conditional access to all other systems that we utilize, including Microsoft 365 and our other third party platforms that we utilize.

But even with conditional access in play, the particular breach involving Solarwinds wouldn’t have been stopped. The attack vector didn’t involve authentication with Solarwinds, but involved a trust relationship with an upstream platform. It’s kind of like the type of breach involving malicious script from compromised advertising networks effecting legitimate websites that publish that compromised code in the form of advertising on the legitimate website. The website itself was not compromised, but an upstream server was and there was not a zero trust policy between the two platforms and no scrutiny of code that was assumed to be non malicious.

Now that the Solarwinds breach has been realized, the industry as a whole is likely to identify the Commom Vulnerability and Exposure that was utilized for this breach and address it in the future.

Share this:
Tags
About The Author
Fred Dickey Fred is the owner and founder of Fast Assist. Fred attended college at the University of Tennessee in Knoxville, majoring in Computer Science, after graduating High School in 1990. Being originally from Nashville TN, Fred boasts over 20 years of professional IT experience, having owned his own IT Support company from 1995 to 2006 when he lived in Knoxville TN. Fred has also worked on the IT Corporate Help Desk of a major Federal contractor from 2008 to 2011 and has experience with ITIL and Enterprise level application and infrastructure support. He has worked for several small IT Support companies between then and now before launching Fast Assist on October 2017.