
The breach by Orion, a product by SolarWinds

by Ron Tosto


From exploding ATMs (Wall Street Journal 2021) to the breach of SolarWinds, no year has matched 2020 for breaches of financial and private data. The compromise of the Orion product left many cyber experts amazed as we contemplated one of the most challenging threats to the modern operations of governments and non-governmental organizations (Department of Homeland Security 2020). The trojanized Orion update reached approximately 18,000 organizations around the world. How can organizations stay protected when a once trusted partner like SolarWinds becomes the supply chain of a nation-state actor? SolarWinds is not likely to recover from its role in this worldwide event.

The Verizon Data Breach Investigations Report (DBIR) places breaches in nine categories and outlines the common threads of breaches and compromises of data (Verizon 2020). Like many other breaches, this one took almost a year to detect, and the discovery was not by SolarWinds but by an outside organization. According to a SolarWinds public report, the Orion Platform compromise began as early as October 2019. The state actors took roughly six months to turn Orion into a global malware distribution system: the trojanized updates that SolarWinds issued between March and June of 2020 carried the backdoor into customers' systems.

SolarWinds' position as a major supplier of IT management and monitoring software has called into question the model in which users apply vendor upgrades and modifications without independent verification prior to implementation. The big question for organizations is whether the job of cybersecurity can get done without companies like SolarWinds.

The Backdoor

It is like the 1983 movie WarGames, in which a teenager accesses a classified military system to play a game. He used a back door into the “War Operation Plan Response” (WOPR) computer, a back door left by the system's original programmer. The Orion Platform became a back door into every organization that installed the trojanized update. In some ways SolarWinds itself facilitated that back door: the malicious code was inserted into Orion during the vendor's own build process, and the resulting update was signed with SolarWinds' legitimate code-signing certificate and delivered through the normal update channel, so customers had no reason to question it. The most troubling part is that this trusted-update model is used by so many companies, including Microsoft and Apple, and a valid signature only proves who shipped a file, not that its contents are safe.

Loss of Trust

All partnerships rely on a certain level of trust. Now that SolarWinds has called the trust placed in cybersecurity service suppliers into question, the burden is on organizations to architect a network that assumes compromise and in which no single device is trusted. This is the Zero Trust model. It is not a new concept, but it will significantly change the way organizations protect their daily operations and intellectual property. Palo Alto Networks refers to defining a “protect surface”, the first of a five-step process for transitioning any organization to a Zero Trust model (Palo Alto 2021); the remaining steps map the transaction flows, architect the network, create the policy, and monitor and maintain it. The model requires understanding what data needs to be protected. Examples include PII (Personally Identifiable Information), cardholder data covered by PCI (Payment Card Industry) standards, and protected health information covered by HIPAA (Health Insurance Portability and Accountability Act). In a Zero Trust network no single segment can reach the entire network, which prevents a monitoring tool such as Orion from having more access than it needs: it can observe the systems it monitors without having access to the data they hold. This is segmentation, a key component of the Zero Trust model.
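As an added illustration (not code from the original article or from any vendor), the following Python script models the segmentation principle described above: a handful of network segments, including a management segment where an Orion-style monitoring server would sit, a first-match rule set with an implicit default deny, and a linter that flags any allow rule letting one segment reach the whole network or granting the monitoring segment the data-bearing ports of the cardholder-data and PII segments. The segment ranges, port lists and rule sets are all constructed for the example; the "monitoring" ports are an assumption standing in for whatever a real tool polls.

```python
"""
Added example, not part of the original article or any vendor's code:
a minimal Zero Trust segmentation policy checker.  It models a few
segments, a first-match rule set with an implicit default deny, and a
linter that flags rules which break "no one segment reaches the whole
network" or give a monitoring host more access than monitoring needs.
All ranges, ports and rules below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed segments (RFC 1918 ranges chosen for the example, not a real network).
SEGMENTS = {
    "cde":  ipaddress.ip_network("10.10.0.0/24"),   # cardholder data environment (PCI DSS scope)
    "pii":  ipaddress.ip_network("10.20.0.0/24"),   # systems holding PII
    "mgmt": ipaddress.ip_network("10.90.0.0/24"),   # admin/monitoring, where an Orion-style tool sits
    "corp": ipaddress.ip_network("10.100.0.0/16"),  # general user workstations
}

# Assumed ports: what a monitoring tool needs versus the ports that carry the data itself.
MONITOR_PORTS = frozenset({161, 5985})             # SNMP, WinRM
DATA_PORTS = frozenset({1433, 3306, 5432, 445})    # MSSQL, MySQL, PostgreSQL, SMB


@dataclass(frozen=True)
class Rule:
    src: str            # segment name or CIDR string
    dst: str            # segment name or CIDR string
    ports: frozenset    # destination ports, or frozenset({"any"})
    action: str         # "allow" or "deny"


def resolve(name):
    """Map a segment name to its network; anything else is parsed as a CIDR."""
    return SEGMENTS[name] if name in SEGMENTS else ipaddress.ip_network(name)


def is_allowed(rules, src_ip, dst_ip, port):
    """First-match evaluation.  No matching rule means deny: the Zero Trust default."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if src in resolve(r.src) and dst in resolve(r.dst) and ("any" in r.ports or port in r.ports):
            return r.action == "allow"
    return False


def lint(rules):
    """Return human-readable findings for allow rules that undermine segmentation."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src_net, dst_net = resolve(r.src), resolve(r.dst)
        # One segment reaching every other segment is the flat network Zero Trust forbids.
        if all(seg.subnet_of(dst_net) for seg in SEGMENTS.values()):
            findings.append(f"{r.src}->{r.dst}: one segment may reach the entire network")
        if "any" in r.ports:
            findings.append(f"{r.src}->{r.dst}: all ports open; enumerate the ports actually needed")
        # A monitoring host should observe the CDE and PII segments, not read their data.
        touches_data = any(dst_net.overlaps(SEGMENTS[s]) for s in ("cde", "pii"))
        if src_net == SEGMENTS["mgmt"] and touches_data and (r.ports & DATA_PORTS):
            findings.append(f"{r.src}->{r.dst}: monitoring segment granted data ports "
                            f"{sorted(r.ports & DATA_PORTS)}")
    return findings


# Constructed "before" rule set: the flat access a management tool is often given.
FLAT_RULES = [Rule("mgmt", "0.0.0.0/0", frozenset({"any"}), "allow")]

# Constructed "after" rule set: explicit least-privilege allows, everything else denied.
SEGMENTED_RULES = [
    Rule("mgmt", "cde", MONITOR_PORTS, "allow"),
    Rule("mgmt", "pii", MONITOR_PORTS, "allow"),
    Rule("corp", "cde", frozenset({443}), "allow"),   # e.g. a payment web front end
]

if __name__ == "__main__":
    print("flat findings:", lint(FLAT_RULES))
    print("segmented findings:", lint(SEGMENTED_RULES))
    # The monitoring host can poll SNMP in the CDE but cannot open the database port.
    print(is_allowed(SEGMENTED_RULES, "10.90.0.5", "10.10.0.20", 161))
    print(is_allowed(SEGMENTED_RULES, "10.90.0.5", "10.10.0.20", 1433))
```

The point of the linter is the third check: a compromised management server is exactly the SolarWinds scenario, so the rule set should let it reach the monitored segments only on the protocols monitoring requires, never on the ports where cardholder data or PII actually lives.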

A Way Ahead

For those in the cybersecurity organization who focus on security and compliance programs, there is an even bigger question: can Zero Trust models work for compliance programs such as the Payment Card Industry Data Security Standard (PCI DSS)? PCI DSS is a proven model with more than 10 years of history, and with version 4 of the standard there will be a customized approach that lets organizations find their own ways to protect information while meeting the intent of the standard. In the current and previous versions of PCI DSS, segmentation has been an optional element, used to reduce scope and to make protection easier to manage and keep updated. While we can expect that segmentation will still not be mandated in version 4 of PCI DSS, it is a key element of the Zero Trust model. Modern networks can segment in multiple directions, so that cardholder data and other sensitive data such as PII are separated from one another and from administrators and administrative systems like SolarWinds. Over the next few months, we will explore in more detail what it means to implement a Zero Trust network model and to make use of concepts such as blockchain to protect a “protect surface”. For those who want to learn more about implementing segmentation, the Zero Trust model, or achieving PCI DSS compliance, visit our website at