For cybersecurity professionals, the lesson of the coronavirus pandemic and the so-called SolarWinds hack is clear: it’s time to evolve from reactive to proactive. Two interrelated luxuries of barely 18 months ago are now off the table: hope and time. As in, “If our network gets infected, let’s hope our systems – firewalls, antivirus – block any real damage, and we get the problems patched in time to avoid disaster.” That 2019 thinking is dangerous.
As multiple industries have reported, the SARS-CoV2 pandemic spurred a decade of IT evolution in a year. That’s certainly true of cloud adoption, as millions started working outside offices, forcing companies to accelerate their move to the cloud.
Beyond SolarWinds
Cloud vulnerabilities are deeply connected to the co-called SolarWinds hack, one of the most far-reaching intrusions into government and private business by nation-state malware built specifically to evade antivirus systems. I say “so-called” because about a third of the organizations compromised by the hack is not SolarWinds customers. The malware didn’t solely rely on SolarWinds’ rogue Orion updates, as was originally assumed. Nor, as later reporting suggested, did the hackers break the underlying security of Microsoft’s Azure cloud or Office 365.
The attack surfaces that allowed SolarWinds hackers access were cloud infrastructure misconfiguration in some cases and, in others, overly accessible permissions granted by Azure and Office 365 clients that hackers exploited with timing perfectly synchronized to pandemic-driven cloud migration.
Broad Permission Opportunity
When IT systems are forced to make dramatic shifts, such as the pandemic-driven rush to the cloud, the industry-standard has been for developers to allow broad permissions at first, thinking, “We’ll lock it down later.” The cybersecurity danger of this over-relaxed behavior was amplified by the complex permission interrelationships required for doing business in the cloud. Especially when the primary goal is, “Let’s just get this working to avoid business interruption,” multiple trust relationships among clients and companies make the attack surface look like the broad side of a barn to hackers. This is a mistake that must not be repeated as workforces begin to return to offices with their WFH endpoints.
A Gap in Cloud Expertise
Yet another vulnerability is a familiar one: the lack of appropriately trained professionals. When pandemic workforce distribution hit with suddenness, companies didn’t have time to look for cloud security experts. They used the people they had, who might have been experts at running things in their own data centers with premise-based virtualization technology. The cloud, however, requires knowledge of different virtual infrastructures and permission protocols. It requires companies to lock down their endpoints, infrastructure and configuration.
From what we’ve seen, too many companies tried to cut over to the cloud before their cybersecurity people prepared properly for the transition. Again, the return-to-office transition muddies this picture even more.
How to Lock it Down, Proactively
No one’s sure what the SolarWinds hackers will eventually do, if anything, to all the public and private organizations they penetrated. So, we don’t yet know the full downside. If there’s an upside, SolarWinds is the ultimate business case for a forward-thinking, proactive cybersecurity posture. The threat is no longer hypothetical. It has happened.
Now that many companies have migrated to the cloud, it’s time to lock down business networks proactively. Generally speaking, the most important strategic move is to empower IT/cybersecurity professionals to think and act like attackers of cloud-based infrastructure, empowering them to defend their kingdoms accordingly. Here are some specific suggestions:
Maintain a Complete Up-to-Date Asset Inventory: This may seem like Cybersecurity 101, but the starting point for companies is to make a complete inventory of all IT assets. One dirty little IT secret is that most companies don’t know everything they have on their networks. When the SolarWinds hack was first discovered, immediate U.S. government advice was to take certain pieces of possibly vulnerable software off company networks. But complete visibility is rare. The result was a lot of hurried inventory checks, network scans, people asking each other, “Do we run that?,” and frantic emails to various departments: “Do we use that?”
Moral of the story: Cybersecurity pros must proactively inventory assets ASAP. Going a step further, cybersecurity should know who or what has access to all assets, and whether the asset sits in a highly privileged network location or lives in an isolated node where an attacker couldn’t use it as a jumping-off point.
Understand Your Cloud Provider's Shared Responsibility Model: A common misconception is that cloud providers – AWS, Azure, Google – also provide security once a company’s workload arrives. Not true. In the “shared security model” common to the major cloud providers, the providers secure some things, but if a customer is running, say, a database in the cloud, configuring permissions is the responsibility of the customer. Amazon, Microsoft and Google don’t know how open-access each company wants its cloud databases to be, and for which users. Too often, companies don’t assume their share of this “shared responsibility,” and security breaks down.
Prompt Notification of Vulnerabilities by Company and Industry: I started by saying “hope” and “time” is now off the table. This is what I’m talking about: companies need recurring vulnerability assessments to understand threat intelligence and landscape right now, so they know what to fix or patch first. There are cloud-native solutions that use artificial intelligence/machine learning to identify security threats being reported by vertical industries on a global basis and guide security experts in each company to system problems that should be handled first.
Nothing will ever provide ironclad security. But playing offense instead of defense – as the tumultuous events of 2020 force us to do – will give security professionals an edge in the toughest game in town.
About the author: Mike Cotton is the SVP of engineering of HelpSystems company Digital Defense, Inc., a leader in vulnerability management and threat assessment solutions. Follow Mike on LinkedIn.
