1.888.900.DRIZ (3749)
The Driz Group
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog

Cybersecurity Blog

Thought leadership. Threat analysis. Cybersecurity news and alerts.

2/24/2021

0 Comments

Zero Trust Lesson

 
zero trust lesson

Zero Trust Lesson

Zero Trust is one of the lessons learned as a result of the recent SolarWinds supply chain attack, according to Microsoft – one of the victims of the said supply chain attack.

In the blog post "Microsoft Internal Solorigate Investigation – Final Update” published on February 18, 2021, Microsoft Security Response Center (MSRC) Team admitted that the threat actor behind the SolarWinds supply chain attack was able to download a small subset of Azure components (subsets of service, security, identity), a small subset of Exchange components, and a small subset of Intune components.

SolarWinds Supply Chain Attack Background

In December 2020, SolarWinds reported to the U.S. Securities and Exchange Commission (SEC) that the supply chain attack on its system affected nearly 18,000 customers of SolarWinds Orion – a software used as a monitoring and management platform designed to simplify IT administration.

In a supply chain attack, an attacker accesses the source code of legitimate software and infects it with malicious code. Once this compromised software is distributed to customers, the customers' systems are compromised as well and a series of compromises follow. According to SolarWinds, the attacker inserted a malicious code within Orion which, if present and activated, "could potentially allow an attacker to compromise the server on which the Orion products run." Microsoft named this malicious code "Solorigate."

Last December, Microsoft, through the MSRC Team, admitted that it was one of the victims of the SolarWinds supply chain attack and the threat actor behind it was able to "view source code in a number of source code repositories." The December 2020 admission specified that the threat actor was able to view, while the latest February 2021 admission specified that the threat actor was able to download.

"We have now completed our internal investigation into the activity of the actor and want to share our findings, which confirm that we found no evidence of access to production services or customer data," MSRC Team said, in the latest report dubbed as the final update about Solorigate. "The investigation also found no indications that our systems at Microsoft were used to attack others."

Zero Trust

The MSRC Team said that Solorigate reinforced one key learning: Zero Trust.

The concept of Zero Trust has been around for nearly a decade. The term was first used in 2010 by John Kindervag, then the principal analyst at Forrester Research Inc. In his research and analysis of enterprises, Kindervag found that “trust” had become an essential part of the network. For Kindervag, trust is a major liability for enterprises’ networks that could result in failure over and over again in the years to come.

In the blog post "The Tao Of Zero Trust" Chase Cunningham, VP, Principal Analyst; Jeff Pollard, VP, Principal Analyst; and Stephanie Balaouras, VP, Group Director, all from Forrester Research said that the adoption of Zero Trust is based on these two factors:

"First, the cybersecurity industry has hit an inflection point wherein the massive spend to prove the negative of ‘good security’ is drying up.

"Second, CEOs and board leadership for enterprises are tired of the technical talk and miscommunication around cybersecurity operations. Zero Trust is simple in name, comprehensive in its approach, and realistic in the acceptance of the inherent failures that plague enterprises from the second they start sending electrons."

MSRC Team defined Zero Trust as a "transition from implicit trust –assuming that everything inside a corporate network is safe – to the model that assumes breach and explicitly verifies the security status of identity, endpoint, network, and other resources based on all available signals and data."

Verify explicitly, least privileged access, and assume breach are three principles of Zero Trust. Verify explicitly means that it's always important to authenticate and authorize based on all available data points. Least privileged access means that permissions are only granted to the appropriate environment and on appropriate devices to meet specific business goals. Assume breach, meanwhile, means that processes and systems must assume breach has already happened or soon will. 

In the blog post "Using Zero Trust principles to protect against sophisticated attacks like Solorigate," Alex Weinert, Identity Security Director at Microsoft, said that the threat actor behind Solorigate compromised identity environments with these three major vectors: compromised user accounts, compromised vendor accounts, and compromised vendor software. "In each of these cases, we can clearly see where the attacker exploited gaps in explicit verification," Weinertsaid.

Weinert further said that the threat actor behind Solorigate took advantage of broad role assignments, permissions that exceeded role requirements, and in some cases abandoned accounts and applications which should have had no permissions at all.

Applying the lessons from the Solorigate attack and the principles of Zero Trust, Microsoft recommends enabling multi-factor authentication (MFA) to reduce account compromise probability by more than 99.9%. It's important to note that attackers, however, have their ways of bypassing MFA nowadays.

Microsoft also recommends to configure for Zero Trust using Zero Trust Deployment Guides and to look atIdentity workbook for Solorigate.

0 Comments

Your comment will be posted after it is approved.


Leave a Reply.

    Author

    Steve E. Driz, I.S.P., ITCP

    Picture
    View my profile on LinkedIn

    Archives

    March 2023
    February 2023
    January 2023
    December 2022
    June 2022
    May 2022
    February 2022
    December 2021
    November 2021
    October 2021
    September 2021
    August 2021
    July 2021
    June 2021
    May 2021
    April 2021
    March 2021
    February 2021
    January 2021
    December 2020
    November 2020
    October 2020
    September 2020
    August 2020
    July 2020
    June 2020
    May 2020
    April 2020
    March 2020
    February 2020
    January 2020
    December 2019
    November 2019
    October 2019
    September 2019
    August 2019
    July 2019
    June 2019
    May 2019
    April 2019
    March 2019
    February 2019
    January 2019
    December 2018
    November 2018
    October 2018
    September 2018
    August 2018
    July 2018
    June 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    October 2017
    September 2017
    August 2017
    July 2017
    June 2017
    May 2017
    April 2017
    March 2017
    February 2017
    January 2017
    December 2016
    October 2016
    August 2016
    May 2016
    March 2016
    January 2016
    November 2015
    October 2015
    August 2015
    June 2015

    Categories

    All
    0-Day
    2FA
    Access Control
    Advanced Persistent Threat
    AI
    Artificial Intelligence
    ATP
    Awareness Training
    Botnet
    Bots
    Brute Force Attack
    CASL
    Cloud Security
    Compliance
    COVID 19
    COVID-19
    Cryptocurrency
    Cyber Attack
    Cyberattack Surface
    Cyber Awareness
    Cyber Espionage
    Cybersecurity
    Cyber Security
    Cyber Security Consulting
    Cyber Security Insurance
    Cyber Security Risk
    Cyber Security Threats
    Cybersecurity Tips
    Data Breach
    Data Governance
    Data Leak
    Data Leak Prevention
    DDoS
    Email Security
    Fraud
    GDPR
    Hacking
    Impersonation Scams
    IoT
    Malware
    MFA
    Microsoft Office
    Mobile Security
    Network Security Threats
    Phishing Attack
    Privacy
    Ransomware
    Remote Access
    SaaS Security
    Social Engineering
    Supply Chain Attack
    Supply-Chain Attack
    Third-Party Risk
    Virtual CISO
    Vulnerability
    Vulnerability Assessment
    Web Applcation Security
    Web-applcation-security
    Web Application Firewall
    Web Application Protection
    Web Application Security
    Web Protection
    Windows Security
    Zero Trust

    RSS Feed

Picture

1.888.900.DRIZ (3749)

Managed Services

Picture
Web Application Security
​Virtual CISO
Compliance
​Vulnerability Assessment
Free Vulnerability Assessment
Privacy Policy | CASL

About us

Picture
Testimonials
​Meet the Team
​Subsidiaries
​Contact us
​Blog
​
Jobs

Resources & Tools

Picture
​Incident Management Playbook
Sophos authorized partner logo
Picture
© 2023 Driz Group Inc. All rights reserved.
Photo used under Creative Commons from GotCredit