Microsoft announced they had closed their internal investigation of the SolarWinds attack.
The Microsoft Security Research Center (MSRC), which has shared learnings and guidance throughout the Solorigate incident, confirmed that following the completion of their internal investigation, Microsoft has seen no evidence that Microsoft systems were used to attack others. There was also no evidence of access to Microsoft production services or customer data.
"However, a concerning aspect of this attack is that security companies were a clear target. Microsoft, given the expansive use of our productivity tools and leadership in security, of course was an early target," says Vasu Jakkal, CVP, Security, Compliance and Identity. "But while this highly-sophisticated nation state actor was able to breach the gate, they were met by a unified team of human and digital defenders. There are several reasons why we were able to limit the scope and impact of this incident for our company, customers, and partners, but ultimately, they all boil down to a few fundamental ways we approach security."
Jakkal said these approaches represent an opportunity for all IT and security teams as they collectively navigate a rapidly evolving and sophisticated threat landscape.
Kevin Dunne, President at Greenlight, a Flemington, New Jersey-based provider of integrated risk management solutions, says this is the first step in the process of the security community recovering from the Solorigate attack. "This attack highlighted the need to reconsider trust at all levels of the security supply chain, even in terms of trusting updates from long-tenured, legitimate suppliers. Microsoft's recommendations are tangible, appropriate actions that all organizations can take to move their infrastructure to the cloud and implement a zero trust security policy. In this model, customers can lean on the expertise and scale of Microsoft's security research team to ensure their critical services are constantly monitored and protected from potential threats. Customers will then be able to shift their focus from their own internal infrastructure and network towards their identity and access governance initiatives. More time to investigate who is accessing critical infrastructure, applications, and data will result in reduced time to detecting and remediating breaches, which are inevitable in today's zero trust world."
Brandon Hoffman, Chief Information Security Officer at Netenrich, a San Jose, Calif.-based provider of IT, cloud, and cybersecurity operations and services, explains, "This does come as a surprise and seems to be conflicting with other messages Microsoft has shared. As the incident response has continued, it seems they were finding more and more areas affected by the SolarWinds issue. The fact that the investigation has concluded rather suddenly is an interesting move. Likewise, interesting is the advice on zero trust. From a certain perspective, it's not clear that taking a zero trust stance would have prevented this issue. It would have potentially avoided some of the damage; however, it's not clear that zero trust would have prevented the initial attack vector. Similarly, the call to embrace cloud and strengthen community sharing feels a bit short, since these are platitudes the security industry has been evangelizing for many years."
"Microsoft is right in stating that security companies are a clear target for upstream attacks, where malicious code is embedded into the products deployed across a large number of customers. A clean source approach, validating the steps from development to delivery, covering feeds like those in Antivirus or Threat Intelligence solutions, is the way to go for vendors. A 'zero trust plan' seems a good idea at first sight, but is misleading here," notes Dirk Schrader, Global Vice President at New Net Technologies (NNT), a Naples, Florida-based provider of cybersecurity and compliance software. "The Solorigate incident isn't about a user who should not be trusted, it is about the sourcing itself. And for this scenario, the user and the IT administration will be overwhelmed in the end. At some stage trust needs to be established to be operational, and with thousands of changes incurred to files and settings when rolling out a Microsoft patchday update, the IT administration would certainly not want to check each and every change. The same is valid for the recommended embracing of cloud and IaaS, which again is about trust, and perhaps asking some Yandex customers about the trust they would put into sysadmins of a service provider. Nevertheless, strengthening the community of defenders is a good thing, and joining Microsoft's community is one place of many to do so."
Commenting on Microsoft's recommendation to adopt Zero Trust and to embrace the cloud to help mitigate similar incidents, Oliver Tavakoli, CTO at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers, says, "The adoption of a Zero Trust architecture was something that had already been accelerating in light of the pandemic and the new normal of working from home. Microsoft points out that organizations should go one step further by adopting it as a 'mindset': accept that all of the initial lines of defense can fail and that security controls need to be layered across all systems critical to an organization. The advice to embrace the cloud can appear a bit self-serving if the company giving the advice makes a lot of money delivering cloud services. The better advice would be that if you are using the cloud (say you are an Office 365 customer), you should embrace security tools which understand the attack surface inherent in such a cloud deployment. The advice of moving from on-premise identity to cloud identity (in Microsoft's case, this move would be to Azure Active Directory) is a good one. Too many organizations have straddled these two worlds with their identity strategy for far too long, and it has recently become evident that attackers are taking advantage of such hybrid identity models."
For recommendations and mitigation strategies from Microsoft, please visit https://www.microsoft.com/security/blog/?p=92881