The SolarWinds supply chain attack rocked governments and businesses alike in late 2020. Help keep your organization safe with these three key steps.
I recently wrote an article for Dark Reading about the massive supply chain attack delivered through a compromised SolarWinds Orion update, which the attackers then used to reach into Microsoft cloud environments and other leading vendors' products. In that piece, I discussed the impact this unprecedented hack will have on cybersecurity, including the shift toward a zero trust approach to information protection.
The most insidious element of the 2020 supply chain attack is that the attackers weaponized trusted applications, such as SolarWinds Orion. The attack exploited weaknesses in organizations' cybersecurity controls, such as insecure developer environments and logins, to infiltrate and spy on government and corporate systems through trusted software updates.
In this post, we’ll dig a little deeper into approaches, such as regular vulnerability assessments, that organizations can take to protect against another supply chain attack (because there will undoubtedly be another one), and why these proactive cybersecurity steps matter for organizations.
Three Best Practices to Prevent a Supply Chain Attack
The key to stopping incidents and limiting damage is to build layers of security and a system of checks and balances.
No individual security approach can guarantee an organization's security, and a true zero trust approach to cybersecurity can be difficult to put into practice. Zero trust requires that you think of every aspect of your information network differently: for example, requiring authentication between components that previously could communicate freely, or password-protecting files that were never locked down before. If zero trust policies are rolled out too quickly, important business processes can break in unexpected ways, and then you are left scrambling. Fortunately, organizations can take several immediate steps to move the ball forward and reduce the impact of future supply chain attacks like SolarWinds.
1. Ensure You Are Logging and Auditing Everything
If you aren’t already gathering logs, auditing Active Directory (AD) changes, and monitoring all this information via security information and event management (SIEM) technology, now is the time to start. Logs can be the proverbial canary in the coal mine for suspicious activity, and they’re also an important part of compliance; many cybersecurity frameworks require some degree of log collection and management.
By gathering and analyzing logs, organizations can catch risky activity early. For example, a SIEM can flag a user who makes an unusual number of changes to corporate systems or who moves unusually large volumes of data out of the network. With alerts set up to flag such anomalies, security teams can take a closer look, which can reveal an intruder or catch unsafe or potentially malicious behavior by an insider, such as an employee or a partner.
Organizations should also apply the principle of least privilege to limit who can make changes and what kinds of changes they can make. For example, an attempt to change foundational permissions or settings should be flagged to IT decision-makers, who can verify that the request comes from a legitimate source before allowing or denying the change.
Core Benefit: Your organization knows who your users are, what they’re doing in your systems, and sets limits on the changes they can make without oversight. You can spot possible suspicious or unsafe activity early, and logging and auditing are also important elements of staying in compliance with many cybersecurity frameworks.
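The three detection rules described above (a change to a privileged group or object, one actor making a burst of changes in a short window, and one actor moving an unusual volume of data) written out as code. This is an added example, not code from the original article or from any SIEM product; the event records, actor names, thresholds and the list of sensitive targets are constructed for illustration, and the event IDs follow the Windows Security log conventions for group-membership changes (4728/4732), object permission changes (4670) and account creation (4720).

```python
"""Added example: SIEM-style rules run over constructed AD-change and
data-transfer events. Not from the original article; all sample data,
names and thresholds below are invented for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample AD-change events (not real logs).
AD_EVENTS = [
    {"time": "2020-12-13T02:10:00", "event_id": 4720, "actor": "svc_orion", "target": "bkp_user"},
    {"time": "2020-12-13T02:11:30", "event_id": 4728, "actor": "svc_orion", "target": "Domain Admins"},
    {"time": "2020-12-13T02:12:00", "event_id": 4670, "actor": "svc_orion", "target": "OU=Servers"},
    {"time": "2020-12-13T02:15:00", "event_id": 4670, "actor": "svc_orion", "target": "CN=AdminSDHolder"},
    {"time": "2020-12-13T09:00:00", "event_id": 4732, "actor": "helpdesk1", "target": "Remote Desktop Users"},
    {"time": "2020-12-13T14:00:00", "event_id": 4728, "actor": "helpdesk1", "target": "VPN Users"},
]

# Constructed sample outbound transfer records (actor, bytes sent).
TRANSFER_EVENTS = [
    {"time": "2020-12-13T03:00:00", "actor": "jdoe", "bytes": 1_200_000_000},
    {"time": "2020-12-13T03:20:00", "actor": "jdoe", "bytes": 900_000_000},
    {"time": "2020-12-13T04:00:00", "actor": "svc_orion", "bytes": 50_000},
]

# Groups and objects whose modification should always be reviewed
# (assumed list; tune to the environment).
SENSITIVE_TARGETS = {
    "domain admins", "enterprise admins", "schema admins", "administrators",
    "cn=adminsdholder",
}


def _ts(value):
    return datetime.fromisoformat(value)


def sensitive_target_changes(events):
    """Rule 1: any change whose target is a privileged group or object."""
    return [e for e in events if e["target"].lower() in SENSITIVE_TARGETS]


def burst_actors(events, limit=3, window=timedelta(minutes=10)):
    """Rule 2: actors who make at least `limit` changes inside one window.

    Returns {actor: max_changes_seen_in_any_window} for flagged actors.
    Uses a sliding window over each actor's sorted timestamps.
    """
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append(_ts(e["time"]))
    flagged = {}
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        peak = 0
        for i, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= limit:
            flagged[actor] = peak
    return flagged


def heavy_transfers(transfers, threshold=1 << 30):
    """Rule 3: actors whose summed outbound bytes exceed `threshold` (1 GiB)."""
    totals = defaultdict(int)
    for t in transfers:
        totals[t["actor"]] += t["bytes"]
    return {actor: total for actor, total in totals.items() if total >= threshold}


def run_rules(events=AD_EVENTS, transfers=TRANSFER_EVENTS):
    """Run all three rules and return the findings as plain data."""
    return {
        "sensitive_changes": [(e["actor"], e["event_id"], e["target"])
                              for e in sensitive_target_changes(events)],
        "burst_actors": burst_actors(events),
        "heavy_transfers": heavy_transfers(transfers),
    }


if __name__ == "__main__":
    for rule, hits in run_rules().items():
        print(f"{rule}: {hits}")
```

On the sample data, the service account is flagged twice (it touches Domain Admins and AdminSDHolder, and makes four changes in five minutes) while the help-desk user's two routine changes hours apart are not, and the per-user sum catches a transfer split into two smaller pieces that a per-event threshold would miss.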
2. Keep Tabs on Trusted Software
The SolarWinds hack spread far and wide because no one was looking for it — it was a betrayal from inside an ally’s camp, well within the boundaries of firewalls and other security measures. To protect against a supply chain attack like SolarWinds, organizations will need to monitor the activity of their trusted software, such as antivirus, corporate productivity software, and more.
One of the best tools for keeping tabs on data flow is a data loss prevention (DLP) solution. If your organization already has a DLP, take a look at how you're using it. DLP tools have a troublesome reputation: they can be expensive, take a lot of time to manage, and generate many false alerts. Much of the time, though, that is because they are configured to cast too wide a net, or because they are underused for those same reasons.
By focusing your DLP on a specific set of data — your most valuable and sensitive data — your organization can reduce the number of false alerts. The DLP becomes, in effect, an internal watchful eye to make sure trusted programs aren’t the source of data leakage or misuse.
Core Benefit: Your organization keeps a close eye on data at rest and in motion, even within trusted security tools and other software.
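An added example (not code from the original article or from any DLP product) of the two ideas in this section: baselining where a trusted program normally talks, so that a new destination from that program stands out, and narrowing the data-leak rule from a noisy catch-all pattern to the organization's own sensitive-data markers. The process names, hostnames, payloads and patterns are constructed for illustration; in a real deployment the "payload" field would be whatever content the DLP inspects.

```python
"""Added example: baseline the outbound destinations of trusted software and
compare a broad DLP rule with a narrow one. Not from the original article;
every record, host name and pattern below is constructed."""
import re
from collections import defaultdict

# Constructed learning period: connections seen from trusted agents during a quiet week.
BASELINE = [
    {"process": "orion.exe", "dest": "updates.vendor.example"},
    {"process": "orion.exe", "dest": "license.vendor.example"},
    {"process": "av_agent.exe", "dest": "defs.av.example"},
]

# Constructed monitoring window; `payload` stands in for the inspected content.
OBSERVED = [
    {"process": "orion.exe", "dest": "updates.vendor.example", "payload": ""},
    {"process": "orion.exe", "dest": "api.unknown-cdn.example",
     "payload": "CONFIDENTIAL CUST-004512 export"},
    {"process": "av_agent.exe", "dest": "defs.av.example", "payload": ""},
    {"process": "outlook.exe", "dest": "mail.corp.example",
     "payload": "lunch at noon, ticket 1234567 ref"},
]

# A catch-all rule of the kind that floods analysts: any run of six or more digits.
BROAD_PATTERN = re.compile(r"\d{6,}")
# A narrow rule tied to this organization's own markers (assumed): a
# classification label, or its customer-record identifier format.
NARROW_PATTERN = re.compile(r"\bCONFIDENTIAL\b|\bCUST-\d{6}\b")


def build_baseline(events):
    """Map each trusted process to the set of destinations it normally contacts."""
    base = defaultdict(set)
    for e in events:
        base[e["process"]].add(e["dest"])
    return dict(base)


def new_destinations(baseline, observed):
    """Connections from a baselined (trusted) process to a never-seen destination."""
    return [(e["process"], e["dest"]) for e in observed
            if e["process"] in baseline and e["dest"] not in baseline[e["process"]]]


def dlp_hits(observed, pattern):
    """Transfers whose content matches the given DLP pattern."""
    return [(e["process"], e["dest"]) for e in observed if pattern.search(e["payload"])]


def review(baseline_events=BASELINE, observed=OBSERVED):
    """Return the new-destination alerts plus both DLP rule outputs for comparison."""
    baseline = build_baseline(baseline_events)
    return {
        "new_destinations": new_destinations(baseline, observed),
        "broad_dlp_hits": dlp_hits(observed, BROAD_PATTERN),
        "narrow_dlp_hits": dlp_hits(observed, NARROW_PATTERN),
    }


if __name__ == "__main__":
    for name, hits in review().items():
        print(f"{name}: {hits}")
```

The only new-destination alert comes from the trusted monitoring agent reaching a host it has never contacted; the broad rule also fires on an ordinary ticket number in mail, while the narrow rule fires only on the labeled customer record leaving through that same unexpected connection.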
3. Conduct Vulnerability Assessments and Penetration Testing Every Quarter
Security is a moving target. Organizations are always trying to stay one step ahead of the bad guys with threat hunting, threat intelligence, and more. One of the best ways to protect your organization against threats is to fully understand (and fix) any vulnerabilities.