Tag Archive for: Mike Lloyd

The List of Known SolarWinds Breach Victims Grows, as Do Attack Vectors

Data Center Knowledge | December 23, 2020


The SolarWinds breach story continues to get worse.

The list of known victims now includes US departments of Commerce, Defense, Energy, Homeland Security, State, the Treasury, and Health.

More worrisome for those responsible for cybersecurity at enterprise data centers, however, are the technology vendors that allowed the compromised SolarWinds Orion software into their environments.

Lessons for All of Us From the SolarWinds Orion Compromise

All cybersecurity news events, like the recent disclosure of compromise involving SolarWinds Orion by APT 29, aka “Cozy Bear,” cause CISOs to ask the same initial questions:

  • Do I have this problem?
  • Where?
  • What are the consequences?

In this instance, the attack is extremely sophisticated, and quite alarming – it’s a supply chain attack, involving compromise of a widely used and trusted monitoring product.  This adds a lot of pressure to these questions.  As organizations are scrambling to respond, we wanted to publish some suggestions here, as a resource.  In discussions with our customers, many of whom have been impacted by this compromise, we find there is a common playbook, as follows:

  • Step 1: Do I have SolarWinds Orion?
  • Step 2: Where is it, in the context of my network?
  • Step 3: What is it capable of accessing or controlling?
  • Step 4: Fix Orion, or take it offline (if subject to the CISA Emergency Directive)
  • Step 5: Block unwanted access to or from SolarWinds Orion, to the extent possible
  • Step 6: For all assets SolarWinds could reach, reset them to known good state

This is an arduous journey. RedSeal can be one of your supporting resources. It is especially helpful in the middle stages – steps 2, 3, and 5 in the above playbook.

Specifically, for Step 2, a RedSeal network map can help you locate the hostnames or addresses of your SolarWinds Orion software.  One large customer of ours had well over 100 distinct addresses with this software installed. Your total is likely to be lower, but still may be more than just a single location.  Mapping out where they all are is a starting point, before heading in to the deeper stages.

Note also, in Step 2, that RedSeal’s L2 mapping capability may be helpful, since you can locate the nearest switch port to any given endpoint.  This may be helpful if you need to abruptly terminate network access, or decide to monitor span traffic closely.  (If you have not previously set up L2 mapping, we would not recommend this as a tactical step in your response, because the data gathering setup would take some time, but if you already have the data in place, this is a good time to use it, as an aid to shutting down any inappropriate activity.)

In Step 3, it’s important to know what a compromised instance of the monitoring product could reach.  Sadly, because this is a widely trusted product, whose whole purpose is to give you wide visibility, in most networks this turns out to be a large space.  We have had customer reports of a “blast radius” of endpoints well into 6 figures.  Figuring this out by hand is absurdly difficult – far better to automate the search.  In RedSeal, this involves an Access Query, from your SolarWinds Orion instances, out to the wider network.  Just be prepared – the query may be so large that RedSeal will prompt you to make sure you want that much data in one go.  If it’s not manageable, you may prefer to break the query into regions – “What can Orion reach in New York?”, or “in my Amazon fabric”, and so on.

For step 5, blocking unwanted access from SolarWinds Orion to the Internet, RedSeal’s capability to define Zones and Policies may be helpful.  As a first step, a Zone containing your SolarWinds Orion endpoints, and another Zone of Internet, can be used to investigate what access is already possible.  Unfortunately, this may be quite wide, since you may actively be using Orion to monitor cloud fabric and you may want to permit access for software updates (even though, ironically, this was the method originally used in the compromise – but subsequently addressed).  Still, before you can lock this down just to the access you feel is necessary, it can help to review what the current state is, and see what blanket restrictions might be possible, without removing any access pathways you need to keep open.
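As an added illustration (not RedSeal's code and not part of the original post), steps 2, 3 and 5 above modelled as a small zone-reachability query over a constructed inventory and rule set: locate the Orion hosts, compute the hosts a compromised instance can reach directly (the "blast radius") grouped by region, and list the permit rules that give an Orion zone direct Internet access. Every host name, zone and rule here is made up; `max_hops=None` goes beyond the direct-access query in the text and follows rules transitively.

```python
from collections import defaultdict, deque
# Constructed sample inventory (not real data): host -> (zone, region, software)
HOSTS = {
    "orion-ny-01":  ("mgmt-ny",  "New York",      "SolarWinds Orion"),
    "orion-ny-02":  ("mgmt-ny",  "New York",      "SolarWinds Orion"),
    "db-ny-01":     ("db-ny",    "New York",      "PostgreSQL"),
    "web-ny-01":    ("dmz-ny",   "New York",      "nginx"),
    "orion-aws-01": ("mgmt-aws", "Amazon fabric", "SolarWinds Orion"),
    "app-aws-01":   ("app-aws",  "Amazon fabric", "app server"),
    "hr-ldn-01":    ("corp-ldn", "London",        "HR portal"),
}
# Constructed zone-to-zone permit rules; "internet" is modelled as a zone too.
RULES = {
    ("mgmt-ny", "db-ny"), ("mgmt-ny", "dmz-ny"), ("mgmt-ny", "mgmt-aws"),
    ("mgmt-ny", "internet"), ("mgmt-aws", "app-aws"),
    ("dmz-ny", "internet"), ("corp-ldn", "db-ny"),
}
def find_instances(hosts, software="SolarWinds Orion"):
    """Steps 1-2: every host running the product, with its zone and region."""
    return {h: v for h, v in hosts.items() if v[2] == software}

def reachable_zones(rules, start_zones, max_hops=1):
    """BFS over permit rules; max_hops=1 is direct access, None is transitive."""
    adj = defaultdict(set)
    for src, dst in rules:
        adj[src].add(dst)
    seen, queue = set(start_zones), deque((z, 0) for z in start_zones)
    while queue:
        zone, hops = queue.popleft()
        if max_hops is not None and hops >= max_hops:
            continue
        for nxt in adj[zone] - seen:
            seen.add(nxt)
            queue.append((nxt, hops + 1))
    return seen

def blast_radius(hosts, rules, software="SolarWinds Orion", max_hops=1):
    """Step 3: non-Orion hosts a compromised instance can reach, by region."""
    instances = find_instances(hosts, software)
    zones = reachable_zones(rules, {z for z, _, _ in instances.values()}, max_hops)
    by_region = defaultdict(list)
    for host, (zone, region, _) in hosts.items():
        if zone in zones and host not in instances:
            by_region[region].append(host)
    return dict(by_region)

def internet_rules(hosts, rules, software="SolarWinds Orion"):
    """Step 5: permit rules that let an Orion zone reach the Internet directly."""
    orion_zones = {z for z, _, _ in find_instances(hosts, software).values()}
    return sorted(r for r in rules if r[0] in orion_zones and r[1] == "internet")
```

Splitting the query per region, as the text suggests, is just filtering the returned dictionary by its region key.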

Hopefully this overview is of use, as a playbook of the common steps we are seeing.  If we can be of any assistance as you work through the cleanup of this incident, please don’t hesitate to get in touch.

Download: A step-by-step guide for using RedSeal to respond

RedSeal customers: Take advantage of our complimentary Sunburst Exposure Assessment.

Not a customer yet? Contact us at info@redseal.net to explore how we can help.

Network Middle East: The Next Big Thing in Security

Network Middle East | December 2020 (Page 29)

Dr. Mike Lloyd, CTO at RedSeal, on “the next big thing in security”

We are in unprecedented times and no one can truly predict what lies ahead. What we do know is that threat actors are on the lookout for vulnerabilities, and the sudden move to remote operations may have left loopholes that they can leverage. We sat down with security experts to understand how the security landscape may shape up next year.

Tool Sprawl – The Cybersecurity Challenge of 2021

Solutions Review | December 14, 2020

It’s not news that the pace of change in IT is extremely fast. What’s less well-known is the downside — tool sprawl. IT teams innovate at a breakneck pace, picking up whatever innovations suit their immediate needs. Security, in contrast, must protect the old applications that are still around, plus the new ones, plus the different platforms those new applications are built on. It creates a juggling challenge – how many different technologies can your security team juggle at once? If you have too many, how do you decide which are most important and which you must drop?

Top 20 Predictions Of How AI Is Going To Improve Cybersecurity In 2021

Forbes | December 5, 2020

Bottom Line: In 2021, cybersecurity vendors will accelerate AI and machine learning app development to combine human and machine insights so they can out-innovate attackers intent on escalating an AI-based arms race.

Pets vs cattle: How to get cloud and DevOps security right

ITProPortal | September 25, 2020

A look at security, both on-premise and in the cloud.

By Dr. Mike Lloyd

In a world as nebulous as cloud computing and DevOps, analogies can sometimes help us to think more clearly. The idea of “pets versus cattle” was first used nearly a decade ago to help delineate the difference between traditional on-premises IT and the cloud, and has become a firm favorite in the DevOps community ever since. But there are also lessons here for cybersecurity teams, as long as they’re able to see through the limits of the analogy and understand where the main challenges are.

Don’t believe the hype: AI is no silver bullet

Computer Weekly | August 7, 2020

We want to believe AI will revolutionise cyber security, and we’re not necessarily wrong, but it’s time for a reality check

Chief information security officers (CISOs) looking for new security partners must therefore be pragmatic when assessing what’s out there. AI is helpful, in limited use cases, to take the strain off stretched security teams, but its algorithms still have great difficulty recognising unknown attacks. It’s time for a reality check.

3 Ways Social Distancing Can Strengthen your Network

Dark Reading | July 31, 2020

Security teams can learn a lot from the current pandemic to make modern hybrid business networks stronger and more resilient. Here’s how.

We all know the role social distancing plays in combating COVID-19. Most people also understand why this is our primary line of defense; it’s about slowing down the progress of the disease to prevent our healthcare defenders from being overwhelmed. Today’s network security teams live in a similar shifting landscape and need to apply these same ideas to avoid getting overwhelmed. Here are three tactics to help “social distance” your network.

Tactic 1: Focus on Flare-ups

Protect Your Business And Your Remote Staff From Hackers With These 16 Strategies

Forbes Technology Council | July 7, 2020

9. Double-check remote access.

It’s time to double-check the security of your remote access. The rapid shift to working from home meant fast-paced change with intense pressure to get things working immediately. This is a perfect recipe for new security gaps and oversights. Map your network and make sure you’ve only opened up the access you wanted and nothing more. – Mike Lloyd, RedSeal

13 Things Tech Leaders Need To Do To Prepare For Decentralization

Forbes Technology Council | June 30, 2020

3. Remain in control with automation.

“Decentralized” should not mean “out of control.” You still need controls between your crown jewels and your users (both wanted and unexpected). The old medieval castle model didn’t work, but this means there are more perimeters everywhere now. You need automation to keep up and verify you’re only allowing the right access. You’re the mayor of a digital city, not the guard of a stone fort. – Mike Lloyd, RedSeal