The SolarWinds breach wasn’t an ordinary attack. It was a highly sophisticated nation-state-level attack that used connected IT supply chains to infect thousands of organizations at once by compromising a service update with malware.
The SolarWinds case should highlight for security and business leaders another critical aspect of security: trust in B2B partners. Sadly, this trust is often overlooked and taken for granted.
Organizations rely on partnerships for almost every aspect of their business, and technology is no exception. When selecting a technology partner, some form of due diligence should be conducted before engaging, depending on the scope of the engagement, the potential exposure, and the organization’s appetite for risk.
In the world of cybersecurity, however, a one-time ‘check at the entrance’ approach to trust and due diligence has its limits.
Take software updates. This type of update requires trust by definition. The client selects the vendor once, and then installs the updates as they come, trusting the vendor. SolarWinds is no exception: the updated code came signed by SolarWinds. In practice, it’s impossible to check every update and wait for it to be declared secure - even more so when many of these updates consist of security patches, which should be installed immediately in order to minimize risk.
Looking forward, digital B2B partner connectivity is intensifying. Moving to cloud environments, product ecosystems and open everything, B2B data exchange is becoming a key business enabler. For many companies, it actually becomes the business. As a result, protecting partner connectivity is becoming a pillar of the security strategy.
It no longer matters if the B2B partner’s software is installed inside your network (as with SolarWinds) or interacts with it from the outside using APIs. The outcome is the same: an authorized and authenticated partner, with privileges, can become a backdoor. That often happens without proper visibility, monitoring, logging, and controls.
Security leaders should work under the assumption that a partner is already compromised.
The key challenge with B2B partners is that they are authorized users with proper credentials. Therefore, many existing security solutions aren’t useful because the attacker is not an outsider trying to gain access, but rather an authorized user with privileges who is creating havoc from the inside.
Moreover, given the nature of their relationship with the organization, the tendency is to trust partners more than plain users. Partners have a reputation and track record, and we tend to confuse their integrity with trust.
When it comes to partners, access controls are not enough, since the partners may have been unwittingly compromised. We must extend our built-in skepticism to continuously monitor their behavior while inside, as well as dedicate protection to limit exposure to data theft.
Establishing a ‘Zero Trust’-like approach with B2B partners can help generate visibility and provide protection against unknown attack scenarios. Effectively identifying subtle anomalies can provide that valuable trigger to investigate deeper, potentially identifying a compromised partner before they even know they have been hacked.
In today's API-enabled applications, detecting and blocking a potential breach is possible by monitoring the normal usage patterns and alerting on anomalies. While the SolarWinds breach wasn’t a dedicated API-specific attack, there were outgoing and incoming API calls from the malicious software; as FireEye noted, “The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications.”
Consider what the outcome might have been if organizations had been able to identify the abnormal interactions between the compromised software and other services by monitoring the internal APIs.
The first step for enabling such protection is to move from analyzing only the metadata of traffic to analyzing all data. Every transaction needs to be reviewed, learned, and analyzed to form an understanding of what the functionality is and how the partner engages with it over time.
Zero-day attacks have no known signature, only a breadcrumb trail that can be detected through rigorous screening of each transaction. This can generate a valuable level of protection against attackers already inside your network or application.
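As an added illustration (not from the original article, and not any vendor's product): a per-partner behavioral baseline learned from a window of normal API transactions, then applied to new events so that a valid, authenticated partner identity calling a route it never used, reaching a new outbound host, or moving far more data than usual is flagged for investigation. The event fields and all sample values are constructed.

```python
from collections import defaultdict
# Constructed sample events, not real SolarWinds or partner traffic. Each record
# is one API transaction: the partner identity that called, the route, the host
# the integration then connected to outbound, and the payload bytes that left.
# Field names are assumptions made for this example.
BASELINE_EVENTS = [
    {"partner": "billing-svc", "method": "GET", "path": "/v1/invoices", "outbound_host": "api.billing.example", "bytes_out": 2100},
    {"partner": "billing-svc", "method": "POST", "path": "/v1/invoices", "outbound_host": "api.billing.example", "bytes_out": 3400},
    {"partner": "monitor-agent", "method": "GET", "path": "/v1/health", "outbound_host": "telemetry.vendor.example", "bytes_out": 300},
    {"partner": "monitor-agent", "method": "GET", "path": "/v1/health", "outbound_host": "telemetry.vendor.example", "bytes_out": 310},
]
NEW_EVENTS = [
    # Normal: same route, same destination, usual payload size.
    {"partner": "monitor-agent", "method": "GET", "path": "/v1/health", "outbound_host": "telemetry.vendor.example", "bytes_out": 305},
    # Suspicious: valid partner credentials, but a route this identity has never
    # used, a new outbound destination, and a payload far above its norm.
    {"partner": "monitor-agent", "method": "GET", "path": "/v1/customers/export", "outbound_host": "cdn-updates.example.net", "bytes_out": 48000},
]

def learn_baseline(events):
    """Per-partner profile: routes used, outbound hosts seen, largest payload."""
    profile = defaultdict(lambda: {"routes": set(), "hosts": set(), "max_bytes": 0})
    for ev in events:
        p = profile[ev["partner"]]
        p["routes"].add((ev["method"], ev["path"]))
        p["hosts"].add(ev["outbound_host"])
        p["max_bytes"] = max(p["max_bytes"], ev["bytes_out"])
    return profile

def score_event(profile, ev, size_factor=4):
    """List every way one transaction departs from its partner's baseline."""
    p = profile.get(ev["partner"])
    if p is None:
        return ["unknown partner identity"]
    reasons = []
    if (ev["method"], ev["path"]) not in p["routes"]:
        reasons.append("route never used by this partner")
    if ev["outbound_host"] not in p["hosts"]:
        reasons.append("new outbound destination")
    if ev["bytes_out"] > size_factor * p["max_bytes"]:
        reasons.append("payload size exceeds baseline")
    return reasons

def detect(profile, events):
    """Return (index, reasons) for each event that deviates from its baseline."""
    scored = [(i, score_event(profile, ev)) for i, ev in enumerate(events)]
    return [(i, r) for i, r in scored if r]
```

In a real deployment the baseline would be relearned over a rolling window and the flagged transaction would feed an investigation queue rather than an automatic block, so that a partner's legitimate new feature is not silently broken.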
If there’s one thing we can learn from SolarWinds, it’s that when your partner is compromised, you are compromised. The weakest link in your security chain has shifted from the perimeter to your distributed workforce, assets and devices, and now on to your partners.
Ensuring your organization's data is protected in the event a partner is breached is not an option - it is a necessity.
Your partners should be a door to new opportunities, not a backdoor to your network.