In this two-part blog series, we will explore what defense in depth looks like in the modern cybersecurity era by using the impact of the SolarWinds hack as an example, along with the lessons learned about data exfiltration, network security, device monitoring, and log analysis.
We will also talk about what data security really means and explain why a change in thought patterns can make a huge difference in your organization’s security. After all, an organization needs its systems and data to be available so that employees can perform their jobs and the company can operate normally. But if you can’t do that with the necessary level of confidentiality and data integrity, what good is an available system?
What is Defense in Depth?
First, a definition: defense in depth is an information security concept in which layers of security controls are placed throughout an IT system to provide redundancy when a vulnerability is exploited, or a security control fails. Think about it like the layers of an onion; once you make it through one layer, there is another layer that is just as robust waiting for you.
Security Moves from On-Prem & Into the Cloud
Not that long ago, people didn’t give a lot of thought to security because everything was on-prem and the office and data center walls constituted the security perimeter. To a lot of companies, VPNs, firewalls, and passwords were all the security they’d ever need. Then cloud technology forced a massive, rapid wave of innovation. When the data center perimeter went away and everyone started moving to the cloud, people realized that new prevention tools were necessary. Suddenly, there were a lot more avenues for bad actors to try.
A common misconception is if it’s in the cloud, it’s the cloud-provider’s problem. Nothing could be further from the truth. The shared-responsibility model is tricky. How do you outline and define it? And then how do you make it compatible with your existing cybersecurity program?
Let’s not sugarcoat this: Cybersecurity concepts and the concept of defense in depth have been around for a long time, but the move to the cloud has made them more important than ever. Bad actors have been out there for a while. Over the past few years, their numbers and their sophistication have massively increased. And unfortunately, COVID-19 has made things go from bad to worse.
Components of the CIA Triad in cybersecurity and their importance
Confidentiality, Integrity, and Availability, a.k.a. the CIA Triad, are the bedrock principles that guide security experts when they focus on protecting data.
Of these three concepts, Availability is the easiest one to understand. Put simply, “Can the people who need access to the data, get access to the data right now?” If your information is available, i.e., if your webpage is up, everybody’s happy.
Confidentiality is tougher. In terms of modern security, protecting your data is just as important as making sure it’s available to the right people. Systems need to be designed so that the proper people get access to the data they need. This is doubly critical with sensitive data such as PII or financial data.
Often, the Confidentiality discussion ends up being about privileged users versus standard users. If you’re an executive, are you willing to forego some confidentiality? Probably not. As a matter of fact, you would probably want even more confidentiality. However, what if you are a database administrator? Can you work with data without accessing it? Does a DBA qualify as a privileged user in this case?
Finally, Integrity. This simply means that the data stored in a system remains as it was when it was entered into the system. It is a measure of trustworthiness. Data needs to be measured and monitored, in motion and at rest, to be sure that it remains in a valid state. Human error, system mistakes, and bad actors can all alter data in place. It is the job of the modern cybersecurity expert to make sure that this does not happen.
A lesson to learn from the SolarWinds hack
As we all know, SolarWinds ended up in a situation where compromised DLL files made it into their Orion remote management software. This compromised version of Orion then got pushed out to very large customers, including global corporations and US federal government agencies, as part of standard upgrade procedures. The software silently updated, bringing malware directly into the data centers of hundreds of businesses and allowing the attackers to execute additional hacks from inside the firewall and, in many cases, exfiltrate data.
This brings to light an interesting problem: we’re supposed to be focused on preventing attackers from getting in. But what about the data going back out? That’s what the SolarWinds malware was all about. Attackers were able to establish command and control through the malicious DLLs they implanted in Orion. This way, they were able to create a back door and view sensitive data, among other things. So why aren’t organizations paying more attention to the information leaving their network, and quantifying and identifying those flows? Continuous attention also needs to be paid to third-party software to verify its integrity and keep the attack surface from spreading.
Top priorities for modern cybersecurity
If you look at the general approach to cybersecurity, the priority is keeping the bad guys out and preventing a breach. Many organizations implement tools like firewalls, web proxies, ACLs, and VPNs, to achieve this. But this comes with its own baggage because there are a lot of moving parts in any external security shell.
A secure perimeter is Job #1; securing everything else is Job #2. The success of the SolarWinds hack shows the consequences of a lack of defense in depth. Companies had spent so much time hardening their perimeter that they completely let the security of their internal systems (and the communication lanes between those systems) fall by the wayside. We’ve all heard horror stories about massive companies that are secretly running on old Windows 2000 installations. “Well, it’s not on the internet,” they might find themselves saying, “What’s the big deal?”
And the servers themselves are just one example. There are usually no firewalls between systems, or between system classes, once you get beyond the perimeter. Additionally, there are usually no firewall rules that would be triggered by internet-bound traffic initiated from inside the perimeter.
Finally, let’s talk about Job #3: minimizing the damage in the event of a breach. The key is minimizing dwell time. In short, what is the lag between: a successful attack; that attack being identified; and that attack being mitigated?
Simple logging is no longer enough. There are myriad examples of companies affected by the SolarWinds hack who had plenty of logs showing malicious activity inside their networks, but since it was already past the perimeter, the logs simply weren’t given any attention. This allowed the hack to go on far longer than it needed to. Activity will show up in logs, but unless you’re actively analyzing them, you might not even know it is there.
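As an added illustration of the log analysis the text calls for (example code, not part of the original post), here is a small Python egress-log analyzer that flags the outbound behaviour that usually goes unexamined once traffic is already inside the perimeter: connections to destinations outside an allowlist, clock-regular check-ins from one host to one destination, and a single large upload. The log format, hostnames, addresses and thresholds are constructed assumptions for the example.

```python
# Added example (not from the original post): flag suspicious outbound
# activity in a constructed egress log. Format, hosts and thresholds are
# assumptions; adapt them to the proxy/firewall logs you actually have.
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines: "<ISO time> <source host> <destination> <bytes out>"
SAMPLE_LOG = """\
2021-01-04T09:00:00 mgmt-srv-01 203.0.113.10 512
2021-01-04T09:30:00 mgmt-srv-01 203.0.113.10 520
2021-01-04T10:00:00 mgmt-srv-01 203.0.113.10 508
2021-01-04T10:30:00 mgmt-srv-01 203.0.113.10 515
2021-01-04T10:31:00 mgmt-srv-01 203.0.113.10 52428800
2021-01-04T09:12:00 web-01 updates.example.net 2048
2021-01-04T14:47:00 web-01 updates.example.net 1900
"""
ALLOWED_DST = {"updates.example.net"}   # destinations servers may talk to
MIN_BEACONS = 4                          # connections needed to judge regularity
JITTER_TOLERANCE = 0.15                  # gap within 15% of the median counts as regular
EXFIL_BYTES = 10 * 1024 * 1024           # single-connection upload threshold

def parse(log):
    """Turn raw lines into (timestamp, src, dst, bytes) tuples."""
    conns = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        conns.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return conns

def analyze(log):
    """Return (src, dst, reason) findings for every source/destination pair."""
    findings = []
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in parse(log):
        by_pair[(src, dst)].append((ts, nbytes))
    for (src, dst), events in by_pair.items():
        if dst not in ALLOWED_DST:
            findings.append((src, dst, "unapproved destination"))
        events.sort()
        if len(events) >= MIN_BEACONS:
            # Beaconing: most gaps between connections cluster around the median.
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
            med = median(gaps)
            near = sum(abs(g - med) <= JITTER_TOLERANCE * med for g in gaps)
            if med > 0 and near / len(gaps) >= 0.75:
                findings.append((src, dst, f"beaconing every ~{int(med)}s"))
        if max(n for _, n in events) >= EXFIL_BYTES:
            findings.append((src, dst, "large upload"))
    return findings
```

Run against the sample, the management server is reported three times (unapproved destination, a 30-minute beacon, then a 50 MB upload) while the web server's update traffic produces no findings.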
Data is spread thinly across on-prem systems and cloud services, which significantly magnifies the attack surface. Cybersecurity needs to be baked in from the very beginning at every level. As the SolarWinds attack clearly illustrates, there is no safe zone on the company side of the firewall. Because of this, a defense in depth strategy with intelligent log monitoring and management must be the starting point for organizations addressing cybersecurity: it’s not a ‘nice to have!’
Defense in depth strategies need to be applied to modern networks to provide security. But defense in depth built only from preventive breach controls isn’t enough either. Even if attackers get in and can’t take or change anything, they can still establish command and control and take other actions. This gives them a long dwell time in which to communicate back and forth with the system and view data through the open line of communication they have created.
Keep an eye out for Part II of our blog, where we will review one specific security solution and detail its advantages.
Need help getting started? Check out Anexinet’s Cybersecurity solutions to learn how our multi-layered approach can help you detect, prevent, respond, and recover from security threats.
This blog series was co-authored by Dave Mahoney – Enterprise Architect at Anexinet, Chris Hayner – Infrastructure Enterprise Architect at Anexinet, and Bharath Vasudevan – Security Expert and Product VP at Alert Logic.