Yes to patching, but companies need to finally embrace zero-trust

Today’s columnist, Matt Glenn of Illumio, says attacks like the one on Colonial Pipeline combined with the Biden administration’s cybersecurity executive order pushed the industry to accept zero-trust. (Photo by Michael M. Santiago/Getty Images)

We may be two months away from Halloween, but the slew of cyberattacks that we’ve seen over the past six months is as bad as any horror story we’ve ever seen.

Let’s start with the devastating SolarWinds attack. In early 2020, hackers broke into SolarWinds, a Texas-based software provider. They added malicious code into the company's software program Orion, which was widely used by companies to manage IT resources. According to SEC filings, SolarWinds had 33,000 Orion customers – and SolarWinds later told the SEC that up to 18,000 of those customers had installed updates that left them vulnerable to the attack. Thanks to the large-scale supply chain attack, which went undetected for months, foreign hackers were able to spy on and gain critical intelligence about private companies and the U.S. federal government. We’re still unsure of – and the public will likely never fully know – how much critical information they saw.

Fast forward to March where Microsoft detected multiple zero-day exploits that were used to attack versions of the Microsoft Exchange Server. It was widely reported that more than 30,000 organizations in the U.S. were attacked as hackers used several Exchange vulnerabilities to gain access to email accounts and install web shell malware, giving the cybercriminals ongoing administrative access to the victims' servers.

Gartner analyst Peter Firstbrook explained that what the hackers were really looking for was a rich attack environment. In other words, their endgame wasn’t necessarily the on-premises servers they put web shells into at the start, but setting themselves up for future attacks on higher value targets those servers may be connected to. Another supply chain attack horror story for the books.

Next, we saw the economic impact of the Colonial Pipeline cyberattack, which temporarily halted operations for the nation’s largest pipeline system for moving gasoline and diesel.

After learning about the incident, Colonial Pipeline proactively took certain systems offline to contain the threat – which temporarily halted all pipeline operations and ultimately left about 45% of the East Coast's fuel supply chain temporarily stunted. And then, another supply chain was attacked through ransomware – our beef supply via JBS, the world’s largest meat supplier.

Patching alone won’t keep companies secure

The industry has long viewed patching as an industry best practice and fundamental to any mature approach to cybersecurity. In fact, it’s the very least that software vendors can (and should) do continuously to protect their customers and supply chains against the world of evolving and maturing threats.

But what incidents like SolarWinds, Exchange, and Colonial Pipeline taught us was that organizations need to supplement their detection-based cybersecurity solutions – endpoint detection and response (EDR) and firewalls – and retroactive patching with a proactive cybersecurity framework that fills the gap in the middle. Remember, a detection solution needs to detect a novel attack every single time, while a bad actor just needs to get in once. The odds are in the bad actor’s favor.

There needs to be a middle ground between focusing on only keeping the bad guys out and reacting once they get in. That middle ground: a zero-trust approach to cybersecurity.

Turn Plan B into Plan A

Forrester publicized the term zero-trust more than a decade ago, although it’s just now starting to see widespread industry and market adoption. A recent blog by Forrester analyst Steve Turner puts it best: “zero-trust is not one product or platform; it’s a security framework built around the concept of ‘never trust, always verify’ and ‘assuming breach.’”

In the post-COVID-19 world, the global zero-trust security market was projected to grow from $19.6 billion in 2020 to $51.6 billion by 2026. Moreover, the federal government took steps to make adopting a zero-trust architecture a private and public sector best practice – most recently underlined by the Biden administration's Executive Order on improving the nation’s cybersecurity.

Ransomware attackers, malware threats, and nation state actors aren’t one size fits all. That’s why both public and private organizations are starting to recognize that they need to bolster detection products with a framework that accounts for the misses, the losses, and the gaps. In other words, it’s no longer enough to say an organization protects against 99% of attacks if that 1% is as catastrophic as SolarWinds. And it’s no longer enough to fill in the gaps retroactively. Companies looking to create cyber resiliency need to assume that the bad guys are already in their systems – because if they haven’t infiltrated the supply chain yet, they soon will.

Get started with zero-trust

Think of zero-trust as a framework, a philosophy, and a strategy that’s only as good as its implementation and upkeep. There are four primary steps to getting started with zero-trust. First, identify all company data: knowing what and where the sensitive data resides will help protect the environment and kick off a successful zero-trust strategy.

Second, discover the traffic patterns and define corporate policy controls. Once the security team sees and understands the traffic, it becomes easier to create a zero-trust architecture policy with a default-deny standard rule. Third, enforce the company’s policy. This will look different depending on the zero-trust toolkit and which vendors the company uses.

Finally, monitor and maintain. It takes a consistent effort to keep and maintain an enterprise security implementation. Remember that a zero-trust architecture is not a technology, but a framework. It’s also a journey – it will take time.
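The four steps above, reduced to a small working model as an added example (not Illumio's product or the author's code): the asset inventory, the observed flow records and the IP addresses are all constructed for illustration, and the policy is assumed to cover only the sensitive assets identified in step one.

```python
"""Constructed model of the four zero-trust steps: identify sensitive assets,
discover traffic and derive a default-deny allowlist, enforce it, then monitor
new flows for violations. All addresses and flows below are made up."""
from collections import defaultdict

# Step 1: identify where sensitive data lives (constructed inventory).
SENSITIVE_ASSETS = {"db-payroll": "10.0.2.10", "db-customers": "10.0.2.11"}

# Step 2: flows seen during discovery, as (src_ip, dst_ip, dst_port). Constructed.
OBSERVED_FLOWS = [
    ("10.0.1.5", "10.0.2.10", 5432),   # hr-app -> db-payroll
    ("10.0.1.6", "10.0.2.11", 5432),   # crm-app -> db-customers
    ("10.0.1.5", "10.0.2.10", 5432),   # repeat of a legitimate flow
    ("10.0.1.5", "10.0.3.20", 443),    # not to a sensitive asset; ignored here
]


def build_allowlist(flows, sensitive_assets):
    """Turn the observed flows that reach a sensitive asset into explicit allow
    rules keyed by destination. Anything absent from the result is denied."""
    protected = set(sensitive_assets.values())
    rules = defaultdict(set)
    for src, dst, port in flows:
        if dst in protected:
            rules[dst].add((src, port))
    return dict(rules)


def evaluate(rules, flow, protected):
    """Step 3: enforce. A flow to a protected asset is allowed only if an
    explicit (source, port) rule exists; otherwise the default-deny rule fires.
    Flows to non-protected destinations are out of this policy's scope
    (assumption: only sensitive assets are segmented in this model)."""
    src, dst, port = flow
    if dst not in protected:
        return "allow"
    return "allow" if (src, port) in rules.get(dst, set()) else "deny"


def monitor(rules, new_flows, protected):
    """Step 4: monitor. Return the flows the policy denied so they can be
    alerted on and reviewed; a legitimate new app shows up here too, which is
    the signal to revisit the allowlist rather than weaken the default."""
    return [f for f in new_flows if evaluate(rules, f, protected) == "deny"]
```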

SolarWinds, Exchange and Colonial Pipeline are just a few examples of the dangers posed by a failure of trust – a failure of over-trusting our networks, supply chain, and critical infrastructure, when we know that most federal IT assets are antiquated and vulnerable, and bad actors are only getting more creative.

For companies to stay resilient to the next wave of threats and attacks, we must learn from our past. That begins not just with patching quickly and ramping up on external defenses, but by adopting zero-trust strategies now – within the organization and across the supply chain. In a world where we’re all interconnected, we all need to do our part to keep each other secure – we all need to implement a zero-trust strategy.

Matt Glenn, senior vice president, product development, Illumio
