Why is it so difficult for organizations to implement zero-trust practices? As demonstrated by the SolarWinds attack, as well as many other breaches since, security leaders often overlook windows into an organization that can be leveraged for an attack.
As Microsoft’s director of identity security, Alex Weinert had a front-row seat to the investigation and aftermath of the attack. In an interview with SC Media’s Deputy Editor Bradley Barth, he called it the most sophisticated attack he or anyone on his team had ever seen up to that point.
The principles of zero trust are sound, he said, but chief information security officers do not necessarily define the scope properly. SolarWinds was one of numerous attacks that infiltrated the supply chain, proving that a zero-trust model must go well beyond the confines of an enterprise network.
“Your vendor is fair game. Your service accounts are fair game. Your legacy applications that you've been running forever are fair game. The contractors that you hire are fair game. All of these things were used as vectors into organizations,” Weinert said.
The lessons? He suggests verification models for vendors and contractors to ensure their products and services are trustworthy.
“We don't want the verification to simply not happen, which is what was happening here,” he said.