A concerning aspect of this attack is that security companies were a clear target.
Some cybersecurity experts are questioning the conclusion and advice from Microsoft regarding the internal impact of the massive SolarWinds hack.
Microsoft said none of its systems was used to attack others during the SolarWinds hack, and that it found no evidence of access to its production services or customer data.
Vasu Jakkal is Microsoft’s corporate vice president of security, compliance and identity. She said security companies were a clear target.
“Microsoft, given the expansive use of our productivity tools and leadership in security, of course was an early target,” she said.
The espionage campaign has heavily impacted the federal government and cybersecurity industry. Russian hackers reportedly carried out the attack.
Limiting the Scope
This highly sophisticated nation-state actor was able to “breach the gate” at Microsoft, Jakkal said. However, a “unified team of human and digital defenders” met the attacker.
“There are several reasons why we were able to limit the scope and impact of this incident for our company, customers and partners,” she said. “But ultimately, they all boil down to a few fundamental ways we approach security. We believe these approaches represent an opportunity for all IT and security teams as we collectively navigate a rapidly evolving and sophisticated threat landscape.”
A key action is adopting a zero-trust architecture, Jakkal said. It’s also important to embrace cloud and “layer up, no matter who your security vendors are.”
Moreover, Microsoft encourages every company, of every size, to work with the community to share information, strengthen defenses and respond to attacks.
Brandon Hoffman, Netenrich’s CISO, said Microsoft’s conclusion comes as a surprise and seems to conflict with other messages it has shared.
“As the incident response has continued, it seems they were finding more and more areas affected by the SolarWinds issue,” he said. “The fact that the investigation has concluded rather suddenly is an interesting move.”
Earlier, Microsoft reported the hacker group accessed Microsoft source code, the human-readable instructions from which its programs are built.
“Likewise, interesting is the advice on zero trust,” Hoffman said. “From a certain perspective, it’s not clear that taking a zero-trust stance would have prevented this issue. It would have potentially avoided some of the damage. However, it’s not clear that zero trust would have prevented the initial attack vector.”
The call to embrace cloud and strengthen community sharing feels a bit short, Hoffman said. That’s because these are platitudes the security industry has been evangelizing for many years.
Zero Trust ‘Misleading’
Dirk Schrader is global vice president of New Net Technologies.
“Microsoft is right in stating that security companies are a clear target for upstream attacks where malicious code is embedded into the products deployed across a large number of customers,” he said. “A clean source approach, validating the steps from development to delivery, covering feeds like those in antivirus or threat intelligence solutions, is the way to go for vendors.”
A zero-trust plan seems like a good idea at first sight, but is misleading here, Schrader said.
“The Solorigate incident isn’t about a user who should not be trusted; it is about the sourcing itself,” he said. “The same is valid for the recommended embracing of cloud and IaaS, which again is about trust. Nevertheless, strengthening the community of defenders is a good thing. And joining Microsoft’s community is one place of many to do so.”
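The “clean source” check Schrader describes, validating what leaves the build against what arrives at the customer, can be sketched in a few dozen lines. The following is an added example written for this page, not code from Microsoft, New Net Technologies or any vendor: the release step records a SHA-256 digest of every build output in a manifest and authenticates that manifest; the delivery side recomputes digests over the artifacts it actually received and refuses anything missing, extra, or modified. All file names, contents and the key are constructed for the example, and the HMAC stands in for a real asymmetric release signature.

```python
"""Added example: a minimal build-to-delivery integrity check (stdlib only).

The release team digests each build output into a manifest and authenticates
it. Downstream (packaging, a CDN, a customer's update client) recomputes
digests over the delivered bytes and compares. Names, contents and the key
below are constructed for the example; HMAC is a placeholder for a real
asymmetric signature on the manifest.
"""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict[str, bytes]) -> dict[str, str]:
    """Digest every build output by name; run at the end of the build step."""
    return {name: sha256_hex(data) for name, data in sorted(artifacts.items())}


def sign_manifest(manifest: dict[str, str], key: bytes) -> str:
    """Authenticate the manifest so the delivery side can trust its contents.
    Canonical JSON keeps the MAC independent of dict ordering."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_manifest(manifest: dict[str, str], mac: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), mac)


def verify_delivery(manifest: dict[str, str], delivered: dict[str, bytes]) -> list[str]:
    """Compare delivered artifacts against the build manifest.
    Returns sorted findings; an empty list means delivery matches the build."""
    findings = []
    for name, expected in manifest.items():
        if name not in delivered:
            findings.append(f"missing: {name}")
        elif sha256_hex(delivered[name]) != expected:
            findings.append(f"digest mismatch: {name}")
    for name in delivered:
        if name not in manifest:
            findings.append(f"unexpected artifact: {name}")
    return sorted(findings)


def check_release(manifest: dict[str, str], mac: str, key: bytes,
                  delivered: dict[str, bytes]) -> list[str]:
    """Full check: manifest authenticity first, then artifact by artifact."""
    if not verify_manifest(manifest, mac, key):
        return ["manifest authentication failed"]
    return verify_delivery(manifest, delivered)


# --- constructed sample data (not real files or keys) ---
RELEASE_KEY = b"constructed-release-key"  # stands in for a real signing key
CLEAN_BUILD = {
    "agent.dll": b"MZ...clean agent code...",
    "updater.exe": b"MZ...clean updater code...",
}
MANIFEST = build_manifest(CLEAN_BUILD)
MANIFEST_MAC = sign_manifest(MANIFEST, RELEASE_KEY)

# A delivery altered after the build step: a legitimate component with extra
# code appended, plus a file the build never produced.
TAMPERED_DELIVERY = {
    "agent.dll": CLEAN_BUILD["agent.dll"] + b"<inserted code>",
    "updater.exe": CLEAN_BUILD["updater.exe"],
    "helper.dll": b"MZ...not built by us...",
}

if __name__ == "__main__":
    print(check_release(MANIFEST, MANIFEST_MAC, RELEASE_KEY, CLEAN_BUILD))
    print(check_release(MANIFEST, MANIFEST_MAC, RELEASE_KEY, TAMPERED_DELIVERY))
```

One caveat a practitioner will want: a digest check proves only that the delivered bytes are the bytes the build produced. If the build environment itself is compromised, the manifest faithfully describes a poisoned artifact, so the build step needs its own controls (for example, reproducible builds compared across independent builders) before a manifest is worth signing.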
‘A Bit Self-Serving’
Oliver Tavakoli, Vectra’s CTO, said Microsoft’s advice to embrace the cloud can appear “a bit self-serving” because it makes a lot of money delivering cloud services.
“The better advice would be that if you are using the cloud, you should embrace security tools which understand the attack surface inherent in such a cloud deployment,” he said.
The advice of moving from on-premises identity to cloud identity is good, Tavakoli said.
“Too many organizations have straddled these two worlds with their identity strategy for far too long,” he said. “And it has recently become evident that attackers are taking advantage of such hybrid identity models.”
Kevin Dunne is president of Greenlight Technologies. He said Microsoft’s conclusion marks the first step in the process of the security community recovering from the SolarWinds hack.
“This attack highlighted the need to reconsider trust at all levels of the security supply chain – even in terms of trusting updates from long-tenured, legitimate suppliers,” he said. “Microsoft’s recommendations are tangible, appropriate actions that all organizations can take to move their infrastructure to the cloud and implement a zero trust security policy.”
More time spent investigating means reduced time to detect and remediate breaches, Dunne said.