Tech

Industry urges agencies to accelerate zero trust adoption after SolarWinds hack

Zero-trust security couldn't stop the SolarWinds hack, but it could, and did, mitigate the damage, according to cyber experts.

By Dave Nyczepir

January 9, 2021

(Getty Images)

The SolarWinds hack could prove the spark that gets agency holdouts to adopt zero-trust security and hastens additional guidance from government, cybersecurity experts say.

Pandemic considerations delayed the National Institute of Standards and Technology‘s work on zero-trust reference architectures that will help agencies know what security tools to deploy.

Cyber experts hope that work will accelerate in the wake of one of the most serious incidents of digital espionage in U.S. history and that agencies will consult the special publication on zero trust that NIST finalized in August for the time being.

“We can’t see federal agencies kick this thing down the road anymore,” Stephen Kovac, vice president of global government and compliance at Zscaler, told FedScoop.

Zero trust could not have stopped the SolarWinds hack, which occurred when Russian hacking group APT29, or Cozy Bear, added source code into the tech company’s Orion software build process in a supply-chain attack. SolarWinds’ updating system was then used to push out malware compromising at least eight agencies.

But zero trust could, and did, mitigate that malware’s ability to spread across networks, cyber experts say.

“If SolarWinds would have happened a year ago or two years ago, I think agencies would have had a lot more consternation about it,” said Sean Frazier, federal chief security officer at Okta, in an interview.

Many agencies have started work improving their identity and access management, a component of zero trust, Frazier said.

But zero trust is a collection of solutions including cloud workload protection, micro-segmentation and secure access service edge (SASE) capabilities that provide agencies with full visibility and allow them to enforce consistent security policies across their networks.

Agencies with a zero-trust capability like SASE could’ve prevented malware from sending information out via the internet, but many agencies stop at one or two such capabilities. About 18,000 organizations were infected, though not all of them have seen malicious activity since.

“They’re kind of operating on the fly,” Kovac said. “They’re buying one solution and thinking they’ve got zero trust now.”

Agencies that haven’t already done so need to inventory the things on their network they care about, establish privileged accounts and multi-factor authentication for those things, and move identity and access management technologies to the cloud, Frazier said.

“I always think of the Star Wars movie, when they’re in the channel getting ready to blow up the Death Star, and they’re saying, ‘Stay on target. Stay on target,'” Frazier said. “That’s exactly what the situation is for zero trust: Don’t distract yourself; work on the basics.”

Other steps compromised agencies could have taken that would have mitigated the SolarWinds hack include preventing third-party vendor tools from having unnecessary privileges. SolarWinds “unfortunately” needs visibility across all the servers its software monitors, but compromised agencies could have restricted its access to the internet and limited it to only talking to its update infrastructure, said Deepen Desai, chief information security officer at Zscaler.

Agencies still would have been compromised by the SolarWinds update in that scenario, but their command-and-control infrastructure would’ve been protected.

Cloud workload protection, another zero-trust capability, could have identified anomalous activity faster when a SolarWinds server in a data center began connecting to unknown destinations, Desai said.

The concern now for agencies whose zero-trust architectures remain in their infancy is that the SolarWinds hack could have a ripple effect if another software vendor serving thousands of its own customers, including agencies, was compromised.

“If the nation-state actor has established persistence in their environment — and they’re able to do a similar supply chain attack using their supply chain infrastructure — then the possibilities are endless,” Desai said. “You will discover more and more similar types of scenarios in the coming months, as things get investigated in this Orion case.”