With SolarWinds Breach, ‘The Hackers Aren’t the Problem’
… build their own environments – and their clients’ – with such intricacy and depth that attackers will have to invest extensive time, energy, effort and skill to get the goods.
And most won’t. They will move on to an easier victim. So, Farajun said, outrun the tiger.
“It’s a race between you and your peer,” Farajun said. “It reminds us of the old joke about the safari and the tiger. You’re sitting under a tree and your friend says, ‘We can’t outrun this tiger.’ You say, ‘I don’t need to outrun the tiger; I just need to outrun you.’”
Observing the SolarWinds Attack From A Different Angle
Asigra comes at the SolarWinds breach from a different perspective than some other companies.
“We’re a backup vendor so we have a certain view of the market,” Farajun said. “And it’s that you’ve got to protect your backups.”
Not a lot of IT people do that “because they think [backup’s] just there and not an important application category to protect,” Farajun said.
Shock sets in when hackers take over unprotected backups. The bad guys then delete those files, “and when they know you can’t restore, you have to pay.”
Understand this: In the enterprise and SMB worlds, where most MSSPs specialize, cybercriminals have no regard for the information they steal. (This is not the case when it comes to government espionage.)
“Part of the problem is people think, ‘Why would anybody want my data?’” Farajun said. “They couldn’t care less about your data. All they know is you care. And once you care, you will pay.”
Ways MSSPs Can Outrun the Tiger
The effects of the SolarWinds breach still ripple throughout the industry. MSSPs cannot afford to grow complacent. Now is the time to make environments unappealing to attackers.
Start by not allowing your company or your customers to put all information in one place.
“Keep backup separate from the monitoring and management platform,” Farajun said.
After that, employ step-up multifactor authentication. This applies mainly to sensitive data, less so to everyday data. In this scenario, the deeper a user goes into files and folders, the more verification he or she has to provide to open the next level.
“It’s like you have locks on your front door, and on specific doors and windows, so [criminals] need different keys and ways to get in,” Farajun said.
The SolarWinds platform lacked those controls.
“Can you imagine how much harder it would have been for the Russians if there was step-up MFA on the RMM tool and they had to figure out approvers?” Farajun said. “That all becomes more expensive.”
Next, with authentication in place, appoint those aforementioned approvers. The MSSP itself should choose someone outside of the company. This could be a cyber insurance broker, for example. Your customers, though, should opt for you and/or their own cyber insurance provider. On that note, ask clients who gives the go-ahead for accesses and processes.
“It’s not good enough that it’s the CIO,” Farajun said. “You want to have multiple people outside the organization, like an MSSP, an auditor, an insurance firm — not just someone within the company.”
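As an added illustration (not code from the article, Asigra or any vendor named here), the Python example below combines the two controls described above: each folder level under a sensitive root demands one more verified factor, and the deepest level also requires approvals from distinct organizations outside the requester's own. The root path, factor names, thresholds and organization names are all assumptions constructed for the example.

```python
import posixpath
from pathlib import PurePosixPath

# All names and thresholds below are assumptions made for this example.
SENSITIVE_ROOT = PurePosixPath("/backups")
FACTOR_ORDER = ["password", "totp", "hardware_key"]
APPROVAL_DEPTH = 3     # folder depth at which approvers are required
APPROVER_QUORUM = 2    # distinct outside organisations that must approve


def depth_below_root(path):
    """Levels below SENSITIVE_ROOT; 0 for the root itself or everyday data."""
    # Normalise first so '..' or doubled slashes cannot understate the depth.
    clean = PurePosixPath("/" + posixpath.normpath(path).lstrip("/"))
    try:
        return len(clean.relative_to(SENSITIVE_ROOT).parts)
    except ValueError:
        return 0


def authorize(path, user_org, factors, approvals):
    """Return (allowed, missing) for one access request.

    factors:   set of factor names the session has already verified
    approvals: dict mapping approver name -> approver's organisation
    """
    depth = depth_below_root(path)
    # One more factor per level, capped at the number of factors defined.
    needed = FACTOR_ORDER[:min(1 + depth, len(FACTOR_ORDER))]
    missing = [f for f in needed if f not in factors]
    if depth >= APPROVAL_DEPTH:
        # Approvals from the requester's own organisation do not count.
        outside = {org for org in approvals.values() if org != user_org}
        if len(outside) < APPROVER_QUORUM:
            short = APPROVER_QUORUM - len(outside)
            missing.append("outside approvals: %d more" % short)
    return (not missing, missing)


if __name__ == "__main__":
    # Constructed requests from a technician at a hypothetical "msp-a".
    all_factors = {"password", "totp", "hardware_key"}
    target = "/backups/clients/acme/jan.img"
    print(authorize("/home/tech/notes.txt", "msp-a", {"password"}, {}))
    print(authorize("/backups/clients", "msp-a", {"password"}, {}))
    print(authorize(target, "msp-a", all_factors,
                    {"cio": "msp-a", "broker": "insurer-x"}))
    print(authorize(target, "msp-a", all_factors,
                    {"broker": "insurer-x", "auditor": "audit-y"}))
```

In the third request the CIO's approval is ignored because it comes from inside the requester's organization, so access stays denied until a second outside party signs off.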
Separate Platforms
On top of that, use separate platforms. Do not rely on just one platform, or on a set of tools that all live inside one.
“McDonald’s sells the most food, but not the best food,” Farajun said. “Do you always and only want to be using the market leader? The biggest vendor has the biggest target on them.”
Finally, if the worst happens, despite precautions, consider using a ransomware negotiator.
“Just because you’re an MSSP, don’t think you know how to negotiate correctly,” Farajun cautioned.
Rather, he said, turn to a …