Where were you when you first heard about the SolarWinds breach? It’s not unusual for information security professionals to learn about a breach. Keeping track of the news is part of the job. The SolarWinds attack, however, was different for two primary reasons.
First, it reached the level of mainstream news. The majority of breaches stay mostly in the industry press. Only a few break into the now-mislabeled ‘evening news.’ Prior to this event, the average person would never have heard of SolarWinds. Why would they? SolarWinds’ products were the purview of system administrators and engineers. There were nuts and bolts, not buildings.
The fact that these products were so prevalent in so many corporations is what ultimately made the attack so newsworthy. While the average person was unaware of SolarWinds, most of their activities on any network were subject to the various tools produced by the SolarWinds corporation. In fact, the platform on which you are reading this probably has at least one SolarWinds product in its environment. This attack had a very broad impact.
An attack on the supply chain
The second reason that this incident was so significant is that it was a supply chain attack, which creates a challenge for just about every industry sector. No organization functions without a supply chain, and a successful attack against any supplier, whether “upstream” or “downstream,” threatens every other link in that chain. Many people think of the supply chain as trucks moving products or hardware manufacturers, but the chain spreads across a much larger spectrum. Software is part of a supply chain, and that is exactly what was exploited in this now infamous compromise.
Of course, there are many supply chain attacks that do not appear on the evening news. All organizations need to defend against these compromises. They need ways to detect the tactics, techniques and procedures (TTP) as well as the indicators of compromise (IOC) in their environments.
One way to address supply chain risk is by looking to the guidance offered by the Center for Internet Security (CIS). The CIS Controls have been in existence for over a decade, and they are notable for their depth and detail. Any organization that effectively implements the CIS “20 Controls” is well-positioned to defend against many common attacks.
Tripwire and the CIS Controls
I recently sat down with Kathleen Moriarty, the chief technology officer at CIS, and David Henderson, a federal systems technical sales engineer, to discuss how the CIS controls be used to protect against supply chain attacks and how Tripwire can help in that implementation.
Many organizations use the National Institute of Standards and Technology (NIST) documentation and frameworks such as the International Standards Organization’s (ISO) 27001 series for information security management. These are excellent resources, but to add to those, the CIS controls help towards the implementation of the security recommendations contained in those documents and frameworks.
The CIS controls are categorized to align with the most prominent threats to an organization. (You can learn more about that here.) More recently, the latest version of the Controls adds prioritization to this arrangement. The team that organized the controls takes the time to review them and map them to the MITRE ATT&CK framework and further correlates that data with breach reports such as the Verizon Data Breach Investigations Report (DBIR). According to Moriarty, “What this tells us is essentially a validation on the prioritization.” She adds further that in one implementation group, “Nearly 85% of the risk was reduced from known threats” by using the Controls. These findings are important from the practical security, budgetary and supply chain management perspectives.
From a practical standpoint, an 85% correlation makes it clear that the controls are effective. From a budgetary standpoint, nothing helps more to secure much-needed finances for a security project than hard numbers. In the realm of supply chain management, these numbers also add influence to requiring that every link in your supply chain adheres to a program of implementing the Controls.
One reason why many organizations are deficient in their Controls is because of the difficulty of implementing all of them. To the average person, a mere 20 controls might seem like an easy task, yet anyone who has spent time working through the Controls quickly finds the difficulties. These difficulties are not due to the contents of the Controls themselves but to the complexity of most networks. Fortunately, new products are being created that can help with this daunting task.
David Henderson states it this way: “One of the first challenges for any organization is obtaining a baseline for the current security condition of the environment. Along with that, understanding an organization’s compliance state is a necessity.” With over 900 benchmarks, Tripwire Enterprise can help you achieve these goals. CIS benchmarks are only part of the policy collection that makes up part of the Tripwire product.
Once your baselines are established, you can see your current compliance state. The reporting features in Tripwire Enterprise make it easy to see all things good and bad, allowing you to devise a remediation plan. Once remediation has been achieved, monitoring the environment can be set up on a customizable schedule. What better method to draw your organization closer to achieving the CIS Controls?
When the supply chain concern is in a software product, change management and integrity monitoring are required to guarantee confidence in the product. If you are a software development organization, integrity monitoring can mean the difference between a secure product and a compromised one. If your organization isn’t in the software development business, you can use integrity monitoring to verify that files in your environment aren’t undergoing unauthorized changes. Unlike traditional anti-virus detection, integrity monitoring doesn’t suffer from false positives, as it focuses on detecting a change rather than a predictive, heuristic-based algorithm.
Tripwire Enterprise also gives you the ability to trace attacks not only after the fact but in-progress. Real-time change detection can identify attacker activity, even when it’s not obviously malicious. The change data collected is incredibly useful for forensics during incident response, as well.
We understand the difficulty of implementing the CIS controls. However, thanks to advances in tools and technologies, the task is no longer a manual one. Tripwire can automate some of those tasks, giving you and your team the time to focus on more pressing matters. If you are looking to ease your supply chain concerns, look to Tripwire.