Blog post by Chuck Thibert, Director of Security and Compliance at Tehama.
The news broke on an otherwise uneventful Sunday afternoon in mid December: IT management company SolarWinds’ Orion network monitoring tool had suffered a devastating compromise. A supply-chain based attack had hidden malware in one or more of the tool’s many software updates, which are regularly dispatched to SolarWinds’ hundreds of thousands of clients.
As a result, networks of U.S. government organizations (including the Treasury and Commerce departments) and others were penetrated by malicious actors in what experts called a “highly sophisticated” attack. SolarWinds’ clients include the entire U.S. military, the U.S. State Department, the Office of the President of the United States, and many Fortune 500 companies.
Network access continued for months before the hack, perpetrated on Orion update versions 2019.4 through 2020.2.1 between March and June 2020, was discovered. Observers said the attack was almost certainly sponsored by a “nation state” and was almost certainly connected to the recent FireEye hack. "They operated clandestinely, using methods that counter security tools and forensic examination,” said FireEye CEO Kevin Mandia in a statement last week. “They used a novel combination of techniques not witnessed by us or our partners in the past."
FireEye christened the malware “Sunburst” while also releasing a technical report and a set of detection rules. SolarWinds said it believed the number of customers affected to be “fewer than 18,000” and says it has released a hotfix update to at least partially address the vulnerability.
Disaster recovery and remediation after a breach: Why traditional VDI and DaaS aren’t enough
The twin goals of IT remediation, mitigation, and disaster recovery (DR) following such an incident are 1) To get back up and running as soon as possible; and 2) To ensure a similar compromise never happens again.
The problem for most organizations, however, is that getting back up and running as soon as possible usually means quickly transitioning to employee-owned devices, at least for a few days. Because most of these employees will work from home, they’ll also need to connect their devices to crucial business systems over residential WiFi networks.
That IT security double whammy is a terrifying prospect for any IT leader – especially in the wake of a major security incident. But what other options are there? Virtual desktop infrastructure (VDI) is a possible solution, but isn’t well-suited for DR if it hasn’t already been implemented as part of an organization’s overall desktop strategy.
Desktop-as-a-service (DaaS) options can be easier and faster to deploy than traditional VDI. But this solution can be equally problematic in that traditional DaaS typically uses perimeter-based security, widely regarded as obsolete today given the number of highly sophisticated attacks and insider threats.
How Tehama can help with emergency IT remediation after a security breach
Tehama’s next-generation enterprise DaaS doesn’t have these issues because it was designed as a secure service delivery platform. It allows organizations to:
- Maintain extremely granular control of all remote work environments
- Access corporate systems remotely, while allowing only trusted users to bring your organization’s network and infrastructure back online
- Audit or review all activity that takes place on all virtual desktops, down to the keystroke
- Establish a brand-new perimeter with Tehama’s suite of IT security controls
Tehama enterprise DaaS is flexible enough to allow enterprises to scale up quickly – with most deployments taking less than an hour to set up – and comes with a virtual army of built-in security and compliance features that would take weeks (if not months) to set up and configure individually. These include Zero-Trust network isolation, multi-factor authentication (MFA) and endpoint isolation, least privilege permissions, data protection, as well as deep forensic and regulatory compliance auditing tools.
Tehama’s fully automated monitoring and forensic auditing also protect from supply chain attacks like the above far more effectively than perimeter-based security tools – negating the need for remediation in the first place.
Indeed, traditional approaches built to meet yesterday’s security standards aren’t enough anymore. That’s especially the case as malicious actors become more sophisticated, and organizations become more beholden to compliance and regulatory standards surrounding the safekeeping of sensitive customer and other data. If you’ve been affected by this week’s SolarWinds breach and need a secure, compliant solution for emergency IT remediation, please don’t hesitate to give us a shout. Tehama is here to help: Contact us via email or phone: 1-888-792-5104