The recent SolarWinds Senate hearing and a flurry of subsequent briefings have unearthed new questions around the attack, which acting director of the U.S. Cybersecurity and Infrastructure Agency (CISA) Brandon Wales called “the most complex and challenging hacking incident the agency has come up against.” As impacted agencies and private enterprises work to pick up the pieces, there’s debate over the best ways to tackle systemic weaknesses and improve cyber intelligence sharing across the board. But one thing everyone can agree on is that traditional security approaches – which have failed to change with the digital times – are in dire need of an overhaul.
CISA: “Identity Has Become the Boundary”
The SolarWinds breach, along with nearly every major cyber attack today, involved the compromise of identity and subsequent manipulation of privileged access. While presenting forensic analysis of the attack at NIST’s most recent Information Security and Privacy Advisory Board meeting, CISA technical strategist Jay Gazlay put it bluntly: “Identity is everything now.”
While Gazlay acknowledged that very few could pull off such a highly sophisticated digital supply chain attack without being detected, his message was clear: traditional, perimeter-centric security won’t cut it. “We can talk about our network defenses. We can talk about the importance of firewalls and network segmentation. But really, identity has become the boundary, and we need to start readdressing our infrastructures in that matter,” he said, according to Federal News Network’s report on the briefing.
Of course, SolarWinds is far from the first major attack to prompt action. But Gazlay warned that attackers are constantly innovating, and that protections many agencies put in place after the 2015 Office of Personnel Management breach are likely inadequate today since so many resources have shifted to the cloud.
“They’re going after the identities that give them access to all the data holdings – much broader campaigns,” he said, according to Federal News Network. “That makes trust store and identity management compromises much more impactful, and frankly, a much higher target. As we move into a cloud infrastructure where all that matters is the expectation that you are who you say you are, to get access to cloud infrastructures, this becomes even more pernicious.”
NSA: You Better Start Swimmin’ Toward Zero Trust, Or Sink Like a Stone
This focus on identity is accelerating the shift toward Zero Trust, a “never trust, always verify” approach that includes authenticating and authorizing every identity – human or non-human – before granting access. While the concept isn’t new, it’s safe to say Zero Trust is going mainstream as hybrid and multi-cloud environments become the norm.
The U.S. National Security Agency (NSA) recently released guidance for embracing a Zero Trust approach, noting these “principles can better position [cybersecurity professionals] to secure sensitive data, systems, and services.”
As we focus on helping agencies and enterprises secure identities throughout the cycle of accessing critical assets, these recommendations resonated strongly with our CyberArk team. Here’s a look at our top takeaways from the NSA’s Zero Trust directive:
Outsider, Insider – It Doesn’t Matter. Always Assume Breach
NSA authors write, “Contemporary threat actors, from cyber criminals to nation-state actors, have become more persistent, more stealthy, and more subtle; thus, they demonstrate an ability to penetrate network perimeter defenses with regularity.” They urge agencies and organizations to “consciously operate and defend resources with the assumption that an adversary already has presence within the environment.”
In the public sector, we’ve seen the great lengths to which legitimate, authorized users will go to exfiltrate information and accomplish ill-intentioned objectives. An assume-breach mindset does not discriminate between outsiders and insiders – instead, every identity and access request is presumed malicious until proven otherwise. And the question shifts from “Have I been breached?” to “Do I have the right alarm systems and motion-sensing lights in place to detect and respond before it’s too late?”
Least Privilege Is Foundational to Zero Trust
Motives vary. Adversaries might try to establish persistence in the environment and hide their activity; the SolarWinds attacker used the sophisticated Golden SAML technique to do this successfully. Or, attackers might aim straight for the domain controller or cloud console in search of sensitive data to steal or hold for ransom, or to cause disruption by shutting down critical systems or deleting files. No matter what they’re after, attackers usually follow the same steps: acquire credentials for an identity, move laterally and vertically to escalate privileges, then use this privileged access to compromise sensitive data and assets.
The most effective way to break this chain and shrink the overall attack surface is to enforce least privilege security controls across all identities, devices and apps – from the endpoint to the cloud. NSA authors write that “data-centric Zero Trust models allow the concept of least privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources.”
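As an added illustration (not from the NSA guidance, the original post or any CyberArk product), here is a small default-deny access evaluator that must answer all five questions – who, what, when, where and how – before it grants access; the policy table, identities, hours and addresses are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed, hypothetical policy table: each rule is one explicitly granted
# who/what/when/where/how combination; anything else is denied (least privilege).
POLICY = [
    {
        "who": "svc-backup",                    # non-human identity
        "what": ("read", "db-prod"),            # (action, resource)
        "when": (1, 5),                         # allowed UTC hours [start, end)
        "where": ip_network("10.20.0.0/24"),    # expected source network
        "how": {"mfa": False, "device_managed": True},
    },
    {
        "who": "alice",                         # human administrator
        "what": ("admin", "domain-controller"),
        "when": (8, 18),
        "where": ip_network("10.10.0.0/16"),
        "how": {"mfa": True, "device_managed": True},
    },
]

@dataclass
class AccessRequest:
    who: str
    action: str
    resource: str
    at: str               # request time, ISO 8601 with UTC offset
    source_ip: str
    mfa: bool             # was a second factor presented?
    device_managed: bool  # does the device pass posture checks?

def decide(req: AccessRequest, policy=POLICY):
    """Default-deny: the request is presumed malicious until every question is answered."""
    hour = datetime.fromisoformat(req.at).astimezone(timezone.utc).hour
    for rule in policy:
        if rule["who"] != req.who or rule["what"] != (req.action, req.resource):
            continue                            # who/what: not this rule
        start, end = rule["when"]
        if not start <= hour < end:
            return False, "when: outside allowed window"
        if ip_address(req.source_ip) not in rule["where"]:
            return False, "where: unexpected source network"
        if rule["how"]["mfa"] and not req.mfa:
            return False, "how: second factor required"
        if rule["how"]["device_managed"] and not req.device_managed:
            return False, "how: device fails posture check"
        return True, "allow: who, what, when, where and how all satisfied"
    return False, "who/what: no rule grants this identity that action on that resource"
```

Note that a valid credential alone never suffices: the same identity is refused when it shows up from an unexpected network, outside its window, or without the expected second factor or device posture.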
When It Comes to Zero Trust, 1+1=3
There’s no cybersecurity silver bullet, and likewise Zero Trust cannot be achieved with one vendor or solution: it is not a specific technology but an approach and a mindset. It requires a holistic, layered approach that “integrates disparate but related cybersecurity capabilities into a cohesive engine for cybersecurity decision-making,” write NSA authors.
By placing Privileged Access Management at the core of this defense-in-depth strategy, not only can defenders protect against the leading cause of breaches, they can also minimize the attack’s impact. Consider this scenario: an attacker successfully compromises an agency’s vulnerability management platform, runs an authentication scan and pinpoints every vulnerable and misconfigured identity within the hybrid cloud environment – essentially scoring a step-by-step playbook for the attack. By protecting these powerful tools with Privileged Access Management controls, such as vaulting and rotating privileged credentials and monitoring sessions to detect risky activity, agencies can dramatically limit exposure and keep that playbook out of reach.
It’s Okay to Start Small. But the Time to Start Is Now.
Conceptually, Zero Trust makes perfect sense. But NSA authors warn that putting it into practice will take time, and they encourage a phased, risk-based approach. “Incorporating Zero Trust functionality incrementally as part of a strategic plan can reduce risk accordingly at each step,” they write. Among the NSA’s key Zero Trust design recommendations is to architect from the inside out, first protecting critical data and assets, such as Tier 0 systems, then securing all paths to access them.
The Identity Defined Security Alliance framework can help with scoping and tiering the various technology components that will require protection at the identity level.
The Battle Outside Ragin’ Will Soon Shake Your Windows… For the Times They Are A-Changin’
In SolarWinds’ shadow, many agencies are feeling pressure to address their greatest identity-related vulnerabilities quickly. This NSA directive offers valuable prioritization guidance for achieving “quick wins” to drive down risk, while laying the groundwork for a phased Zero Trust implementation strategy.
In the famous words of Bob Dylan, “The times, they are a-changin’.” Drive resilience in this new threat landscape by embracing a Zero Trust model. And trust CyberArk to help along the way. As the recognized leader in protecting privileged access with multiple Department of Defense customers and 130+ installations across the U.S. federal government, we’re uniquely positioned to help agencies meet today’s modern security and compliance requirements.