In response to this year’s major cybersecurity incidents, including SolarWinds, Microsoft Exchange, and the Colonial Pipeline attack, the Biden Administration recently issued an Executive Order on Improving the Nation’s Cybersecurity, signaling that the administration intends to take a more active role in establishing cybersecurity priorities, improving current infrastructure, and modernizing security technology.
This order is a good first step and emphasizes the urgency of the problems we face protecting essential systems in both the government and private sectors. While it outlines important areas of cybersecurity that need to be addressed, and it is far more actionable that similar orders from past administrations, the devil is always in the details, and meaningfully addressing the current crisis is easier said than done.
The Administration claims that this is the “first of many ambitious steps” it is taking to modernize national cyber defenses. It also freely admits that “federal action alone is not enough,” as much of our critical infrastructure is privately owned and operated.
The Executive Order touches on three important areas that, if taken seriously, require us to fundamentally rethink how we approach and implement cybersecurity. These include removing barriers to information sharing, modernizing outdated systems, and plugging leaks in porous software supply chains. Each of these areas are important, but we need to dig deeper into how we tackle these problems and what technology we need to be successful. Following is a drill-down into these three key areas, identifying gaps, and how Avocado Systems can help fill them.
Removing Barriers and Increasing Visibility
It’s a laudable and difficult goal to break down silos within the government, and with the private sector that prevent timely sharing of threat information. But this also reflects an outdated model of endless threat chasing. The SolarWinds attack went on for over 15 months. Let’s say we could reduce that to 15 days (which would require massive changes in threat sharing), the damage still would have been immense.
The core problem with SolarWinds was that most of the attack techniques used are invisible to conventional security technology. Sophisticated experts from FireEye report that it took them thousands of hours just to detect these indicators of compromise.
Most security solutions try to stop attacks at the perimeter, beforehand, or look for indicators of compromise (IOCs) to detect anomalies after the fact. Both approaches failed completely with SolarWinds.
Rather than endless, and increasingly ineffective threat chasing, we need to shift our focus to detecting real attacks, regardless of the source, and take immediate and automated action to stop them before damage is done. This requires much deeper visibility into the processes, communications, and data exchanges.
Avocado Systems plays an important role here, stopping attacks that go below the radar of existing security technology. Avocado’s unique technology can stop attackers “in the act” by providing deep, real-time visibility into critical applications at the process and OS levels, for servers, containers, databases, microservices, and APIs.
Modernizing Security with Zero Trust Everywhere
This year’s attacks have created renewed interest in the concept of Zero Trust Security. While this term has been around for over a decade, it has reemerged because it is fundamentally the most effective way to ensure security. New guidelines from NIST, the NSA, and the White House all stress the importance of Zero Trust.
The problem it is difficult to achieve, and most people have far too limited a view of how it should be applied. Zero Trust has been associated largely with access controls – which users can access which systems on which devices. While this is important (and difficult to enforce) we need to extend Zero Trust much deeper into our infrastructure, to inter-systems communications.
A fundamental tenet of Zero Trust Security is to assume that our defenses have failed at one point or another, and attackers are already on the inside. Whether it’s through password theft, web vulnerabilities, email servers, or remote access software, we must accept that our attackable surface area is expanding, our existing defenses are porous, and the attackers will always find a way in.
If we can’t keep the back guys out, we need to make sure we can catch them in the act, before they can cause damage. This requires new levels of visibility into applications during runtime, making sure that malware can’t execute, and attackers can’t move laterally across applications and resources.
Avocado detects and stops advanced threats that were previously undetectable. The technology enforces a Zero Trust model down to individual processes within the workload and ensures that only explicitly authorized lateral traffic and data exchanges are allowed. This blocks all rogue connections, lateral movement by the bad guys, and policy violating data exchanges. In the case of SolarWinds, attackers used a complex kill chain with dozens of steps, and lateral movement between servers. Avocado detects and stops this movement in real-time “at the scene of the crime.”
Restoring Trust in the Supply Chain
SolarWinds was unnerving and damaging to thousands of organizations because it exploited an entry point that most IT professionals implicitly trust – properly delivered software updates, from a major enterprise vendor. Now, we must apply Zero Trust to the software supply chain, and never assume that any code, no matter the source, is free from vulnerabilities or dangerous malware.
Even if our vendors deliver perfect code, modern application stacks are built on a wide range of third-party tools, open source code, shared libraries, and share platforms for containers. The Microsoft Exchange attacks demonstrated that the best code, from the top software vendors, will inevitably contain undiscovered vulnerabilities, that can be exploited by advanced attackers.
Once again, Avocado offers a new level of Zero Trust protection that can be applied to any applications – custom code, third-party COTS, legacy apps, and more. By securing at the OS level, and monitoring (e.g. APIs) traffic across applications, the solution ensures that supply chain vulnerabilities don’t get turned into serious breaches.
It’s Time to Rethink Security
At Avocado, we believe the status quo in security is not nearly good enough, and we must fundamentally change how we approach these problems. In fact, the Executive Order acknowledges that “incremental improvements will not give us the security we need.” It’s encouraging to see the Federal Government take a more active role identifying current security gaps, but it’s just as critical that the software security industry step up, change our conventional security thinking, and modernize our approach to protecting increasingly critical applications and infrastructure.