SolarWinds Should Have Been More ‘Vigilant’: Palo Alto Networks CEO
‘I am not going to give them a free pass,’ says Palo Alto Networks CEO Nikesh Arora. ‘They should have been more vigilant and diligent, but I think this is a very sophisticated, very complex attack. The fact they (the Russians) got in there not only did they do sophisticated things, they also got lucky that this is a piece of software which then went unnoticed for six to nine months, and now it’s embedded in the infrastructure of thousands of customers.’
SolarWinds, whose Orion network monitoring software was used by Russian hackers in a widespread breach of the US government, should have been more “vigilant” in securing its software from cyber-terrorists, said Palo Alto Networks CEO Nikesh Arora.
“I am not going to give them a free pass,” said Arora in an interview with CNBC, speaking about SolarWinds’ role in the breach. “They should have been more vigilant and diligent, but I think this is a very sophisticated, very complex attack. The fact they (the Russians) got in there not only did they do sophisticated things, they also got lucky that this is a piece of software which then went unnoticed for six to nine months, and now it’s embedded in the infrastructure of thousands of customers.”
CRN reached out to SolarWinds but had not heard back at press time.
[Related: 10 Things To Know About The SolarWinds Breach And Its U.S. Government Impact]
Arora said the landmark breach “highlights” the need to “be extremely vigilant in making sure our systems and processes” are secure. “ If you are not, you are going to get attacked one day, you are going to get hacked, you are going to have someone take control,” he said. “It’s unfortunate that the control that was taken in the case of the SolarWinds server is a server used by 18,000 customers.”
Palo Alto Networks itself spent 2,500 hours in the last few weeks making sure that none of its infrastructure was impacted when it saw one of its own SolarWinds servers “trying to communicate with Malware,” he said. “We blocked it with our Coretex XDR engine. We put out that indicator to all of our customers to try to protect them.”
Specifically, adversaries attempted to download CobaltStrike onto a Palo Alto Networks SolarWinds server, Arora wrote in a blog post Thursday. The company’s behavioral threat prevention capability and Security Operations Center (SOC) were able to isolate the server, investigate the incident and secure the company’s infrastructure, according to Arora.
It is “incumbent on every organization which deploys a SolarWinds server” to take critical steps to see if they were “impacted” by the breach, said Arora on CNBC Friday. All those customers need to ensure they are “safe” and then make sure they are prepared to prevent another such attack, he said.
“It’s imperative that we all protect ourselves and make sure that this doesn’t happen to us (again),” he said. “The effects of this are far-reaching.”
The SolarWinds software used as part of the attack is “an important piece of software used by network managers around the world,” said Arora. He credited SolarWinds with coming up with an “innovative piece of software” which supersedes current day software which is “more complex and more expensive.”
The big issue with SolarWinds is that the Orion software used in the breach had “privileged access” to the network with the ability to “be able to reconfigure things, to be able to move things around,” said Arora.
Microsoft has confirmed that more than 40 of its customers were precisely targeted and compromised through trojanized updates to SolarWinds’ Orion network monitoring platform.
The first priority in the wake of the breach is to ensure that “every organization, every agency (in the federal government)” is not impacted, he said. If they have been impacted they need to “scrub their entire network,” said Arora.
Palo Alto Networks is making available a complimentary assessment that quickly determines if customers have been compromised by this threat actor by leveraging Expanse’s attack surface management capabilities as well as the Crypsis incident response team, both of which the company acquired in recent months, Arora said in the blog Thursday.
In addition, customers who believe they’ve been impacted can engage directly in a short-term retainer with the Crypsis incident response team, who Arora said will help organizations contain and recover from the attack.
Bob Venero, CEO of Holbrook, N.Y.-based solution provider Future Tech, a Palo Alto Networks partner, credited Arora for speaking up on the SolarWinds attack and the need for all parties to ensure systems and process are secure.
“Palo Alto Networks has done a good job thinking about how to protect customers,” said Venero. “They have pivoted from a hardware provider to a software company with some of the best security tools available to protect organizations.”
Future Tech’s Palo Alto Network business has doubled over the last year and continues to play an important part in helping customers stop attacks, said Venero.
Future Tech has a deep security consulting practice that is focused on on best practices and limiting outside access to corporate networks.
“Security controls to the network in my opinion have gotten very lax with the assumption that it is okay to have pipes open from your service providers into your network that are not controlled by your teams,” he said. “This SolarWinds breach is a perfect example of how and why that is risky. Organizations need to limit pipes and protocols from outside. If there are things that need to be turned on they have to be turned on from the inside not from the outside. Port access and remote connectivity need to be initiated from inside the network.”
Future Tech is in the process of creating a portfolio of edge technologies that are aimed at stopping breaches of all kinds, said Venero. “We need to change the philosophical approach around access and change the game so there is no access unless the business signs off on it,” he said. “If you shut the pipe or the connectivity then you are not at risk.”