Those of us on the cyber threat frontlines at Keyavi Data view the entire FireEye-SolarWinds catastrophe through a very different lens. It’s a mile-high view that proves our entire thesis: why data must be smart and able to protect itself from cybercriminals – no matter where it goes, where it’s stored or who has it.
The painful reality is that no one can trust a majority of network monitoring and security technologies on the market today. Yet, the knee-jerk reaction of many organizations will be to keep piling on more tools, fearful that, if they slip up even once, a hacker will penetrate their system. Their one assumed premise – that data can’t protect itself – never enters into the equation.
But data should be able to protect itself, and it now can.
The vast majority of technologies for protecting data or managing networks on which data reside are equipped to deal with one of two scenarios.
The first set of technology focuses on keeping data from leaking, from being accessed or shared improperly, or from being stolen. The second set encompasses technologies for monitoring and chasing data “in the wild” that already leaked or was stolen, or for finding bad actors after they’ve penetrated the defenses.
FireEye and SolarWinds fall squarely into the second category. They presume a customer’s network has already been penetrated by bad actors – and, in today’s world, that’s a fair assumption – so their technologies are designed to help catch the criminals, keep them at bay, and contain them away from a customer’s intellectual property.
One of these technologies is meant to be preventive, to keep bad actors out of a customer’s network by monitoring and logging the goings-on in that network – what’s being accessed, how, where, when and by whom.
The other technology is reactive, using cyber traps called “honeypots” to attract criminals lurking within a compromised network along with a set of tools to identify and neutralize the intruders.
Neither of these technologies proved infallible, however.
FireEye disclosed in an SEC filing and two blog posts in December that it had been breached by a “highly sophisticated cyber threat actor,” resulting in the theft of its “red team” tools used to test their customers’ cyber defenses. What was supposedly the best weapon in the cybercrime fight suddenly became a potential detriment for every FireEye customer. Even now, no one knows who stole FireEye’s toolsets, or even if or how they’re being used. So, there’s no reliable way to know if FireEye’s solution will work for any customer trying to track down and remove bad actors from their environment.
SolarWinds’ lax internal security reportedly allowed criminals to plug malware into the company’s network management software, then leave without anyone at SolarWinds noticing. The company then pushed out a routine software update laced with this infected code to approximately 18,000 of their clients, including Fortune 500 companies, the military and government agencies.
Ironically, the SolarWinds malware was discovered by FireEye while investigating its own breach.
The federal government immediately ordered every agency running SolarWinds’ Orion software to disconnect it, leaving networks unprotected. Other SolarWinds customers did the same. U.S. intelligence officials, meanwhile, are still struggling to assess the extent of the damage on public and private systems and whether the Russians or other culprits were behind the intrusion.
Many customers now have no idea how badly their system was compromised or how many back doors there may be that criminals could penetrate. Because this contagion is so pervasive, the only surefire way to know a system is safe is to go scorched earth – to tear out every IT tool and rebuild from the bottom up.
If no one can rely on security tools anymore, it’s high time for data to protect itself anywhere it goes, no matter how it’s stored or for how long. It's time to shift focus to technology that provides total control of data in a way that prevents leaks and makes data breaches irrelevant, in perpetuity.
I challenge you to think differently about protecting your data from every type of cyberattack – whether it’s embracing a security model that infuses data with intelligence and self-protection at the data level, a Zero Trust “always verify” authentication approach, or deploying a combination of innovative security techniques and technologies that stop opportunistic attackers in their tracks.
Whatever the new IT model, it should adapt to the complexities and rigors of managing security in a COVID-19 world as well as securely enable a global remote workforce facing an increasingly porous attack surface from cybercriminals.