You can’t stop the ‘next SolarWinds’ — but you can slow it down

It’s one of the biggest questions in cybersecurity of 2021, and it’s sure to remain on the minds of countless businesses into the next year, too: How do you prevent a software supply chain attack?

Such attacks have soared by 650% since mid-2020, due in large part to infiltration of open source software, according to a recent study by Sonatype.

But an even bigger driver of the question, of course, has been the unprecedented attack on SolarWinds and customers of its Orion network monitoring platform. In the attack, threat actors compromised the platform with malicious code that was then distributed as an update to thousands of customers, including numerous federal agencies.

Addressing supply chain attacks

The one-year anniversary of the attack’s discovery is on Monday, but the answer for how to stop the “next SolarWinds” attack doesn’t seem much clearer now than it did in the wake of the breach.

Perhaps because it’s the wrong question.

Peter Firstbrook, a research vice president and analyst at Gartner, has experience trying to answer this question because he’s been asked it a lot. However, in terms of preventing the impacts from a software supply chain attack, “the reality is, you can’t,” he said last month during Gartner’s Security & Risk Management Summit — Americas virtual conference.

While companies should perform their due diligence about what software to use, the chances of spotting a malicious implant in another vendor’s software are “extremely low,” Firstbrook said.

But that doesn’t mean there’s nothing to be done.

Zero-trust segmentation

While technology that offers guaranteed protection against the impacts of software supply chain breaches may never exist, solutions for zero-trust segmentation may be the next best thing, said James Turgal, a vice president at cybersecurity consulting firm Optiv.

Prior to Optiv, Turgal spent 22 years serving in the FBI, including as executive assistant director for the bureau’s Information and Technology Branch. There, he saw first-hand the types of cyber strategies that are most effective at disrupting attackers.

One of the biggest takeaways, Turgal said, is that the more difficult you can make it for attackers to transit through environments, the safer you’ll be. “I’ve interviewed these guys. Most of them are lazy as hell,” he said. “Making it more difficult for them to move across networks is really helpful.”

That’s where zero-trust segmentation comes in. The idea is to divide a company’s cloud and datacenter environments into different segments — all the way down to the level of workload — which can each be locked down with their own security controls. For a business, segmenting their architecture in this way — while also using zero-trust authentication that repeatedly verifies a user’s identity — can make it “more difficult for the bad guys to move through networks and move laterally,” Turgal said.

Reducing the blast radius

One fast-growing vendor that is entirely focused on solutions for zero-trust segmentation is Illumio, which achieved a $2.75 billion valuation in June in connection with its $225 million series F funding round.

Founded in 2013, Illumio offers segmentation solutions for both datacenter and cloud environments, with the addition of its cloud-native solution in October. The Sunnyvale, California-based company expects to reach “well north” of $100 million in annual recurring revenue this year, according to Illumio cofounder and CEO Andrew Rubin.

When it comes to segmentation, Illumio’s solutions were in fact successfully used by customers that were impacted by the SolarWinds compromise to protect against further damage from the attackers, Rubin said.

During the attack campaign, “we had customers that were running that [SolarWinds] infrastructure and used us to segment that problem off from the rest of their environment,” Rubin said in an interview with VentureBeat. “I can tell you that segmentation was an effective security control for reducing the blast radius of that problem.”

What Illumio offers with zero-trust segmentation is actually very similar in principle to the approach that’s been taken to stop the spread of COVID-19, he noted. “The fact is that if we can stop it from spreading, that is an unbelievably effective way to control the damage,” Rubin said. “We knew we couldn’t prevent the initial problem, because we already missed that. But we knew that we did have the ability to change how quickly and how pervasively it spread.”

In many ways, he said, the cybersecurity industry “is now appreciating the value of that storyline by saying, ‘We’re going to stop a lot of things — but we can’t stop everything. So let’s try and do a really good job of controlling the blast radius when they occur.'”