You survived the SolarWinds hack. Now what?

Worth a full read of this article. To add to the main thrust, which is about implementing Zero Trust PLUS active monitoring, I would add some form of active defence. If all traffic flows are encrypted then sitting in the middle won’t tell you the full story. You also need to have monitoring at the endpoints (that’s where XDR comes in) and some way of capturing suspicious activity. I usually propose the use of next-generation deception technology to direct attackers to a decoy so you can get early warning of what they’re up to…


[…] Even with the adoption of more stringent security protocols, the next supply chain cyber-attack is inevitable. The question remains: How do you know if the hacker has accomplished their goals? If a bad actor can enter the network via trojanized software updates, there will be clues in the network history. Evidence-based risk management strategies apply information gleaned from the network itself to determine the scope and impact of the breach, in order to facilitate remediation.

According to the Cybersecurity and Infrastructure Security Agency (CISA), the first step in threat remediation is to forensically image system memory and/or host operating systems. Network operations (NetOps) teams should then look for new user or service accounts, privileged or otherwise, and analyze stored network traffic for indications of compromise. However, the ability to take those steps is dependent on the network monitoring and forensics tools in place in the network. And, of course, the time to implement those tools is before a breach in order to have historical data that chronicles the malicious activity.

In addition, it’s important to consider the type of network monitoring being used. Even if an organization implements Zero Trust security, real-time monitoring is key to being able to detect, investigate and remediate intrusions. If monitoring tools are merely ‘sampling’ traffic, rather than capturing real-time packet and flow data, it’s very easy to miss the telltale signs of abnormal network activity until it’s too late.
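The two detection steps the excerpt describes, hunting stored logs for new user or service accounts and checking retained traffic for abnormal activity, can be sketched in code. The following is an added example, not code from the quoted article or from any product it mentions. It assumes Linux `auth.log` lines in the format written by `useradd`/`usermod`, a constructed account baseline, and constructed flow records in which one internal host contacts an external address on a fixed 30-minute cadence; it also emulates 1-in-N flow sampling to show why a sampled feed can miss exactly that kind of low-volume signal.

```python
import random
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# --- Part 1: new user / service accounts from stored auth logs -------------
# Constructed auth.log lines (not from any real incident). The useradd and
# usermod message formats match what shadow-utils writes.
AUTH_LOG = """\
Jan 15 02:13:07 build01 useradd[2211]: new user: name=svc_backup, UID=1007, GID=1007, home=/var/lib/svc_backup, shell=/usr/sbin/nologin
Jan 15 02:14:51 build01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart agent
Jan 15 03:02:30 build01 useradd[2390]: new user: name=updatesvc, UID=1008, GID=1008, home=/nonexistent, shell=/bin/bash
Jan 15 03:02:44 build01 usermod[2395]: add 'updatesvc' to group 'sudo'
"""
# Accounts present in the last known-good inventory (constructed baseline).
BASELINE = {"root", "deploy"}

USERADD_RE = re.compile(
    r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+),.*shell=(?P<shell>\S+)")
USERMOD_RE = re.compile(r"usermod\[\d+\]: add '(?P<name>[^']+)' to group '(?P<group>[^']+)'")
PRIVILEGED_GROUPS = {"sudo", "wheel", "root"}


def new_accounts(log_text, baseline):
    """Return accounts created in the log that are absent from the baseline,
    marking any that were later added to a privileged group."""
    created = {}
    for line in log_text.splitlines():
        m = USERADD_RE.search(line)
        if m and m["name"] not in baseline:
            created[m["name"]] = {"uid": int(m["uid"]), "shell": m["shell"], "privileged": False}
    for line in log_text.splitlines():  # second pass: group changes follow creation
        g = USERMOD_RE.search(line)
        if g and g["name"] in created and g["group"] in PRIVILEGED_GROUPS:
            created[g["name"]]["privileged"] = True
    return created


# --- Part 2: regular beaconing in retained flow records --------------------
def make_flows():
    """Constructed flow records (timestamp, src, dst, bytes): one host beacons
    to an external address every 30 minutes with a few seconds of jitter,
    buried in 600 randomly timed internal flows."""
    base = datetime(2021, 1, 15)
    rng = random.Random(7)  # fixed seed keeps the sample deterministic
    flows = [(base + timedelta(minutes=30 * i, seconds=i % 7), "10.0.5.20", "203.0.113.7", 512)
             for i in range(48)]
    for i in range(600):
        flows.append((base + timedelta(seconds=rng.randrange(0, 86400)),
                      f"10.0.5.{i % 50}", "10.0.1.10", 1500 + (i * 37) % 900))
    return sorted(flows)


def find_beacons(flows, min_count=10, max_jitter_ratio=0.2):
    """Flag (src, dst) pairs whose inter-arrival times are unusually regular:
    at least min_count flows and a coefficient of variation below the limit."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(ts)
    beacons = []
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < max_jitter_ratio:
            beacons.append(pair)
    return beacons


def sample_one_in_n(flows, n):
    """Emulate 1-in-n flow sampling, as a collector does to save storage."""
    return [f for i, f in enumerate(flows) if i % n == 0]


if __name__ == "__main__":
    for name, info in new_accounts(AUTH_LOG, BASELINE).items():
        print(f"new account {name}: uid={info['uid']} shell={info['shell']} privileged={info['privileged']}")
    full = make_flows()
    print("beacons in full flow data:   ", find_beacons(full))
    print("beacons in 1-in-20 sampled data:", find_beacons(sample_one_in_n(full, 20)))
```

Run against the full record set, the detector reports the single regular pair; run against the 1-in-20 sample of the same traffic, too few of the beacon's flows survive (and the gaps between those that do are no longer regular), so the same activity goes unnoticed. That is the practical difference between retained packet or flow data and a sampled feed.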


Original article