The SolarWinds supply chain attacks continue to play out, with new impacts and technical considerations coming to light in the headlines seemingly every day.
Amidst all the helpful research into the vulnerabilities and tactics used by the attackers, whom many experts now believe to be nation-state sponsored, one particular element stands out from a cloud security and remote collaboration standpoint.
Last week, multiple stories were published that further detailed the extent to which Office 365 was leveraged in the SolarWinds campaign. The Wall Street Journal disclosed that the involved attackers had subverted Office 365 security controls, along with other defenses, to linger in SolarWinds’ environment for as long as nine months prior to being discovered.
This was followed by a piece in CRN that quoted SolarWinds CEO Sudhakar Ramakrishna in great detail regarding his conclusion that it was in fact a compromise of Office 365 that enabled the attackers to “gain access to and exploit the SolarWinds Orion development environment”, and not vice versa, as some earlier reports had implied [and we had reported in our earlier assessments of the situation].
While Microsoft has for its part denied that this is an Office 365 issue, the WSJ piece concisely defined what the scenario looks like from a cloud security and connected cloud applications standpoint. This is of course the angle that we have been observing with great interest from a technical perspective – specifically “that the hackers may have compromised [SolarWinds’] Office 365 accounts even earlier and then used that as the initial point of entry into the company.”
That “the hackers had accessed at least one of the company’s Office 365 accounts by December 2019, and then leapfrogged to other Office 365 accounts”, and subsequently discovered and exploited vulnerabilities in SolarWinds’ products, is precisely the type of security challenge we speak to practitioners about on a daily basis.
So, we’ll continue to look at this type of threat from a holistic perspective. Microsoft has a formidable security strategy and has been assertive in building capabilities into Office 365. The real issue here is that attackers can increasingly utilize these types of techniques in today’s distributed cloud-connected environment. Organizations need to extend their abilities to identify and thwart campaigns that seek to compromise privileged user accounts and take advantage of trust relationships between cloud applications to carry out their nefarious activities.
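The two behaviours described above, one source authenticating as a chain of accounts and a compromised account then granting an application access to tenant data, both leave traces in the Office 365 Unified Audit Log. The following is an added example (not code from the original post or from CipherCloud) of detection logic run over constructed sample records. The records are invented for this example; their field names (CreationTime, Operation, Workload, UserId, ClientIP, ResultStatus, ObjectId) follow the Unified Audit Log schema, and the operation strings are assumed to match the Azure AD and Exchange operation names the log uses. The thresholds and the use of ObjectId as a human-readable target are simplifications.

```python
"""Flag two patterns from constructed Office 365 Unified Audit Log records:
1. one client IP signing in as many distinct accounts in a short window
   (the "leapfrog" between accounts), and
2. operations that extend an application's trust relationship with the
   tenant (OAuth consent, new app credentials, role grants, inbox rules),
then link pattern 2 back to accounts seen in pattern 1.
Added example, not the original page's code."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (invented values; field names follow the
# Unified Audit Log schema, one JSON object per line).
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"CreationTime": "2019-12-02T08:01:10", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.10", "ResultStatus": "Success"},
    {"CreationTime": "2019-12-02T08:15:42", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "bob@example.com",
     "ClientIP": "203.0.113.10", "ResultStatus": "Success"},
    {"CreationTime": "2019-12-02T08:31:05", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "carol@example.com",
     "ClientIP": "203.0.113.10", "ResultStatus": "Success"},
    {"CreationTime": "2019-12-02T09:02:00", "Operation": "Consent to application.",
     "Workload": "AzureActiveDirectory", "UserId": "carol@example.com",
     "ClientIP": "203.0.113.10", "ObjectId": "MailSync Helper"},
    {"CreationTime": "2019-12-02T09:05:30",
     "Operation": "Add service principal credentials.",
     "Workload": "AzureActiveDirectory", "UserId": "carol@example.com",
     "ClientIP": "203.0.113.10", "ObjectId": "MailSync Helper"},
    {"CreationTime": "2019-12-02T10:00:00", "Operation": "FileAccessed",
     "Workload": "SharePoint", "UserId": "dave@example.com",
     "ClientIP": "198.51.100.7",
     "ObjectId": "https://example.sharepoint.com/sites/eng/Build.docx"},
])

# Operations that widen what an application (or a mailbox rule) may do on
# behalf of the tenant. Assumed to match the Unified Audit Log's names.
HIGH_RISK_OPERATIONS = {
    "Consent to application.": "user granted an OAuth app access to tenant data",
    "Add service principal credentials.":
        "new secret or certificate on an app identity (access that survives a password reset)",
    "Add app role assignment grant to user.": "application permission granted to a user",
    "Add member to role.": "directory role assignment (privilege escalation)",
    "New-InboxRule": "mailbox rule created (commonly used to hide or forward mail)",
}


def parse_records(text):
    """Parse JSON-lines audit records and convert CreationTime to datetime."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["CreationTime"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    return records


def flag_shared_source_logins(records, min_accounts=3, window_hours=24):
    """Report client IPs that successfully signed in as at least
    `min_accounts` distinct users within any `window_hours` window."""
    by_ip = defaultdict(list)
    for rec in records:
        if rec.get("Operation") == "UserLoggedIn" and rec.get("ResultStatus") == "Success":
            by_ip[rec.get("ClientIP")].append(rec)
    findings = []
    window = timedelta(hours=window_hours)
    for ip, logins in by_ip.items():
        logins.sort(key=lambda r: r["CreationTime"])
        for i, first in enumerate(logins):
            users = set()
            for later in logins[i:]:
                if later["CreationTime"] - first["CreationTime"] > window:
                    break
                users.add(later["UserId"])
            if len(users) >= min_accounts:
                findings.append({"ip": ip, "accounts": sorted(users),
                                 "first_seen": first["CreationTime"]})
                break  # one finding per IP is enough for triage
    return findings


def flag_trust_abuse(records):
    """Report every record whose operation is in HIGH_RISK_OPERATIONS."""
    findings = []
    for rec in records:
        reason = HIGH_RISK_OPERATIONS.get(rec.get("Operation"))
        if reason:
            findings.append({"time": rec["CreationTime"], "user": rec.get("UserId"),
                             "operation": rec["Operation"],
                             "target": rec.get("ObjectId"), "reason": reason})
    return findings


def correlate(records, **kwargs):
    """Link trust-abuse findings to accounts that appeared in a leapfrog
    cluster; `linked_cluster_ip` is None when the account was not seen there."""
    clusters = flag_shared_source_logins(records, **kwargs)
    suspect = {u: c["ip"] for c in clusters for u in c["accounts"]}
    abuse = flag_trust_abuse(records)
    for f in abuse:
        f["linked_cluster_ip"] = suspect.get(f["user"])
    return {"leapfrog_clusters": clusters, "trust_abuse": abuse}


if __name__ == "__main__":
    print(json.dumps(correlate(parse_records(SAMPLE_LOG)), default=str, indent=2))
```

In production the records would come from Search-UnifiedAuditLog or the Office 365 Management Activity API rather than an inline string, the IP threshold would need an allow-list for shared egress addresses (VPN concentrators, proxies), and the consent finding is the one worth paging on: an attacker who already holds a user session gains durable, password-independent access the moment an app secret is added.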
To me, one of the best pieces written on all of this to date is the story authored by former Microsoft Security Response Center contributor Christopher Budd for GeekWire. His article clearly outlines the bigger picture cloud security implications in a detailed and straightforward manner.
If you’re interested in the CipherCloud perspective on advancing best practices to address these challenges and employing CASB and ZTNA capabilities to do so, check out our latest whitepaper, or join us for our related webcast. We of course maintain that there is a lot that can be done from a process and solutions standpoint – more details on this follow below.
What are the security considerations introduced by cross-cloud collaboration?
Cloud collaboration and remote productivity tools have emerged as key enablers of the distributed workforce, and of business continuity, over the last year. However, while tools such as Microsoft Teams, Office 365, OneDrive, G Suite and Slack have boosted employee productivity and supported the human perimeter, they have also expanded the cloud and data security considerations that come with them.
Collaboration platforms support a lot of sensitive data exchange between internal teams, external teams, and other relevant third parties. In the new normal, collaboration is fundamental to business continuity and the growing adoption of platforms such as Office 365, Salesforce, ServiceNow, SAP, Slack, and Box, among many others, is at an all-time high. Amidst this growth, perhaps more than any other platform, Microsoft’s Office 365 cloud productivity suite has emerged as a leading enabler of the remote workforce, based on its wide range of communications and collaboration capabilities.
We’ve witnessed Microsoft’s official collaboration platform, Teams, grow explosively from 20 million to 115 million daily active users (DAU) over the last year. This growth intensifies security issues because Teams relies heavily on other services in the Office 365 suite to facilitate real-time collaboration. For example, Teams uses SharePoint Online to store files shared in channel conversations, OneDrive to store files shared in private chats, and Azure AD to manage and authenticate team members, so a compromise of any one of those services, or of the identity that ties them together, reaches into Teams as well. Moreover, these are the security considerations for just one cloud service. Employees need to access multiple clouds and private applications in the course of daily business operations.
With the use of Office 365 and other similar applications to interact and share information with internal colleagues and external business partners, security practitioners are experiencing a variety of security issues, including:
As organizations further advance their cloud adoption and collaboration practices with newer tools, new threats and risks will inevitably appear. Whether the cause is a user’s mistake or a gap in security policies or tooling, a single vector can be exploited by an attacker to breach the entire cloud ecosystem. These core best practices enable security practitioners to implement an integrated security approach that continuously assesses the cloud ecosystem for risks and triggers remediation measures across a human-centric perimeter.
To learn more about securing Office 365 and other connected cloud applications, join us for this best practices webinar, which highlights an integrated cloud security approach with CipherCloud CASB+ and references principles from the MITRE ATT&CK Cloud Matrix.