THE ROOT GROUP NEWSLETTER

What is now being called the Pearl Harbor of American IT, the suspected Russian hack of SolarWinds Orion is massive and potentially devastating to a large number of enterprises and government entities. This Orion vulnerability was exploited to install the Supernova and ComicGale malware code within the Orion user base. The security hole is an authentication bypass that allows attackers to execute remote code on Orion installs and is an open door to steal data, credentials, modify source code and potentially wreak havoc in an almost endless range of nefarious scenarios.

A top conversation among IT shops using SolarWinds is whether to dump it or keep it. This is not an easy decision as despite its dubious security, SolarWinds’ comprehensive breadth and depth for infrastructure management is hard to beat. Below are some thoughts about the options, from the Root Group engineering staff:

1. Move off SolarWinds to a new ITIM platform. This will be difficult and time consuming, and almost impossible to duplicate the functionality in a single platform in the commercial arena. Open-source platforms have their own issues and are not exactly free from security breaches themselves, although they may be less likely due to a perceived “less bang for the buck” from a hacker’s perspective. You also need to weigh the time and cost required to do the research, buy the software, install, configure, support and retrain vs following the SolarWinds remediation guidelines. All of this said, it may be worth running a pilot of a different ITIM tool for key areas to see if you can migrate to a new platform and perhaps live with lesser functionality. 2. Keep SolarWinds. This is a tough one: how do you keep faith in a technology that has had a massive breach and may contain unknown vulnerabilities going forward for months? If you stay the course, you should upgrade to the latest versions of SolarWinds. Religiously stay up to date on SolarWinds security announcements and patches. If you are not able to upgrade or update in a timely manner, run the Supernova mitigation script that SolarWinds has provided. The CEO of SolarWinds, Sudhakar Ramakrishna, has issued a statement regarding their immediate and long-term remediation actions which may give you some insight. Let us know if you would like us to forward that statement. 3. Isolate SolarWinds. Another potential option would be to look at isolating SolarWinds into its own DMZ with strict ingress and egress rules and IPS protection, especially if you are a SNMP shop and have limited WMI deployment. If you have broad WMI deployment, SolarWinds has extensive access privileges and this may be a more urgent and difficult process, but worth consideration.

Suffice it to say that this won’t be the last large-scale breach IT will see and we have yet to determine the extent of the damage it will or can cause over time. The Root Group engineering staff has significant experience in security architectures and we can help you decide on the best course of prevention, mitigation or remediation for your enterprise.