Mitigating Third-Party Supply Chain Breaches

The recent SolarWinds data breach was so pervasive it sent shivers through the industry. Who exactly was affected? How deep were the incursions? What are the long-term implications? How will this impact critical areas of the global supply chain?

The unfortunate reality is that while the SolarWinds hack was shocking, it shouldn’t have come as a surprise. We know attackers will use any means available to steal data, expose company secrets and compromise critical assets.

It’s becoming increasingly attractive for such breaches to exploit trusted conduits into the enterprise established through third-party supply chain relationships. That’s why supply chain compromises are at the top of many security conversations today. These types of attacks provide under-the-radar access to key infrastructure and resources at the heart of any enterprise – including applications and software tools. And they’re so pervasive and effective that they pose a risk to the economy on a macro global scale.

Today’s businesses must assume that they’re already affected, and that no hardware system or software – even software built in-house – can be trusted. Every business that uses networking products, computing devices, security systems or software applications is likely already compromised via the multiple software supply chain delivery vectors that include software development tools and commercial software packages. Even proprietary, developed-in-house software – built using third-party tools and libraries – is not immune.

The SolarWinds event ignited a debate about both prevention and protection against such foundational breaches. Clearly, doing nothing is untenable for security organizations. But how do you deal with the inevitable when it could involve nearly any aspect of a network or an application? The possible implications are too vast, overwhelming and mind-boggling to even consider. Attempting to track down malicious code that’s out of your control, undetectable and potentially pervasive seems an impossible task.

Not anymore. The first proactive step is neutralizing the fundamental flaw at the heart of all breaches. In the SolarWinds breach, for example, attackers connected several links in the kill chain by taking advantage of weaknesses present in every computer system: unencrypted data residing in unprotected memory.

In one instance, a hijacked application process gained access to host memory in email and build systems. Once there, it proceeded to hijack SolarWinds’ software build processes, inserting malicious code into the commercial software which was then distributed to customers. Once that trusted software was distributed, the same technique could be leveraged to compromise other processes on customer hosts or virtual machines to pull unencrypted keys, passwords, certificates or other data residing, fully exposed, in host memory. This long-existing gap is the least-common denominator for attacks, and has been far too easy to exploit for too long.

Consider this same scenario, but with a security organization that has the ability to cryptographically and physically isolate each application – including processes, memory, storage and communication into its own trusted execution environment. Data exposure would be eliminated by definition and the kill chain broken – limiting the impact of any attack. Otherwise, left unimpeded, the hacker could easily execute horizontal attacks on other networked hosts discovered in memory.

Until recently, this process of isolation was not possible. Virtually all hosts – even those that are physically hardened – required that all data in memory remain unencrypted in order for the CPU to operate on that data. Memory isolation was also impossible, creating a critical link in both the SolarWinds’ breach and future compromises.

Fortunately, the latest generation of CPUs in servers and cloud infrastructure is built with lesser-known, memory isolation technology and with encryption features that mitigate this fundamental flaw. These features allocate memory segments in such a way that they can’t be accessed, or even seen, by other processes or by human insiders – even at the machine or root access level. The data in these isolated memory segments is protected with hardware-grade encryption and only decrypted deep inside the CPU hardware, when needed. Combined, these and other memory-centric security features enable the creation of what are commonly referred to as secure enclaves.

Within the isolated confines of a secure enclave, an application and its data can neither be seen nor accessed by any host process – except by explicit policy. Most importantly, the application cannot access memory outside the enclave, breaking the kill chain. Even if memory could be reached and data exfiltrated, it would remain encrypted and rendered useless outside the context of the enclave. Enclaving software not only creates an enclave in memory, but it can also be extended to protect data and applications in storage or while in transit across networks or the internet as well.

Isolating every application and its data within an enclave is key to minimizing the impact of a software-based supply chain attack. It’s not feasible to know which of the hundreds of applications that make up your business or run your infrastructure are malicious. Isolating all of them from valuable assets ensures that, while applications can still operate unimpeded, the potential to horizontally attack other applications is mitigated until IT (or the software vendor) can attest to the software’s safety.

Enclave technologies are being adopted by all industry players throughout the industry, including major cloud providers. With the threat of the next SolarWinds-type attack on the horizon, enclaves are becoming a practical way to help mitigate future supply chain breaches.

Avatar photo

Ayal Yogev

Ayal Yogev is the CEO and co-founder of Anjuna, with 20 years of experience building enterprise security products. Ayal has held multiple senior product management positions including VP of product management at SafeBreach, a Sequoia-backed enterprise security startup; managing the OpenDNS Umbrella product management team that was acquired by Cisco, and managing a product line at Imperva for the three years leading to its IPO. Ayal holds an MBA with honors from UC Berkeley, and Electrical Engineering and Computer Science degrees from Tel Aviv University.

ayal-yogev has 4 posts and counting.See all posts by ayal-yogev