Defensive Security Podcast Episode 268
Description
Stories:
https://www.computerweekly.com/news/252522789/Log4Shell-on-its-way-to-becoming-endemic
https://www.cybersecuritydive.com/news/microsoft-rollback-macro-blocking-office/627004/
Jerry: [00:00:00] All right, here we go. Today is Sunday, July 17th, 2022, and this is episode 268 of the Defensive Security Podcast. My name is Jerry Bell, and joining me tonight, as always, is Mr. Andrew Kalat.
Andy: Hello, Jerry. How are you, sir?
Jerry: Great. How are you doing?
Andy: I’m doing good. I see nobody else can see it, but I see this amazing background that you’ve done with your studio and all sorts of cool pictures. Did you take those?
Jerry: I did not take those. They are straight off Amazon, actually.
Jerry: I’ll have to post the picture at some [00:01:00] point, but the pictures are actually sound-absorbing panels.
Andy: Wow. There’s jokes. I’m not going to make them, but anyway, I’m doing great. Good to see ya.
Jerry: Awesome. Just a reminder that the thoughts and opinions we express on the show are ours and do not represent those of our employers. But, as you are apt to point out, they could be, for the right price.
Andy: That’s true. That’s true. And, by the way, what that really means is you’re not going to change our opinions. You’re just going to hire them.
Jerry: Correct. Right. Sponsor our existing opinions.
Andy: Someday that’ll work.
Jerry: All right. So we have some interesting stories today. The first one comes from SCMagazine.com. The title is “Why SolarWinds just might be one of the most secure software companies in the tech universe.”
Andy: It’s a pretty interesting one. I went into this a little cynical. But there’s a lot of [00:02:00] really interesting stuff in here.
Jerry: Yeah, there is, I think. What I found interesting, a couple of things. One is very obvious: that this is a planted attempt to get back into the good graces of the IT world. But at the same time, it is very clear that they have made some pretty significant improvements in their security posture. And I think for that, it deserves a discussion.
Andy: Yeah, not only improvements, but they’re also having this strong appearance of transparency and sharing lessons learned, which we appreciate.
Jerry: Correct. The one thing that I... so we’ll get into it a little bit, but they still don’t really tell you how the thing happened.
Andy: Aliens.
Jerry: Obviously it was aliens. They did tell you what happened. And so in the article here, the [00:03:00] CISO of SolarWinds describes that the attack didn’t actually change their code base. So the attack wasn’t against their code repository. It was actually against one of their build systems.
Jerry: And so the adversary here was injecting code at build time, basically. So it wasn’t something that they could detect through code reviews. It was actually being added as part of the build process. And by inference they had pretty good control, at least they assert they had good control, over their source code, but they did not have good control over the build process. And in the article they go through the security uplifts they’ve made to their build process, which are quite interesting. I would describe it as they have three parallel build channels that are run by three different teams.
Jerry: And at the [00:04:00] end of each of those, there’s a comparison, and if they don’t match... they call it a deterministic build. So their security team does one, a DevOps team does another, and the QA team does a third, all building the same set of code. They should end up with the same final product. All of the systems are central to themselves. They don’t commingle. They don’t have access to each other’s. So there should be a very low opportunity for an adversary to have access to all three environments and do the same thing they did without it being detected at the end, when they do the comparison between the three builds. Whether it’s a novel approach, I hadn’t thought about it. It seems... my first blush was, it seemed excessive, but the more I think about it, it’s probably not a huge amount of [00:05:00] resources to do, so maybe it makes sense.
Andy: Yeah.
Andy: And also, they mentioned that three different people are in charge of it. And so to corrupt it, or somehow inject it into all three, would take somehow corrupting three different individuals, somehow, some way.
Jerry: Yeah, they would have to... the three teams would have to collude.
Andy: Yeah. Which is difficult.
Jerry: Yeah. Yep. Absolutely.
Jerry: So they actually... I haven’t looked into it, but they actually say that they’ve open-sourced their approach to this, what I’ll just call multi-channel build. I thought that was interesting.
Jerry: So it’s a good read. They talk about how they changed from their prior model of having one centralized SOC under the company CISO to three different SOCs that monitor different aspects of the environment. They went from having kind of a part-time red team to a [00:06:00] dedicated red team who’s focused on the build environment. I will say the one reservation I have is this kind of feels maybe a little bit like they’re fighting the last war. And so all the stuff that they’re describing is very focused on addressing the thing that failed last time. And are they making equal improvements in other areas?
Andy: Could be. I would say that they’re stuck in a bit of a pickle here where they need to address the common question: how do you stop this from happening again? That is what most people are going to ask them. It’s what the government’s asking them. That’s what customers are asking them. And so they’re somewhat forced, whether that’s the most efficient use of resources or not, to deal with that problem right there. They have no choice. But I also feel like a lot of the changes they made to their build process would catch a great many other supply-chain-type [00:07:00] attack outcomes, it seems to me.
Jerry: Fair. Fair enough.
Andy: It’s also interesting because a lot of these things are somewhat easy to explain. I bet there’s a lot of devil in the details they had to figure out. They mentioned that they halted all new development of any new features for seven months and turned all attention to security.
Jerry: Yeah, so it sounded like they moved from, I think, an on-prem dev and build environment to one that was up in AWS so that they could dynamically create and destroy them as needed.
Andy: Yeah, it’s interesting. The fundamental concept that this article is saying is: hey, once you’ve been breached and you secure yourself, do you have a lower likelihood of being breached in the future? Are you like Dell? You have the board’s attention now. You have the budget now. You have the people, now you have the mandate to secure the company. And is that true?
Jerry: I think it is situational. There are some, [00:08:00] I’m drawing a blank. I think that’s one of the hotel chains. I don’t want to say the wrong name, but I believe that there are also instances, readily available, where the contrary is true. Like they just keep getting hacked over and over.
Andy: And I sometimes wonder if that has to do with the complexity of their environment and the legacy stuff in their environment. If you look at a company like... I don’t know anything about SolarWinds, but I’m guessing, you know, that there is somewhat of a fairly modern IT footprint that may be somewhat easy to retrofit, as opposed to a hotel chain, probably some huge data centers that are incredibly archaic in their potential architecture and design and...