Anexinet Exec: Lack Of Monitoring In SolarWinds Hack Is ‘Scary’

Dave Mahoney, enterprise services architect at the solution provider powerhouse, tells CRN that a cybersecurity strategy ‘actually needs to be used and implemented’ to prevent attacks such as this.

Most companies talk a good game about how much monitoring and auditing they do for cyberattacks--but flagrant incidents such as the SolarWinds breach and subsequent spread of malware to thousands of customers suggest many companies still have a lot of work to do.

That’s the message from Dave Mahoney, enterprise services architect at Blue Bell, Pa.-based Anexinet, No. 212 on CRN’s Solution Provider 500. Mahoney spoke with CRN as the fallout from the SolarWinds hack continued to grow and Microsoft disclosed that a second group may have also breached SolarWinds Orion, separately from the suspected Russian hackers behind the initial breach of the network monitoring platform.

[Related: Kevin Mandia: 50 Firms ‘Genuinely Impacted’ By SolarWinds Attack]

Mahoney pointed out that hackers not only successfully inserted malicious code into SolarWinds software, but were then able to have the malware “phone home” to their command-and-control server. As a result, the hackers gained even greater access to take further actions within the system.

“How were you not monitoring network traffic that is calling out to an unknown destination?” Mahoney said. “What are you doing if you are not monitoring your network in an automated fashion?”

A message to SolarWinds seeking a response was not immediately returned on Tuesday.

Automated monitoring solutions would alert a company when information is being sent out from its systems to an unknown location and when data is being sent back, Mahoney said.

“If they’re not even doing that at a minimum, that’s scary. That’s really scary,” he said. “And obviously they’re not, because none of them caught it.”

There also appears to have been a striking lack of DNS protection that should have blocked the hackers from gaining deeper access after the initial malware communicated back to their server, Mahoney said.

“If any one of these customers had had a really good DNS security system in place, all of this command and control stuff--that allowed the second stage of this attack to occur, where they were actually able to get to a terminal session--never would have occurred,” he said.

An estimated 18,000 organizations have been hit with malware via SolarWinds. Those include FireEye—which first disclosed the breach on Dec. 13—as well as Microsoft, Cisco Systems and VMware. The attack has also led to breaches at U.S. government agencies including the Treasury and Commerce Departments as well as the Departments of Defense, State, Energy and Homeland Security.

Still, spotting sophisticated cyber attacks is about more than just having the right tools, Mahoney said. And in many cases, companies already have plenty of cybersecurity solutions--they’re just not being used correctly, he said.

“I think that people are investing in tools. I think that they’re not investing in a well thought out cybersecurity strategy--which actually needs to be used and implemented, in order to put those tools in place to do what they need to do,” he said. “People are making investments. They’re spending money. But I can go buy all the wrenches in the world, to fit every possible task--and if I don’t use those wrenches properly, it’s never going to matter. And I think that’s the situation that we’re in.”

At solution provider powerhouse Anexinet, Mahoney said he spends a lot of his time helping customers to craft a cybersecurity program that has “as few gaps as possible.”

“We help build defense in depth strategies, and we help build preventative strategies as well as proactive strategies,” he said. “We spend a great deal of our time trying to educate customers about what [cybersecurity] really means: Don’t just buy tools.”