Navigating The SolarWinds Orion Code Compromise: How GlideFast and ServiceNow Can Help
Updated: Feb 1, 2021
Keeping one step ahead of security vulnerabilities and exposure is a constant challenge in today's IT environment. For many administrators and security personnel, hearing that the widely-adopted tool, SolarWinds Orion, had been compromised certainly raised the alarm. On December 13th, 2020 the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01 in response to a known compromise involving SolarWinds Orion products that are currently being exploited by malicious actors.
“Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation,” said Brandon Wales, CISA Acting Director.
Immediate assessment from SolarWinds said that Orion versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, have been tainted with malware. If you have any of these versions installed, Emergency Directive 21-01 includes required actions that can be followed to mitigate the risk.
We are all aware of how entwined SolarWinds’ footprint can be within an enterprise. The first step is to identify if your organization’s SolarWinds instances are a part of the vulnerable releases. Our team at GlideFast Consulting can leverage the ServiceNow platform to assist your organization with this.
For customers who have deployed Exposure Assessment and Vulnerability Response, you can determine your total installed software count for the specific software package, versions 2019.4 through 2020.2.1, on your servers. From there, you can evaluate your exposure, create vulnerable items, and manage remediation for the vulnerable software through change management.
For organizations without the Exposure Assessment and Vulnerability Response, we can leverage a report from our CMDB to get an understanding. The CMDB Query builder is suitable for this use case. We can simply drag and drop our hardware class and software installation table and apply the appropriate query. This provides us the results of installed instances of the software product, and we are able to see if the software version is within the 2019.4 through 2020.2.1 release.
Microsoft issued Customer Guidance on Recent Nation-State Cyber Attacks, discussing how to handle this threat as well as long-term effects of exposure. In actions observed in the Microsoft Cloud, attackers have gained administrative access by either using compromised privileged account credentials, forging SAML tokens, or using compromised SAML token signing certificates. The actor may use their administrator privileges to grant additional permissions to the target Application or Service Principal (e.g. Mail.Read, Mail.ReadWrite).
Having visibility into and control of your Service Principles can significantly reduce your exposure to such attacks. Using ServiceNow, we can leverage Requests and Change management for appropriate creation of Service Principles and access. The capabilities of ITOM Visibility allow us to see each of the Service Principles associated with our environment and through automated workflows, identify a newly-created Service Principle that had bypassed our change control and could represent malicious activity.
ServiceNow offers excellent time-to-value for ServiceNow customers who have ITOM Health entitlements and are looking for a monitoring solution stop gap, as they assess their SolarWinds position and the capabilities of the Agent Client Collector. The Agent Client Collector for monitoring is built on a Sensu framework and comes installed with monitoring capabilities for servers, databases, application servers, and middleware. It enables you to adopt and extend monitoring with additional checks from the Sensu community, as well as with any Nagios-compatible plugins. Checks and policies run in the agent to retrieve the relevant data, which is transformed into events or metrics and sent to the ServiceNow instance. Our team can now help you effectively monitor the health of your systems without the need to rely on third-party monitoring agents such as SolarWinds.
Interested in learning about how ServiceNow can protect your systems from external threats? Reach out to us here. We would love to learn more about your ServiceNow challenges and help your organization build better solutions.