Stopping Sunburst: The Second-Best Argument for a SASE Platform

Dave Greenfield
December 21, 2020

It’s likely been the most sophisticated publicized attack in the past decade. For more than nine months, Sunburst, the trojan designed for SolarWinds Orion, lurked undetected in enterprise networks. Some 18,000 SolarWinds customers may have downloaded the trojanized Orion software, and not one reported the threat. (To better understand why this threat went undetected, check out this blog from Shay Siksik, Cato’s Security Analyst Manager. )

And these weren’t small, unprofessional organizations. More than 425 of the US Fortune 500 companies use SolarWinds products. These are enterprises who likely invested in all manners of preventive security measures. They’ve made heavy investments in NGFW appliances, antimalware, endpoint detection and response (EDR), and more. And still, it didn’t matter. If you ever needed a lesson that security prevention isn’t enough, Sunburst was it.

But there was a second, equally important lesson to consider from this outbreak: What do you do post-infection? For appliance-studded enterprises, post-infection looks like a race against time. They need to update infrastructure against the trojan, and hunt for the trojan on their networks before any further damage can be done.

In this, the real-world, security appliance vendors priding themselves on how quickly they released a Sunburst signature is only half the story. Enterprises must still download, test, and deploy those signatures across all appliances for all vendors — an enormous headache. They must then hunt for Sunburst lurking in their organization — an impossible task without months of traffic already logged for analysis. No security appliance vendor is going to help on that score.

Contrast that with the experience of Cato SASE customers. Within a few minutes of identifying Sunburst’s IoCs, our security team updated all Cato detection and prevention engines. Instantly, all Cato customers were protected against the trojan. No patches needed to be downloaded; no updates applied. Customers or partners —no further action was needed. Period.

But that was only a start. Cato’s security team mined months of data stored in our massive data warehouse built from all customers’ traffic flows. Through this process, the security team could identify network flows from those enterprises exhibiting Sunburst IoCs. The team alerted the relevant customers and helped them with remediation. The team will continue monitoring all Cato customer traffic for Sunburst moving forward.

And how long did this entire process take the Cato team? Few hours. In just a few hours, Cato was able to protect all customers against this threat, and identify and alert those already infected by Sunburst.

Let’s be clear. There’s no substitute for stopping threats before they penetrate defenses. We all know that. But the reality is that given the complexity of today’s networks, the first-mover advantage of attackers, and the enormous resources available to threat actors, perfect prevention is impossible. Enterprises must prepare themselves for what happens after learning about a threat.

How do you discover and hunt for threats in your organizations? In legacy enterprises, such an effort would have required enormous expenditures. Aggregation tools deployed to gather the data and storage purchased and maintained to store months of traffic. Data mining and analysis tools are needed to investigate the data. And, most of all, hiring of specialized talent for hunting threats.

More likely, companies would rely on an MSSP. Even then, the MSSP would still have to race against time, manually updating appliances and struggling to look for threats. But for customers of a true SASE platform, like Cato Cloud, automatic updates to all components and threat hunting are already part of the service.

Sunburst: Yet Another Argument for SASE

2020 has been an auspicious year for security and networking teams. We began by learning about the fundamental shift in networking and network security called secure access service edge (SASE).

Quickly, we saw the biggest argument for SASE — the need to shift to large-scale, work-from-home. Whereas legacy enterprise spent weeks and months deploying large scale, work-from-home solutions, Cato SASE customers converted to remote access in minutes and hours. How appropriate then that we should close the year with another case for SASE — quick and instant response to Sunburst.

To learn more about how Cato’s SASE platform can help you ready your network for whatever comes next, contact us here.

Dave Greenfield

Dave Greenfield is a veteran of IT industry. He’s spent more than 20 years as an award-winning journalist and independent technology consultant. Today, he serves as a secure networking evangelist for Cato Networks.