Dive Brief:
- Mimecast has decommissioned its use of SolarWinds Orion after completing a forensic investigation into an attack by the threat actor involved in the original SolarWinds supply chain attack, the company said Tuesday. Mimecast, a specialist in email security for Microsoft Office 365 users, has switched from using SolarWinds Orion to NetFlow, a monitoring system developed by Cisco.
- The threat actor accessed and downloaded a limited number of source code repositories; however, Mimecast said the download was insufficient to build or run any aspect of its service. There is no evidence that the source code was modified, according to the report. Mimecast worked with FireEye's Mandiant on the investigation.
- Mimecast is implementing a new OAuth-based authentication and communication system between Mimecast and Microsoft, which will provide enhanced security. As part of the attack, the threat actor leveraged the Windows environment to query and possibly extract some encrypted service account credentials that were created by customers hosted in the U.S. and U.K.

Dive Insight:
Mimecast disclosed in January that the threat actor behind the original SolarWinds attack gained access to and possibly exfiltrated some encrypted service account credentials, which established credentials between Mimecast tenants and a number of on-premise and cloud services.
Mimecast specializes in protecting customers that use Microsoft Office 365, which represents about half of the company's overall business, or more than 20,000 customers.
The decision to move away from SolarWinds Orion marks one of the highest profile splits with SolarWinds over the supply chain attack; however, SolarWinds warned it was actively discussing the impact of the attack with multiple customers both in the private sector and the government.
"We are solely focused on helping the industry and our customers understand and mitigate this broad and highly sophisticated attack that targeted SolarWinds and other technology companies," a SolarWinds spokesman said in a statement released Tuesday. "The vast majority of our customers continue to operate the Orion platform and we are taking all the appropriate steps to protect them."
The steps include enhancing security protocols and procedures with the goal of making SolarWinds a security leader in the enterprise software industry.
For some customers of SolarWinds Orion, decommissioning and replacing the software was the first reaction, according to Peter Firstbrook, research vice president at Gartner. However, he has not seen a huge wave so far in that direction.
"There is no way to guarantee that whatever you replace SolarWinds with won't be the next victim of a supply chain attack," he said. "However for customers like Mimecast and other high profile victims, replacing SolarWinds will be seen as a logical confidence building step."
Despite this move, changing a vendor alone is not going to restore trust in the supplier relationship, according to Alla Valente, senior analyst, security & risk at Forrester.
"In reality, it's going to take more than just purchasing new security technology to protect the organization," she said. "They're going to need to rethink their strategy around third-party risks, the trust they grant these third parties, the access they provide inside of their environments, plus how they continue to monitor existing vendors."