Zscaler, Office 365 and SolarWinds

I’ve read a number of different accounts of the variety of ways the SolarWinds breach occurred. One tidbit that jumped out to me is that Microsoft resellers were breached, and through that breach the hackers were able to read Office 365 emails of the resellers’ customers. Microsoft offers the following explanation.

Microsoft told CRN that if a customer buys a cloud service from a reseller and allows the reseller to retain administrative access, then a compromise of reseller credentials would grant access to the customer’s tenant. This abuse of access would not be a compromise of Microsoft’s services themselves, according to the company.

IMHO allowing resellers administrative access seems like a giant security no-no. I can’t believe that any security-minded company would allow such a thing, but I have zero experience to know how widespread that sort of practice is in the real world.

I read through zscaler’s security bulletin here, https://www.zscaler.com/blogs/security-research/zscaler-cove… . My interpretation is that zscaler provided partial coverage but they had to do some late night tweaking to cover it all. CRWD’s technical blog post read much more like, “this wouldn’t have been a problem if people had been using crwd”.

Anyways, to finally get to my question. Does anyone know whether, if the resellers’ customers had been using Zscaler, that would have limited the reading of Office 365 emails? My limited understanding suggests no…but as I said…limited.

thanks,
Ethan

https://www.crn.com/news/security/microsoft-s-role-in-solarw…
https://www.crn.com/news/security/crowdstrike-fends-off-atta…

15 Likes

IMHO allowing resellers administrative access seems like a giant security no-no. I can’t believe that any security-minded company would allow such a thing, but I have zero experience to know how widespread that sort of practice is in the real world.

Unless the reseller had a part in setting up Office 365 or transitioning from on-site Office to 365 online. In the past we used a hosted phone system and the telecom provider left the system’s default admin username and password in place. It was “hosted” offsite and we did not know they did this. Needless to say, the default user/pw was used to access our system and make all kinds of calls. It happens.

Anyways, to finally get to my question. Does anyone know whether, if the resellers’ customers had been using Zscaler, that would have limited the reading of Office 365 emails? My limited understanding suggests no…but as I said…limited.

Correct, it would not have stopped them.

What I see going on here is companies taking advantage of the mishap. Press releases stating “if” they had this, or our product could have defended against XYZ, to make themselves look good. There are lots of companies that do all kinds of wonderful protection against this or that. None of them guarantee their product will stop a hack, virus, ransomware, malware (the list goes on and on), nor are they actually responsible if their product fails to deliver.

A personal example is a company I help that runs Cylance for their endpoint protection, and it failed on some machines but worked on others to thwart an attack. When we contacted Cylance to give them information so they could help harden their product and hopefully stop other customers from suffering the same fate, they had no interest. Instead they offered to help find out how the attack happened at $450 an hour with an estimated time of 60-80 hours.

7 Likes

Canonian

“Instead they offered to help find out how the attack happened at $450 an hour with an estimated time of 60-80 hours.”

Great example of an extremely poor response to a bad situation. I’d be looking for a new company to fulfill that service.

IMHO allowing resellers administrative access seems like a giant security no-no. I can’t believe that any security-minded company would allow such a thing

Thousands of companies have almost no idea of the security technical layers of defense required to provide good protection. Many of them pay lip service to the “need” and “commitment” to security, but are not completely capable of implementing the knowledge and skills required and/or balk at the growing necessary expense. Some leaders of such organizations may judge the details as beneath them, if not “holding those people accountable”.

The capabilities of these software tools need to be explained in simple business risk & exposure terms.

The capabilities of these software tools need to be explained in simple business risk & exposure terms.

It’s like an alarm system for your house, if you think they actually help. You get door and window switches, motion, glass break, cameras, IR or laser perimeter beams; at some point you have to stop and say this is enough or all I can afford, or perhaps you feel comfortable at some point. The sad fact is none of that will stop someone who is determined or simply does not care. In some instances a camera outside is deterrent enough, in others a siren going off; some will not even approach the house if they hear your Doberman barking. I could go on and on. The point is each tool is unintelligent and can only do so much or takes care of certain facets of security. You layer these programs to do different things outside, on the border and inside your network of computers. Sometimes you double up and use two products that overlap with the same feature set but take a different approach, and have some features that complement each other. None of them can stop a determined hacker, with the exception of unplugging stuff from the internet.

It has reached a point that the very tools, cost savings and conveniences the internet brings are offset by the expense and pain of security. It will be a never-ending battle.

8 Likes