Over the last several months there has been a significant increase in attacks on the critical infrastructure of the United States. These attacks include, but are not limited to, attacks on the Solarwinds and Kaseya products. Some attacks have been linked to “State-level” actors and others are still under investigation. The attacks we are addressing today are specifically “supply chain attacks”. Other recent examples of supply chain attacks include the Colonial Pipeline cyber attack and the attack on JBS S.A., a meat processing company. The Solarwinds and Kaseya events were both very serious; however, it is worth noting these are not new. Virtually no vendor, whether commercial or open-source, is immune to attack. As an example, Microsoft recently suffered an attack on their supply chain as well.
As a trusted partner, we at CIT wanted to take a few minutes to outline a broad scope of how we protect our company and work to secure our customers.
CIT has built its security program around the NIST 800-171 security framework. This framework was used to help us define our risks and build out a governance program designed to mitigate those risks.
The NIST framework includes five functions: Identify, Protect, Detect, Response, and Recover. A few high-level examples of what that includes are as follows:
This is the core of our security program. Our security governance program includes assessments, gap analyses, security policies and procedures, change management processes, vendor management processes, and so on.
This includes building both administrative and technical controls to protect data, identifiable information, and all company assets. Some tools that assist with this function include using multifactor authentication (MFA), limiting access to management interfaces, continuously reviewing and remediating vulnerabilities, and building out a cybersecurity training program.
CIT uses several tools to help detect threats and anomalous behavior, including a SIEM solution, as well as an advanced detection and response toolset from Darktrace.
As mentioned above, CIT uses Darktrace as part of our autonomous response systems, as well as a Security Operations Center to review alerts and correlate data against known and unknown threats.
CIT uses a robust backup and restoration toolset to ensure we can continue to provide service to customers, as well as ensure our operations are minimally impacted.
Last but not least, CIT uses a third party to audit our security program to the SOC 2 Type II compliance standard.
CIT also partners with several great resources, including CISA and the FBI, in addition to our vendors. While we do not use the Solarwinds or Kaseya products that were affected by the attacks, we do still use the lessons learned to improve our posture and response capabilities.
While we covered a good deal of CIT’s security program above, CIT has also been helping secure our customers by using these same core principles. For example, we include yearly security reviews, security training, vulnerability scans, and so on in our offerings. This is by design as we are purposely building a strong, secure core infrastructure and the foundation of a security program for our customers. While that is a great start, our customers are strongly encouraged to have detection and recovery processes and tools in place, such as Darktrace or endpoint detection and response (EDR) capabilities, as well as a secure, validated recovery solution, such as a Datto.
As mentioned, CIT uses Connectwise as our core toolset. Connectwise has put significant effort into improving its security posture. Most recently it has rolled out a security page to help be more transparent about its program and roadmaps.
Todd Sorg, CISO