
Critical National Infrastructure (CNI) and Data Protection: From Supply Chain Attacks to On-Prem Defenses

Companies and public organizations are routinely targeted by cybercriminals and state-sponsored groups alike, with attacks spanning ransomware, espionage-motivated intrusions, and sabotage.
Beyond targeting these companies directly, attackers also go after their suppliers and subcontractors, that is, their software supply chain.

For example, the Lazarus Group’s phishing campaign against the Defense sector is a case in point; furthermore, a 2023 hearing of the French Ministry of the Armed Forces before the French Senate revealed that 80% of French strategic companies targeted by attacks are attacked via their subcontractors.
Relying on trusted suppliers is crucial, particularly when it comes to data storage and processing. 

Let’s take a look at the challenges that companies face, and the solutions ready to meet data security imperatives. 
 

Big Players ≠ Blind Trust 

Microsoft hearing 

Recent events have shown that even solutions provided by major players do not eliminate data security risks. In fact, despite their size and the business and security stakes involved, these organizations don’t always apply the best practices expected of them.

For example, the report by the Cybersecurity Review Board (CSRB) and the Congressional hearing of Microsoft’s chairman highlighted the substantial errors and poor security practices of Microsoft, which fell victim to attacks between 2023 and 2024. The report states that the cyberattack against Microsoft in 2023, which ultimately affected organizations around the world, was “preventable” and that “Microsoft’s security culture was inadequate and in need of an overhaul”. 

This is the first time that a major cybersecurity incident has been described publicly with this level of transparency and directly by the US administration.   

Subsequently, Microsoft had to deal with another potentially state-sponsored attack at the end of 2023, which it disclosed in January 2024. Yet the way in which the Redmond firm handled and communicated about this new incident does not reveal the implementation of best practices, even though protecting against cybersecurity incidents that affect customers should always be a priority, especially given customers’ dependence on these suppliers. 

This case illustrates the fact that organizations in sensitive sectors cannot place blind trust in suppliers just because they are large companies who have conquered the market with their products. 
 

The Snowflake affair 

Snowflake (Inc.) offers companies data storage, processing, and analysis services as a “Data-as-a-Service” provider. The American firm has almost 10,000 customers.    

In June 2024, the media reported that hundreds of Snowflake customers had been affected by cyberattacks resulting in the loss of private data – victims included TicketMaster, AT&T, and Santander Bank.   

In reality, this was neither an attack nor a hack. Snowflake’s network and assets had not been directly compromised. 

Here’s what happened: an attacker obtained valid Snowflake Cloud instance credentials on the black market. These had previously been stolen by infostealers such as Raccoon, RedLine, or Vidar from the personal computers of contractors, customers, or employees.

These credentials were then used to access customer-managed instances hosted by Snowflake.  

This incident could have been avoided if essential security best practices had been applied: enforcing multi-factor authentication (MFA), rotating passwords, network allowlists that accept connections only from trusted addresses, and so forth.
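The checks just listed can be turned into detection logic over login telemetry. The following is an added example, not code from the original article or from any vendor: it runs over constructed login records (field names such as `mfa` and `ok` are assumptions, not a real platform’s schema) and flags successful logins that lack MFA, come from outside a network allowlist, or show one account arriving from several addresses within a short window, the pattern stolen credentials produce.

```python
"""Flag risky logins of the kind behind the Snowflake incident:
valid credentials reused without MFA from untrusted networks."""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry); the field names are assumptions.
SAMPLE_LOGINS = [
    {"user": "etl_svc", "ip": "203.0.113.7", "ts": "2024-05-20T02:14:00", "mfa": False, "ok": True},
    {"user": "etl_svc", "ip": "198.51.100.9", "ts": "2024-05-20T02:20:00", "mfa": False, "ok": True},
    {"user": "analyst1", "ip": "10.20.0.15", "ts": "2024-05-20T08:05:00", "mfa": True, "ok": True},
    {"user": "analyst1", "ip": "10.20.0.15", "ts": "2024-05-20T08:06:00", "mfa": False, "ok": False},
]

# Allowlist of corporate ranges (constructed values).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/24")]


def is_trusted(ip: str) -> bool:
    """True when the source address falls inside an allowlisted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_risky_logins(logins, window=timedelta(minutes=30)):
    """Return (user, ip, reasons) for every successful login that breaks a rule."""
    flagged = []
    seen_by_user = {}  # user -> list of (timestamp, ip) of earlier successful logins
    for rec in sorted(logins, key=lambda r: r["ts"]):
        if not rec["ok"]:
            continue  # failed attempts are out of scope for these rules
        reasons = []
        if not rec["mfa"]:
            reasons.append("no_mfa")
        if not is_trusted(rec["ip"]):
            reasons.append("untrusted_ip")
        ts = datetime.fromisoformat(rec["ts"])
        recent = [(t, ip) for t, ip in seen_by_user.get(rec["user"], []) if ts - t <= window]
        if any(ip != rec["ip"] for _, ip in recent):
            reasons.append("multiple_ips_in_window")
        seen_by_user.setdefault(rec["user"], []).append((ts, rec["ip"]))
        if reasons:
            flagged.append((rec["user"], rec["ip"], reasons))
    return flagged


if __name__ == "__main__":
    for user, ip, reasons in find_risky_logins(SAMPLE_LOGINS):
        print(f"{user} from {ip}: {', '.join(reasons)}")
```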

It’s important to remember that the security effort must always be proportional to the value of the asset being protected. In this case, data platforms are often fed by an organization’s entire data pool. So the stakes are high! 
 

The “Uber breach” case 

The Uber attack is one such case that illustrates the impact of security flaws linked to third-party services. 

In 2022, the company was the victim of a social engineering attack that enabled access to its Privileged Access Management (PAM) system.

What happened next is unfortunately easy to imagine: the attackers then gained access to numerous services critical to Uber, such as AWS, VMware, Google Drive, Slack… and even the console of their SentinelOne security solution.  


“Your partners’ security flaws = your security flaws” 

Even when outsourcing some of the workload and security considerations to third-party suppliers, it’s imperative to keep a close eye on cybersecurity best practices, vulnerabilities, and the configuration of all the assets that make up the IT fleet. After all, your partners’ security flaws are your security flaws. 

In fact, in one edition of his newsletter “Venture in Cybersecurity”, Ross Haleliuk argues that there are only two sources of problems in security: bugs and misconfigurations.

In addition, zero-day vulnerabilities remain a widely exploited vector, as highlighted by a Sophos report documenting over five years of battles against Chinese threat actors targeting network devices worldwide.

In short, the cases we saw earlier illustrate that providers aren’t necessarily making the required security efforts. This also holds for Cloud service providers in general, who don’t always provide the expected level of security, which leads to a false sense of security.

It’s up to each individual organization to put the necessary security measures in place – and verify their supply chain’s own. 
 

To help organizations take the necessary security measures, ANSSI and CISA report known vulnerabilities and solutions to remedy them, as well as threats, alerts, and incidents targeting all types of sectors, including critical ones. 


While national and European regulations can set a framework for cybersecurity, they have little effect on digital giants outside the territory they target.   

In the following section, we’ll look at other data security risk vectors: non-European legislation with extraterritorial reach. 


Non-European legislation: a clear danger for companies’ data 

We mentioned earlier the risks associated with industrial espionage, data theft, and advanced persistent threats (APTs), but it’s important to remember that governments don’t necessarily need to carry out attacks to capture the data they want: they can collect it directly using intelligence techniques.

Geopolitical conflicts can make some companies, particularly those in sensitive sectors, a prime target for state-sponsored espionage. (Look no further than the WikiLeaks incident in 2012).  

At the time, the USA ordered its technical intelligence agency, the NSA, to “collect information on all French sales and financing of major projects related to telecommunications, power generation, gas, oil, nuclear and renewable energy, and environmental and health technologies”, and also provided for the “interception and reporting of all negotiations and contracts of French companies worth more than $200M”. The results of the spying were then to be communicated to various American commercial, political, and intelligence agencies.   

Also, through legal instruments such as the Foreign Intelligence Surveillance Act (FISA) or the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), the US government can retrieve data via major digital players, and the NSA can requisition software used by players involved in a market of interest to it.

On the other side of the globe, China has similar legislation, notably with the 2017 Intelligence Law, which obliges any company, organization, or individual linked to China to collaborate with its intelligence services.  

As a result, outside its own territory, an organization can see its data exposed to foreign competitors.  

With this in mind, digital solutions that collect critical data must be able to be deployed in a private environment without any data being shared externally.  

In other words, while it’s not always possible to protect your data via the legal framework alone, it is possible to do so technically with On-Premises solutions! 

 

On-Premises solutions for total control & data protection 

While EDR and EPP represent a first barrier against the threats posed by cybercriminals’ advanced attacks, EDR is also an essential tool for investigations. However, for some highly sensitive sectors, especially Critical National Infrastructure (CNI), SaaS solutions are not always an option, despite the data security guarantees on offer (including SecNumCloud qualification in France, for example).  

On-Premises solutions are essential to ensure total data control in the face of industrial and strategic espionage.  

With this in mind, HarfangLab offers an On-prem solution with features on par with its SaaS solution, to meet the needs of organizations that need to both: 

  • benefit from one of the most effective EDR and EPP solutions on the market in terms of detection and blocking, as confirmed by MITRE Evaluations 
  • comply with the technical and legal requirements of their business sector, particularly in terms of data control and security 
  • enable SOC analysts to work under optimum conditions in any environment, even in private Clouds. 

HarfangLab On-Premises guarantees total data control through complete installation and storage of telemetry data directly on the customer’s servers. Updates can be carried out remotely or on-site.

 

The benefits of HarfangLab On-Premises in 3 key points 

HarfangLab protects several hundred thousand endpoints in closed environments and can be deployed across complex information systems.  

  1. HarfangLab can operate in totally disconnected mode to protect air-gapped environments, without any data processing in the Cloud.
  2. Agents are embedded on endpoints, including 100% of detection engines, for complete protection.
  3. Users have full control over the data generated by the EDR and keep ownership of it.

 

Customer testimonial

“EDRs are critical tools, for both sides: attackers can leverage them to take control of workstations and servers. For example, it’s possible to isolate a workstation, blacklist a critical element on a server (e.g. svchost.exe), thereby blocking the entire information system, or dump the memory of certain processes like lsass.exe. It can then become an attack platform. It is essential for a critical sector to adopt an On-Premises EDR infrastructure. HarfangLab enables us to control and secure our security stack.”
SOC Manager – Defense Industry


Want to know more about our On-Prem platform?