Would SDP have stopped the OPM breach? Absolutely!

by | Aug 3, 2015 | Blog Posts

Reprinted with permission

By Junaid Islam – blog posted on Basecamp on 7/27/15
President & CTO
Vidder, Inc.

Over the past month I’ve been asked if SDP would have stopped the OPM breach? My answer “Absolutely”. For those of you who may remember the last SDP Hackathon specifically modeled credential theft.

The OPM breach started with a stolen credential which enabled network access which led to . . . well you know. What is really disturbing is how similar the OPM breach was to the Target and Sony attacks. The fact is that large organizations utilize human inputed or certificate based credentials as their primary authentication method. Once the attacker gets the credential they can freely roam the interior of enterprise networks to find high value servers.

Isolating servers and then using MFA based access is the only solution to protecting large organizations against credential theft – which is what SDP does. SDP works by only allowing users to sign-in from pre-registered devices. Connecting from an unknown device simply doesn’t work (as the Hackathon proved). Moreover SDP only grants application access (never network) – which limits lateral movement.

The next question I get is that if SDP had been deployed, wouldn’t the hackers be able to relay thru a pre-registered device to get network access? Yes SDP doesn’t stop relaying from a pre-registered device (we’d need to install some type of process isolation software). And while SDP does limit lateral movement we want to probably add some type of server protection to make sure attackers don’t relay thru that.

To create a comprehensive perimeter solution we’d want to start with SDP which would stop the credential theft and lateral movement attacks. Next, we’d add process isolation to user devices to stop relaying. Then we’d deploy a combination of application protection (to stop server re-programming) and behavior profiling (to stop data exfiltration) . This model would stop external cyber attacks. Would this stop the next Snowden (an insider who spent years preparing)? No! But if our risk is reduced to the insider who spends years preparing we’re better off then the situation we have today.