The BigFix Response to the SolarWinds-based Attack

 

PUBLISHED DATE: December 21, 2020

 

HCL Software today announced that IT and security teams using HCL BigFix can quickly determine which systems have SolarWinds Orion software installed, detect if compromised versions of Orion are present,detect indicators of compromise (IOCs), patch related software, and help isolate infected systems. One week ago, SolarWinds announced that its Orion software served as the unwitting conduit for an internal cyberespionage operation effecting nearly 18,000 customers. The full extent of the damage is still unknown.

HCL BigFix is the only endpoint management platform that enables IT Operations and Security teams to fully automate discovery, management, and remediation. It runs on over a dozen operating systems, whether they are on–prem or cloud, regardless of location or connectivity. The global BigFix community is working together to continuously refine the approach to this threat. Follow the latest at https://forum.bigfix.com/t/dhs-emergency-directive-21-01-solarwinds-thread/36420. Working with security professionals across industries, the community has rapidly identified and validated methods for using BigFix to report on vulnerable versions of SolarWinds installations and detect malicious indicators of compromise (IoC). New insights and approaches are being included as the situation unfolds.

“Our clients can rest assured that HCL Software does not have the compromised versions of SolarWinds Orion in its environment, nor do we know of any HCL contractors or vendors who use SolarWinds Orion,” said Kristin Hazlewood, Vice President and GM, HCL BigFix. “None of the tools used by HCL BigFix have been impacted by the reported breach at SolarWinds or FireEye. As a result, our ability to deliver products and services to our valued customers have not been impacted. We remain vigilant in maintaining data security and securing our systems.”

BigFix is regularly used to provide deeper insights into vulnerabilities and threats as well as implementing remediations in near real time, with capabilities to:

  • Provide methods to immediately identify and detect systems that may be vulnerable
  • Continually analyze systems to identify any newly affected systems
  • Show historical reporting on software installations and removals to help determine the window of exposure
  • Validate security policies that identify whether and when specific security controls were modified or disabled by an attacker
  • Deploy operating systems or image systems to rapidly recover your systems.

If infected systems are found, The Department of Homeland Security (DHS) is recommending that systems be turned offuntil forensics are completed including determining if a breach has occurred. Once completed, DHS is recommending that systems be rebuilt from ISO images. Organizations can prepare for this effort or begin provisioning new systems using established tools such as BigFix Lifecycle. Refer to the DHS Emergency Directive to understand the actions required by government agencies and departments. Commercial customers may also refer to Microsoft’s Customer Guidance on Recent Nation-State Cyber Attacks.

For more information about BigFix capabilities, visit www.BigFix.com or https://www.hcltechsw.com/wps/portal/products/bigfix. For more information on customer success with BigFix, please visit: https://www.hcltechsw.com/products/bigfix/customer-reference