CEO Update: SolarWinds and Microsoft Security Breaches

A message from Avatara’s Founder & CEO, Rob McCormick

You have probably taken note of the press reports over the last few days related to major cyber-attacks and breaches at a wide range of enterprises and government entities. These attacks are sometimes known collectively as the “SolarWinds” breach. The scale of the exposure is large and has been growing as new information is released.

Rest assured, the CompleteCloud system and the data that it holds are not in any way affected by these events. CompleteCloud is specifically designed to avoid the commonly used generic system tools and public cloud repositories that have been exploited in these attacks.

Breach Background

SolarWinds is a software company that produces, among other things, enterprise system management platforms. These platforms use software agents installed on all computer systems to allow the management platform to gather statistics and perform management functions. One of these functions is “patch management,” which allows for the central distribution of patches for both operating systems and other software such as ERP/MRP systems. The attackers used a vulnerability in the patch management system so that their malware was treated as a trusted patch and distributed by the management platform. This method allowed broad distribution across all systems in affected enterprises.

Recently, it has also come to light that Microsoft 365 was compromised by this attack. There are conflicting reports, but Microsoft has confirmed that they were breached by the SolarWinds platform hack. The NSA and CISA have both released security advisories indicating that Microsoft 365 and Azure have vulnerabilities. The links below have more background on these issues.

SolarWinds Hack Could Affect 18K Customers — Krebs on Security

Microsoft says it found malicious software in its systems | Reuters

NSA Cybersecurity Advisory: Malicious Actors Abuse Authentication Mechanisms to Access Cloud Resources

How CompleteCloud Stays Secure

CompleteCloud is a proprietary private cloud platform engineered from the ground up with security as a core design principle. As a private instance, all data resides only in Avatara’s CompleteCloud systems. CompleteCloud does not use any third-party or public cloud data repositories or any technology components where customer data resides on third-party systems. This includes our security, FileCloud, archiving, backup, and other component systems. This design approach allows Avatara to completely control the location and security of all critical data.

The CompleteCloud platform uses sophisticated automation, monitoring, and provisioning systems to ensure consistency and compliance. These systems are all internally developed and linked into our private infrastructure. There are no “off the shelf” management platforms employed, and any third-party product components are engaged via secure API and not incorporated into the core system.

CompleteCloud uses Microsoft 365 ONLY for Office licensing. There is no customer data resident in Microsoft 365 and no administrative control of any systems entitled through that path. OneDrive and other data services are disabled by default policy.

CompleteCloud is the only completely private and secure-by-design platform in the industry. We leverage proprietary technology and years of high-security operations experience. We avoid, by policy, commonly used generic components and public cloud repositories. These core principles enable CompleteCloud customers to comply with a wide range of security frameworks and remain assured that their data is secure in a rapidly changing threat environment.

How Can Your Organization Stay Secure?

Contact Avatara today to find out how you can acquire peace of mind with the CompleteCloud Platform, delivered and supported in an all-inclusive per-user, per-month pricing model. In addition, we continue to assert that the end user is the most likely vector for attack given the secure base platform. If you are not using multi-factor access, strong passwords, and our KnowBe4 security awareness training for your staff, you should do so immediately.