Dark Reading is part of the Informa Tech Division of Informa PLC

Tony Cole
Stopping the Next SolarWinds Requires Doing Something Different

Will the SolarWinds breach finally prompt the right legislative and regulatory actions on a broader, more effective scale?

The SolarWinds breach is not the first major supply chain breach, but previous breaches of the same kind failed to prompt effective regulatory action. Both governments and businesses remain focused on things like cyber hygiene and information sharing, which, while critical, are not enough to stop the next major breach. The SolarWinds implant arrived inside a legitimately signed update from a trusted vendor, which means even the most diligent cyber hygiene and immediate patching would not have helped; promptly applying the update is precisely what installed the backdoor. Likewise, information sharing is important, but the SolarWinds intrusion went undetected for roughly nine months, so by the time there was information to share, it was too late.

IT leaders have been talking about cyber hygiene and information sharing since the late 1990s, and both will remain insufficient on their own until better detection capabilities are implemented. Simply put, all three pieces of the puzzle need to fall into place before real, positive change can happen. Fortunately, the SolarWinds breach came at a time when data security is receiving increased attention: the federal IoT Cybersecurity Improvement Act of 2020 recently became law, and Virginia passed a consumer privacy law inspired by the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). This increased focus gives hope that the SolarWinds breach might finally prompt the right legislative or regulatory action on a broader, more effective scale for the entire nation.


Information Sharing Is Critical but Not Enough
For information sharing to be truly effective, several things need to happen. First, the current methods for information sharing must be improved. The SolarWinds breach provides the perfect justification to devote resources to this, and there has been some recent movement in the right direction via the Cybersecurity and Infrastructure Security Agency's information-sharing plan that organizations can opt into. Unfortunately, even well-coordinated information sharing won't be useful without more effective detection and instrumentation to go along with it. Ultimately, organizations cannot share information on something they have not detected.

Today, information sharing too often consists only of indicators of compromise (IoCs): file hashes, IP addresses, command-and-control domains, and the like. There is some value there, but an attacker can swap a hash, an address, or a domain at almost no cost, and a list of last month's indicators says nothing about this month's infrastructure. What defenders need is data on tactics, techniques, and procedures (TTPs), which change far less often and which can help them recognize and respond to attacks as they occur. MITRE's ATT&CK knowledge base provides helpful guidance in this area, but more timely data is needed. Without better detection, information sharing will continue to be limited to the artifacts an attacker left behind, rather than the behavior that could have been caught in progress.

Better Detection Is the Final Piece of the Puzzle
If legislative action does come out of the SolarWinds breach, it should focus on prompting enterprises to adopt the recommendations of bodies like NIST and MITRE. These organizations are increasingly seeing the value of in-network detection tools. Recent NIST recommendations have focused on building long-term resilience to attacks and continuously looking for lateral movement and privilege escalation activity.

MITRE recently released MITRE Shield (since reorganized as MITRE Engage), a complement to its highly regarded MITRE ATT&CK matrix. These two frameworks are the yin and yang of network security: ATT&CK catalogs TTPs and shows how attackers break in, what they do, and what tools they use, while Shield takes those same TTPs and focuses on how to build an active defense structure to combat them. By adopting the recommendations in these guidelines, organizations can dramatically enhance their ability to quickly detect lateral movement and other attack activity within their network.

SolarWinds demonstrated why organizations can no longer inherently trust software providers or third-party tools. Organizations need to adopt an "assumption of breach" security posture enabled by more effective detection tools. Patching vulnerabilities as they arise is great, but recommendations like those provided by MITRE and NIST can help enterprises stay on top of network security in a more proactive way by cleaning up the network environment, locating exposed credentials, identifying potential attack paths, identifying lateral movement, and more — thereby minimizing breach impact.

Without improved detection capabilities, attackers will simply find another way into the network. Even the most effective firewalls and perimeter tools will never stop 100% of attacks, which makes detection tools at all levels of the network more critical than ever. Detection enables better information sharing, including the ability to share TTPs in near-real time, helping organizations stop attacks more quickly and effectively. This will ensure that information sharing becomes an incredibly valuable tool for organizations, rather than something that is only useful after the fact.
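The contrast drawn in the two preceding sections, indicator lists that go stale the moment an attacker rotates infrastructure versus detection of the behavior itself (an account fanning out across hosts, which is the lateral movement the article wants caught), as an added example that is not part of the original article or any vendor's product. The log records, host and account names, domains and field layout are constructed for the illustration and are assumptions, not a real product's event format; the ATT&CK technique ID T1021 (Remote Services) is real, the rest is illustrative:

```python
"""Indicator matching versus behavioural (TTP) detection over sample logon logs.

Added illustration for this article; it is not code from the author or any
vendor. Log records, host names, account names and domains are constructed
for the example, and the record layout is an assumption, not a real product's
event format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: simplified "dns" lookups and network "logon" events
# (think Windows event 4624 with logon type 3, reduced to a few fields).
CONSTRUCTED_LOG = [
    # Campaign A: the C2 domain later ends up on a shared indicator list.
    {"ts": "2021-04-20T02:00:05", "kind": "dns", "host": "ws-17", "query": "c2-a.example"},
    {"ts": "2021-04-20T02:01:10", "kind": "logon", "user": "svc-backup", "src": "ws-17", "dst": "fs-01"},
    {"ts": "2021-04-20T02:01:42", "kind": "logon", "user": "svc-backup", "src": "ws-17", "dst": "fs-02"},
    {"ts": "2021-04-20T02:02:30", "kind": "logon", "user": "svc-backup", "src": "ws-17", "dst": "dc-01"},
    {"ts": "2021-04-20T02:03:05", "kind": "logon", "user": "svc-backup", "src": "ws-17", "dst": "sql-01"},
    # Benign: an administrator touching two file servers during the workday.
    {"ts": "2021-04-27T10:00:00", "kind": "logon", "user": "admin-k", "src": "ws-03", "dst": "fs-03"},
    {"ts": "2021-04-27T10:45:00", "kind": "logon", "user": "admin-k", "src": "ws-03", "dst": "fs-04"},
    # Campaign B, a week later: same tradecraft, fresh infrastructure on no list.
    {"ts": "2021-04-27T23:10:00", "kind": "dns", "host": "ws-42", "query": "cdn-b.example"},
    {"ts": "2021-04-27T23:11:00", "kind": "logon", "user": "jsmith", "src": "ws-42", "dst": "fs-03"},
    {"ts": "2021-04-27T23:11:30", "kind": "logon", "user": "jsmith", "src": "ws-42", "dst": "fs-04"},
    {"ts": "2021-04-27T23:12:10", "kind": "logon", "user": "jsmith", "src": "ws-42", "dst": "hr-01"},
    {"ts": "2021-04-27T23:13:00", "kind": "logon", "user": "jsmith", "src": "ws-42", "dst": "dc-01"},
]

# What a shared IoC feed built from Campaign A would contain.
SHARED_IOCS = {"c2-a.example"}


def ioc_hits(events, bad_domains):
    """IoC-style detection: match DNS queries against a list of known-bad domains.

    Cheap and precise, but it only ever catches infrastructure that someone
    already observed and shared; Campaign B is invisible to it.
    """
    return [e for e in events if e["kind"] == "dns" and e["query"] in bad_domains]


def lateral_movement_alerts(events, window=timedelta(minutes=10), min_hosts=3):
    """Behavioural detection: one account, from one source host, logging on to
    at least `min_hosts` distinct destinations within `window`.

    This describes the technique (remote-service fan-out, ATT&CK T1021) rather
    than any hash, address or domain, so it fires on Campaign B as well.
    """
    by_actor = defaultdict(list)
    for e in events:
        if e["kind"] == "logon":
            by_actor[(e["user"], e["src"])].append(
                (datetime.fromisoformat(e["ts"]), e["dst"]))
    alerts = []
    for (user, src), logons in by_actor.items():
        logons.sort()  # input order is not guaranteed to be chronological
        for i, (t0, _) in enumerate(logons):
            # Sliding window anchored at each logon in turn.
            hosts = {dst for t, dst in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "technique": "T1021",
                    "user": user,
                    "src": src,
                    "hosts": sorted(hosts),
                    "start": t0.isoformat(),
                })
                break  # one alert per actor is enough for triage
    return alerts


def shareable_ttp(alert):
    """Strip site-specific identifiers so the finding can be shared promptly as
    a TTP description rather than as a list of indicators that will be stale
    by the time anyone acts on them."""
    return {
        "technique": alert["technique"],
        "pattern": "single account fan-out to multiple hosts from one source",
        "distinct_hosts": len(alert["hosts"]),
        "hour_utc": datetime.fromisoformat(alert["start"]).hour,
    }


if __name__ == "__main__":
    print("IoC hits:", [e["host"] for e in ioc_hits(CONSTRUCTED_LOG, SHARED_IOCS)])
    for a in lateral_movement_alerts(CONSTRUCTED_LOG):
        print("lateral movement:", a["user"], "from", a["src"], "->", a["hosts"])
        print("  to share:", shareable_ttp(a))
```

Run stand-alone, the indicator check finds only the first campaign, while the behavioral rule flags both campaigns and leaves the administrator's two logons alone. The window and host threshold are the tuning knobs a real deployment would set from its own baseline; the point is that what gets shared afterward is the technique and its shape, which is useful to a peer organization before the attacker's next set of domains is ever seen.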

Putting It All Together
There is no silver bullet that will stop the next SolarWinds, but the government has an opportunity to prompt change at a national level. Current implementations and discussions about expanding information sharing have gotten us nowhere, but tools exist to fully realize information sharing's enormous potential. Enterprises should embrace the guidelines put forth by advisory bodies like NIST and MITRE, and the government can step in with well-thought-out and meaningful regulations incentivizing organizations to institute more effective detection capabilities.

With better detection and reliable information sharing, enterprises can finally shift their focus from attack response and recovery to attack detection and faster mitigation. With these measures in place, there is reason to hope that the impact of the next SolarWinds might be mitigated — or even possibly prevented.

Tony Cole has more than 35 years' experience in cybersecurity and today is the Chief Technology Officer at Attivo Networks, responsible for strategy and vision. Prior to joining Attivo Networks, he served in executive roles at FireEye, McAfee, Symantec, and is a retired cyber ...
User Rank: Author
5/3/2021 | 12:47:38 PM
Re: Good read!
Thank you, I'm glad you enjoyed it.


User Rank: Author
5/3/2021 | 10:56:01 AM
Good read!
Good read