The SolarWinds breach is not the first major supply chain breach, but previous similar breaches failed to prompt effective regulatory action. Both governments and businesses remain focused on things like cyber hygiene and information sharing, which — while critical — are not enough to stop the next major breach. The SolarWinds breach came in via a trusted vendor, which means even the most diligent cyber hygiene and immediate patching would not have helped. Likewise, information sharing is important, but it took nine months to detect the SolarWinds attack — so by the time there was information to share, it was too late.
IT leaders have been talking about cyber hygiene and information sharing since the late 1990s, and they will continue to be ineffective until better detection capabilities are implemented. Simply put, all three pieces of the puzzle need to fall into place before real, positive change can happen. Luckily, the SolarWinds breach came at a time when data security is receiving increased attention: a new federal Internet of Things cybersecurity bill recently became law, and Virginia passed a privacy law inspired by the European Union's General Data Protection Regulation (GDPR) and California's California Consumer Privacy Act (CCPA). This increased focus gives hope that the SolarWinds breach might finally prompt the right legislative or regulatory action on a broader, more effective scale for the entire nation.
Information Sharing Is Critical but Not Enough
For information sharing to be truly effective, several things need to happen. First, the current methods for information sharing must be improved. The SolarWinds breach provides the perfect justification to devote resources to this, and there has been some recent movement in the right direction via the Cybersecurity and Infrastructure Security Agency's information-sharing plan that organizations can opt into. Unfortunately, even well-coordinated information sharing won't be useful without more effective detection and instrumentation to go along with it. Ultimately, organizations cannot share information on something they have not detected.
Today, information sharing is too often just indicators of compromise (IoCs), which might include hashes of files, IPs, domains of command-and-control systems, and other things. While there is some value there, defenders need data on tactics, techniques, and procedures (TTPs) that can better help defenders respond to attacks as they occur. Some advisory bodies like MITRE provide helpful guidance in this area, but more timely data is needed. Without better detection, information sharing will continue to be limited to sharing the aftereffects of an attack, rather than its causes.
Better Detection Is the Final Piece of the Puzzle
If legislative action does come out of the SolarWinds breach, it should focus on prompting enterprises to adopt the recommendations of bodies like NIST and MITRE. These organizations are increasingly seeing the value of in-network detection tools. Recent NIST recommendations have focused on building long-term resilience to attacks and continuously looking for lateral movement and privilege escalation activity.
MITRE recently released MITRE Shield, a complement to its highly regarded MITRE ATT&CK matrix. These two frameworks are the yin and yang of network security: ATT&CK looks at TTPs and shows how attackers break in, what they do, and what tools they use, while Shield looks at those TTPs and focuses on how to build an active defense structure to combat them. By adopting the recommendations in these guidelines, organizations can dramatically enhance their ability to quickly detect lateral movement and other attack activity within their network.
SolarWinds demonstrated why organizations can no longer inherently trust software providers or third-party tools. Organizations need to adopt an "assumption of breach" security posture enabled by more effective detection tools. Patching vulnerabilities as they arise is great, but recommendations like those provided by MITRE and NIST can help enterprises stay on top of network security in a more proactive way by cleaning up the network environment, locating exposed credentials, identifying potential attack paths, identifying lateral movement, and more — thereby minimizing breach impact.
Without improved detection capabilities, attackers will simply find another way into the network. Even the most effective firewalls and perimeter tools will never stop 100% of attacks, which makes detection tools at all levels of the network more critical than ever. Detection enables better information sharing, including the ability to share TTPs in near-real time, helping organizations stop attacks more quickly and effectively. This will ensure that information sharing becomes an incredibly valuable tool for organizations, rather than something that is only useful after the fact.
Putting It All Together
There is no silver bullet that will stop the next SolarWinds, but the government has an opportunity to prompt change at a national level. Current implementations and discussions about expanding information sharing have gotten us nowhere, but tools exist to fully realize information sharing's enormous potential. Enterprises should embrace the guidelines put forth by advisory bodies like NIST and MITRE, and the government can step in with well-thought-out and meaningful regulations incentivizing organizations to institute more effective detection capabilities.
With better detection and reliable information sharing, enterprises can finally shift their focus from attack response and recovery to attack detection and faster mitigation. With these measures in place, there is reason to hope that the impact of the next SolarWinds might be mitigated — or even possibly prevented.Tony Cole has more than 35 years' experience in cybersecurity and today is the Chief Technology Officer at Attivo Networks, responsible for strategy and vision. Prior to joining Attivo Networks, he served in executive roles at FireEye, McAfee, Symantec, and is a retired cyber ... View Full Bio