Stopping the Next SolarWinds Requires Doing Something Different

Will the SolarWinds breach finally prompt the right legislative and regulatory actions on a broader, more effective scale?

Tony Cole, CTO at Attivo Networks

May 3, 2021

4 Min Read

The SolarWinds breach is not the first major supply chain breach, but previous similar breaches failed to prompt effective regulatory action. Both governments and businesses remain focused on things like cyber hygiene and information sharing, which — while critical — are not enough to stop the next major breach. The SolarWinds breach came in via a trusted vendor, which means even the most diligent cyber hygiene and immediate patching would not have helped. Likewise, information sharing is important, but it took nine months to detect the SolarWinds attack — so by the time there was information to share, it was too late.

IT leaders have been talking about cyber hygiene and information sharing since the late 1990s, and they will continue to be ineffective until better detection capabilities are implemented. Simply put, all three pieces of the puzzle need to fall into place before real, positive change can happen. Luckily, the SolarWinds breach came at a time when data security is receiving increased attention: a new federal Internet of Things cybersecurity bill recently became law, and Virginia passed a privacy law inspired by the European Union's General Data Protection Regulation (GDPR) and California's California Consumer Privacy Act (CCPA). This increased focus gives hope that the SolarWinds breach might finally prompt the right legislative or regulatory action on a broader, more effective scale for the entire nation.

Information Sharing Is Critical but Not Enough
For information sharing to be truly effective, several things need to happen. First, the current methods for information sharing must be improved. The SolarWinds breach provides the perfect justification to devote resources to this, and there has been some recent movement in the right direction via the Cybersecurity and Infrastructure Security Agency's information-sharing plan that organizations can opt into. Unfortunately, even well-coordinated information sharing won't be useful without more effective detection and instrumentation to go along with it. Ultimately, organizations cannot share information on something they have not detected.

Today, information sharing is too often just indicators of compromise (IoCs), which might include hashes of files, IPs, domains of command-and-control systems, and other things. While there is some value there, defenders need data on tactics, techniques, and procedures (TTPs) that can better help defenders respond to attacks as they occur. Some advisory bodies like MITRE provide helpful guidance in this area, but more timely data is needed. Without better detection, information sharing will continue to be limited to sharing the aftereffects of an attack, rather than its causes.

Better Detection Is the Final Piece of the Puzzle
If legislative action does come out of the SolarWinds breach, it should focus on prompting enterprises to adopt the recommendations of bodies like NIST and MITRE. These organizations are increasingly seeing the value of in-network detection tools. Recent NIST recommendations have focused on building long-term resilience to attacks and continuously looking for lateral movement and privilege escalation activity.

MITRE recently released MITRE Shield, a complement to its highly regarded MITRE ATT&CK matrix. These two frameworks are the yin and yang of network security: ATT&CK looks at TTPs and shows how attackers break in, what they do, and what tools they use, while Shield looks at those TTPs and focuses on how to build an active defense structure to combat them. By adopting the recommendations in these guidelines, organizations can dramatically enhance their ability to quickly detect lateral movement and other attack activity within their network.

SolarWinds demonstrated why organizations can no longer inherently trust software providers or third-party tools. Organizations need to adopt an "assumption of breach" security posture enabled by more effective detection tools. Patching vulnerabilities as they arise is great, but recommendations like those provided by MITRE and NIST can help enterprises stay on top of network security in a more proactive way by cleaning up the network environment, locating exposed credentials, identifying potential attack paths, identifying lateral movement, and more — thereby minimizing breach impact.

Without improved detection capabilities, attackers will simply find another way into the network. Even the most effective firewalls and perimeter tools will never stop 100% of attacks, which makes detection tools at all levels of the network more critical than ever. Detection enables better information sharing, including the ability to share TTPs in near-real time, helping organizations stop attacks more quickly and effectively. This will ensure that information sharing becomes an incredibly valuable tool for organizations, rather than something that is only useful after the fact.

Putting It All Together
There is no silver bullet that will stop the next SolarWinds, but the government has an opportunity to prompt change at a national level. Current implementations and discussions about expanding information sharing have gotten us nowhere, but tools exist to fully realize information sharing's enormous potential. Enterprises should embrace the guidelines put forth by advisory bodies like NIST and MITRE, and the government can step in with well-thought-out and meaningful regulations incentivizing organizations to institute more effective detection capabilities.

With better detection and reliable information sharing, enterprises can finally shift their focus from attack response and recovery to attack detection and faster mitigation. With these measures in place, there is reason to hope that the impact of the next SolarWinds might be mitigated — or even possibly prevented.

About the Author(s)

Tony Cole

CTO at Attivo Networks

Tony Cole has more than 35 years' experience in cybersecurity and today is the Chief Technology Officer at Attivo Networks, responsible for strategy and vision. Prior to joining Attivo Networks, he served in executive roles at FireEye, McAfee, Symantec, and is a retired cyber operator from the U.S. Army. Mr. Cole previously served on the NASA Advisory Council and the (ISC) Board of Directors as Treasurer and Chair of Audit and Risk. Today, he serves on the Gula Tech Foundation Grant Advisory Board helping the Foundation give back to the community to drive a more diverse cyber workforce. In 2014, he received the Government Computer News Industry IT Executive of the Year award, and in 2015 he was inducted into the Wash 100 by Executive Mosaic as one of the most influential executives impacting government. In 2018, he was awarded the Reboot Leadership Influencer Award by SC Media.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights