On Dec. 8, 2020, FireEye announced the discovery of a breach in the SolarWinds Orion software while it investigated a nation-state attack on its Red Team toolkit. Five days later, on Dec. 13, 2020, SolarWinds posted on Twitter, asking "all customers to upgrade immediately to Orion Platform version 2020.2.1 HF 1 to address a security vulnerability." It was clear: SolarWinds — the Texas-based company that builds software for managing and protecting networks, systems, and IT infrastructure — had been hacked.
More worrisome was the fact that the attackers, which US authorities have now linked to Russian intelligence, had found the backdoor through which they infiltrated the company's system about 14 months before the hack was announced. The SolarWinds hack is now almost 3 years old, but its aftereffects continue to reverberate across the security world.
Let's face it: The enterprise is constantly under threat — either from malicious actors who attack for financial gains or hardened cybercriminals who extract and weaponize data crown jewels in nation-state attacks. However, supply chain attacks are becoming more common today, as threat actors continue to exploit third-party systems and agents to target organizations and break through their security guardrails. Gartner predicts that by 2025, "45% of organizations worldwide will have experienced attacks on their software supply chains," a prediction that has created a ripple across the cybersecurity world and led more companies to start prioritizing digital supply chain risk management.
While this is the right direction for enterprises, the question still lingers: What lessons have organizations learned from a cyberattack that went across the aisle to take out large corporations and key government agencies with far-reaching consequences even in countries beyond the United States?
To better understand what happened with the attack and how organizations can prepare for eventualities like the SolarWinds hack, Dark Reading connected with SolarWinds CISO Tim Brown for a deeper dive into the incident and lessons learned three years on.
1. Collaboration Is Critical to Cybersecurity
Brown admits that the very name SolarWinds serves as a reminder for others to do better, fix vulnerabilities, and strengthen their entire security architecture. Knowing that all systems are vulnerable, collaboration is an integral part of the cybersecurity effort.
"If you look at the supply chain conversations that have come up, they're now focusing on the regulations we should be putting in place and how public and private actors can better collaborate to stall adversaries," he says. "Our incident shows the research community could come together because there's so much going on there."
After standing at the frontlines of perhaps the biggest security breach in recent years, Brown understands that collaboration is critical to all cybersecurity efforts.
"A lot of conversations have been ongoing around trust between individuals, government, and others," he says. "Our adversaries share information — and we need to do the same."
2. Measure Risk and Invest in Controls
No organization is 100% secure 100% of the time, as the SolarWinds incident demonstrated. To bolster security and defend their perimeters, Brown advises organizations to adopt a new approach that sees the CISO role move beyond being a business partner to becoming a risk officer. The CISO must measure risk in a way that's "honest, trustworthy, and open" and be able to talk about the risks they face and how they are compensating for them.
Organizations can become more proactive and defeat traps before they are sprung by using artificial intelligence (AI), machine learning (ML), and data mining, Brown explains. However, while organizations can leverage AI to automate detection, Brown warns there's a need to properly contextualize AI.
"Some of the projects out there are failing because they are trying to be too big," he says. "They're trying to go without context and aren't asking the right questions: What are we doing manually and how can we do it better? Rather, they're saying, 'Oh, we could do all of that with the data' — and it's not what you necessarily need."
Leaders must understand the details of the problem, what outcome they are hoping for, and see if they can prove it right, according to Brown.
"We just have to get to that point where we can utilize the models on the right day to get us somewhere we haven't been before," he says.
3. Remain Battle-Ready
IT leaders must stay a step ahead of adversaries. However, it's not all doom and gloom. The SolarWinds hack was a catalyst for so much great work happening across the cybersecurity board, Brown says.
"There are many applications being built in the supply chain right now that can keep a catalog of all your assets so that if a vulnerability occurs in a part of the building block, you will know, enabling you to assess if you were impacted or not," he says.
This awareness, Brown adds, can help in building a system that tends toward perfection, where organizations can identify vulnerabilities faster and deal with them decisively before malicious actors can exploit them. It's also an important metric as enterprises edge closer to the zero-trust maturity model prescribed by the Cybersecurity and Infrastructure Security Agency (CISA).
Brown says he is hopeful these lessons from the SolarWinds hack will aid enterprise leaders in their quest to secure their pipelines and remain battle-ready in the ever-evolving cybersecurity war.