We need to pay attention to the SolarWinds supply chain compromise not because it was an attack on several federal agencies and possibly 18,000 organizations, but because it represents what can happen to any organization that follows status quo IT cybersecurity and business procedures.
More than a few IT leaders I’ve spoken with in recent weeks have whispered, “Wow, this could just as easily have happened to us.” They can breathe a sigh of relief that they don’t use SolarWinds Orion. But pure luck in choosing – or not choosing – a particular vendor has never really been recognized as cutting-edge security practice.
I’m not suggesting that mature IT and security best practices are inadequate. But most organizations continue to pursue traditional measures based on a firewall-first, signature-based, trusted-partner mindset. This mindset creates toxic IT solutions: the time-honored practice of making IT and cybersecurity workers continually clean up after bad code, hastily implemented platforms and poor business procedures. This dynamic threatens the cyber health of organizations and the mental health of cybersecurity workers.
In my mind, the business-as-usual approach amounts to “Cowboy IT,” which I characterize by the underutilization of modern tools, over-reliance on old ones and a lack of proper monitoring. Each of these practices causes companies to skip vital steps as they run and secure their infrastructure.
If a company chooses a limited solution or skips a step instead of choosing a more thorough or time-consuming (but essential) step, they incur technical debt. If organizations fail to pay back technical debt, hackers “repossess” that organization in one way or another. With SolarWinds, repossession took the form of an advanced persistent threat that stealthily stole data and infiltrated trusted partners.
Here are the major causes of this supply-chain attack:
- The creation of a suspect platform and code.
- Lack of monitoring and analytics.
- Lack of proper governance.
First, suspect code has become a major issue. Quite a few comments via social media and in the press have pointed out that SolarWinds’ Orion platform used an FTP server protected by the password SolarWinds123. This particular issue isn’t directly related to the actual attack. Still, it’s evidence of the “lift and shift” practices that led to the suspect-code problem. In other words, it’s evidence of older code created for use in one environment but moved to another.
Second, it’s clear there was a lack of monitoring, and a lack of cybersecurity threat intelligence use, among SolarWinds’ partners. Neither SolarWinds nor its partners could properly monitor the actions of code, either at rest or in transit.
Finally, governance was an issue. SolarWinds only decided to create a CISO role, and hire someone to fill it, a few weeks before the attack was discovered. Without a CISO function at such a large company, it’s very difficult for an organization to systematically plan for security and ensure compliance. Unfortunately, many other organizations are in the same boat.
What can organizations do? SolarWinds and its partners can start by implementing adequate data stream monitoring. If security analysts had been empowered to monitor for unusual tactics, techniques and procedures in software updates, this attack could have been detected much earlier. The security industry has talked about “Zero Trust” for years. Yet organizations continue to behave as if they can trust data from certain partners, especially if it’s convenient to do so. Proper governance would have led to a more effective response.
Looking from the outside in, it appears that the federal government, like us at CompTIA, sees the need for security analytics job roles. The recent National Institute of Standards and Technology (NIST) National Initiative for Cybersecurity Education (NICE) framework discusses analytics roles. We desperately need to upskill individuals to implement monitoring. Here’s hoping that organizations worldwide catch on to the leadership we’ve provided.
We also need more rigor in the security industry – more laws won’t change what companies actually do. We can’t afford to continue cleaning up after “lifted and shifted” platforms that use old, unaudited and unpatched code. Nor can we afford to avoid effective monitoring and analytics practices; monitoring job roles are essential.
Furthermore, proper governance and policy-based approaches to compliance will help organizations defend against state-sponsored entities that have the ability and the funding to tweak weaponized code in new and dangerous ways. When compliance measures work properly, they also let workers go beyond “face value” statements and investigate potentially serious issues with true authority. Understanding these issues, and more importantly, embracing solutions for them, offers a far more constructive way to move forward than simply blaming the many victims in this attack.
James Stanger, chief technology evangelist, CompTIA