Learn how to adapt to the continuously changing risk environment with an efficient, continuous risk monitoring strategy.
In the six months since the SolarWinds supply chain attack, breach activity has only increased – and the bad actors aren’t letting up. This means that cybersecurity protection is more critical than ever.
But what lessons can be learned and what measures can organizations take to reduce risk? Earlier this year, BitSight hosted a panel discussion on the future of supply chain cyber risk management in the wake of the SolarWinds attack. Below are key reflections and takeaways on ways forward.
The SolarWinds incident: The knowns and unknowns
Although the SolarWinds hack – considered one of the most significant attacks against a critical supply chain partner – is ongoing and will take years to comprehend, there are known indicators from which to draw some salient implications.
Early reports indicate that up to 18,000 customer networks were affected, although current data suggests that infected customers are fewer in number than initial reports. However, several security vendors have since disclosed SolarWinds-related incidents – an alarming development that the industry continues to watch.
“SolarWinds appears to have owned the ‘keys to the kingdom’ for many organizations, possessing the ability to update software, patch systems, manage virtualization systems, monitor networks, and more,” said Stephen Boyer, Chief Technology Officer and Co-Founder of BitSight. Despite these capabilities, according to BitSight data, very few organizations classified SolarWinds as a critical vendor – making it an ideal target for disseminating an attack.
Learning from failures
Understanding the failures that contributed to the SolarWinds hack is the first step to putting cybersecurity protection measures in place to prevent history from repeating itself.
In the months leading up to the incident, the public and private sectors failed to follow through on warnings that trusted supply chains presented grave risk. That was a key failure, and a significant contributing factor to the attack.
“Despite increasing awareness about supply chain security and the origins of code, organizations did not adequately assess the cybersecurity of companies from whom they accept software updates,” said Richard A. Clarke, Chairman of Good Harbor Security Risk Management.
“Signs that SolarWinds … was not taking cybersecurity seriously enough were everywhere. They appear to have had no Chief Information Security Officer and to have had a low security score from a reliable external evaluation product … Anyone doing serious supply chain risk assessments would have flagged the company as a risk.”
Tiering critical vendors is a must
The panel noted that organizations are already taking steps to better understand supply chain risk, but stressed the imperative of tiering critical vendors for greater scrutiny.
“In some of these cases, better protections around outbound connections from software could have mitigated the risks,” said Boyer. “Unfortunately, the majority of companies did not have SolarWinds as a critical vendor, even though they had critical access to company networks. Going forward, reassessing and re-prioritizing criticality of vendors will be important.”
Clarke also warned against a false sense of security among organizations that aren’t SolarWinds customers. “Other major vendors like Cisco, Microsoft, FireEye suffered from the attack. Companies who have those vendors on their network may still face lingering risks.”
Traditional cybersecurity risk assessments aren't cutting it
Organizations now share data across the technology stack and with multiple vendors. This has created a vast attack surface that is hard to assess using traditional methods.
Said Clarke: “Organizations give questionnaires to their suppliers. The suppliers ‘self-attest’ that security is in order. Frankly, that seems worthless … Companies work hard to visit vendor sites to conduct auditing and testing, but it is unrealistic to expect all vendors to be reached or the level of testing will be detailed and effective enough to make a difference.”
Raising the bar: Steps organizations can take to improve cybersecurity protection
With so many unknowns remaining, the public and private sectors must keep their eyes on the problem. “Visibility throughout the organization should be modernized,” said Boyer. But he also warned against being fatalistic about the challenge.
“There are steps companies can take to improve their posture. Had more companies performed baseline security around SolarWinds Orion, the malware would likely not have moved past stage one. Doing the basics well is easy to understand, but it is hard to do. However, that is a better option than doing nothing.”
The panel also agreed that current assessment models are insufficient.
To ensure optimum cybersecurity protection – even as events escalate – organizations should take this opportunity to examine the effectiveness of their third-party cyber risk management programs. Critical steps include properly tiering vendors or suppliers, conducting continuous security monitoring of third parties to assess risk, and collaborating with partners to reduce risk and exposure.
For instance, BitSight allows organizations to freely share critical cybersecurity information with their vendors in an automated fashion. This creates a strong collaboration among business partners and encourages them to work together to reduce exposure and improve security performance. Efforts like these will be crucial in preventing the next SolarWinds-like incident.
For more insights and takeaways, download the white paper: Good Harbor Salon: The Future of Supply Chain Cyber Risk Management After SolarWinds.