2020 was an extraordinary year for cybersecurity professionals and just as we were getting ready to ring in 2021, we were hit with what will potentially be known as the largest attack in the history of cybersecurity.

Of course, we are referring to the breach of the SolarWinds Orion platform.  The extent of this breach isn’t fully known yet. It will be a long time until we get a full grasp of it, if we ever do, but we already know the scope is massive.  It includes IT infrastructure at the highest levels of the US government, as well as large IT providers such as Microsoft.  As a result, the potential impact of compromised infrastructure could reach tens of thousands to hundreds of thousands of users.

We simply do not know the extent of the breach and can only begin to speculate on its final toll on infrastructure and resources. 

Third-Party Risk Management (TPRM)

Though the breach is among the most complex cybersecurity breaches ever recorded, a general summary states that malicious actors were able to spread malware by compromising one of SolarWinds’ most popular products, the Orion platform.  With access to the Orion platform, the attackers were able to gain access to almost every customer who uses the platform.

It’s important to emphasize that this description is a very high-level summary of how the attackers were able to spread their intrusion, but from this early analysis one could speculate that the SolarWinds attack should serve as a case study in the dangers of sub-standard Third-Party Risk Management (TPRM).  However, that would be too simplistic a response.

Any cybersecurity professional will tell you having good TPRM is important.   This means knowing how your company interacts with its vendors and where the vendor’s vulnerabilities could potentially expose you to harm.

Typically, there are two ways to accomplish this.  The first is working directly with the vendor and completing your own due diligence.  However, this can be costly in terms of time and manpower, as you’ll need dedicated experts to pore over various technical and physical aspects of the vendor’s environment to determine if they meet the cybersecurity threshold your firm may require.

Instead, many firms are opting for the second method, whereby they ask the vendor in question to provide an accreditation of their cybersecurity posture and resiliency via a third-party certificate.  Many of these certificates are currently on the market; two of the more popular ones are ISO 27001 and SOC 2 Type II.

While we will not get into the details of the actual process a firm must go through to acquire these certifications, we can state that certification allows firms to go through the costly process of certifying the security of their technology infrastructure once. Then they can provide an industry-accepted certification to other potential customers as a means of showing the certificate holder has met a certain level of cybersecurity resilience.

The problem is, while these certifications provide an effective means of evaluating the third-party risk a vendor may pose to your firm, they are not foolproof.  This can be seen by the fact that SolarWinds held certification for both ISO 27001 and SOC 2 Type II at least as far back as mid-2019 and was in the process of renewing its certificates for 2020.  In fact, one could even argue SolarWinds had to go further with its certification programs, given its involvement with various US government agencies.

A state-sponsored attack

At this point, one might ask what the point of certification is if firms such as SolarWinds, having reached a level of compliance almost everyone in the industry would consider safe, could still be breached so severely.  This is very much a defeatist attitude and is exactly what threat actors want you to think.  They want you to think that since you can’t reach 100% security you should not try, and thus make their lives easier.  The truth is they are half right; almost all cyber experts will tell you it is indeed impossible to reach 100 percent security, but that does not mean you should not try.

First and foremost, it must be acknowledged that the breach of SolarWinds was executed with sophisticated techniques and resources not available to most threat actors.  Though not confirmed, most cybersecurity professionals agree the SolarWinds breach was a state-sponsored attack with the direct aim of gaining access to the IT infrastructure of both the US government and large private US enterprises that conduct business with the government.

While the compromise of infrastructure can be devastating for a company, most entities will not face this level of attack.  This is why compliance certification initiatives such as ISO 27001 and SOC 2 Type II are still a critical part of the industry landscape.

Why compliance certification does matter

As stated earlier, the best-case scenario for a cyber threat actor is for you to take no preventative action at all.  Any action is better than none and building upon that, the more focused action you can take, the better off your firm will be.  This is where compliance certification comes in.

While it is true that an ISO or SOC certification will not make your infrastructure 100% unbreachable, you will be a lot more secure for having acquired the ISO or SOC than you would have been without it.  The certifications on their own do not make a firm more secure, but the actions behind the certifications are what will secure your infrastructure from attack, as well as allow you to recover from any breaches that may occur. 

At a high level, ISO and SOC focus on four key areas of cybersecurity protection: prevention, detection, mitigation, and recovery.  All four are needed to form a coherent and strong cybersecurity strategy.  If any one of those four pillars falters, an attacker will be able to use that vulnerability to navigate around the three remaining defenses.

In the case of SolarWinds, the attackers were able to operate for as long as they did primarily by focusing their efforts on avoiding detection, embedding their attack in the SolarWinds Orion software.  This allowed them to operate without having to worry about bypassing the primary defenses of their targets.

Prepare on many fronts

If there is a lesson to be taken from the SolarWinds attack, it should not be that breaches are inevitable.  Rather, the lesson should be that there is no single true way to execute a cybersecurity strategy, so you should try to be prepared on as many fronts as possible.

As we’ve seen from SolarWinds, even if you have the most complex defenses and the greatest availability of resources, it may still not be enough to prevent a vulnerability from being exploited in the smallest corner of your infrastructure.  This is why it’s important to focus not just on detection and prevention, but also on mitigation and recovery.

The mindset of your organization should not focus exclusively on ‘how do I prevent a breach from happening?’, but also on ‘what do I do once I know a breach has occurred?’.  Breaches will happen; this is just the reality of the environment we live in.  How your firm reacts to a breach may be just as important to your company’s reputation as what has been done to prevent the breach in the first place.

Let 2020 be a lesson in preparation and, in turn, let’s make our cybersecurity resolution for 2021 be for a renewed effort on cyber-hygiene.  The road maps are already out there.  All you have to do is open one up to get started.

Discover your system’s vulnerabilities before cyber criminals do

Infoaxis has long operated with a security-first mindset. Discovery is the first step in our Cybersecurity Roadmap to your organization becoming more secure. Take our no-cost Discovery assessment and get a comprehensive view of your current vulnerabilities, not just in your organization’s network but across your entire business.

About the Author:

Joshua Silberman, CISSP, CCSP, CISA, is a cybersecurity leader responsible for the direction, design, and development of Cloud Transformation and Cybersecurity at Infoaxis.