This post is also available in: 日本語 (Japanese)
Instead of winding down at the end of the year, already strapped security teams were scrambling over the last week to ensure their organizations are safe in the wake of the SolarWinds disclosure. Attackers got in via a compromise of the Orion software build system – up to 18,000 customers of SolarWinds then unknowingly let them in.
As the world focuses on the growing list of organizations that have been compromised, there's also a growing list of those that believe they’re ok. Many have taken the approach that if they are not running SolarWinds, or a particular version of it, then they can go back to business as usual. I saw a security researcher post a picture of a whisky glass with ice and a cigar recommending other security folks to take a break, because he was fearful this could be a long winter.
There is something wrong with this picture. Cyber activity is going to go up, not down. If we all thought cybersecurity was important before, 2020 made it more so. Your brick and mortar store is closed, your employees are all connecting from home – your entire business just went digital.
Against this backdrop, SolarWinds has exposed infrastructure weaknesses in organizations. It’s amazing how many were struggling this week to figure out where they were running related products, and how many, and which were affected. Next time it shouldn’t take us so long.
My message isn’t for the companies that confirmed they were breached – it’s for those who are celebrating they dodged this bullet. This is a wake up call to modernize cybersecurity. There are immediate areas that organizations need to focus on to prepare.
It’s critical that organizations understand their environments with a complete, accurate, up-to-date baseline. This means moving beyond simply checking if they run SolarWinds. Too many organizations don’t know all that they have, and not all they have is updated to the most recent versions (ironically, saving thousands of SolarWinds customers who were slow to download the tainted update). You don’t want to be spending days of your critical incident response time just figuring out what your inventory is. Organizations need to immediately complete a detailed analysis of their entire systems, infrastructure, software, supply chains and external attack surface. Nimble organizations will not only detect and prevent these attacks in the future, but with this baseline, be able to conduct forensic investigations rapidly.
Fix our infrastructure for real. Enterprise IT architectures need to have all logging, network, and security data talking to each other, with software smart enough to identify useful things within those data. This campaign could have been stopped sooner if products were more integrated. Organizations need to pivot to a cybersecurity platform that can detect and correlate millions of events across hosts, networks, firewalls and clouds in realtime, then implement comprehensive detection and response. Hackers use highly efficient tools and methodologies; organizations need to embrace the efficiency of a cybersecurity platform powered by machine learning to keep up.
Government must allow innovation to be deployed. Far too often, government agencies get mired in red tape that inhibits the adoption and deployment of new defensive capabilities where they are needed most. Governments must be more nimble in removing barriers that run counter to their own interest, and be faster to protect their own agencies from being attacked by sophisticated threats.
Here’s why it matters. Technology is about all that went right in 2020. When the pandemic moved in, remote access kept businesses and governments moving. Retailers went digital as it was the only way to survive. But that means we are protecting an ever-expanding perimeter, against attacks that get more and more sophisticated.
The attack by the group we call SolarStorm joins the list of cybersecurity watersheds: massive DDoS attacks and cyber heists affecting our financial services infrastructure, wiper attacks that crippled corporations and energy production, the theft of classified secrets from governments and the NotPetya attack that shut down ports, pharmaceutical factories and manufacturing and cost corporations billions of dollars of losses.
100% prevention, 100% of the time is impossible. At some point you have to trust vendors and the security updates they provide. But against bad guys who are always attempting to out-innovate us, security has to be more proactive and future-proof: If you were not able to prevent an attack in realtime, you need to detect and investigate near realtime. The days of fragmented security and lengthy investigation cycles are behind us, we need good data and real world AI to get ahead.
Now is not the time to breathe a sigh of relief that you’re not impacted. Sophisticated hackers spend years planning campaigns – we must devote similar resources to our defenses. Let’s prepare to prevent the one that’s inevitably unfolding now, so we’re not scrambling to retrace what happened.
Read about the Palo Alto Networks response to the SolarStorm attack.