SolarWinds is regarded as the widest-reaching cyber espionage operation against the United States government to date. Dan Verton discusses what we know so far and actions other businesses and organizations should consider in an effort to mitigate the effects of future attacks.
Nearly four months after the disclosure of the SolarWinds attack, we are continuing to learn more about the nature of the incident. Corporate leaders have testified at government hearings as lawmakers try to understand the full breadth and impact of the attack, as well as what cybersecurity shortfalls may have contributed to the situation. The hack is already considered the most substantial and widest-reaching cyber espionage operation against the United States government to date. As such, it’s worth taking a closer look to understand key takeaways to prevent a similar attack of this scale in the future.
First, SolarWinds demonstrated how critical it is for companies and organizations to have a full understanding of their supply chains and the potential vulnerabilities at each step of the process. In today’s security landscape, it is no longer enough to have insight only into your own organization’s cybersecurity posture. A recent Gartner survey found that nearly 90 percent of companies had experienced a supplier risk event in the past five years, yet lacked the company-wide awareness and the level of maturity needed to mitigate such risks.
Editor’s note: As of publication, details of the SolarWinds breach are still coming to light. Beginning possibly as early as the spring of 2020, hackers believed to be connected to the Russian government compromised the software build process behind Orion, an IT management platform developed by SolarWinds and used by a range of companies and organizations around the world. The attackers hid a backdoor inside Orion software updates, which SolarWinds then distributed signed with its own valid code-signing certificate, so customers who installed them had no reason to distrust them. Fewer than 18,000 customers downloaded the tainted updates; the attackers then used the backdoor against a far smaller, hand-picked set of government agencies and global corporations, where they were able to access sensitive information. The breach was first detected by the cybersecurity firm FireEye in December 2020. While it is known that hackers accessed information, their full motives and actions have yet to be determined.
SolarWinds Unveiled the True Scope of Supply Chain Vulnerabilities
Another key problem with supply chains is a lack of oversight. Robert Bigman, the former chief information security officer (CISO) at the Central Intelligence Agency, flagged on a recent podcast that there are currently no rules and regulations surrounding secure supply chains.
“When you go and buy a car, you have a thing called a Lemon Law. If something goes wrong, you can turn it in and get it adjusted and get a change, or even get a new car. We don’t have that type of law for cyber,” Bigman said. “We have no rules, no regulations for companies to build secure supply chains. We have no rules and regulations that require them to build secure code. It’s a free-for-all. And you’re really potentially the victim of companies who don’t act responsibly. And I’ll be honest with you, I think it’s the majority of them.”
This puts the onus on companies and organizations themselves to be proactive about protecting and managing their supply chains. To this end, security leaders need visibility into the security processes and protocols across their entire supply chain, because one weak credential or one careless link in the chain can compromise every party connected to it. The much-publicized “solarwinds123,” a weak password for a SolarWinds update server that had been exposed on the public internet, is a case in point: whether that credential played any part in the intrusion has never been established, but the fact that it existed at all is exactly the kind of lapse a supply-chain review should catch. A vendor or partner in your company’s supply chain can become the entrance into every other organization it connects to, regardless of the strength of your own cyber posture.
The Value of Risk-Based Cybersecurity
Importantly, when looking at the SolarWinds incident at a higher level, the attack showed why companies and organizations should shift toward a risk-based, intelligence-driven approach to cybersecurity. This is a departure from the reliance on intrusion detection systems that is evident throughout the industry. Both the number of cyberattacks and the sophistication of each attack are increasing, and a risk-based approach can help organizations keep pace with the threats against them. Even the best vulnerability management program is not really addressing cyber risk if it treats a severity score as a measure of risk. Consider that more than 13 percent of all common vulnerabilities and exposures (CVEs) have a severity score between 9.0 and 10.0 (the highest possible value), and of those, 7,628 (about 47 percent) are scored at 10.0. The question becomes: how can a security team tell one 10.0 from another? And how do businesses know they are focusing on the right ones?
Cyber risk quantification facilitates the prioritization of risks. We all know that cyberattacks will not be ceasing any time soon. In fact, they are likely to increase in frequency. So it is beneficial to have a process that helps in assessing which of the risks are most critical to an organization by ranking them in terms of their potential cost and operational implications.
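As an added example (not from the original article or from any vendor's product), the following Python shows one way to tell one 10.0 from another: each scanner finding is enriched with whether the asset is internet-facing, whether public exploit code exists, and the asset owner's estimate of the loss if it is compromised, and findings are then ranked by expected loss rather than by severity alone. The vulnerability identifiers, asset names, loss figures and weighting factors are all constructed for illustration and are not real CVEs or real data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner finding enriched with the context a CVSS score omits."""
    vuln_id: str            # constructed identifier for this example, not a real CVE
    cvss: float             # CVSS base score as reported by the scanner (0.0-10.0)
    asset: str              # constructed asset name
    internet_exposed: bool  # is the asset reachable from the internet?
    exploit_public: bool    # is working exploit code publicly available?
    est_loss_usd: float     # asset owner's estimate of loss if the asset is compromised


# Illustrative weights (assumptions for this example): assets that are not
# reachable from the internet and bugs with no public exploit are attacked
# far less often in practice, so their likelihood is discounted.
NOT_EXPOSED_FACTOR = 0.4
NO_PUBLIC_EXPLOIT_FACTOR = 0.5


def likelihood(f: Finding) -> float:
    """Rough probability-of-exploitation proxy in the range 0.0-1.0.

    Starts from the CVSS base score and discounts for lack of exposure
    and for the absence of public exploit code.
    """
    p = f.cvss / 10.0
    if not f.internet_exposed:
        p *= NOT_EXPOSED_FACTOR
    if not f.exploit_public:
        p *= NO_PUBLIC_EXPLOIT_FACTOR
    return round(min(p, 1.0), 3)


def expected_loss(f: Finding) -> float:
    """Expected loss in USD: likelihood times the estimated impact."""
    return round(likelihood(f) * f.est_loss_usd, 2)


def prioritize(findings):
    """Return the findings ordered by expected loss, highest first."""
    return sorted(findings, key=expected_loss, reverse=True)


# Constructed sample data: three findings scored 10.0 and one scored 7.5.
SAMPLE_FINDINGS = [
    Finding("VULN-A", 10.0, "marketing-web-01", True, True, 50_000),
    Finding("VULN-B", 10.0, "hr-database-01", False, False, 2_000_000),
    Finding("VULN-C", 10.0, "lab-build-box", False, False, 5_000),
    Finding("VULN-D", 7.5, "customer-api-gw", True, True, 3_000_000),
]


def ranked_ids(findings=SAMPLE_FINDINGS):
    """Convenience wrapper returning just the identifiers in priority order."""
    return [f.vuln_id for f in prioritize(findings)]


if __name__ == "__main__":
    print(f"{'rank':<5}{'id':<8}{'cvss':<6}{'likelihood':<12}{'exp. loss (USD)':>16}")
    for rank, f in enumerate(prioritize(SAMPLE_FINDINGS), 1):
        print(f"{rank:<5}{f.vuln_id:<8}{f.cvss:<6}{likelihood(f):<12}"
              f"{expected_loss(f):>16,.0f}")
```

Run against the sample data, the 7.5 on the internet-facing customer API ranks first, ahead of all three 10.0s, and the unexposed HR database outranks the exposed marketing server because its loss estimate is forty times larger. The discount factors are placeholders; in a real program they would be fed by threat intelligence (for example, a known-exploited-vulnerabilities list) and by asset inventory data, but the structure, likelihood times impact rather than severity alone, is what lets a team distinguish one 10.0 from another.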
The Security Community Is Realigning
The sentiment of shifting to a risk-based approach for cybersecurity has been echoed by leaders in the cyber industry, including Michael Daniel, a former White House cybersecurity policy advisor and CEO of the Cyber Threat Alliance. During a recent interview, he underlined the importance of evolving the way cybersecurity is viewed and discussed. “Cybersecurity is now a critical enabler for most businesses to continue operating,” Daniel said. “And it needs to be framed in that way. And I think that’s very much the place that we need to move … putting it in those business terms, framing it in those risk terms.”
If there is one positive takeaway from the SolarWinds attack, it is the encouraging response of the security community. As individual entities seek to strengthen their security postures and shore up their own defenses, moving to an environment of collaboration and information-sharing will be key. In this instance, we saw this collaboration from FireEye, as it stepped up and offered to share findings and information from its investigation. Additionally, players like Microsoft spoke up and advocated for a coordinated response among government and technology players. Moving forward, we will need to see this type of response to all large-scale attacks. We will need to ensure we are using all possible information at our disposal to prevent and mitigate the effects of future incidents.
As we look ahead, the organizations and companies that will be best positioned against future cyber threats will be those that take the time to proactively understand and secure all pieces of their supply chain and shift to a risk-based view of cybersecurity. After all, we know it is no longer a question of if cybercriminals attack a business, but rather when and what they choose to attack.