SolarWinds, a network management software company, found itself the direct victim of an insidious malware breach last week that had been in the works for months. The hack involved the installation of malware onto an updated version of their software, which was downloaded by over 18,000 customers, including approximately 421 Fortune 500 companies–and large swaths of the US federal government. Several reliable sources, including the US government, have pointed to Russian hackers as perpetrators.
The consequences have been arguably unprecedented. Since SolarWinds’ software has full access to customers’ network traffic and systems, the hackers do too, creating an endless chain reaction of potential victims. This means that the damage doesn’t end with the 18,000 customers who downloaded the software–Microsoft, for example, found that its products were used to further the attack on clients. It is likely that many of the victims’ networks are still being actively infiltrated, including many who don’t even know about it.
How did SolarWinds let this happen? What could the company–and its customers–have done differently to avoid falling victim? Although there’s still a lot to learn, here’s what we can take from the incident.
Demand More from Third-Party Vendors
An obvious outcome of this breach is the increased scrutiny of third-party providers. The software supply chain is so long and convoluted that no entity can shrug off this attack, even if it does not use SolarWinds’ software.
Your organization may have the most diligent approach to security, but that can all be undermined by a lapse by your vendors–or a lapse by their vendors…and so on. When entering any relationship with a software provider, demand oversight over the vendors they use, ensuring their security standards align with yours (and the relevant regulations).
This vetting process includes getting all the details on vendors’ compliance protocols and incident response plans, as well as what they do to ensure compliance from their third-party vendors. It isn’t enough to confirm that they are broadly compliant; the information should be enough to form a full picture of a vendor’s vulnerabilities from an attacker’s perspective.
That being said, it can be daunting for humans to mitigate the threats deep within the chain. Artificial intelligence tools that allow for “forward looking operational resilience” can be the best way to map out and monitor the third-party supply chain in real time. Consider hiring a seasoned data security contractor (with a proven track record) to handle your audits.
Do Not Compromise on Antivirus
One of the biggest mistakes SolarWinds made was telling its customers that the software wouldn’t work properly unless it was exempt from antivirus and security restrictions. Of course, this opened the door for a malware-infected update to go undetected.
SolarWinds’ motives in this were clear–installing multiple antivirus products onto one network may result in them trying to shut each other down. But this immunity to antivirus created a major vulnerability in the software that hackers were able to exploit.
Be wary of any B2B software you use that requires exemption from antivirus. Cite this incident when inquiring about a workaround.
Carefully Monitor Your Own Data Troves
Of course, the solution isn’t to pile blame onto vendors. Your organization is fully responsible for identifying the locations of sensitive data, the access controls in place, and the robustness of the auditing and anomaly detection processes. Enabling multi-factor authentication on all devices and protecting sensitive data from third-party access are great places to start.
If you were looking for a reason to embrace a “zero trust” security strategy, this is it. This breach underlines the flaws of a traditional castle-and-moat approach where security strategy is centered around keeping external threats out. Once a hacker infiltrates an organization’s firewall, the possibilities are endless. Under zero trust, no IP address or machine should be granted access to data until its operator’s identity is verified.
The Threat Doesn’t Just Go Away
President Trump claiming the attack is “under control” sends mixed signals. Identifying a breach and mitigating the damage from it are two completely different beasts. In this case, the hack remains ongoing, with the attackers installing backdoors to gain “persistent” access to targeted systems.
Likewise, the breach has been happening since the spring, meaning that even if victims weed out unauthorized access, sensitive data has still been exposed for months. In other words, the damage is done. All we can do is prepare for the future, taking the extra effort to heighten data security measures.