You likely know the story. In December 2020, one of the most consequential cybersecurity breaches to date came to light: a highly sophisticated advanced persistent threat (APT) had compromised SolarWinds, whose Orion network management platform is widely deployed across federal government agencies, and had used the vendor’s own software update channel to deliver a backdoor to its customers. Now, months after the attack was first discovered, we are beginning to gain a full understanding of its scope, its long-term impact, and what needs to be done to help prevent an attack of this magnitude from happening again.
One of the most significant impacts of the SolarWinds attack has been that cybersecurity is finally getting the attention it deserves at the highest levels of the U.S. government. In May 2021, President Biden issued Executive Order 14028, “Improving the Nation’s Cybersecurity,” outlining the steps the federal government will take to modernize its cyber defenses, facilitate the sharing of threat intelligence with private sector partners and improve the country’s ability to respond to incidents when they occur. The executive order also lays out a series of more stringent cybersecurity requirements for any organization wanting to do business with the government, including standards for secure software development and plans for more systematic investigation of cyber incidents.
In addition to changes in national policy, the SolarWinds attack has had a significant impact on the actions and practices of both public and private sector organizations. The sophistication of the attack, and the fact that it leveraged a widely used and trusted IT software provider, caused organizations around the world to scrutinize their supply chains and examine their own networks with a thoroughness that many had never applied before. In doing so, many found other vulnerabilities, and in some cases other intrusions, that they had not been looking for and had not previously been aware of. As a result of the massive house cleaning spurred by the SolarWinds attack, more organizations have learned the value of proactive threat hunting, asset identification, continuous monitoring and penetration testing.
More than anything, the attack seems to have inspired both the public and private sectors to become more proactive with their cybersecurity. It also accelerated the need for greater and deeper partnerships between the public and private sectors. Government agencies are taking a hard look at their cybersecurity practices and capabilities, identifying where there are holes and where they might need to turn to private sector partners to help shore up their defenses and strengthen resiliency in their networks.
Though the SolarWinds attack has already spurred changes in policy and action throughout the public and private sectors, more needs to be done to better prevent such attacks from happening again.
Public and private sector organizations alike need to increase their focus on database security. For too long, organizations have focused on perimeter security but have neglected to adequately protect the databases where their most valuable assets live. The SolarWinds compromise is a reminder of why that balance is wrong: the malicious code arrived through a trusted software update, already inside the perimeter, so perimeter controls were never in a position to stop it. Organizations should invest in technology solutions that are purpose-built for data protection and continuous database monitoring.
Everyone should take an approach of assumed breach. Assume that adversaries are already in your network and determine what you can do to lessen the impact, such as segmenting the network (or air-gapping the most sensitive systems) and adding extra layers of authentication. Invest in proactive rather than reactive security measures, including threat hunting and managed detection and response (MDR) services. Adopt technologies that automate vulnerability testing, then supplement them with manual testing by skilled security analysts to create layers of protection and resiliency.
Public sector agencies and cybersecurity vendors must work together to create more public/private collaborations. These types of partnerships have grown in recent years, as government agencies are realizing that they cannot go it alone, but more must be done to build greater trust within them. President Biden’s executive order will help with this, as it removes barriers to threat information sharing between the public and private sectors. By working together to deepen their relationships, government agencies and their managed security service providers (MSSPs) can improve threat detection and ensure that the government’s cybersecurity technologies are being used to their fullest capabilities.
Organizations must invest in continuous monitoring and testing. Today’s advanced persistent threats are designed to remain hidden as they spread throughout the network. At the same time, organizations’ environments are constantly changing: new devices are added to the network all the time, systems move from pre-production to production and expose new vulnerabilities in the process, and access rights must change continually as employees’ roles change. For these reasons, periodic vulnerability testing and occasional threat hunting are no longer sufficient. Organizations need continuous monitoring, regular threat hunting and ongoing access rights reviews. With the help of managed security services, they can enable continuous monitoring for greater protection from covert threats.
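The ongoing access rights review mentioned above is one of the few recommendations here that can be reduced to a concrete, repeatable check. The script below is an added example, not code from the original article or from any vendor it mentions. It assumes a hypothetical role-to-entitlement policy (`ROLE_POLICY`), a constructed HR roster (`HR_ROSTER`) and a constructed directory export of group memberships (`DIRECTORY_GROUPS`); a real deployment would pull the last two from an HR system and an identity provider. It flags three classes of drift that accumulate exactly as the paragraph describes: accounts with no HR record, accounts of people who have left, and entitlements that outlived a role change.

```python
from dataclasses import dataclass

# Hypothetical policy: the groups each job role is permitted to hold.
ROLE_POLICY = {
    "network-engineer": {"vpn-users", "netops-ro", "netops-rw"},
    "helpdesk": {"vpn-users", "helpdesk-tools"},
    "contractor": {"vpn-users"},
}

# Constructed HR roster: user -> (current role, employment status).
HR_ROSTER = {
    "alice": ("network-engineer", "active"),
    "bob": ("helpdesk", "active"),          # moved from netops to helpdesk last quarter
    "carol": ("network-engineer", "terminated"),
    "dave": ("contractor", "active"),
}

# Constructed directory/IdP export: user -> groups actually granted today.
DIRECTORY_GROUPS = {
    "alice": {"vpn-users", "netops-ro", "netops-rw"},
    "bob": {"vpn-users", "helpdesk-tools", "netops-rw"},  # netops-rw never revoked
    "carol": {"vpn-users", "netops-rw"},                  # left, account still live
    "dave": {"vpn-users"},
    "svc-legacy": {"domain-admins"},                      # no HR record at all
}


@dataclass
class Finding:
    user: str
    kind: str          # "orphaned", "terminated" or "excess"
    groups: frozenset  # the groups that should be revoked


def review_access(roster, groups, policy):
    """Compare granted entitlements against HR status and role policy.

    Returns findings sorted by user name, one per account with a problem.
    """
    findings = []
    for user, granted in sorted(groups.items()):
        if user not in roster:
            # Nobody in HR owns this account: every entitlement is suspect.
            findings.append(Finding(user, "orphaned", frozenset(granted)))
            continue
        role, status = roster[user]
        if status != "active":
            # Leaver whose access was never removed.
            findings.append(Finding(user, "terminated", frozenset(granted)))
            continue
        excess = set(granted) - policy.get(role, set())
        if excess:
            # Active employee holding groups their current role does not allow.
            findings.append(Finding(user, "excess", frozenset(excess)))
    return findings


def revocation_plan(findings):
    """Collapse findings into user -> sorted list of groups to revoke."""
    return {f.user: sorted(f.groups) for f in findings}


if __name__ == "__main__":
    for f in review_access(HR_ROSTER, DIRECTORY_GROUPS, ROLE_POLICY):
        print(f"{f.user:12} {f.kind:11} revoke: {', '.join(sorted(f.groups))}")
```

Run on a schedule (daily is typical), the review surfaces drift that an annual recertification would miss for months, and the revocation plan gives the identity team a concrete, auditable work list rather than a spreadsheet of group memberships to eyeball.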
Both the public and private sectors are in desperate need of more skilled cybersecurity professionals. Current industry estimates put the global shortfall at roughly 4 million cybersecurity workers. Hopefully, high-profile incidents like SolarWinds and the Colonial Pipeline attack, which directly affected many people’s lives through fuel shortages, will spur a wave of young people to enter the profession. In the meantime, government agencies and private companies will need to work together in public/private partnerships and lean on the staffing and expertise provided by MSSPs to complement their internal cybersecurity teams.
The SolarWinds attack was a moment of reckoning for the U.S. federal government and the private sector alike. It is spurring real changes in policy and actions among the public and private sectors. Organizations must take the lessons learned from this attack seriously and quickly move to improve resiliency and strengthen their own cybersecurity practices.