Following the revelations of a sophisticated cyberattack on the SolarWinds Orion platform last week, a panel of cybersecurity experts warned on Monday that companies must do a better job of protecting critical systems and data. The panel also called on companies to build solid relationships with their vendors before the next major breach takes place.
During the virtual forum, "Solarwinds and Navigating Uncertain and Evolving Threats," the panel of lawyers and security experts said the attack caught a number of companies flat-footed and highlighted the need for a more transparent approach to cyber before the crisis point approaches.
"The reality is we've all got to get better at being able to deploy in a defensive manner," Doug Howard, CEO of security services company Pondurance, said.
He argued the market has over-rotated a bit on the assumption that enterprises are going to be breached and only look for monitoring, when other defensive measures are also necessary.
"I guarantee you if you don't, and you spend less on monitoring and hygiene, you will have a higher probability of being breached," he said.
Here are three of the panel's tips:
- Deploy good monitoring tools and ask tough questions ahead of time to avoid surprise when something goes wrong.
- CISOs should be proactive when communicating with key stakeholders, ranging from upper management and board members to employees and customers.
- Limit administrative privileges to reduce potential exposure to sensitive data and critical systems.
The SolarWinds hack brings up important considerations for companies in terms of managing the supply chain.
Companies should not increase their use of paper-based vendor security assessments, said Ross McKerchar, CISO at Sophos; lengthening questionnaires will do little to incentivize companies to disclose more information.
Instead, companies should pursue what he calls "attack surface reduction," lowering the number of suppliers with a presence inside their network, and "blast radius reduction," cutting the privileges each remaining supplier holds across that network.
SolarWinds is a perfect example of the latter. SolarWinds provided monitoring software, whose main job was to retrieve telemetry and availability metrics from running servers across a company network.
"In the vast majority of cases SolarWinds was configured to have full administrative privileges across the entire system," McKerchar said. "So we're going to be focusing very closely on our monitoring providers and seeing how we can adopt that kind of least privileged model to reduce that blast radius."
Forum moderator Evan Wolff, a partner at Crowell & Moring, disagreed with that argument, saying that companies need to ask detailed questions.
Howard took a more nuanced approach, saying companies can balance the way they manage trust relationships with vendors. "If I'm a CISO, and I'm asking a vendor a question and they lie to me, that puts me in a better position than not having any reply whatsoever," he said.
Companies need to trust their vendors but verify what they say, he said, and should assume that vendors are a potential vector of compromise. Since March, when companies went remote, the amount of remote desktop protocol traffic on their networks has increased 40%, he said.
Another important consideration will be when a company has to notify various stakeholders, ranging from internal stakeholders like the CISO to upper management, the board of directors and employees, according to Wolff. Along those same lines, reporting to government agencies will be an increasingly important issue, particularly if a company is a defense contractor.
Part of the Cybersecurity Maturity Model Certification process involves making sure defense contractors properly disclose and correct security vulnerabilities that are often targeted by nation-state threat actors looking to steal sensitive data.