How did the security ecosystem allow for the kind of attack we have seen with SolarWinds?

Anonymous Author
The SolarWinds component is just yet another aspect of a soft supply-chain piece. I would actually bet, probably almost any amount of money, that if you went to and grabbed any random Fortune 1000 CISO and said, "Hey, tell me who your top 40 suppliers are," they would literally have no clue. They'd be like, "Well..." There are big tech companies they might be able to name, but actual software, data-flow components, we've just never paid attention and we've continued to not pay attention.
0 upvotes
Anonymous Author
I was talking to a peer in the financial industry, the Monday after this all broke on Saturday, Sunday and then it went well beyond just FireEye and started spreading. He'd been up almost 40 hours in a row because he didn't know if SolarWinds was in their infrastructure. And they were trying to determine the first order of magnitude, "Is it anywhere in the infrastructure we manage?" And then the second order was, "Anybody that's a critical supplier?" Luckily, they didn't find it in their direct environment, but they didn't know. And this is a multi-billion dollar financial institution. They just, they didn't have that asset management or inventory knowledge. We've seen the growth of the third-party risk management stuff and all the money spent and all the business process stuff. I believe that ~95% of that has added no value to actually reduce risk in third parties, because it was a bunch of solutions for check-the-box compliance. Feel-good things rather than getting to the heart of the issues. When I arrived at Cylance, I was the first internal security guy in the security company. I didn't have those compliance things and I didn’t care. I went and wrote, with a few people, a multi-page white paper on why you should trust us, and then I had one-on-one conversations with people. And it was like, "Here's the preeminent risk that I have that could affect you and here's how I'm managing it." If you'd sent me a 500 questionnaire thing, I could have answered all of that stuff but it's not going to tell you what I'm telling you right now. Because it's surface-level things, not at the heart of what the real risk issues are for my company that could affect yours. And I think it's because we've approached that third-party risk in the same peanut butter spread that we do everything else, that these breaches can happen.
0 upvotes
Anonymous Author
What the SolarWinds breach highlighted was the need for basic asset management. And just going one step further, it's not just the assets you have but what do the assets actually talk to? What are they dependent on? It highlighted the need. The SANS top 10, right? They tell you to do that and nobody ever does that. Who wants to do the basic stuff? It's the boring stuff. You definitely want to do all the nation-state stuff that you want to go after.
0 upvotes
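The questions the posters describe, "is this product anywhere in the infrastructure we manage?", "does any critical supplier depend on it?", and "what do the assets actually talk to?", are only answerable if an inventory and its dependency edges exist in a queryable form. The following is an added example, not code from the discussion or from any of the organizations mentioned: a minimal asset inventory plus supplier graph with three queries over it. All hosts, product names and suppliers in it are constructed, and the graph shape (assets with installed software and outbound `talks_to` edges, suppliers with a `uses` set) is an assumption chosen to keep the example small.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    owner: str
    software: set = field(default_factory=set)   # installed products
    talks_to: set = field(default_factory=set)   # outbound dependencies (asset names)


# Constructed sample inventory: hypothetical hosts and products.
# A monitoring host is the usual worst case, because it has credentials
# for and network paths to everything it monitors.
ASSETS = {
    "mon-01": Asset("mon-01", "infra", {"solarwinds-orion", "openssh"}, {"db-01", "ad-01"}),
    "db-01": Asset("db-01", "data", {"postgres"}, set()),
    "ad-01": Asset("ad-01", "identity", {"windows-server"}, set()),
    "web-01": Asset("web-01", "apps", {"nginx"}, {"db-01"}),
}

# Constructed supplier register: which products each supplier's service
# is built on, and whether losing that supplier hurts us ("critical").
SUPPLIERS = {
    "payments-vendor": {"critical": True, "uses": {"solarwinds-orion"}},
    "payroll-vendor": {"critical": True, "uses": {"workday"}},
    "swag-vendor": {"critical": False, "uses": {"solarwinds-orion"}},
}


def assets_running(product):
    """First-order question: which of our own assets have the product installed?"""
    return sorted(a.name for a in ASSETS.values() if product in a.software)


def blast_radius(product):
    """Every asset reachable from an asset running the product, following
    talks_to edges transitively. The install list alone understates exposure;
    the dependency edges are what turn one host into an incident."""
    seen = set()
    queue = deque(assets_running(product))
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        queue.extend(ASSETS[name].talks_to)
    return sorted(seen)


def exposed_critical_suppliers(product):
    """Second-order question: which critical suppliers depend on the product?"""
    return sorted(
        name for name, info in SUPPLIERS.items()
        if info["critical"] and product in info["uses"]
    )


def product_ranking():
    """The 'top suppliers' list the first poster asks for: every product in the
    inventory ranked by how many assets would be in its blast radius."""
    products = set().union(*(a.software for a in ASSETS.values()))
    return sorted(
        ((p, len(blast_radius(p))) for p in products),
        key=lambda item: (-item[1], item[0]),
    )


if __name__ == "__main__":
    product = "solarwinds-orion"
    print("installed on:", assets_running(product))
    print("blast radius:", blast_radius(product))
    print("critical suppliers exposed:", exposed_critical_suppliers(product))
    print("ranking:", product_ranking())
```

Replacing the constructed dictionaries with exports from a CMDB, an SBOM feed and a vendor register is the real work; the point of the queries is that the answers arrive in seconds rather than after a forty-hour weekend.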