How has the SolarWinds breach impacted how your organization thinks about IoT security?

Anonymous Author
We have been using SolarWinds since before I got to campus, so we're on the hook to think about this type of impact. The reality is until somebody is breached, until somebody is personally affected, no one pays attention. At UCLA, we know our leadership is definitely concerned about ransomware and security issues in general. Those are the things that get people's attention, and then once you've got their attention, you can actually try and move forward with a solution, or multiple solutions. The difficulty there lies in needing more people. There just aren't enough people with that skill set already in place to be able to do that. Even though you want to rush to fix the problem, it's still months away until you can get that group of people together that can actually start to move forward, get it resourced, get it funded, get it organized in a way that you can actually implement something and do it. You can't knee-jerk react to Orion and say, "Oh, let me fix the problem." No, too late. Beforehand we had FireEye. FireEye was what picked it up for us. FireEye is relatively new to us and if we didn't have FireEye, we'd have no idea. And I'm one of the lucky ones, at least for now, it doesn't look like it phoned home. I don't have ADFS. This goes back to technology, right? When I walked in the door, we didn't even have a SIEM, right? It's been on my list. We implemented Splunk in June. I can go back now and look at Splunk and see what happened... yay, right? Again, it seems like these little moral victories, that you would think would be normal blocking and tackling. These solutions need to be in place. You need the right tools in the toolkit to be able to help yourself survive.
0 upvotes
Anonymous Author
A large part of my organization is outsourced to IBM, a joy I inherited coming in the door. And IBM uses SolarWinds to monitor its customers. It's a really interesting thing to think about, that the person you hire to trust things is actually the one who got compromised. Internally we found, and we understood where there was SolarWinds, but because our engineering department is a little behind the curve, they weren't on the version that was compromised. In the labs, we dodged a bullet. It's the first time I've heard of being safe by not being up to date. It's brought up all sorts of questions. You do all this work on your third parties to understand what they're doing, but you're trusting that they've chosen solid third parties themselves. In this world of SaaS and distributed computing, and outsourcing things, at one point I was convincing myself at some level that I was more secure because their lives depended upon it. But now I think we really don't understand what our footprint is, because we don't have visibility into it anymore. How do you get visibility into everything Salesforce is doing, and touching around your stuff, right? We've entrusted our security to so many parties now, and we're relying on SOC 2s and ISO 27001s. Anyone who's been through those knows, while it forces you into some rigor, you also know the value of the paper it's printed on. It's a tough world to really be able to look anyone in the eye and say, "Yeah, I've got it under control." I think the thing that it comes down to still is identifying what your critical assets are. And once you know what those are, what's the cost of loss? When I'm thinking about enterprise risk management, I'm not just thinking about my cyber risk. I'm thinking about, "Well, wow, we've entrusted a fundamental business process with some of these partners, and if they're taken out, what does that mean to us, and how does that impact our business? And what's our backup strategy, if that goes away for a whole lot longer than any of us can envision?" For me it is also about DR and business continuity. The pandemic raised this when we started asking our vendors, "How are you taking care of your critical assets that keep my stuff up and running?" But I think that this kind of enterprise risk is much bigger than just a security breach.
0 upvotes
Anonymous Author
Put it on high alert.
0 upvotes