Threat Intelligence & Incident Response

Will SolarWinds recover from this breach?

Top Answer : Here's something to consider, and I think that we're going to see this across the supply-chain piece because when you look at the real executive ranks, the CFO, CEO, COO, they care and they pay attention to market activity and share price. What does that look like here? We study companies. FireEye had a 10% drop after its breach and it's up 50% since then. Up 50% since before the breach. Literally, people didn't care. And you can say, "Well, FireEye did a great job..." But really, once people realized that it wasn't going to really impact the business of FireEye they said, "Okay, we're pretty good." You get the initial emotional sell-off and then within a few weeks, a couple of months, a couple of quarters in some cases, it's above where it was before. So when you look at it from a public company and if you go to the theory that the board and the CEO's sole responsibility is shareholder value, the data says cybersecurity is irrelevant to shareholder value other than in a temporary fashion. And if their job is to maximize long-term shareholder value, they shouldn't care about information security. That's one of the reasons why we have an issue in the industry. If you remember, a couple of months ago United Health Services had that big breach. It went from 110 down to 104 and it sits at 142 today. The organization that is impacted but still has not recovered from its breach is SolarWinds, and I believe that the reason why is because shareholders are actually waiting to see, "Are they going to lose customers over this?" Because once they realize they're not going to lose customers, because it's super-sticky and no CIO is going to rip out their whole network infrastructure monitoring, the shareholders won't care.

What can security professionals do differently to better manage supply chain risk?

Top Answer : I look back in my career and when I was a finance person in '93 in Intel's IT organization, I nationalized computing. And I built a supply chain for hardware, software. Why? Because I was a finance guy. Inventory management is the only way to control cost. Well, when I circled back into security, luckily all of that was still there because everything funneled through the purchasing processes I had built eight years earlier. It wasn't perfect but I had 95% inventory management from the day I landed and it saved my ass. And then I pivoted from there, being a former finance and procurement guy and thinking about trust in supply-chain stuff even years ago, well before the whole third-party risk management stuff went out, I started embedding third-party risk type stuff into the purchasing and financial controls. We had the whole notion that trust would become the attack surface and the thing you trusted the most was the thing that would make you most vulnerable, which then framed how we strategically really worried about things. Hell, when everybody was adamant about encryption, I was so flipping paranoid about the use of encryption. If we mismanage the key or somebody gets those keys, we're screwed. I was worried about ransomware in 2005/2006. Just with deployment of hard disk encryption and all that other stuff, because I'm like, "You get a rogue admin, somebody owns the box, you own this..." You could literally have created the ransomware events then, without even doing malware, if you just had the right aspects to the infrastructure and shut off certain things. I don't know where it's at, at Intel these days, but as I grew in that, everybody always wanted to take it away from me and I'm like, "No, I want to be the inventory manager because it will then give me the base of things."
I still have debates with peers on that because they think of it as unglamorous, but I go, "It's such a critical dependency to the role and if it's not being done right, take it over so that it can be done right. So that you can then execute your role." I think that the whole third-party risk management approach is like doing a SOC 2, and it isn't sufficient. You go, "Okay, I've got some basic controls and I can answer some policy questions, but it doesn't tell me that they know the risk issues and that they're managing them well." Which was why, when I was at Intel, when I was at Cylance, hell, even at Cymatic, I go have a conversation with my peers at my critical vendors that could cause me substantial harm and then potentially my customers. The lawyers and compliance team might want all those questions and stuff like that, but I want to know my peer and go, "Can I trust you?" And you're going to answer my direct questions. And if there's any wishy-washiness, then I worry. This approach also allows you to take more risks. The riskiest technology and the early adopters of technology should be the security team. Why? Because we're the risk manager, so we should be the ones taking the risks ahead of everybody else so that we can figure out how to manage them before everybody else gets there. And instead, we create all these encumbrances to innovation that then cause people to go around us, which means we're actually generating risk by slowing people down. And we should be the first mover. Run to the riskiest things first. Once you're there you can sort it before other people get there. It's completely counterintuitive to our DNA, which is to be risk-averse. We should be the biggest risk takers on technology because then we actually manage risk to our organization better.

If these companies were affected then the foundation of computing could be at risk. If you could manipulate at the hardware layer via the firmware, BIOS, etc., then a threat actor could weaponize well below the operating system, which brings into question the integrity of the entire computing stack and everything above it. The firmware and BIOS are like the rebar and concrete for a building. If that foundation is weak then the entire structure and anything dependent on it is at risk. We cannot underestimate the potential or the severity of these companies being potentially affected by the SolarWinds hack and what that means for the foundational computing hardware they provide to the world. What do others think? How could this impact your organization? Big tech companies including Intel, Nvidia, and Cisco were all infected during the SolarWinds hack - The Verge