In December 2020, a massive data breach made headlines: More than 100 private sector companies and at least nine federal agencies were targeted by hackers through a malicious update to SolarWinds’ Orion network monitoring platform. Believed to be backed by a foreign government, the attack is described by most reports as the worst data breach to hit the U.S. government in history. Experts estimate recovery will require extensive recalibration and leadership as the nation and businesses evaluate cybersecurity protocols.
While the federal response and investigation will take months to sort out, business leaders and CISOs in particular need to take note of this massive data breach. Journalists and news organizations reported the chilling details of the breach — that it started as early as March 2020, likely required a thousand hackers to deploy such a tactic, and that such a persistent attack went unnoticed for months.
“As a CISO, after looking at the Vivo model predictions, this breach was not a total surprise,” says Fred Cobb, CISO and Executive Vice President at InfoSystems. “Using Vivo’s predictive risk analysis model, SolarWinds had a somewhat disappointing score months before this came to light.”
As Cobb and national reports confirm, this attack had been underway for months before it was noticed.
“The amount of exfiltrated government agency and private sector data that has made its way into the wrong hands is a huge worry to national security and to private sector businesses,” Cobb says. “Future victims of this attack may include all of us to some degree.”
Understanding Vendor Risk
This breach should be a huge wake-up call to CISOs, Cobb says. So much research, proof of concept testing, feature set comparison, and cost comparison is conducted when making purchase decisions for both CapEx and OpEx security tools and services. What is still off the radar for many CISOs is proper vendor risk and vendor reconnaissance work.
“Supply chain and vendor risk should be of primary concern,” Cobb says. “Consumers of security products should not have to worry about the security product itself acting as the conduit for cyber exploitation. Sadly, this was the case with SolarWinds.”
As a leading cybersecurity and IT provider in the Southeast, InfoSystems did not have SolarWinds products susceptible to the Orion vulnerability. Company leaders plan to eliminate SolarWinds products from within the company’s IT environment based on the long-term negative impact to that brand.
Take Steps to Mitigate Risk
It’s crucial for companies to adopt a vendor risk management process. With one in place, InfoSystems didn’t require substantial security changes as a result of the SolarWinds event.
“This breach is an example of the ramifications of using unsecure products that have hooks into the very core of our IT environment,” Cobb says. “This incident certainly calls for additional checks and balances on any product that has the ability to extract sensitive data from log files and exfiltrate that data into the cyber ether.”
Cobb encourages CISOs to make vendor risk a continuous part of any cybersecurity program.
“Talk with vendor reps to better understand the internal construct of how their security products work, though it may depend on the proprietary nature of many products,” Cobb says. “Maintain a defense-in-depth strategy with segregated tools that can identify command and control presence or consistent threat activity.”