It is well known that thousands of Common Vulnerabilities and Exposures (CVE) entries are reported against software and libraries. The SolarWinds breach illustrates the risk that a single compromise can have wide-reaching effects. So what have we learned?
Regardless of the size of the organization (it may well be a single individual), conducting a proper threat and risk analysis of data, systems and software is the first key step in understanding how to secure your data and networks. After all, if one cannot grasp the extent of exposure and risk, how can one properly defend against possible attacks and breaches?
Conducting regular assessments is vital to understanding and defending the environment, and can mean the difference between deterring a threat actor and leaving a door wide open.
Individuals and organizations should seek to improve software supply-chain governance. Industry best practices such as the NIST Supply Chain Risk Management guidance (NIST SP 800-161) should be understood and followed as closely as possible. A consistent set of standard practices for code review, security assessment of new software and applications, and proper documentation and logging are just a few of the many measures individuals and organizations can adopt to improve their security posture.
Understandably, the initial phase of implementation will add complexity to internal supply chains and approvals, and will cost more time and capital. However, best practices and standardization should not be ignored, as the cost of such attacks and breaches continues to increase in both capital and time.
Require vendors to perform continuous security and vulnerability assessments
Individuals and organizations should expect and require their vendors to perform regular security and risk assessments. Current industry practice is lacking: support and assessments are typically performed at the start of a contract, but that is often followed by years of neglect.
This should be a standard, industry-wide practice, and adherence needs to be mandatory for vendors, as the cost of negligence continues to rise.
These are some of the many lessons learned from the SolarWinds incident. A deeper dive would highlight the need for analytics-based threat detection and data-exfiltration prevention, for rehearsing similar scenarios in a controlled environment, and for new technologies to help defend against the ever-evolving threat landscape we face today.
One thing is clear: we can only harden our security through diligence and an open mind.