The effects of the SolarWinds compromise thrust CIOs into action.
Data, systems and integrity of operations came under fire as rogue actors leveraged SolarWinds Orion, a network management systems (NMS) standard, in a sweeping cyberattack that infiltrated federal agencies and private sector companies.
The IT organization, with the CIO at the head, undertook two critical response phases. The initial stage comprised immediate risk mitigation: blocking rogue actors from potentially accessing company systems or data, and assessing the damage. Next, companies began evaluating the steps leading up to the exposure and asking sharper questions of existing tech tool integrations.
To future-proof organizations against risk in the IT supply chain, CIOs must develop a greater understanding of the third-party risk their companies face, and thoroughly vet the security of the tools they deploy.
CIOs that want to safeguard their organization against future attacks must walk away from the SolarWinds hack with greater awareness of risk exposures in the IT supply chain. Using information they gather about vendor security, heads of IT can make informed decisions to curtail future risk.
Attention to third-party cyber risk has increased over the years, according to Scott Crawford, research director for the Information Security Channel at 451 Research, a part of S&P Global Market Intelligence.
"This type of incident highlights that organizations can be exposed to supplier risk in a very wide variety of ways," Crawford said. In this case, the attacker compromised updates to a piece of software, exploiting legitimate channels for maintenance in order to distribute malware via backdoor functionalities.
An attack of this nature could be seen as an excuse to point the finger at IT suppliers for failing to uphold security, according to Crawford. But the event highlighted that "any organization that administers IT and produces software is potentially exposed to compromise, and if its products and services are used by others downstream from them, they too may be subject to compromise."
After SolarWinds, questions surround the landscape of IT suppliers. CIOs will scrutinize the integrations touching critical systems, and the providers that service those vendors.
"There's a lot of unknowns about this compromise, the extent of it and the risks of other possible supply chain risks," said Luke Tenery, partner at StoneTurn.
An illusion of immunity
Through the SolarWinds breach, attackers successfully compromised a highly trusted provider of NMS tools. The company has a user base of over 300,000 customers globally, including 425 of the Fortune 500 organizations.
In an SEC filing, the company said it believes less than 18,000 of its customers were impacted by the vulnerability.
"The fact that SolarWinds is so relevant in the IT space, so many different customers are using it in some fashion, and to have that be the entry point to FireEye ... was incredibly concerning," said Joe Fizor, lead solutions engineer at TBI.
In the security space, vendors have turned to cybersecurity scores — akin to credit scores — to reflect the risk level of specific tools. The SolarWinds breach will lead customers in the space to scrutinize more closely the tools their vendors implement, and the reputation of those tools.
"If you're not asking the questions, if you're just grabbing tools and being too trusting, that's going to be the biggest flaw," Fizor said.
Business units challenge CIOs to quickly enable digital tools, while upholding integrity and security in the process. In the wake of an attack, IT leadership and security organizations must partner to overcome the crisis.
"They need to be able to find information quickly, easily and remediate problems when they happen," said Fizor. "I wish I could say 'if' those problems happen, but in this day and age, everybody has a target, [and] everybody is open to an attack."
There's an assumption that if an organization is competent regarding cybersecurity and diligent about its practices, it's also immune to compromise, according to Crawford. But the reality is that "any organization ... may be subject to attack if the adversary is dedicated and skilled enough, has sufficient motivation, and it's not seen as cost prohibitive," Crawford said.
Correction: This article has been updated to add the full name and title of Luke Tenery, partner at StoneTurn.