Nearly three months after the SolarWinds hack went public, the story is still unfolding as organizations investigate the damage done to their IT infrastructure.
How IT departments procure third-party services and work with vendors will change in response to the vulnerabilities exposed by the attack.
As a third-party vendor to other organizations, SolarWinds had high-level controls and permissions within critical pieces of infrastructure. Jeff Horne, chief security officer at Ordr, predicts there will be legislation or guidance coming from the federal government on third-party risk management.
"We're going to see a lot of change in third-party risk management, but also a change in how do I treat third-party vendors with that level of access in my network," said Horne. But moving on from SolarWinds requires rebuilding trust, not just meeting a new set of guidelines.
While businesses are inclined to trust big, well-known names because of their reputations within the industry, SolarWinds — and the recent Microsoft Exchange vulnerabilities — both proved that every company is susceptible to threats, according to Jim Bowers, security solutions architect at TBI Inc. and sister company TechGuidance.com.
Working with third-party vendors won't be out of the question, but IT departments will have new responsibilities to integrate security into procurement. "These tools do provide value to an organization, but yet, they don't have to go everywhere, necessarily," Bowers said.
IT departments will have new questions for third-party vendors, such as what type of access the vendor has to source code repositories, whether that access is monitored, whether anomaly detection is in place, and whether two-factor authentication is enforced for developers.
For IT teams, SolarWinds also hit home that "you can't protect what you can't see on your network, and you also can't manage what you don't know about," Horne said. New mitigation efforts centered around network visibility are cropping up in response to the concerns.
IT strategies to prevent third-party risk
IT teams may have new boxes to check when vetting vendors, but compliance doesn't always equal security. A better understanding of the network ecosystem with visibility into vendor access could help prevent future supply chain attacks.
"What we know is that we can't trust vendors, and that our vendor risk management processes are woefully ... ill-equipped to deal with this type of situation," said Steven Aiello, security practice director at AHEAD.
"My real hope is that vendor risk management will put more pressure on the suppliers to disclose exactly how their software works … so that the software can be properly secured," said Aiello.
Simply buying security measures, such as firewalls, will not keep businesses safe without the strategy and training to deploy them effectively. "The conversation that we're having now is, 'we bought all this stuff, and it's not working. How do we take a more strategic look at it?'" said Aiello.
After the discovery phase to better understand and deploy IT assets, organizations can benefit from entering a continuous-validation phase.
Not only will IT and security teams have to validate all third-party permissions on the network, but they will also be responsible for continuously ensuring a vendor follows them, according to Ami Luttwak, co-founder and CTO at Wiz.
Internally, IT departments can also reflect on the relationship between developers and security teams. The teams can work together to understand the scope of third-party vendors within the environment and monitor permissions. "It has to be a joint partnership to understand the risk," said Luttwak.
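One way the continuous-validation phase described above can be made concrete is a drift check that compares the permissions a vendor's service accounts actually hold today against the set approved when the vendor was onboarded. The following is an added example, not code from the article or from any vendor named in it; the account names, permission strings and the validate_vendor_access function are hypothetical, and both the baseline and the observed grants are constructed sample data.

```python
"""Continuous validation of vendor permissions against an approved baseline.

Added example, not from the article. The account names, permission strings
and the validate_vendor_access function are hypothetical; the baseline and
observed grants are constructed sample data, not an export from a real IAM.
"""
from dataclasses import dataclass, field

# Approved baseline: what each vendor service account was granted when the
# vendor was onboarded and reviewed (constructed sample data).
APPROVED_BASELINE = {
    "svc-monitoring-vendor": {"read:metrics", "read:logs"},
    "svc-backup-vendor": {"read:storage", "write:backup-bucket"},
}

# Observed grants, as they might be exported from an IAM system today
# (constructed sample data: one account has gained rights, one has lost
# a right, and one account was never approved at all).
OBSERVED_GRANTS = [
    ("svc-monitoring-vendor", "read:metrics"),
    ("svc-monitoring-vendor", "read:logs"),
    ("svc-monitoring-vendor", "admin:iam"),       # not in the baseline
    ("svc-backup-vendor", "read:storage"),         # write:backup-bucket missing
    ("svc-unknown-vendor", "read:source-repo"),    # account never approved
]


@dataclass
class DriftReport:
    excess: dict[str, set[str]] = field(default_factory=dict)    # granted, not approved
    missing: dict[str, set[str]] = field(default_factory=dict)   # approved, no longer granted
    unknown_accounts: set[str] = field(default_factory=set)      # no baseline entry

    @property
    def clean(self) -> bool:
        """True when observed access matches the approved baseline exactly."""
        return not (self.excess or self.missing or self.unknown_accounts)


def validate_vendor_access(baseline, observed) -> DriftReport:
    """Compare observed (account, permission) grants against the baseline.

    Excess permissions are the security-relevant finding: a vendor account
    that has quietly gained rights beyond what was approved. Missing
    permissions are reported too, because they usually mean the baseline
    itself is stale and should be re-reviewed rather than silently trusted.
    """
    report = DriftReport()
    observed_by_account: dict[str, set[str]] = {}
    for account, perm in observed:
        observed_by_account.setdefault(account, set()).add(perm)

    # Accounts that exist in the environment but were never approved, and
    # approved accounts holding rights outside their approved set.
    for account, perms in observed_by_account.items():
        approved = baseline.get(account)
        if approved is None:
            report.unknown_accounts.add(account)
            continue
        extra = perms - approved
        if extra:
            report.excess[account] = extra

    # Approved rights that are no longer granted (baseline likely stale).
    for account, approved in baseline.items():
        gone = approved - observed_by_account.get(account, set())
        if gone:
            report.missing[account] = gone
    return report


if __name__ == "__main__":
    r = validate_vendor_access(APPROVED_BASELINE, OBSERVED_GRANTS)
    for acct, perms in r.excess.items():
        print(f"EXCESS   {acct}: {sorted(perms)}")
    for acct, perms in r.missing.items():
        print(f"MISSING  {acct}: {sorted(perms)}")
    for acct in sorted(r.unknown_accounts):
        print(f"UNKNOWN  {acct}")
```

Run on a schedule against a fresh IAM export, the check turns the one-time onboarding review into the continuous validation the article describes: any excess grant or unapproved account is a finding for the security and development teams to investigate together, and any missing grant is a prompt to re-review the baseline itself.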
Ripping out SolarWinds and affiliated organizations to mitigate damage in the short term works, but it doesn't solve the vendor risk management issues at the root of the problem.
"There's no silver bullet" to mitigate all vendor risk post-SolarWinds, Bowers said. Organizations can, however, increase compliance with the National Institute of Standards and Technology frameworks or build out a defense-in-depth model to bolster protections.
IT and security can also reflect on their past shortcomings to do better moving forward. "It's not an attack on how well you've done," said Bowers. Instead, it's opening the organization up to scrutiny to prioritize cybersecurity over everything else.
Editor's note: This article has been updated to add an affiliate company to Jim Bowers's title.