SolarWinds was stuck facing response and recovery with multiple stakeholders: The company needed to cooperate with federal law enforcement and investigators, private industry investigators, customers, insurers, and so forth following its historic attack.
"Sometimes these things can be viewed as technical security issues, but the reality is the risk issues," said Tom Reagan, leader of the U.S. cyber practice at Marsh, during a webcast hosted by Marsh Wednesday. "No organization would realistically attempt to contain a chemical spill or fight a fire on their own, you need specialized expertise and assistance."
After a cyber incident, companies are tempted to keep things close to the chest. Different hands involved in recovery have different motives than that of a business. SolarWinds is currently juggling the motivations of all stakeholders while keeping the business resilient.
While other secondary victims of the hack, including FireEye and Microsoft, had some tools poked around by the attackers, it "sounded worse than it is," Brian Kime, senior analyst at Forrester, told Cybersecurity Dive in March. Most of those tools were open source with modifications and the companies didn't lose intellectual property.
Kime said the attack on FireEye was likely hubris on part of the perpetrators; they attempted to create another multifactor token for an existing employee when FireEye was alerted. The attackers knew they would get caught at that point.
"FireEye handled it really well, to the point that they can say, 'Look we broke open this whole thing. Yeah, we were compromised, but we discovered the entire campaign,'" said Kime.
SolarWinds is a legacy network management provider, making it the perfect conduit for attack. Now the legacy company is the poster child for overhauling an outdated build process that all companies share — regardless of industry.
"The truth is that every Fortune 500 is a software company," said Alex Stamos, part of Krebs Stamos Group and independent consultant for SolarWinds, during the webcast.
Tech providers in particular can struggle with access management because there's an underlying belief that the frontline employees, the ones building the product, need to have control and modification freedoms for their environments.
But "as you start to add people in different business units that don't need that kind of access, it's hard to reset it," said Stamos.
One of the first things companies need to do is revisit developer freedoms; perhaps it's the machines they have access to or where software installation is allowed. Security policies around the build cycle need updating.
SolarWinds recommends removing some of "development engineering controls and putting it more under the guise of IT, guise of audit or guise of inspection," said Tim Brown, CISO of SolarWinds, during the webcast.
The majority of the employee base likely does not need a lot of access beyond email or specified applications. Brown recommends companies treat employees with mission-critical access "special," and apply a tiered model of access. Triaging employee access rights is a tenet of zero trust, and extends to how much time an employee needs access to an environment, whether it's indefinite access or only a few minutes.
The SolarWinds hack "is probably one of the most impressive cyber espionage campaigns I've seen," said Stamos. "It's impressive because of the subtlety they used, although it's not completely unprecedented." The U.S. has been a perpetrator of supply chain attacks, backdooring cryptographic algorithms which are then used by another actor, such was the case for Juniper Systems in 2015.
But it wasn't until now the willingness to engage in cross-sector information sharing made a sharp turn. That's partly due to insufficient investments and proficiency in recovery and restoration.
As an insurance provider, Marsh gets "to look at thousands of different organizations; every shape, color, location" and the maturity of their security controls, said Reagan. "Organizations score very, very high on prevention technology," and respectable scores follow through risk identification and detection.
But "by the time you get down to recovery, and restoration, organizational maturity has come right off," he said. "People are way over indexed on prevention, and they're not looking across the risk spectrum."
Companies placing too much trust in their security is only part of the problem too. Resource allocation in information security is efficient enough for day-to-day operations and threats. "As you start to move into the more exceptional and exotic events, the catastrophic events, there's just no possible way to cover all of them," said Reagan.
Cyberconflict is closing in on the private and public sectors equally. Enterprises are nation-state targets 35% of the time, compared to governments or regulatory agencies representing 12% of targets, according to a recent study conducted by Dr. Michael McGuire, senior lecturer at the University of Surrey, and sponsored by HP.
The SolarWinds compromise impacted at least 100 companies and nine federal agencies as part of a patient, methodical cyber espionage campaign. The selective, secondary attacks launched on companies made the Russia-attributed act more complicated, though the White House estimates the SolarWinds Orion compromise disrupted upwards of 16,000 computer systems worldwide.
Still information sharing before an event or recovery is a challenge. "It is nobody's job to pull together the learnings from all of the thousands of companies involved in those two incidents, to come up with kind of societal-level fixes," said Stamos, referring to SolarWinds and Microsoft Exchange. While continuous information sharing improvements are underway, many cyber incidents go unreported to begin with.