Can Third-Party Security Programs Prevent the Next SolarWinds?

While the U.S. government was focused on election security last year, unbeknownst to senior American officials a secret cyber espionage campaign by a major nation-state adversary of unprecedented magnitude was already underway – lethal, stealthy and undetected.

In early December 2020, the U.S. cybersecurity firm FireEye Inc. announced that it had been the victim of a massive cyber intrusion. When FireEye’s investigators set about looking into the origin of the breach, they discovered the attackers had breached FireEye’s defenses through a vulnerability in a product made by one of its software providers named SolarWinds Corp. The attackers had managed to insert malware into a software update SolarWinds sent to its thousands of customers, and any SolarWinds customer who downloaded this malware-infected update unwittingly opened the door to the hackers.

It quickly became apparent, though, that FireEye had not been the only victim, and that the hackers had gained access to hundreds of government and private sector networks, including such agencies as the State Department, the Department of Homeland Security, the Department of Defense, and even the Energy Department’s National Nuclear Security Administration. Even today, cybersecurity experts believe the hackers may still be lurking inside hundreds of networks.

While it’s exceedingly difficult for a single company to prevent a major nation-state’s cyberattack, if there’s one lesson to be learned from the SolarWinds breach, it’s this: An organization can have the best cybersecurity protection in the world, but if one of their vendors is penetrated, then that organization is at risk, too.

The problem is that many major companies and government agencies have no idea how secure their downstream supply chain is, and are frequently unaware of all the third parties who have access to their networks. While a company can mandate that its third-party suppliers maintain a particular level of information security, for an organization with thousands of vendors, it’s always going to be difficult to manually keep track of each supplier.

As if that’s not overwhelming enough, according to Israeli third-party security management company Panorays, cybersecurity professionals charged with defending their organizations must also worry about their third parties’ suppliers, which are sometimes called “fourth parties.” Indeed, in a survey of 2,000 third parties and 37,000 fourth parties, Panorays discovered that third parties with a strong cybersecurity posture generally had more secure fourth parties.

So what does this mean for Fortune 1,000 CISOs, aside from a loss of sleep? First cybersecurity professionals should take care of the “easy” stuff, such as keeping their software updated and – where necessary – adding patches. These steps will go a long way to mitigating the risks of a software supply chain attack.

Second, companies must build a culture of security within their product design. This means including “cybersecurity by design” in their build and development processes, even if this reduces the speed to market of a product or update. And, more broadly, this means implementing a culture of security in the company, which a number of former SolarWinds employees assert was ignored at their organization.

Finally, any robust third-party security program must involve a high level of automation, and the only practical way to do this is through implementing automation yourself. If you’re still using manual processes to track your vendors’ cybersecurity postures, then you’re probably hopelessly overwhelmed.

To be clear, none of these solutions are panaceas, and a patient and determined attacker can still breach even the best defenses. Nevertheless, taking these steps will go a long way toward ensuring your company isn’t the next SolarWinds.

Featured eBook
Vulnerability Prioritization Through the Eyes of Hackers

Vulnerability Prioritization Through the Eyes of Hackers

Software development teams are constantly bombarded with an increasingly high number of security alerts. Unfortunately, there is currently no agreed-upon strategy or a straightforward process for vulnerabilities’ prioritization. This results in a lot of valuable development time wasted on assessing vulnerabilities, while the critical security issues remain unattended. Since fixing all vulnerabilities is unrealistic, it’s … Read More