I have spent thousands of hours for more than a decade answering a range of cybersecurity questions from people around the globe. However, in the past couple of months, I have been inundated with one single question: Could the SolarWinds third-party security breach have been predicted or prevented?
What they—and thousands of other companies—are really wondering following the infamous breach is whether a similar incident could happen to them. And is there something they could do to predict or prevent a third-party breach like that from happening?
Could the SolarWinds breach have been predicted?
Since the SolarWinds breach began as an Advanced Persistent Threat (APT), it essentially acted as a tailor-made sophisticated threat inflicted on an internal tool that was considered to be a legitimate piece of software. As such, it was impossible to predict. In fact, it was so subtle that it managed to stay under the radar and remain undetected for at least nine months. Needless to say, while we couldn’t predict a major U.S. software company like SolarWinds could be the victim of a massive third-party vendor breach like this, we can easily anticipate many third-party breaches as a result of APTs or other stealthy threats in the future. Having said that, one way to possibly foresee potential third-party breaches is to look for degrading security posture of organizations over time, which can be a tell-tale clue that something is amiss.
Could the SolarWinds breach have been prevented?
The attack on SolarWinds was not one of an amateur. It was the work of highly sophisticated state-sponsored actors, making it impossible to recognize that the target software had even been compromised. “I think from a software engineering perspective, it’s probably fair to say that this is the greatest and most sophisticated attack the world has ever seen,” said Microsoft Corporation’s president, Brad Smith, during a “60 Minutes” interview.
Microsoft is just one of 18,000 businesses and government agencies that unknowingly enabled hackers to enter their systems when they installed the compromised SolarWinds monitoring software. How is that even possible? It turns out that the perpetrators painstakingly planned and prepared for this attack by carefully packaging their malware inside Orion, a trusted piece of software, allowing easy, unnoticed entry into thousands of systems during a standard software update. In fact, even a tool whose purpose is to detect malware would not have been able to flag Orion as suspicious, since it was legitimate software.
Planning and preparing is everything
So if you cannot predict a third-party security breach like SolarWinds, and you can’t prevent a sophisticated breach being carried out by a seasoned cybercriminal or terrorist nation-state, what can you do to protect your assets?
There are proactive measures you can take today to help you quickly and comprehensively respond to, remediate and recover from a third-party or digital supply chain breach.
Step 1: Build cyber resilience & recovery
To achieve cyber resilience and recovery, you first must understand what your assets are. While servers and system components are certainly assets, so is any entity that processes or holds your data. Therefore, external third-party services and tools/SaaS apps that process or hold your data should also be included as assets.
Examples include, but are not limited to:
- Internal servers protected by VPN
- Email services
- Marketing tools
- Customer success tools
- Hosting providers
Given the heavy dependence on, and growing number of, third parties, it is imperative to map your vendors. Since many small security teams are charged with a multitude of responsibilities, and just one of those tasks is managing third parties, automation can help streamline and accelerate that lengthy and tedious process.
Without automation, it is nearly impossible to properly manage all of your vendors to the depth and breadth that is required to properly ascertain their security posture. Automation also enables a more expansive discovery phase, giving you more visibility and understanding of which assets need protection.
Step 2: Identify important assets
Now that you’ve identified your assets, you need to prioritize them. Though challenging, it is critical to keep track of your attack surface that has expanded to include whoever holds or processes your data.
Creating an inventory that includes your physical infrastructure as well as your virtual infrastructure (your vendors) is a solid foundation to securing your assets. Once you have identified and prioritized your assets, you must establish a system to monitor all of these assets, creating visibility of their dynamic and changing landscape.
Step 3: Reduce third- & fourth-party risk
As discussed earlier, you utilize third parties for a variety of services. Each third party has its own infrastructure and its own third parties, which are your fourth parties. For this reason. it’s incumbent on organizations to also understand fourth-party risk for parties handling your data.
A cyber attack could result in a breach within either your third or fourth party (or both, like the SolarWinds attack). While SolarWinds’ customers were concerned about their data being compromised, organizations that have a vendor relationship with a SolarWinds customer were similarly distressed about the security of their own data. A big takeaway from this security incident is just how important it is to manage and mitigate third- and fourth-party risk.
Beyond understanding your third parties, you need to have proper knowledge of your contacts in the event of a breach. Though it sounds obvious, unfortunately something as simple as knowing who to contact and how to contact them in the event of a breach is often overlooked. Time is of the essence during a cyberattack, so having all the appropriate contact information lined up ahead of time can be hugely impactful on being able to swiftly respond and react appropriately.
Responding to a breach
According to best practices, international standards such as ISO 27001 offers a framework to help companies manage and optimize their information security management systems and the NIST Cybersecurity Framework similarly offers us guidelines on how to respond and recover from security events. Once implemented, these frameworks help prepare your organization tackle security breaches.
We’ve written a blog post about how to respond and recover from a third-party data breach.
How Panorays can help
Clearly, having visibility into and control over your third-party security is critical to maintaining a strong cyber posture. That’s why Panorays combines automated, dynamic security questionnaires with external attack surface assessments and business relationship context to provide you with a rapid, accurate view of supplier and fourth-party cyber risk. Our platform continuously monitors and evaluates your suppliers, sending you live alerts about any security changes or breaches to your third parties.
Want to learn more about how you can prevent third-party cyber breaches? Contact Panorays today to schedule a demo.