Supply chain attack means security departments need more resources to manage risk
DMI, a leading digital transformation company, is urging organizations impacted by the SolarWinds breach to consider their long-term approach to managing risks while working to resolve the current situation. Orion, the SolarWinds product that was recently hacked, provides centralized monitoring across an organization’s entire IT stack and is widely used by U.S. federal agencies and other major corporations.
“This supply chain attack is concerning because it piggybacked on an otherwise trusted software update,” said Alan Hendricks, senior director, cyber at DMI. “The process meant to reassure users that the software could be trusted was compromised, and organizations are going to have to develop a long-term strategy for managing risks with third party vendors.”
What should organizations do after an attack of this magnitude?
In the short term, Hendricks said any organization that uses the SolarWinds product must immediately take steps to resolve the core vulnerability by taking the tool offline and implementing the vendor patch. Additionally, organizations must conduct forensic analysis to determine the level of infiltration, data exfiltration, affected devices and systems compromised.
Once these immediate steps have been taken, organizations must develop a long-term strategy necessary to prevent future occurrences. Considerations include, but are not limited to, ensuring the network is segmented in such a manner the restricts movement between systems; vetting their product and service vendors to ensure they meet or exceed cybersecurity controls and operational standards; implementing data loss prevention capabilities; reviewing and updating security policies and procedures; and ensuring incident response, continuity of operations, and disaster recovery plans are developed tested, and implemented.
“It is critical organizations utilize threat intelligence tools and processes to help identify supply chain compromises to identify potential threats and vulnerabilities, and plan for appropriate mitigation measures to prevent similar attacks,” Hendricks said. In layman’s terms, he explained, security departments must have personnel, processes, and tools necessary to manage the risk associated with using third party vendors. Supply chain risk assessments are critical to ensure vendors are performing due diligence and implementing industry best practices for security standards and controls.
When developing incident response plans, Hendricks said, organizations must engage their suppliers. Both parties need to have plans to notify the other if their network, systems, or data have been compromised or a compromise is suspected. Organizations must review and monitor vendor access and review system logs on a regular basis. This includes change management controls that regulate updates and other modifications that go into production.
Hendricks added organizations should also implement reliable backup measures to ensure data is available for recovery operations and the backup systems themselves are not at risk of compromise. These measures should include real-time notification and resolution of backup failures and regular testing of backup restoration.
Seek Outside Help
Many organizations do not have the skilled expertise, tools or other resources necessary to accomplish this on their own and will benefit from outside IT expertise. DMI provides the required support and resources to gain and maintain a real-time understanding of current security posture, design and implement end-to-end cybersecurity, and quickly recover from major security incidents.