The way Nick Fuchs sees it, in the aftermath of the massive SolarWinds breach, there has been one silver lining: A greater understanding of the important role security needs to play in any organization. Not only is there an “obvious opportunity to learn from the event,” but also an awareness “around the importance of prioritizing security fundamentals that penetrates all levels of the organization,” said Fuchs, senior director of infrastructure, security, support, and controls at Springfield Clinic.
While that may slow the process for IT to onboard a new application, for example, Fuchs says it enables security professionals to reference this cautionary tale of what happens when the appropriate processes are not in place.
Fuchs and others said the breach is prompting organizations to rethink how they vet vendors and handle application updates.
There are several changes organizations are making. For example, SolarWinds customers are hiring investor relations companies and penetration testing services, according to Jon Oltsik, senior principal analyst and ESG Fellow at Enterprise Strategy Group. “The former are looking for signs of compromises, the latter are testing controls,” he said.
Boards are also “actively asking executives and CISOs if they are vulnerable to similar attacks, causing CISOs to inventory their software and assess potential vulnerabilities,” Oltsik added.
One significant change is that organizations are rethinking vendor risk management requirements, he said. “Some organizations do nothing in this area and some ask vendors to fill in some type of security questionnaire. Now, organizations are considering much deeper cyber supply chain security.”
SEE: Incident response policy (TechRepublic Premium)
This means implementing measures including auditing vendors, demanding penetration tests, monitoring security programs, and mandating that vendors meet certain metrics, Oltsik said.
Further, they are looking at compensating controls like network segmentation, multi-factor authentication, and deception technology, he said. “While 2021 budgets are already established, I expect a lot of spending.”
Research has revealed the perpetrators spent months inside SolarWinds’ software development labs before inserting malicious code into updates that the company then shipped to thousands of customers, according to Krebs on Security. Most alarming is that “the insidious methods used by the intruders to subvert the company’s software development pipeline could be repurposed against many other major software providers,” the site said.
Chris Stroud, technology manager at healthcare provider Great Plains Health, said they were a SolarWinds customer and the breach has “really illuminated that we were doing the right thing with our new defense in-depth model” because it incorporates layers of defense.
“The goal of this model is to create as inhospitable an environment for that actor that’s not supposed to be there,” Stroud said. His security team has restructured the healthcare provider’s network with a new framework that makes it easier to see any successful attempts at penetration or exfiltration of their data, Stroud said.
Now, there is an “increased level of scrutiny,” he said. “SolarWinds really had a good track record,” and based on what Stroud has read, the breach wasn’t visible to customers, “so vetting will be rather hard. It’s going to be hard to trust people.”
Great Plains has implemented an organizational process for vetting third-party vendors, “and part of that is looking at their ethics over the last year,” he said.
The healthcare organization has also migrated to one of SolarWinds’ competitors and is also using some homegrown security tools, Stroud said. “We were using [SolarWinds] mostly for network configuration backups and application diagnostics, like speed tests or internal alarming for CPU utilization on servers.”
Like Fuchs, Stroud said the breach has “really opened the eyes of the non-IT or tech team that [a breach] can happen to anyone.”
A new process for security
Fuchs said that watching the SolarWinds breach unfold “has definitely caused some changes in what we are prioritizing from a process implementation and project standpoint.”
IT officials are now enhancing the application security review process.
“Organizations generally do not perform deep enough due diligence when implementing a new application in their environments,” Fuchs said. “Typically, we ask the surface layer questions around what the application does and consider only the security requirements of the application as it pertains to its implementation.”
Moving forward, they have prioritized the implementation of a stricter process around onboarding that considers not only Springfield Clinic’s security controls, but also mandates that the vendors themselves have, Fuchs said.
For example, does the vendor have internal security policies and controls that are equal to or stronger than that of Springfield Clinic’s? Also, can the vendor provide evidence that they are actually following them?
Other questions from the new ASR process that Fuchs said they believe will help mitigate risk of future events are:
Does the vendor regularly test the strength of their cybersecurity resilience and provide evidence of latest source code scan and/or application penetration.?
Does the vendor have application firewalls or network segmentation in place to restrict access to application programs or object source code?
Does the vendor comply with policies and/or regulations such as SOC2, GDPR, CCPA, NIST, COBIT, and ISO-27001/2? Provide up-to-date SOC/SOC2? Provide evidence of up-to-date certification?
Does the vendor have an employee security awareness program?
“My hope is that we’ll start to see a global adoption of these types of requirements that will result in technology vendors being forced into holding their own internal infrastructure and process to a higher level of accountability,” Fuchs said.
Other changes include the purchase of a vendor access management tool. The hope is that it will further strengthen the controls around vendor access in the Springfield Clinic environment, he said. The new tool will officials to:
- Enforce access approval: Vendor accounts will require a Springfield Clinic employee to authorize their access before they can log in to the system.
- Record their entire session: Which will provide a recorded session of their entire remote session so they will be held to a higher standard of accountability.
- Provide automated behavior detection: If configured properly, it will detect if the vendor is accessing systems he/she should not have access to, or if there is a sudden increase in account access or simply odd times of day from unexpected locations.
The clinic is also using central configurations to control/disable automatic updates “across the entire application landscape of the organization,” Fuchs said. “This is a fine balance,” he added, “because if you go too far on requiring managed updates for every single application … it creates a ton of overhead on the team to maintain and you run the risk of falling behind on keeping the environment updated.”
This presents another dimension of risk resulting in unpatched infrastructure/applications, he noted.
“Starting by prioritizing critical/high risk applications in terms of the type of data and access in the environment is, in my opinion, the proper first step,” Fuchs said. It should be followed by building a process and designating a team to manage those in the application upgrade process.
“In the case of SolarWinds, this would have been considered a critical risk application because it essentially touches every single piece of critical infrastructure/software in our environment,” he said.
Fuchs acknowledged that no matter how strong an organization’s process or technology, there is an inherent level of trust placed on vendors to enforce and proactively manage the security standards in their own environments.
“However, I do believe by getting the right level of buy-in from the organization to prioritize and support strengthening the processes … will collectively reduce the risk of this type of occurrence in our own environments.”