How did the security ecosystem allow for the kind of attack we have seen with SolarWinds?
Asset management is not glamorous, it's not fun, but it's critical. I do advisory work for a lot of companies, and at one company I do advisory work for we were doing a review of their NIST CSF Framework. They have all their maturity scales and all that stuff, and they've been on the five-year journey, they're getting to three on their maturity scales, and we're doing a deep dive on it. And their vulnerability management score was at a 3.8 out of four, on the one-to-four scale. Asset management was 1.7 out of four. I'm like, "I'm sorry, you can't have a near-perfect vulnerability management capability without having an asset management capability. This is complete horse shit." And you know who had actually done all the work? To do that, they spent hundreds of thousands annually to have EY do this. I'm like, "I would go beat them to death that they didn't cross-correlate those things. And now you've got a false sense of security and a false sense of control."
If you stop counting, then they're not there. If you just don't test it, the virus or malware isn't there.
I was talking to a peer in the financial industry the Monday after this all broke on Saturday and Sunday, when it went well beyond just FireEye and started spreading. He'd been up almost 40 hours in a row because he didn't know if SolarWinds was in their infrastructure. They were trying to determine the first order of magnitude: "Is it anywhere in the infrastructure we manage?" And then the second order was, "Anybody that's a critical supplier?" Luckily, they didn't find it in their direct environment, but they didn't know. And this is a multi-billion-dollar financial institution. They just didn't have that asset management or inventory knowledge. We've seen the growth of the third-party risk management stuff and all the money spent and all the business process stuff. I believe that ~95% of that has added no value to actually reduce risk in third parties, because it was a bunch of solutions for check-the-box compliance. Feel-good things rather than getting to the heart of the issues. When I arrived at Cylance, I was the first internal security guy in the security company. I didn't have those compliance things and I didn't care. I went and wrote, with a few people, a multi-page white paper on why you should trust us, and then I had one-on-one conversations with people. And it was like, "Here's the preeminent risk that I have that could affect you and here's how I'm managing it." If you'd sent me a 500-question questionnaire, I could have answered all of that stuff, but it's not going to tell you what I'm telling you right now. Because it's surface-level things, not at the heart of what the real risk issues are for my company that could affect yours. And I think it's because we've approached that third-party risk in the same peanut-butter spread that we do everything else that these breaches can happen.
I think you're absolutely right. I think this is going to get us out of the compliance-checkbox business that TPRM has become, and it's going to require a little bit more scrutiny of critical vendors. You cannot do high-level scrutiny of all your vendors, but for vendors that are going to have a much wider footprint in your environment, or vendors that have access, your scrutiny level is going to be a little bit deeper. So I think there's going to be a little bit of maturity growth that's going to come over there.
The SolarWinds component is just yet another aspect of a soft supply-chain piece. I would actually bet, probably almost any amount of money, that if you went and grabbed any random Fortune 1000 CISO and said, "Hey, tell me who your top 40 suppliers are," they would literally have no clue. They'd be like, "Well..." There are big tech companies they might be able to name, but actual software, data-flow components, we've just never paid attention, and we've continued to not pay attention.
What the SolarWinds breach highlighted was the need for basic asset management. And going one step further, it's not just the assets you have, but what do the assets actually talk to? What are they dependent on? It highlighted the need. The SANS top 10, right? They tell you to do that and nobody ever does it. Who wants to do the basic stuff? It's the boring stuff. You definitely want to do all the nation-state stuff that you want to go after.