How did the security ecosystem allow for the kind of attack we have seen with SolarWinds?


1.8k views · 1 Upvote · 7 Comments

Managing Partner & CISO in Software, 11 - 50 employees
The SolarWinds component is just yet another aspect of a soft supply-chain piece. I would actually bet, probably almost any amount of money, that if you went and grabbed any random Fortune 1000 CISO and said, "Hey, tell me who your top 40 suppliers are," they would literally have no clue. They'd be like, "Well..." There are big tech companies they might be able to name, but actual software, data-flow components, we've just never paid attention and we've continued to not pay attention.
Board Member, Advisor, Executive Coach in Software, Self-employed
I was talking to a peer in the financial industry the Monday after this all broke on Saturday and Sunday, and then it went well beyond just FireEye and started spreading. He'd been up almost 40 hours in a row because he didn't know if SolarWinds was in their infrastructure. And they were trying to determine the first order of magnitude, "Is it anywhere in the infrastructure we manage?" And then the second order was, "Anybody that's a critical supplier?" Luckily, they didn't find it in their direct environment, but they didn't know. And this is a multi-billion dollar financial institution. They just didn't have that asset management or inventory knowledge. We've seen the growth of the third-party risk management stuff and all the money spent and all the business process stuff. I believe that ~95% of that has added no value to actually reduce risk in third parties, because it was a bunch of solutions for check-the-box compliance. Feel-good things rather than getting to the heart of the issues. When I arrived at Cylance, I was the first internal security guy in the security company. I didn't have those compliance things and I didn't care. I went and wrote, with a few people, a multi-page white paper on why you should trust us, and then I had one-on-one conversations with people. And it was like, "Here's the preeminent risk that I have that could affect you and here's how I'm managing it." If you'd sent me a 500-question questionnaire thing, I could have answered all of that stuff, but it's not going to tell you what I'm telling you right now. Because it's surface-level things, not at the heart of what the real risk issues are for my company that could affect yours. And I think it's because we've approached that third-party risk in the same peanut butter spread that we do everything else, that these breaches can happen.
1 Reply
CISO in Finance (non-banking), 501 - 1,000 employees

I think you're absolutely right. I think this is going to get us out of the compliance checkbox business that TPRM has become, and it's going to require a little bit more scrutiny of critical vendors. You cannot do high-level scrutiny of all your vendors, but for vendors that are going to have a much wider footprint in your environment or vendors that have access, your scrutiny level is going to be a little bit deeper. So I think there's going to be a little bit of a maturity growth that's going to come over there.

CISO in Finance (non-banking), 501 - 1,000 employees
What the SolarWinds breach highlighted was the need for basic asset management. And just going one step further, it's not just the assets you have but what do the assets actually talk to? What are they dependent on? It highlighted the need. The SANS top 10, right? They tell you to do that and nobody ever does that. Who wants to do the basic stuff? It's the boring stuff. You definitely want to do all the nation-state stuff that you want to go after.
3 Replies
Board Member, Advisor, Executive Coach in Software, Self-employed

Asset management is not glamorous, it's not fun, but it's critical. I do advisory work for a lot of companies, and at one company I do advisory work for we were doing a review of their NIST CSF framework. They have all their maturity scales and all that stuff, and they've been on the five-year journey, they're getting to three on their maturity scales, and we're doing a deep dive on it. And their vulnerability management score was at a 3.8 out of four, on the one to four scale. Asset management was 1.7 out of four. I'm like, "I'm sorry, you can't have a near-perfect vulnerability management capability without having an asset management capability. This is complete horse shit." And you know who had actually done all the work? To do that they spent hundreds of thousands annually to have EY do this. I'm like, "I would go beat them to death that they didn't cross-correlate those things. And now you've got a false sense of security and a false sense of control."

Managing Partner & CISO in Software, 11 - 50 employees

If you stop counting, then they're not there. If you just don't test it, the virus or malware isn't there.

Board Member, Advisor, Executive Coach in Software, Self-employed

And of course the CISO who I'm beating the crap out of, because somebody else in their management chain asked me to provide some perspective, he goes, "Well, that's just the scope of the things that we know." And I'm like, "Well, that's stupid. It should be deprecated relative to the reach that you have." It's like, "You can't give yourself a pat on the back for that when it might only be 50% of the total assets. But you're telling me right now you have no idea what the total assets are."
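The two questions the financial-industry peer was chasing above ("Is it anywhere in the infrastructure we manage?" and "Anybody that's a critical supplier?"), plus the "what do the assets actually talk to?" and "vulnerability management can't outrun asset management" points from this thread, come down to a few queries over an inventory. The following is an added example, not code from any participant in this thread; every host name, product name and supplier in it is constructed for illustration and the data structures are an assumed shape, not any real CMDB or TPRM tool's format.

```python
from collections import deque

# --- Constructed sample data (hypothetical hosts, products, suppliers) ---

# Asset inventory: host -> owner and installed software ("Product version")
INVENTORY = {
    "mon-01":  {"owner": "infra", "software": {"AcmeMonitor 2020.2", "openssh 8.4"}},
    "db-01":   {"owner": "data",  "software": {"postgres 13"}},
    "jump-01": {"owner": "infra", "software": {"openssh 8.4"}},
    "web-01":  {"owner": "app",   "software": {"nginx 1.18"}},
}

# Network dependencies: which host initiates connections to which (directed)
TALKS_TO = {
    "mon-01":  {"db-01", "jump-01", "web-01"},
    "jump-01": {"db-01"},
    "web-01":  {"db-01"},
    "db-01":   set(),
}

# Supplier register: criticality, products each supplier runs, and their own suppliers
SUPPLIERS = {
    "PayProc Ltd":   {"critical": True,  "uses": {"AcmeMonitor"}, "suppliers": {"CloudHost Inc"}},
    "CloudHost Inc": {"critical": True,  "uses": set(),           "suppliers": set()},
    "PrintShop":     {"critical": False, "uses": {"AcmeMonitor"}, "suppliers": set()},
    "DataFeed Co":   {"critical": True,  "uses": set(),           "suppliers": {"PrintShop"}},
}

# Hosts the vulnerability scanner actually covered in the last cycle
VULN_SCANNED = {"mon-01", "db-01", "web-01", "lab-07"}


def first_order(inventory, product):
    """First-order question: which of our own hosts run the named product (any version)?"""
    return sorted(host for host, rec in inventory.items()
                  if any(entry.split(" ")[0] == product for entry in rec["software"]))


def blast_radius(talks_to, start_hosts):
    """What the exposed hosts can reach over their network dependencies (BFS),
    excluding the starting hosts themselves. This is the 'what do the assets talk to' view."""
    seen = set(start_hosts)
    queue = deque(start_hosts)
    while queue:
        host = queue.popleft()
        for nxt in talks_to.get(host, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen - set(start_hosts))


def second_order(suppliers, product):
    """Second-order question: which critical suppliers are exposed, either because
    they run the product themselves or because one of their suppliers does?
    Exposure is propagated transitively until no new supplier is added."""
    exposed = {name for name, s in suppliers.items() if product in s["uses"]}
    changed = True
    while changed:
        changed = False
        for name, s in suppliers.items():
            if name not in exposed and s["suppliers"] & exposed:
                exposed.add(name)
                changed = True
    return sorted(name for name in exposed if suppliers[name]["critical"])


def coverage_gap(inventory, scanned):
    """Cross-correlate the two capabilities: inventory hosts the scanner never saw
    (unknown vulnerability state) and scanned hosts the inventory does not know (unmanaged assets).
    A high vulnerability-management score is only meaningful when both lists are empty."""
    known = set(inventory)
    return sorted(known - scanned), sorted(scanned - known)


if __name__ == "__main__":
    hosts = first_order(INVENTORY, "AcmeMonitor")
    print("direct exposure:", hosts)
    print("reachable from exposed hosts:", blast_radius(TALKS_TO, hosts))
    print("exposed critical suppliers:", second_order(SUPPLIERS, "AcmeMonitor"))
    print("never scanned / not in inventory:", coverage_gap(INVENTORY, VULN_SCANNED))
```

Note the supplier result: "DataFeed Co" is exposed even though it does not run the product, because a non-critical supplier of theirs does, which is exactly the visibility a questionnaire that stops at tier one never gives you. The coverage gap reports "jump-01" (in inventory, never scanned) and "lab-07" (scanned, never inventoried); either one makes a 3.8-out-of-4 vulnerability score untrustworthy.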
