How has the SolarWinds breach impacted how your organization thinks about IoT security?


CIO in Education, 1,001 - 5,000 employees
We have been using SolarWinds since before I got to campus, so we're on the hook to think about this type of impact. The reality is until somebody is breached, until somebody is personally affected, no one pays attention. At UCLA, we know our leadership is definitely concerned about ransomware and security issues in general. Those are the things that get people's attention, and then once you've got their attention, you can actually try and move forward with a solution, or multiple solutions. The difficulty there lies in needing more people. There just aren't enough people with that skill set already in place to be able to do that. Even though you want to rush to fix the problem, it's still months away until you can get that group of people together that can actually start to move forward, get it resourced, get it funded, get it organized in a way that you can actually implement something and do it. You can't knee-jerk react to Orion and say, "Oh, let me fix the problem." No, too late. Beforehand we had FireEye. FireEye was what picked it up for us. FireEye is relatively new to us and if we didn't have FireEye, we'd have no idea. And I'm one of the lucky ones, at least for now, it doesn't look like it phoned home. I don't have ADFS. This goes back to technology, right? When I walked in the door, we didn't even have a SIEM, right? It's been on my list. We implemented Splunk in June. I can go back now and look at Splunk and see what happened... yay, right? Again, it seems like these little moral victories, that you would think would be normal blocking and tackling. These solutions need to be in place. You need the right tools in the toolkit to be able to help yourself survive.
CIO, 5,001 - 10,000 employees
A large part of my organization is outsourced to IBM, a joy I inherited coming in the door. And IBM uses SolarWinds to monitor its customers. It's a really interesting thing to think about, that the person you hire to trust things is actually the one who got compromised. Internally we found, and we understood where there was SolarWinds, but because our engineering department is a little behind the curve, they weren't on the version that was compromised. In the labs, we dodged a bullet. It's the first time I've heard of being safe by not being up to date. It's brought up all sorts of questions. You do all this work on your third parties to understand what they're doing, but you're trusting that they've chosen solid third parties themselves. In this world of SaaS and distributed computing, and outsourcing things, at one point I was convincing myself at some level that I was more secure because their lives depended upon it. But now I think we really don't understand what our footprint is, because we don't have visibility into it anymore. How do you get visibility into everything Salesforce is doing, and touching around your stuff, right? We've entrusted our security to so many parties now, and we're relying on SOC 2s and ISO 27001s. Anyone who's been through those knows, while it forces you into some rigor, you also know the value of the paper it's printed on. It's a tough world to really be able to look anyone in the eye and say, "Yeah, I've got it under control." I think the thing that it comes down to still is identifying what your critical assets are. And once you know what those are, what's the cost of loss? When I'm thinking about enterprise risk management, I'm not just thinking about my cyber risk. I'm thinking about, “Well, wow, we've entrusted a fundamental business process with some of these partners, and if they're taken out, what does that mean to us, and how does that impact our business? And what's our backup strategy, if that goes away for a whole lot longer than any of us can envision?” For me it is also about DR and business continuity. The pandemic raised this when we started asking our vendors, "How are you taking care of your critical assets that keep my stuff up and running?" But I think that this kind of enterprise risk is much bigger than just a security breach.
CIO in Education, 1,001 - 5,000 employees

Your point is well taken. Salesforce got breached last year, right? And at the end of the day, you're entrusting somebody else with something for which you're responsible. So how do you sleep at night knowing that they may or may not take that trust the same way in which you're expecting it to be executed? You just can't, you never will.

CISO in Software, 51 - 200 employees

With Salesforce and all these other SaaS platforms we're using, we are trusting them with our data and everything else. I've had this conversation many times, but a lot of companies I work for just say, "Hey, we have this SLA in place, we trust that they're backing up all our stuff," but in reality, is that happening? If not, do we want to also be secondarily responsible for backing up all our Salesforce data, our NetSuite data, whatever tools we're using?

MD - Digital, Data and Analytics in Healthcare and Biotech, 10,001+ employees

When it comes to enterprise risk, we looked at our major challenges in order to establish a comprehensive cyber security strategy. Performing effective oversight was a big issue. We want to take a holistic approach and make sure that we are mitigating global supply chain risks, that means installation of malicious software or hardware. We are addressing the cybersecurity workforce management challenges, and also ensuring that we take emerging technologies into account. For example, artificial intelligence necessitates dealing with the kind of issues that can get built into the code and the model. We've started focusing on improving and implementing those cybersecurity initiatives, working with the CISO's organization. We took a holistic approach in terms of protecting that critical infrastructure, because my team supports all of the analytics (KPIs and KRIs, risk indicators, and the key performance indicators) and the RAMs that go into that organization. We wanted to make sure that we have a federal response to all of the incidents while we are providing the capability of decision-making, in terms of protecting the cyber critical infrastructure, to our CISO's organization. We wanted to make sure that we are protecting privacy and sensitive data, and we wanted to do that by response, not by reaction. I think that's where we started the conversation, but then we saw a lot of the community contributing to us within the financial services area. The practice of corporate risk management allows us to look at risk from a holistic perspective, not only specifically from a security perspective. A community of practice enables us to understand what the vulnerability risks are. What is needed with respect to infrastructure, strip security, data privacy, and data management. And what integrity and reactive security is needed. The increase of regulatory awareness is a proactive approach that we took. I came from healthcare to financial services. Both are heavily regulated, but the response time to incidents is different: healthcare is reactive, whereas financial services is a little bit more proactive. We wanted to make sure that we are embracing these new technologies, data, and analytics, and leveraging that regulatory data to drive each. A lot of what we did was through sensing and being influenced. We were not the leaders in that, but we followed good leadership in that respect to measure the impact of their influence.

Director of IT in Transportation, 5,001 - 10,000 employees
Put it on high alert.
