The SolarWinds attack was stunning in its scope and scale. If it were an earthquake, it would be 9.9 on the Richter scale. As digital transformation accelerates in 2021 and beyond, and applications become the central enablers of business and all manner of digital life, cyberattacks have become technology’s natural disasters. Both have the power for profound devastation, threaten our sense of safety, and are (sadly) the reality of our world today.
There is, however, one notable difference between a natural disaster and cybercrime. It is within our control to reduce the devastating impact of cybercrime. We can learn from the weaknesses the SolarWinds attack exposed and use this event as a catalyst for behaviour changes that will materially reduce the impact of future attacks. We cannot prevent cybercrime, but unlike natural disasters, we can mitigate more of its outcomes by changing our ways of working.
I have always been passionate about environmental issues as part of my agricultural work in Africa. As a result, I’m a steady consumer of environmental studies and research. As the CEO of F5, I believe there are practices and learnings we can glean from environmental study that can be applied to application security innovation. Our natural environment and enterprise applications are both essential for humans to thrive—and both are constantly at risk. I recently read a study in the International Journal of Disaster Risk Reduction about natural disasters as an “opportunity for improved environmental conditions.”
This particular paper presented cases where natural disasters provided a window of opportunity for change. As I read devastating stories about disasters around the globe and how response and recovery were managed, one particular case stood out: the “triple disaster” that hit Japan in 2011 (earthquake, tsunami, and resulting damage to the Fukushima nuclear plant). The paper contends that what the Japanese government did in response to the triple disaster (and I’m paraphrasing) was to use that devastating series of events as an opportunity to improve environmental conditions through a philosophical shift in practices and policy. In essence, learn from the weaknesses exposed by disasters and commit to change for the betterment of all.
The SolarWinds supply chain attack was a cybersecurity “triple disaster”: a sophisticated nation-state attack, the exposure of an entire digital supply chain, and timing that struck during a pandemic, when we are more reliant on digital supply chains than ever. As of late December, SolarWinds stated that its customers included 425 of the U.S. Fortune 500, the top ten U.S. telecommunications companies, the top five U.S. accounting firms, all branches of the U.S. Military, the Pentagon, and the State Department, as well as hundreds of universities and colleges worldwide.
This triple disaster is our opportunity to drive a fundamental change as business leaders. How security is prioritised and deployed, in two fundamental respects, has far-reaching implications for the long-term health and safety of the business.
- Application development, deployment and management must include corporate security standards, and the traditionally siloed NetOps, SecOps and DevOps teams must collaborate like never before. Today, applications are developed by both centralised and decentralised teams. Which security controls an application gets is often a subjective, per-team decision, which leaves the entire application portfolio potentially vulnerable to the weakest choice made anywhere in it.
- Prioritising cybersecurity at the corporate level. Specifically, follow three information security practices that address the most common ways enterprises are targeted and breached:
  - Access Control: Fully adopt zero trust as your access control model. The essential core of your access control program must treat every account (user and service) as untrusted and verify each request, so that if any of your upstream controls fail, a compromised privileged account cannot be used by attackers to pivot through your network.
  - Vulnerability Management: Exploiting vulnerabilities is always a part of the attack. Vulnerability management is critical to good cybersecurity hygiene: it starts with building secure code in your SDLC processes (a great opportunity for collaboration and alignment with DevSecOps), continues with remediating known vulnerabilities in a timely manner, and includes using a web application firewall to protect your applications until you patch. The recently stolen FireEye red team tools, which primarily target old vulnerabilities with publicly available exploit code, are a real example of the dangers of slow patch processes.
  - Security Monitoring: Proper logging and monitoring, including decrypting traffic for inspection, is critical for business operations. Security monitoring can no longer be an add-on or optional, because security risks are now the biggest threat to the availability of your applications, and a breach could materially impact your business.
The SolarWinds attack clearly demonstrated that until cybersecurity is a top priority we remain as vulnerable as the weakest link in the digital supply chain. Best practices dictate that cybersecurity is viewed and deployed as an ecosystem, not a single solution. Each of the programs noted above has components that address digital supply chain risks, including restricting and monitoring privileged service accounts assigned to vendors, testing and applying security updates, and monitoring the performance and behaviour of all systems and accounts in your network. If your supply chain vendors get these three core programs right, you can increasingly trust them with the risk you are transferring to them.
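The access control and supply chain points above both come down to the same operational check: a vendor's service account is allowed to do a narrow, known set of things, and anything else should surface as a finding. The script below is an added example, not F5's code or the author's, and does not reflect how any real SolarWinds customer was monitored. It assumes a constructed, syslog-like logon record format (`user=`, `host=`, `type=`, `result=` fields), invented account and host names, and a hypothetical per-account policy pinning each vendor account to allowed hosts, logon types and a maintenance window; adapt the parser and policy to your own SIEM export.

```python
"""Flag misuse of vendor-assigned service accounts from authentication logs.

Log format, account names, host names and policy are constructed for
illustration (assumptions, not from the original post or any vendor).
"""
import re
from datetime import datetime

# Constructed policy: each vendor service account is pinned to the hosts it may
# touch, the logon types it may use, and a maintenance window (UTC hours).
POLICY = {
    "svc_monitor_vendor": {
        "hosts": {"mon01", "mon02"},
        "logon_types": {"service", "network"},
        "hours": range(0, 24),          # monitoring agent runs around the clock
    },
    "svc_backup_vendor": {
        "hosts": {"bak01"},
        "logon_types": {"service"},     # never interactive, never a network logon elsewhere
        "hours": range(1, 5),           # nightly backup window, 01:00-04:59 UTC
    },
}

# Constructed sample log lines: one successful logon event per line.
SAMPLE_LOG = """\
2020-12-14T02:10:05Z auth user=svc_backup_vendor host=bak01 type=service result=success
2020-12-14T03:42:11Z auth user=svc_monitor_vendor host=mon01 type=network result=success
2020-12-14T11:07:44Z auth user=svc_backup_vendor host=bak01 type=service result=success
2020-12-14T11:08:02Z auth user=svc_backup_vendor host=dc01 type=interactive result=success
2020-12-14T11:09:30Z auth user=svc_monitor_vendor host=fileshare03 type=network result=success
2020-12-14T11:10:00Z auth user=alice host=wks17 type=interactive result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) host=(?P<host>\S+) "
    r"type=(?P<type>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Parse the constructed log format into dicts; unknown lines are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def check_events(events, policy=POLICY):
    """Return (timestamp, user, host, reasons) for every vendor account event that
    breaks its policy. Accounts not in the policy are out of scope for this check."""
    findings = []
    for ev in events:
        rule = policy.get(ev["user"])
        if rule is None:
            continue
        reasons = []
        if ev["host"] not in rule["hosts"]:
            reasons.append(f"host {ev['host']} not in allowed set")
        if ev["type"] not in rule["logon_types"]:
            reasons.append(f"logon type {ev['type']} not permitted")
        if ev["ts"].hour not in rule["hours"]:
            reasons.append(f"outside maintenance window at {ev['ts'].strftime('%H:%M')}Z")
        if reasons:
            findings.append((ev["ts"].isoformat(), ev["user"], ev["host"], reasons))
    return findings


if __name__ == "__main__":
    for ts, user, host, reasons in check_events(parse_events(SAMPLE_LOG)):
        print(f"{ts} {user}@{host}: " + "; ".join(reasons))
```

Run against the sample, the backup account's 11:07 logon on its own host is flagged only for being outside its window, its interactive logon to `dc01` trips all three rules, and the monitoring account's hop to `fileshare03` is flagged for an unexpected host; the ordinary user `alice` is ignored because she is not a vendor account. The useful property is that the policy is an allow-list: a vendor account doing anything you did not explicitly expect is a finding, which is the "distrust by default" that the zero trust point above asks for.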
Despite the very real cyber threats and risk, there is good news. We can make something positive come from this triple disaster with a commitment to change for the betterment of all. With these cybersecurity changes in place, our applications, customers, companies, and communities will be far (far) better prepared and more resilient when the next big one strikes.