Resources

Trusting Third Parties: SolarWinds Security Breach

Written by: Daniel Martin

On December 13, 2020, SolarWinds announced that they fell victim to a cyberattack. The group responsible was able to infect legitimate SolarWinds Orion software patches with malware now known as SUNBURST. FireEye, a $3.5 billion cybersecurity company known for identifying culprits in some of the world’s biggest data breaches, was one of the customers affected by the attack. FireEye announced that “a nation with top-tier offensive capabilities” breached their perimeter by exploiting the SUNBURST malware attached to SolarWinds Orion updates. The attackers used this access to steal the FireEye tools used for red team exercises on client networks. Those stolen tools are now at large and may soon be used by black hat hackers to break into other networks.

SolarWinds is a well-regarded cybersecurity company with over 300,000 global customers—including more than 425 of the U.S. Fortune 500 companies, all five branches of the U.S. military, and even the Office of the President of the United States.

Many companies might be thinking, ‘if an institution like SolarWinds can be breached, how can I trust my third parties with the security of my data?’ Companies shouldn’t underestimate the potential power of malicious actors, and shouldn’t place 100% of their trust in a third party responsible for securing their data. However, there are steps that can be taken to lower the chances of being affected by a third-party security breach.

Vendor Due Diligence

All businesses should perform vendor due diligence. A large portion of due diligence involves filtering out any companies that don’t prioritize protecting your data. During this process, you should ensure that the vendor:

  • Aligns their security posture with industry standards and best practices
  • Continually has penetration tests and vulnerability scans performed on their network
  • Has an Incident Response Plan (IRP) in place
  • Monitors for known and new threats
  • Stays up to date with vulnerability remediation and patching efforts

You should also make sure that:

  • The contract includes a ‘right to audit’ clause
  • The vendor has a secure coding process that includes both developer training and code testing

Third-Party Incident Response Planning

An IRP documents the procedures that will take place in the event of a cybersecurity incident, including:

  • Responsibilities
  • Remediation timeframes
  • Tracking and monitoring
  • Notification to clients, regulators, and law enforcement

If the vendor has a robust IRP, then you can rest a little easier knowing that in the event of a security incident, the third party is prepared with a plan to contain and lessen the breach’s impact.

It’s not enough for your vendors to have strong IRPs. It’s essential that your own IRP effectively integrates services that your vendors provide while considering the level of network access they have and the types of data they hold. The IRP should outline the timeframe in which the third party is required to disclose the incident to your company so you can take the appropriate actions to stay alert for malicious activity on your network. Federal banking agencies, like the Office of the Comptroller of the Currency (OCC) and Federal Deposit Insurance Corporation (FDIC), are currently proposing a new rule that would require service providers for banks to disclose incidents to:

  • Their regulators within 36 hours
  • Their banking customers immediately after becoming aware of an incident that could disrupt the bank’s services for over four hours

Diversify

It’s sometimes said that it’s not wise to ‘put all your eggs in one basket,’ and the same can be said for your network security. Your network needs to be diversified and have multiple layers of security to eliminate single points of failure (SPOF). If you put all your faith in your firewall vendor, then you have a higher chance of suffering negative effects in the event of a firewall breach. Instead, think of using multiple vendors and multiple security systems to protect your network against cyber threats. Having a firewall, intrusion prevention and detection system, network access and monitoring controls, network segmentation, antivirus software, and data encryption will help eliminate the threat of SPOF.

Backups

Backups are your last line of defense in the event of a data breach. If an attacker manages to break through your perimeter due to vendor or device failure, then they’ve gained the ability to encrypt or delete your data. Having backups of your data readily available can help diminish the impact of a ransomware or similar cyberattack. Create multiple backups and store them on different types of media, including offline and on the cloud. Store the backups securely and ensure that the location of (and access to) the backups is kept on a need-to-know basis.

Conclusion

The damage of this high-caliber attack against SolarWinds is still being evaluated by experts, and according to FireEye, it “demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors.” Companies must have contingency plans in place to mitigate the severe impact of an attack on the third parties that are tasked with securing confidential data. By conducting thorough due diligence, diversifying your protections, and creating backups, your company can lower their chances of suffering the consequences of a third-party security breach.