
Survey: Cybersecurity Community Increasingly Concerned About SolarWinds Breach

Mar 29, 2021

Few cybersecurity breaches have caused more consternation among industry experts than the far-reaching 2020 attack against SolarWinds. In fact, concern has built up throughout the cybersecurity community as new details come to light.

In an (ISC)2 survey of 303 cybersecurity professionals fielded from February 10-28, 2021, a solid majority of respondents (86%) said they would have rated the breach “very” or “extremely severe” when they first learned about it. However, roughly six weeks after the incident was reported, as more details emerged, the number of respondents who indicated that the breach was “severe” increased from 51% to 55%. On a scale from 1 to 5, the perception of the severity of the breach also increased over time, from an average of 4.34 initially up to 4.37.

This perception of increasing severity is atypical of most breaches. Headlines tend to fuel speculation in the immediate aftermath of a public disclosure, which is then tempered by remediation of the threat. In other words, severity spikes in the short term and decreases as more information becomes available.

As the chart below depicts, the SolarWinds incident bucked that trend in the eyes of cybersecurity professionals, who see it as a Pandora’s Box that affects a broad range of organizations and reaches deep within their infrastructure. As one respondent noted, “If you had a ‘catastrophic’ rating [option], I would have picked it.”

[Chart: SolarWinds_Chart]

“Initially the severity and impact was greatly downplayed,” noted another respondent. “The more I know, the less I want to. It was worse once the details emerged.”

What Happened?

SolarWinds reported to the Securities and Exchange Commission (SEC) that up to 18,000 customers installed updates to its Orion software that had been compromised with malicious code. Just how many were affected is unknown. “I still think there are companies that were affected by the SolarWinds incident that don’t know it yet,” said one survey respondent.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a forensics collection tool to find indicators of compromise (IOCs) in connection with SolarWinds products affected by the breach. The incident, said one survey respondent, was “not only broad in scope but also in deep penetration across many different companies.”

(ISC)2 chose to poll cybersecurity professionals about this particular cyberattack because of its scope. The goal was to assess the impact on cybersecurity professionals, how they are reacting, and what lessons could be learned to prevent future breaches.

Keeping Us Up At Night

This was a supply chain attack, an especially nefarious type of hostile action that targets various entities through a supplier of technology and security services – the very companies customers expect to protect them from cyber threats. Said one participant, “The way the attack was used to pivot to expose potentially thousands of SolarWinds customers demonstrates an often overlooked threat vector.”

According to another respondent, “Attacks on our software update/patching supply chain are high up on the list of things that keep us up at night. An attack on the software that controls our entire network and systems is even more frightening.”

Impact on Cybersecurity Teams

The incident has prompted reviews of security tools and protocols by many cybersecurity teams. Cybersecurity professionals said they have stepped up activities such as forensic analyses, re-architecting of systems, and making sure all patches are up to date. Many respondents reported getting questions from their executive teams about their own security protocols, prompting time-consuming due diligence and reporting activities.

Naturally, a first step by many cybersecurity teams was to investigate whether their companies or customers were attacked. “We had to shut down SolarWinds and switch to PRTG,” said one respondent. Said another: “We have gone through patching cycles to eliminate the vulnerability.”

Of course, not everyone was impacted. Nor were all companies that run SolarWinds products compromised, since some use products other than the Orion platform. For instance, according to SolarWinds, MSP products were not affected. Even so, some respondents say there were consequences. “As a SolarWinds MSP customer, I have had to do a lot of explaining to our customers about what was involved in the breach and why we are continuing to use a SolarWinds product.”

Lessons Learned

Cybersecurity professionals are assessing the lessons learned from this incident. There are many – and some of them aren’t necessarily new. Consider these responses:

  • Zero Trust is the truest security model and will be for the foreseeable future, as there are no guarantees in the cybersecurity industry.
  • Weak controls around admin credentials and undetected code modifications are dangerous.
  • There are so many companies that don’t pay attention to their vulnerabilities or patch their systems.
  • Vetting is not done by finding the cheapest, functional solutions. It must be thoughtful, analytical and deterministic.
  • You cannot delegate trust to another organization.
  • Securing your own environment is not enough; third-party suppliers can be the weakest link.

There were frequent mentions of the need for patching – and calls for better patch management approaches. “The key takeaway is the need for a more secure supply chain for patch deployment, which has been only issued using old concepts,” said one respondent. Another respondent summed it up: “If an organization hasn’t committed to full patching and response, then they will serve as a pivot point to other services they are tied to.”

Taking Action

Based on lessons learned, cybersecurity professionals proposed a number of recommendations to fortify cyber defenses, including:

  • Improve third-party governance and due diligence practices
  • Improve controls to perform extra due diligence on any third-party software (say through automated software analysis)
  • Watch outbound traffic and know what it should be
  • Isolate systems with broad access to other systems
  • Harden systems and conduct thorough research before deploying a solution
  • Segment networks
  • Employ a multi-faceted approach, incorporating humans and technology
  • Improve IOC detection mechanisms
  • Disallow Internet access to systems that do not require it

And as one respondent put it: “The principles are known: least privilege, cyber hygiene on credentials and software development best practices. This attack is a call for action to implement (these controls) at all levels.”

These comments reflect a growing sentiment among cybersecurity professionals that dealing with the fallout from breaches is the true test of cyber readiness and resilience. “Even when you do everything right, you can still be breached,” said one respondent. While no one is conceding the war to the bad actors, there is a sense that organizations as a whole need to be more vigilant about defending their data, networks and people, and allocating the necessary funds and resources to cyber defenses.

Continuing the Discussion

The incident has been a flashpoint for strong opinions about the security of supply chains and how third-party systems should be managed by the organizations that use them. Even in its wake, a potentially more damaging Microsoft Exchange breach has trained the spotlight again on the technology supply chain and the inherent risks that exist within it.

Join (ISC)2 for a roundtable panel discussion on Tuesday, March 30 at 1pm ET in a webinar titled “SolarWinds Fallout Has Execs Asking: How Secure Is Our Supply Chain?” Several security practitioners will explore these issues and share anecdotes and best practices related to third-party technologies in the security stack, and discuss how peers in cybersecurity leadership positions are future-proofing their defenses while planning for worst-case scenarios.