Originally posted 12/30/2020

By now everyone in the IT world, and many on main street, are aware of the SolarWinds breach. The fact that top-tier firms like FireEye Security and Microsoft, among others, were compromised by attackers who used SolarWinds software to infiltrate their networks should give every CIO and CISO a moment of pause.

Intrusion Detection Systems (IDS) and Endpoint Detection and Response (EDR) systems cannot be fully relied upon to detect novel attacks as sophisticated as this SolarWinds compromise. Developing a response to the inevitable breach must be part of any long-term strategy. Protecting systems and data requires intentional security engineering to minimize the threat and detect any suspicious activity.

Everyone wishes the SolarWinds incident were an isolated case, but every CISO knows it is the tip of the iceberg, simply the latest major breach. CIOs and CISOs must take steps now to avoid being the next victim.

A few immediate steps: 

  • Conduct a threat hunt to uncover any current adversary activity on the network
  • Perform a penetration test or vulnerability assessment every 12-18 months 
  • Evaluate firewalls and intrusion detection systems to ensure they have the most current settings
  • Use two-factor authentication 
  • Provide user training to all staff 
  • Use data encryption for data at rest 
  • Evaluate all third-party software on your network for vulnerabilities 
  • Remove unneeded third-party software; update to latest version if it must stay 
  • Evaluate in-house written code for vulnerabilities with a competent code review
  • Monitor all relevant Cyber Security information available 
  • Implement a “honey pot” on the network to assist with notification of intrusion 
  • Audit all Domain Admin account activities 
  • Determine whether you were impacted by SolarWinds, and validate all internal-to-external traffic by evaluating logs and accounts
  • Update all endpoint protection 
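As an added illustration of the log-review step above (example code written for this page, not from the original post or from any SolarWinds tooling), the script below runs two simple checks over outbound firewall events: it lists external destinations that have not yet been reviewed, and it flags host pairs that talk at unusually regular intervals, the pattern a compromised host polling a command server tends to leave in logs. The log format, the internal address ranges and the allowlist are all assumptions; the sample lines are constructed.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a hypothetical "key=value" firewall log format;
# neither the format nor the addresses come from the original post.
SAMPLE_LOG = """\
2020-12-14T03:00:00 src=10.0.5.21 dst=10.0.1.5 dport=445 bytes=1200
2020-12-14T03:01:00 src=10.0.5.21 dst=203.0.113.10 dport=443 bytes=880
2020-12-14T03:02:00 src=10.0.5.21 dst=203.0.113.10 dport=443 bytes=890
2020-12-14T03:03:00 src=10.0.5.21 dst=203.0.113.10 dport=443 bytes=875
2020-12-14T03:04:00 src=10.0.5.21 dst=203.0.113.10 dport=443 bytes=882
2020-12-14T03:05:30 src=10.0.7.9 dst=198.51.100.7 dport=443 bytes=40100
2020-12-14T09:17:00 src=10.0.7.9 dst=198.51.100.7 dport=443 bytes=120
"""

# Address ranges this (hypothetical) organisation treats as internal.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# External destinations the organisation has already reviewed (assumed).
ALLOWED_EXTERNAL = {"198.51.100.7"}

MIN_BEACON_EVENTS = 4     # need enough samples before judging regularity
MAX_JITTER_RATIO = 0.1    # std-dev / mean of inter-arrival times


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one log line into a dict; raises on malformed input."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.fromisoformat(ts),
        "src": ipaddress.ip_address(kv["src"]),
        "dst": ipaddress.ip_address(kv["dst"]),
        "dport": int(kv["dport"]),
        "bytes": int(kv["bytes"]),
    }


def outbound_events(log_text):
    """Keep only events whose source is internal and whose destination is not."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    return [e for e in events if is_internal(e["src"]) and not is_internal(e["dst"])]


def analyze(log_text, allowed=ALLOWED_EXTERNAL):
    events = outbound_events(log_text)

    # Check 1: external destinations nobody has vetted yet.
    unapproved = sorted({str(e["dst"]) for e in events} - set(allowed))

    # Check 2: repeated, low-jitter contact with the same host (beacon-like).
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(str(e["src"]), str(e["dst"]))].append(e["ts"])
    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < MIN_BEACON_EVENTS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= MAX_JITTER_RATIO:
            beacons.append((src, dst, mean))
    return {"unapproved_destinations": unapproved, "beacon_candidates": beacons}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for dst in result["unapproved_destinations"]:
        print(f"unapproved external destination: {dst}")
    for src, dst, period in result["beacon_candidates"]:
        print(f"beacon-like traffic: {src} -> {dst} every {period:.0f}s")
```

On the constructed sample, the two large transfers to the allowlisted host pass both checks, while the four evenly spaced connections from 10.0.5.21 to an unreviewed address are reported by both. The internal ranges are declared explicitly rather than taken from Python's `is_private`, which also classifies documentation ranges such as 203.0.113.0/24 as non-global and would hide them from the review.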

A few long-term solutions: 

  • Invest in a proven Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) 
  • Invest in Endpoint Detection and Response (EDR) System 
  • Invest in a proven SIEM to correlate EDR and IPS and IDS  
  • Monitor the detection systems continuously and conduct regular threat hunts
  • Invest in edge protection 
  • Invest in quality user training 
  • Consider cloud-based infrastructure and cloud-based security (cloud infrastructure DOES NOT automatically mean secure) 
  • Develop a cyber security strategy that is right for the organization 
  • Develop a Continuity of Operations Plan (COOP) in the event of a catastrophic breach 
  • Develop a secure and robust back-up and recovery plan 

The SolarWinds breach and the associated hacks show that every organization is vulnerable. The key is to be prepared for intrusion prevention, detection and response. Have you done what you can to be prepared?