Exploring the Long-Term Ramifications of the SolarWinds Attack

The recent SolarWinds breach was part of a much larger attack that was carried out through malicious updates to a popular network monitoring product. The attack impacted major government organizations and companies and highlighted the severe impact software supply chain attacks can have when organizations are unprepared to prevent and detect such threats. 

The attack is believed to be one of the most widespread and damaging cyber-attacks in history. SolarWinds’ Orion network management system is used by more than 300,00 organizations, including U.S. Federal agencies and 425 of the Fortune 500.

HMG Strategy recently hosted a roundtable discussion with a group of top-tier security leaders to gain their insights on the long-term ramifications of the SolarWinds attack. The discussion, which was moderated by HMG Strategy President and CEO Hunter Muller, explored the implications of the attack, the risks it entails, and best practices for CISOs and their teams to be better prepared for similar disruptions going forward. 

The roundtable’s panelists were Jesse Bociek, CISO at Tenneco; Rocco Grillo, Managing Director, Global Cyber Risk & Incident Response Investigative Services at Alvarez & Marsal; Lakshmi Hanspal, Global CSO at Box; and Monti Knode, Director of Customer Success at Horizon3.ai. The panelists were joined by many accomplished technology experts. 

One of the roundtable participants, a CIO for an industrial equipment manufacturer, suggested that the SolarWinds attack will prompt CIOs and CISOs to look at their organizations’ supply-chain activities – and vulnerabilities – more closely.

Monti Knode, Director of Customer Success at Horizon3.ai, pointed to the immense consequences faced by government agencies in such a breach, and warned that organizations must critically examine the amount of credentialed and privileged access given in the name of convenience that could increase risk. In his work with the Department of Defense, he noted that the DoD took a slow approach in adding software that sped up the security and update process.

“But now, what am I giving up in order to be that fast?” asked Knode. “We can reset credentials, reset some infrastructure, but rebuilding the risk profile is long-term.”

Lakshmi Hanspal, Global CSO at Box, brought up several questions security experts must consider in the wake of the SolarWinds attack. Are automatic updates on, and is that good or bad? Should more onus be placed on the supply chain and third parties? Should resiliency testing today extend to the supplier?

The importance of collaborating with partners along the supply chain, as well as the wider intelligence community, was also a topic of discussion. Hanspal considered sharing tactics throughout the intelligence community and promoted working closely with third parties.

“We can all lean into our third parties as partners first, understanding where they need help,” said Hanspal. 

Rocco Grillo, Managing Director, Global Cyber Risk & Incident Response Investigative Services at Alvarez & Marsal, also asked the group whether the SolarWinds attack would cause executives to consider a new level of due diligence from their partners. 

“Whether it’s part of a contract, whether it’s management, you really need to have that comfort from an organization to partner with a third party,” said Grillo. 

For its part, Tenneco “has security as it relates to practical terms and conditions for the supply chain,” offered Jesse Bociek, CISO at Tenneco, speaking to the importance of security in contract and terms and conditions, both upstream and downstream in the supply chain. 

“The other aspect of the agreement is cyber insurance,” said Hanspal. “What level of insurance would you have as an organization? When your cyber insurance brokers come to you and you are showcasing controls, extend that to supply chain resiliency. Ask them what they’re seeing, what coverage might be important to have, commensurate to your organization.”

Participants in the roundtable also brainstormed on best practices for keeping members of the board informed. 

“Boards want to be updated periodically,” said Knode. “They want to hear ‘Are we impacted?’,”

To varying degrees, companies that are dependent upon their supply chains may also be SaaS providers as well, which presents its own set of challenges. 

“How can this not happen to our customers as well?” said Knode.

Grillo was quick to add that taking protective measures was not just an IT and security issue, but a business requirement as well.

“Executives have to be involved with it,” said Grillo. 

In times of crisis, communication between members of the leadership team is integral. 

Overall, the most important consideration for technology executives is to look forward. While looking at the future supply chain ecosystem, the big question is how to get ahead and stop a crisis like the Solarwinds attack from occurring in the future. 

“Every now and then, the industry gets a wake-up call, and this is one of them,” said Hanspal. “There are more unknowns than knowns, and some impact yet to be played out.”

Be sure to register for our next SolarWinds roundtable discussion on March 24 at 11 a.m. ET to discover the latest findings and next steps that security teams should be taking to help protect their organizations. Click here to register.