Lessons from the SolarWinds Breach to Enhance Your Cybersecurity and Vendor Management Programs
WHAT HAPPENED?
Remediation efforts have been underway for nearly two months following the burgeoning SolarWinds attack. Initial findings indicated that the breach affected an estimated 1,800 companies, including major cybersecurity vendors like Mimecast and Qualys. While researchers are still analyzing affected systems to determine which companies and organizations may have been impacted, lists of believed victims have emerged that include other big names like Cisco, Microsoft, SAP, and Intel.
The goal of this attack was to compromise the software so that its subsequent users would be infected, a technique commonly referred to as a “supply chain attack.” Investigations strongly suggest the attack was initiated by a foreign nation state and show that its effects are cross-industry and exceedingly widespread.
Even if your firm was not directly affected by the breach, it is likely that at least one of your third or fourth parties was affected. Below are some takeaways for minimizing the impact of supply chain attacks and what your firm can do to help mitigate potential risks:
Lesson 1: Supply chain attacks will likely become more common.
Network monitoring systems are a prime conduit for data breaches. If a network monitoring system is compromised, the attacker gains the same access rights that the monitoring system itself holds across the network. Firms should manage this potential risk by implementing comprehensive vendor management programs.
Lesson 2: Vendor management is increasingly important.
In 2020, the U.S. Securities and Exchange Commission increased its focus on third-party service providers and financial firms’ oversight of their vendors’ cybersecurity and privacy controls. Regulators will likely increase scrutiny on vendor management as supply chain attacks increase.
Vendor due diligence programs should require: (1) initial review and approval by the personnel responsible for overseeing vendor management prior to engaging the vendor; and (2) periodic reviews thereafter based on the vendor’s risk profile. Additional reviews may also be triggered by events such as breaches, changes in market conditions, or changes in organizational leadership.
Following large-scale breaches, it is critical to follow up with your key service providers to determine whether your firm’s sensitive data was breached. Even if you were not directly affected by the SolarWinds breach, it is likely that at least one of your third or fourth parties was.
Firms should contact vendors who store or process firm data to determine whether the vendor has been affected by this attack. If you need assistance, Fairview Cyber provides full-service vendor due diligence administration.
Lesson 3: Post-incident documentation is critical.
If your firm was affected by the SolarWinds breach or another large-scale cybersecurity attack, follow the guidelines set forth by industry experts. If you deviate from expert recommendations, document your reasoning. This documentation will help your firm respond to potential litigation in the future. Coordinate with legal counsel to ensure you maintain privilege over these documents, where possible.
Following an incident, firms should conduct an analysis to determine key takeaways and lessons learned. Incorporate any takeaways into your firm’s policies and procedures.
Lesson 4: Monitor reliable resources for new information following a data breach.
In many cases, new information will become available in the weeks and months following a data breach. It is important for firms to stay apprised of this information and to adjust their response plans as necessary.
WHAT DOES THIS MEAN FOR ME?
The investigation of the SolarWinds Orion Hack is ongoing and new information is released daily by government and private sources assisting in these efforts. If you would like to report an incident or learn more regarding reporting, please visit https://www.us-cert.cisa.gov/report. For additional guidance, see https://www.solarwinds.com/securityadvisory/faq and https://www.cyber.dhs.gov/ed/21-01/#supplemental-guidance-v3.
At Fairview Cyber, we support clients in monitoring third parties, conducting vendor due diligence reviews, and building strong security foundations to prevent attacks by bad actors. If your firm has not already taken steps to assess whether key vendors were impacted by the recent SolarWinds breach, contact Fairview Cyber for support today. We offer full-service solutions and a la carte options tailored to fit your firm’s specific needs.