The SolarWinds attack was stunning in its scope and scale. If it were an earthquake, it would be 9.9 on the Richter scale. As digital transformation accelerates in 2021 and beyond—and applications accelerate as central enablers of business and all manner of digital life—cyberattacks have become technology’s natural disasters. Both have the power for profound devastation, threaten our sense of safety, and are (sadly) the reality of our world today.
There is, however, one notable difference between a natural disaster and cybercrime. It is within our control to reduce the devastating impact of cybercrime. We can learn from the weaknesses the SolarWinds attack exposed and use this event as a catalyst for behaviour changes that will materially reduce the impact of future attacks. We cannot prevent cybercrime. But unlike with natural disasters, we can mitigate more outcomes by changing our ways of working.
Our natural environment and enterprise applications are both essential for humans to thrive—and both are constantly at risk.
The SolarWinds supply chain attack was a cybersecurity “triple disaster”—a sophisticated nation-state attack and the exposure of an entire digital supply chain, which struck during a pandemic, a time when we are heavily reliant on digital supply chains. As of late December, SolarWinds stated that its customers included 425 of the U.S. Fortune 500, the top ten U.S. telecommunications companies, the top five U.S. accounting firms, all branches of the U.S. Military, the Pentagon, and the State Department, as well as hundreds of universities and colleges worldwide.
This triple disaster is our opportunity to drive a fundamental change as business leaders. How security is prioritized and deployed, in two fundamental ways, has far-reaching implications for the long-term health and safety of the business:
- Application development, deployment and management must include corporate security standards, and traditionally siloed NetOps, SecOps and DevOps must collaborate like never before. Today, applications are developed by centralized and decentralized teams. Security features are often subjective decisions, making the entire application portfolio potentially vulnerable.
- Prioritizing cybersecurity at the corporate level. Specifically, following three information security practices that address the most common ways enterprises are targeted and breached:
  - Access Control: Fully adopt zero trust as your access control model. The essential core of your access control program must distrust all accounts (user and service) in case any of your upstream controls fail and privileged accounts are used by attackers to pivot through your network.
  - Vulnerability Management: Exploiting vulnerabilities is always a part of the attack. Vulnerability management is critical to good cybersecurity hygiene—starting with building secure code in your SDLC processes (a great opportunity for collaboration and alignment with DevSecOps), remediating known vulnerabilities in a timely manner, and using a web application firewall to protect your applications until you patch. The recently leaked FireEye red team tools—primarily targeting old vulnerabilities with publicly available exploit code—are a real example of the dangers of slow patch processes.
  - Security Monitoring: Proper logging and monitoring, including decrypting traffic for inspection, is critical for business operations. Security monitoring can no longer be an add-on or optional, as security risks are now the biggest threat to the availability of your applications, and a breach could materially impact your business.
The SolarWinds attack clearly demonstrated that until cybersecurity is a top priority, we remain as vulnerable as the weakest link in the digital supply chain. Best practices dictate that cybersecurity is viewed and deployed as an ecosystem, not a single solution.
Despite the very real cyber threats and risk, there is good news. We can make something positive come from this triple disaster with a commitment to change for the betterment of all. With these cybersecurity changes in place, our applications, customers, companies, and communities will be far (far) better prepared and more resilient when the next big one strikes.
By François Locoh-Donou, President and CEO of F5