Questions for the C-Suite after Solar Winds

SolarWinds was not the first supply chain cyber attack and it won’t be the last. Everyday companies find themselves compromised through their vendors, who unknowingly deliver attacks — especially ransomware in the past year — to the customer company. Once a compromised company is delivering a sophisticated attack through a software upgrade it’s already too late to do anything but contain the damage. The first line of defence needs to be upstream — at the point where the supply chain company is first compromise

In an earlier post I talked about the principles of supply chain compromise. But C-Suite executives will want to go beyond the immediate problem and look for the next SolarWinds. Once they have asked their team all the obvious questions about their current use of SolarWinds Orion within their own company networks, and the likely exposure, they should be asking two bigger questions.

  1. Which companies in our supply chain were exposed to the SolarWinds compromise, even if we weren’t directly?
  2. Looking across our entire supply chain, can we see other companies who have poor security and might compromise us? If so, what are we doing about it?

SolarWinds and other supply chain attacks should force a shift in mindset for senior executives. They need to start seeing their entire vendor ecosystem as an extension of their own networks, because that’s how attackers see it. They need not just to do due diligence when onboarding a vendor, but continuous monitoring. Cyber threats and company networks are dynamic, so a dated snapshot isn’t going to help. In the modern cyber context, auditing your supply chain once a quarter, makes as much sense as having a managed security service that works only once a quarter, or a company SOC that only operates occasionally. It’s like buying an antivirus product for your laptop and only switching it on when you want to audit how bad things are.

If you are monitoring the entire supply chain continuously, including the long list of companies no-one has heard of where the attack may actually come from, you then need to do something with that information. Even the best cyber team cannot cope with the sheer volume of data about 10,000 vendors: they need an expert service to prioritize actions and approach the vendor to help them improve. Cyber problems in the supply chain don’t just need identifying and cataloguing, they need fixing if the risk is going to be reduced. We have to move from admiring the supply chain problem to fixing it, assessing the risk to reducing it.

This continuous monitoring, escalation of real concerns, and remediation with supply chain companies means processing huge volumes of cyber external metadata on thousands of companies in real time. To avoid burying customers in false positives demands sophisticated automation and a high degree of expertise, especially about how supply chain attacks are delivered. But it is possible and can be bought as an expert service.

I have always avoided capitalising commercially on cyber incidents like the SolarWinds attack. The fact remains that an expert company could of course tell within hours which companies in the supply chain were likely to be exposed, without going through lengthy internal investigations. But much more importantly, we can answer the key question about what a company like SolarWinds Corporation looks like from the outside — from the attacker’s perspective. As with so many other supply chain companies, plenty of IT hygiene and vulnerability issues were visible, but we automatically highlighted five which we thought of serious concern (open RDPs and an Exim email server vulnerability which has been exploited previously). We do not know officially how the attack on SolarWinds was delivered, but we can say with certainty that these routes could have been readily exploited by an attacker. Finding those routes and closing them at speed is the supply chain challenge.

Cyber Security Specialist. Chairman of BlueVoyant International. Former GCHQ Director & Founder of UK National Cyber Security Centre. Views are his own.