Reflections on the latest big hack – in a security strategic context

By Henrik Christensen Lei, Director of Security and Identity at CTGlobal

Years ago, I agreed with those who believed that we needed “good” stories in cyber security, to raise security awareness. By “good” we meant “spectacular-in-the-fear-mongering-sense”.

I do not believe that anymore, because I no longer see anything good coming out of these cases. At this point in time we are drowning in spectacular security stories, and instead of helping, they only add pressure to a large and sore pain point that cannot be easily fixed, because they draw focus away from the underlying issues, which are far more critical than any one isolated security incident.

Every time a story breaks – the latest SolarWinds/FireEye hack being a prime example – our attention is on technology: How technology failed, and what to do to fix this short term. But the problem is not (never!) one single piece of software or hardware that failed. The problem is that in most organizations, security is out of balance and focus, and not sufficiently embedded in corporate culture. The reality is that most of the time security risks are not sufficiently understood in organizations and that, as a consequence, there is no consistency in how we accept or mitigate risks. When something like the FireEye/SolarWinds incident occurs, too many people are surprised and react irrationally, pulling a lot of other people down the same path. The big vendors scramble to argue that they have the best technology response to the specific issue. But in my opinion, in doing so they completely miss the point and inadvertently skew the conversation, doing more damage than good to the overall security posture of organizations.

What happened this time?
Before digging further into this, let’s talk about what happened in this latest “good story”:

FireEye, one of the most respected and capable security companies, got hacked. So, the first high-level conclusion must be that “if they can hack FireEye, nobody is safe – certainly not the majority of organizations, who are probably way behind on security”. And that’s true. We know that the initial shock-and-horror of a reputable security firm getting hacked is of course just the headline-grabbing tip of the iceberg. More incidents will follow.

The short version of the story is this: We know that perpetrators managed to embed code into software from SolarWinds. Now, everyone using SolarWinds Orion will potentially carry malware, disguised as valid and signed secure code from SolarWinds, into their organization. Walking straight over the bridge past the guards. The result is that the bad guys now have a backdoor in the network and can potentially use this for any purpose. A large number of high-profile organizations have been impacted by this and the potential magnitude is quite significant.

The story continues to evolve, disclosing technical details about how advanced and sophisticated the perpetrators are. Unfortunately, the story will quickly become old news as other urgent and important things take precedence. Things move incredibly fast in security, and the fact is that so far we still know very little about the real damage done.

And do the details about what happened, actually matter?
Most speculation about the people behind the hack points towards the usual nation-state suspects. As for the actual goal, speculation flourishes, and it can be hard to distinguish qualified statements from clever guesswork.

Certainly, as a consequence of this hack a lot of organizations probably now have a backdoor (or several) in their network. But that doesn’t mean that they are actually, specifically and individually under threat in this particular case: If your organization is average, non-critical and you do not fall into a category where military grade security or similar is needed, my guess is that this is not the first backdoor in your network, and it will not be the last. Also, it should be said that this backdoor has probably been there for quite some time, as SolarWinds was compromised at least several months ago. So, should you investigate and close the gap? Yes. Should you panic? No. Why? Because your organization is probably not the intended target and rushing a response might do more harm than good.

As with many past security events on this scale, chances are we will never know what the real strategic purpose was. And, I might add, most organizations will never get a clear answer, with any certainty, to the question: “Did they use their access for anything bad?” Remember this.

What is an appropriate response to this type of incident?
There will be many variants of responses out there. Some organizations will be ready for fairly thorough investigations and will probably be able to provide limited clarity. The majority of organizations, however, will not be able to do so, and will struggle to answer that essential question: “Did they use their access for anything bad?”

I have no interest in downplaying this incident, but as early as before Christmas – just days after the hack was publicly disclosed – several media outlets named the incident “the worst in a decade”. I find these reactions quite concerning, considering the limited facts available. Sure, the sheer magnitude is potentially very big, but we still don’t know most of the facts, including information about the actual harm done. It could be a step towards something really harmful, but I would argue that most “normal” organizations have bigger and more qualified threats to worry about.

That is why I believe now is a time to reflect and learn — it’s still too early to let this incident define new short-sighted technical initiatives. In my opinion, crying wolf doesn’t help the cyber security agenda.

Is “zero trust” a reasonable approach?
One thing I believe we should reflect on as security professionals is the concept of “zero trust” (in the broadest sense of the term).

The SolarWinds attack was another supply chain attack. We have seen it before. And it is a good starting point for giving some thought to a term we often apply to security approaches: “Zero Trust” – the idea that never trusting any vendor or any software, and always assuming the worst-case scenario, is a viable best security practice.

The idea of not trusting anything is fascinating to most security people. But in the real world it is quite limiting if we can’t put some level of trust in our supply chain. Trust is a core concept that has to be in place, at least to some degree, both in the physical and digital world. We need to place some trust in our users to behave reasonably, trust our vendors to deliver securely, and trust law enforcement to react, if trust has been broken unlawfully. At least the average organization does.

Trusting someone or something is the same as taking a chance, as accepting risk. We can’t remove all risk and we shouldn’t — taking risk is a prerequisite for achieving something and growing. Many organizations have an unhealthy ‘zero tolerance’ culture for known cyber risks; and many security people are not personally comfortable accepting risks. Why? Because a) nobody wants to be caught out, when one of these major cases break; and b) most security people know that, in reality, the potential risks are much bigger and less controlled than top management thinks. 

Risks do not disappear if you don’t talk about them — although silence is unfortunately the risk strategy in some organizations, because whoever spots a risk easily becomes the owner of it. 

It is essential to accept that there are risks, if you are to deal with them. It’s a question of realistic and informed risk management. 

While “blind acceptance of risk” – where you basically accept that you are clueless and powerless – is not a viable strategy, the same is true of the opposite strategy, “zero tolerance of risk”, which is equally unviable and impracticable. Add to that: “zero tolerance” quickly turns into “blind acceptance”, since controlling everything is so difficult that the only option left is to resign yourself to the impossibility of the task and ignore the threats around you.

If you build your security strategy around these types of high-profile incidents and media stories, you will most likely end up with a patchwork of security capabilities and components that provide little value. Boards don’t understand why all those millions of dollars were not enough to enable IT to provide viable answers to their question: “Did they use their access for anything bad?” We might be able to confirm that we have been vulnerable to, or a target of, the incidents, but the wrong strategy has left us in the dark, unable to connect the dots and provide answers that have meaning in a business context.

As a security professional you might end up with additional funding on the back of these spectacular incidents. But it comes with expectations of providing perceived value, and most likely also with demands of quick resolution. 

What should you do?
On the back of the latest (any!) incident that leaves you unsure of threat impact and breach status, you can choose one of two paths: you can add yet another patch to the security patchwork, or you can take a step back and consider the real reason things are not as well as expected – why, once again, you were caught out.

And the thing is: more technology is not the solution, unless your technology solutions are heavily interconnected and reinforce each other. Most likely, they’re not.

The hard fact is that most organizations never utilize all the features in the security technology they buy, simply because they underestimate how many stumbling blocks litter the road to success, most importantly and most frequently the lack of the right people and processes.

And by the right people and processes I don’t mean the most clever and innovative; I mean the ones that resolve and execute the core disciplines and deal with all the basic issues that so often scream for more attention.

Security should no longer be siloed off as a separate pillar in organizations. It should be embedded in all aspects of doing business, and work in a delicate balance with usability and performance. 

Understanding how the business works, defining what is normal in your specific business, and having relevant data available for security analysis, are key elements. 

So, what is the real take-away? 

  • Take a step back and reconsider your security strategy. Do you have the necessary interconnected solutions and a holistic security strategy?
  • Accept the fact that you are not fully in control and that you can’t prevent all bad things. Yes, sorry to say: Most of you will have to accept and live with risks that may be considered quite significant to some. At the end of the day, security is a game of cost vs. benefits. Make this a disclosed risk discussion in your organization and accept neither blind acceptance nor zero tolerance of risk.
  • Create balance in security and work towards improving your ability to detect incidents and respond to them. It’s a game of cat and mouse, but think of your house as very old and the mouse as very clever. Next time the unknown hits, you need to be closer to answering the real question: “Did they use their access for anything bad?”

My best advice is always: do not run out and buy a shiny new power tool to add to the wall of your toolshed whenever you hear of a new threat. Instead, make sure you use all the tools you already have, and do the groundwork – plan your construction well, diligently go through all maintenance processes on a regular basis, and make sure your organization understands how and why they can play a role in protecting the assets that the shed was built to shield.

Can we help you?
At CTGlobal it is our experience that the Microsoft Security suite, when implemented and run correctly, is more than sufficient protection for the majority of organizations. While not perfect, it provides a value proposition and holistic approach that is hard to beat, if you adhere to appropriate policies and processes and follow best practices. Get in touch to learn more about how we can help design and implement a solid security framework, customized to your organization.

About CTGlobal:
CTGlobal is an IT consultancy and development company focused on cloud, data center, security and enterprise client management. The corporate HQ is based in Denmark with offices in Norway, Estonia and The United States. The company was founded in 1999.

CTGlobal is Microsoft Gold Partner in Windows and Devices; Cloud Platform; Cloud Productivity; Datacenter; and Enterprise Mobility Management, and our experts speak and teach at leading international seminars and conferences.

CTGlobal helps enterprises maximize return on their investments in Microsoft Systems Management and cloud platform solutions by visualizing threats to compliance, security and performance in their IT infrastructure, and prioritizing tasks and resources accordingly. CTGlobal is renowned for expert solutions and recognized as a leader in the field of management technology and infrastructure visualization.

About Henrik Lei:
CTGlobal Director of Security and Identity.

Henrik Lei has worked in information security since 2002, and acted as CISO in global enterprises, including Lego and Velux. At CTGlobal, he heads up a team of security specialists who focus on the design, implementation and running of security frameworks that fully utilize all features and functions of Microsoft’s security solutions; and who help organizations apply the right people, processes and policies to build and maintain a tight security posture.