SolarWinds - How Cybersecurity Teams Should Respond
By Paul Kurtz Co-founder and Executive Chairman, TruSTAR Technology
SolarWinds perhaps represents the most severe hack of the digital age.
The playbook of our adversaries continues to evolve, but defenders are losing, and the gap is widening. Discussion of imposing consequences on adversaries seems pointless so long as we keep falling farther behind. Similarly, finger-pointing will not work as this hack was not a single mistake like many we have seen in the past. In this case, it is clear the adversary used a suite of sophisticated techniques to cover their tracks, including a supply chain hack and using steganography to embed command lines.
FireEye has started what must become the norm: disclosing as much detail as possible as fast as possible about the attack techniques and indicators of compromise. Sharing indicators of compromise accelerates the discovery of other victimized systems. Today government agencies and companies are searching for indicators of compromise within their networks.
So, now what? How should organizations respond?
No doubt, the market will respond with new tools that could help identify similar future attacks. However, success will be temporary given adversaries continue to move faster than defenders. Rather than retool, we should focus on a more data-centric approach. Recently, the Cloud Security Alliance published a research paper on Cloud-based, Intelligent Ecosystems. The report calls for a paradigm shift to integrate and automate data from security tools and external threat feeds to establish a holistic picture of activity. By doing so, companies and government organizations can accelerate discovery, searching more quickly across all systems for indicators of compromise, like those released by FireEye shortly after they discovered the breach. Given different tools have different functions, it is likely indicators of compromise are spread across multiple systems. A data-centric approach rather than a tool-centric approach will help assemble pieces of the puzzle more quickly.
Organizations need to build a "cyber memory" of past events.
The paper also calls out the need for building “cyber memory” of past events; without memory, it is impossible to learn. We need to be able to recall event data from security systems seamlessly. Creating a virtual memory to absorb events will enable Machine Learning to identify patterns to more effectively and efficiently address malicious activity.
This approach is not a panacea and should not be read as preventing future attacks. However, it serves to close the gap and contain problems. The combination of information sharing--like FireEye’s, plus a data-centric approach to building a cyber memory of past event data from tools and external threat feeds will accelerate discovery.
About the Author
Paul B. Kurtz
Co-Founder and Executive Chairman, TruSTAR Technology
Paul began working on cybersecurity at the White House in the late 1990s. He served in senior positions relating to critical infrastructure and counterterrorism on the White House's National Security and Homeland Security Councils under Presidents Clinton and Bush.
After leaving government, Paul has held numerous private sector cybersecurity positions including founding the Cyber Security Industry Alliance (Acquired by Tech America), Executive Director of SAFECode, Managing Partner of Good Harbor Consulting in Abu Dhabi, and CISO of CyberPoint International. Paul is also a founding board member of CSA and co-founded TruSTAR in 2016.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.