As the cybersecurity industry continues to parse the news, threat intelligence, and mounting fallout from the SolarWinds compromise, the gory details just keep unfolding. While most of the post-mortem news cycles provide at least some insight for security leaders seeking to learn from such a far-reaching incident, security strategists on the ground should avoid too much of the typical car-wreck neck craning as we sift through the breach details.
In many ways, it is neither here nor there whether it was an intern that caused the breach by using 'solarwinds123' on a file server in 2019. Similarly, getting caught up in forensic attribution to Russian actors or motivations behind the attack can distract from the more systemic cybersecurity problems that "Solargate" exposed.
Chief among them are the weaknesses and lack of resiliency in the modern IT supply chain. It's less crucial to understand how the attackers first broke into SolarWinds systems and more important to think about what they could do with that access. The most solid number industry analysts have put on how many organizations were potentially impacted is the 18,000 customers that SolarWinds, in its initial filings, told the government were vulnerable to the flaw it found. But the fallout could ripple out far beyond that, given the number of high-profile organizations in the IT supply chain involved. It's not farfetched to assume that attackers used these supply chain compromises to target the customers of SolarWinds' customers.
This is the heart of the Nth-party risk problem, something that last year we at RiskRecon explored at great length with our Ripples Across the Risk Surface report, which showed that events like the SolarWinds breach cause 13x the damage of single-party data breaches due not only to third-party impact, but also fourth-party, fifth-party, and other Nth-party risks.
RiskRecon recently had a lively conversation with some key cybersecurity thought leaders on the subject of SolarWinds. In it, Jim Routh, Head of Enterprise Cyber Security at Mass Mutual, explained that SolarWinds shows how the lines of demarcation between third-party risk and Nth-party risk have grown fluid in today's IT environments. As he puts it, the scope of SolarWinds may still be unclear, but he thinks it is one of the biggest incidents yet in terms of the number of enterprises impacted, due to "poisoning the supply chain."
"As an enterprise, I have to recognize that if I'm dealing with a third-party software supplier, the development for that software is using open source components developed by a fourth party and hosted by a fifth party, a cloud service provider," Routh explained. "So just in the scope of using third-party software, I'm dealing with third-, fourth-, and fifth-party risk as part of an ecosystem that is directly tangible to the resiliency of my enterprise."
SolarWinds drives home the fact that so much code, software componentry, and infrastructure is shared in a sometimes complicated fabric of relationships. Routh says it offers a prime example of why enterprise risk managers need to think about how they can influence the community of partners that contribute to their development ecosystem. He believes that enterprises need to find ways to build more resiliency and quality into their IT deployment pipelines. That means fundamentally changing the way organizations think about third-party governance to include not only real-time monitoring of partners but also enforcing solid repository management and stronger controls over software development and deployment.
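The two directions of Nth-party risk described above, a compromise rippling downstream to the customers of a vendor's customers, and an enterprise looking upstream through its third-, fourth- and fifth-party suppliers, are both questions about reachability in a supplier-to-customer graph. The following is an added example, not code from RiskRecon or from the report or conversation cited here; the organisation names and the edges between them are constructed for illustration, and the party numbering follows Routh's convention (a direct supplier is the third party, its supplier the fourth, and so on).

```python
from collections import deque

# Constructed sample supply chain (assumption, not from the page):
# each key is a supplier, each value is the set of organisations that
# consume its software or services. A "cloud host" is modelled as an
# upstream supplier of the vendor it hosts.
SAMPLE_EDGES = {
    "oss-lib-maintainer": {"vendor-a"},      # open source component used by vendor-a
    "cloud-host":         {"vendor-a"},      # vendor-a's build/hosting provider
    "vendor-a":           {"acme-bank", "mega-retail", "msp-b"},
    "msp-b":              {"city-clinic", "acme-bank"},  # MSP resells vendor-a to its clients
    "acme-bank":          set(),
}


def build_customer_graph(edges):
    """Normalise the edge dict so that every organisation appears as a key."""
    graph = {}
    for supplier, customers in edges.items():
        graph.setdefault(supplier, set()).update(customers)
        for customer in customers:
            graph.setdefault(customer, set())
    return graph


def ripple_exposure(edges, compromised):
    """Map every organisation downstream of `compromised` to its hop count.

    hops=1 is a direct customer, hops=2 a customer of a customer, etc.
    Breadth-first search keeps the shortest path, so an organisation reached
    both directly and via a reseller is reported at the closer distance.
    """
    graph = build_customer_graph(edges)
    if compromised not in graph:
        raise KeyError(f"unknown supplier {compromised!r}")
    exposure = {}
    seen = {compromised}
    queue = deque([(compromised, 0)])
    while queue:
        org, hops = queue.popleft()
        for customer in graph[org]:
            if customer not in seen:
                seen.add(customer)
                exposure[customer] = hops + 1
                queue.append((customer, hops + 1))
    return exposure


def upstream_parties(edges, org):
    """Map every supplier upstream of `org` to its party number.

    A direct supplier is the third party (the enterprise itself being the
    first), that supplier's supplier the fourth, and so on up the chain.
    """
    graph = build_customer_graph(edges)
    reverse = {node: set() for node in graph}
    for supplier, customers in graph.items():
        for customer in customers:
            reverse[customer].add(supplier)
    parties = {}
    seen = {org}
    queue = deque([(org, 2)])
    while queue:
        node, party = queue.popleft()
        for supplier in reverse[node]:
            if supplier not in seen:
                seen.add(supplier)
                parties[supplier] = party + 1
                queue.append((supplier, party + 1))
    return parties


if __name__ == "__main__":
    # Downstream view: who is exposed if the open source maintainer is compromised?
    for org, hops in sorted(ripple_exposure(SAMPLE_EDGES, "oss-lib-maintainer").items(), key=lambda kv: kv[1]):
        print(f"{org:<20} reached in {hops} hop(s)")
    # Upstream view: which Nth parties does city-clinic depend on?
    for supplier, n in sorted(upstream_parties(SAMPLE_EDGES, "city-clinic").items(), key=lambda kv: kv[1]):
        print(f"{supplier:<20} is city-clinic's {n}th party")
```

Run on the constructed graph, a compromise at the open source maintainer reaches five organisations, with city-clinic three hops away even though it has no relationship with the maintainer or with vendor-a; from city-clinic's side, the same maintainer and the cloud host both appear as fifth parties. Replacing the constructed edges with a real supplier inventory (from contracts, SBOMs or a vendor-risk platform) turns the same traversal into the ecosystem map Routh argues risk managers need.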
"The controls in place to protect secrets and protect sensitive information need to be redesigned to be embedded in the DevSecOps pipeline model because the traditional conventional on-prem controls don't work," he explains. "This is a wake-up call for the enterprise. You don't have to wait for the full scope of SolarWinds to be identified. These are steps we can take now, let's start with some conversations with the CIOs on how to make the entire ecosystem more resilient."