Back in May, I had the pleasure of joining Michael Daniel, president and chief executive officer of Cyber Threat Alliance, at the Forbes CIO Summit to discuss creating resilient digital ecosystems without sacrificing agility. In the past two years, we’ve evolved our product development models with a focus on a zero-trust mindset and culture. In doing so, we’ve expanded our thought processes and operations to further shift left in our approach to mitigate and proactively combat risk, rather than simply chasing “secure.”
Achieving a completely secure network is a constantly moving target—a practically unattainable and potentially overwhelming goal for your IT teams. Instead, I introduced a paradigm shift at the summit—with the goal of mitigating risk after risk after risk vs. taking the whole sum of all possible risks and attempting to banish it at once.
The summit was an excellent opportunity to speak with industry leaders and learn more about what companies face as cybersecurity threats increase. In this blog, I want to highlight two of the main points we discussed in the panel, which I believe are helpful for CIOs, CISOs, and any other tech or security leader as we face growing cyberthreats in the future.
Adversaries are becoming more organized—and patient
Perhaps the best example of the patience and organization of cyberattackers today is the December 2020 SUNBURST cyberattack on our own SolarWinds software build environment. As industry experts have noted, SUNBURST was one of the most complex and sophisticated cyberattacks in history, attributed by the U.S. government to an outside nation-state. Everything the attackers did had a purpose. They didn’t go beyond the access needed to perform their mission. Nor did they attempt to target our source control system or other systems, and they took their time and didn’t make mistakes. The details of its execution unveiled a new breed of threat that organizations must now guard against.
Adversaries today are increasingly organized, adaptable, and perhaps most surprising of all, incredibly patient. For SolarWinds, the cyberattack started through a compromise of our email communications, which allowed the threat actor to discover our models of building and releasing code. Through this, the threat actors were able to define an attack not on our source control system but on the build system itself. In October 2019, the adversaries conducted a test run, and in March 2020 they inserted 2,500 lines of their SUNBURST malicious code. By June, they were out of our system.
The adversaries didn’t take the easy route with a higher chance of discovery. Everything the threat actor did was designed to evade detection by SolarWinds and our customers. They defined a model to intercept the build process supply chain and insert code there.
Our goal in sharing this information is to emphasize how all the moves they made were incredibly focused on their end goal, and they didn’t spend any extra time in the system—so they were less detectable. Adversaries like this aren’t after a quick gain; they’re sophisticated and willing to be patient to achieve their ultimate goal.
A thoughtful approach to security is critical
I championed a paradigm shift when my teams began building a new development model to combat the incident and future attacks. We weren’t trying just to make our system more secure. Instead, we took a thoughtful approach in creating a model resilient to attack, designed to minimize risk today while continuing to adapt and reduce future risk. To do so, we’re developing a multiple-build model with no single point of failure. We call this our Next-Generation Build System.
Since building software is what we do at SolarWinds, we understand not every company will be able to build this model at the scale we are, but taking a thoughtful approach can help everyone. Building secure and resilient ecosystems starts with changing the mindset of security. Security isn’t simply a technical problem to be solved, but instead a series of long-term risks which must be managed. You can’t keep a focused and well-resourced adversary out. Instead, what you can do is work to stop the adversary on their path to achieving their goal. Creating blocks and obstacles to stop the adversary is how you win.
It’s important to normalize conversations about risk rather than just security. It’s along the same frame of thought, but when CIOs and CISOs have discussions, they need to look at it through the risk mitigation lens. It’s more important than ever for CISOs and CIOs to work together effectively to help ensure organizational efficiency. Again, having a secure network is a moving target and can become overwhelming, whereas a broader focus on addressing vulnerabilities and threats unique to your system helps create a space for your teams to develop solutions built to minimize risk. And as risk minimization increases, your system becomes far more secure.
Minimizing risk for future security
As Michael said during our panel, there are more risks every day because the network is everywhere, and the threat landscape is far more heterogeneous and diverse. Because so much depends on this overarching network, any minor breach or incident is no longer an annoyance or simple issue; it can be catastrophic.
Security teams can no longer afford to work in silos; all teams across the organization must take an active role in minimizing threats. However, by shifting your mindset towards addressing your system-specific vulnerabilities, you can get to a practical measurement of the real risk to your organization.
If you’d like to learn more about our Next-Generation Build System or how we’re working to set the new standard in secure software development, please check out our Secure by Design resource page and other informational content around these initiatives, including a video on our new secure software standards.