The SolarWinds compromise of 2020 had a global impact and drew on the resources of both the public and private sectors in an all-hands-on-deck remediation effort. The event also had a deleterious effect on the SolarWinds stock price. These two events were, predictably, followed by a bevy of civil lawsuits. Fast forward to late March 2022, and a federal court has ruled that the suit naming SolarWinds; its vice president of security and CISO, Tim Brown; and two principal investor groups, Silver Lake and Thoma Bravo, may go forward.
As Violet Sullivan, cybersecurity and privacy attorney of client engagement at Redpoint Cybersecurity, observes, the judge finds that the plaintiffs “may have a claim, so the judge is going to hear it.” She explains, “It’s not what is being said in the order that is interesting. It’s what will be shown during the discovery process that is interesting. There will be questions in this suit including: Will the forensic reports be available during the discovery or covered by attorney-client privilege?”
Key question: Did SolarWinds cut corners on security?
The judge’s decision highlights what every CISO dreads: personnel cutting corners on the basics of cybersecurity 101. Lax password management carries a price. SolarWinds is adamant that the infamous password “solarwinds123,” which a security researcher found in November 2019 on an “update server,” was changed within an hour of notification and isn’t related to the Russian breach of SolarWinds. However, Sullivan opines, the “password issue on the update server is … just an entry point.”
The judge decided “the allegations of underlying security issues (such as the ‘solarwinds123’ password breach)” need not suggest that these security issues directly caused the loss. Instead, their purpose is to demonstrate that the executives were at least reckless in not realizing that something was dangerously amiss. “An egregious refusal to investigate may give rise to an inference of recklessness.”
Indeed, a one-off violation like the one on the “update server” is not unique to any one company. Shortcuts are taken, and policies exist to reduce the likelihood of incidents such as this. That said, former employees, described in the judge’s decision as “a sales engineer, a security specialist, a backup and disaster recovery specialist, a director of global recruiting, an HR contractor, a security account manager, and a marketing associate,” all alleged the absence of such cybersecurity policies.
While the civil lawsuit will continue its course, there are several important takeaways for CISOs.
Personnel need to follow policy and procedures
To the company’s credit, it published a “security statement” describing the seriousness of its cybersecurity policies and procedures. Whether this was window dressing or reality is what the suit will determine, as the plaintiffs allege that the marketing and public relations statements made by SolarWinds on its website, including video statements from the CISO, projected a mature cybersecurity culture within SolarWinds that did not exist.
CISOs should ensure that business or operations leaders are the drivers of the policies and procedures their personnel follow, with the CISO’s information security team supporting the business. This requires business operations to ensure alignment between what the company says publicly and what it does internally.
Sullivan notes as the case moves forward, “What other exhibits will be referenced to show negligence on behalf of SolarWinds? What can you imagine as a CISO that might be used against you to show that you are just a compliance ‘check the box’ place, or do you really care about security (reasonableness standard)?”
Maintain a register to track and manage risks
Matt Georgy, CTO of Redacted, Inc., observes, “What makes SolarWinds’ exploitation particularly bothersome is the fact that it’s used to manage/monitor IT systems.” Core to a risk management program, he continues, is the risk register, in which risks to business operations are tracked and managed. This includes risks associated with reliance on commercial software applications and open-source software.
Document cybersecurity training
It is noteworthy that this mixed bag of employees and contractors allege that they “were not aware of an information security policy or a password policy, and they did not receive cybersecurity training.” The need for documentation cannot be overstated. Being able to produce evidence not only that training was provided, but that each employee attested the training was received and understood, quickly silences allegations of a lack of training.
Assign mission-critical tasks according to risk
“Organizations need to reconsider how they assign mission-critical business tasks by risk ranking activities,” says Matthew Rogers, global CISO at Syntax. “It is not always about the work being done that should be assessed when tasks are being assigned. Instead, businesses today must consider the gravity of the error that could happen if work is performed improperly and be overly cautious when identifying ownership of these types of assignments. It’s worth paying more for experience and quality for simple work that could cost you everything if done wrong.”
“At the end of the day, the buck stops with the CISO,” says Justin Wray, director of innovation security at CoreBTS. “Security is not a one-person show,” and the CISO is supported by a team of experts engaged in the technical activities of cybersecurity.
Have a long-term security plan, but be prepared to pivot
Wray makes an observation, which I posit all CISOs would embrace, “It is vital to note that while a high-level, long-term plan is important to a secure IT roadmap, life happens and no one is completely safe from a breach. The security world is changing every day and in the event of a breach, such as SolarWinds, a CISO needs to know how to pivot. Security control and implementation, meaning leveraging day-to-day resources to monitor tools and updates, is the foundation of a solid security posture. Organizations that remain stagnant because everything looks fine on the outside are not properly setting up their organization for success when a breach ultimately occurs.”
Similarly, given the dynamic nature of every business, policies and procedures must be easily accessible and updated regularly. Updates are driven by changes in business direction, risk identification, and mitigation, all of which are owned by the business operations group, again with the support of the CISO and the infosec team.
Resource cybersecurity according to risk
CISOs are uniquely positioned to provide business operations with insight on the threat landscape and, together with them, create the appropriate risk management plan. I recently mentioned how cybersecurity is often something companies get around to. The SolarWinds cyberattack and the resultant civil lawsuits demonstrate that well-documented investment in cybersecurity must be at the forefront.
Nabil Hannan, managing director at NetSPI, says, “Internal threats are still a lingering and often under-addressed cybersecurity threat within organizations, especially when compared to the resources applied toward external threats. But, with buy-in from an organization’s leadership team, CISOs can have the resources needed to develop a proactive and ongoing threat detection governance program.”
Those who hesitate may find themselves playing catch-up, spurred along by the new U.S. Securities and Exchange Commission initiative requiring public disclosure of an information security breach within four days of determining that the breach is material. Similarly, the SEC’s desire to have companies describe how they address cybersecurity will drive greater transparency within many companies. This SEC effort will pull infosec out of the back room and to the forefront, as policies, procedures, resourcing, and expertise will be on full display in the required SEC filings.