The Long Deep Reach of the SolarWinds Compromise

April 23, 2021
by Paul Roberts

The news about the compromise of SolarWinds has started to recede, but it will remain a watershed event in the history of information security. If you haven’t heard the podcast by the Andreessen Horowitz (a16z) team discussing the compromise and its consequences, it is worth a listen.

a16z’s resident CSO, Joel de la Garza, nails the key strategic question regarding information security in organizations when he says, “Where does Security sit? What is the right amount to spend on it? How do you effectively empower it and how do you partner and build security into your business so that it is something that helps enable it versus something that holds it back.” Companies that thrive after this watershed event will grapple with these questions and find a symbiotic balance in which security protects the company while enabling agility, producing a real competitive advantage.

On a more tactical level, what can you do to protect yourself against attacks like this? While there is no silver bullet, there is plenty that companies can do to lower their risk profile. Much of the advice the a16z team offers will sound familiar to those with experience.

Some practical takeaways

  • multi-factor authentication on your critical third-party applications (where is your customer data?)
  • strong passwords
  • regularly perform access reviews and revoke unnecessary access and permissions
  • encrypt data communications within your own datacenter
  • patching – OS, applications, software library dependencies
  • if your server doesn’t need outbound access to the internet, make sure it can’t reach it
  • capture event log data and retain it for years

See a more comprehensive list from a16z here.

The initial compromise of the SolarWinds build process itself would probably have been preventable with the good security hygiene described above, but it isn’t easy to check all these boxes with a limited budget and limited organizational influence.

This incident has shed new light on the management of third-party risk. Joel de la Garza highlights this challenge in the podcast, saying, “The hardest (security) problem to solve is third party risk.”

Companies can mitigate that risk in a myriad of ways. Some suggestions include:

  • maintaining an accurate and regularly updated list of vendors
  • regular validation of security settings in SaaS applications
  • reviewing SOC2 documents of vendors
  • vendor security questionnaires
  • regular API integration reviews

Vigilance here used to be optional. In the post-SolarWinds era, it no longer is.

Here at Zilla, we are building a SaaS solution that facilitates good security hygiene.

We automate the complex task of assessing the security posture of all your cloud services and help you drive least-privilege via automated access reviews.