Nation-state actors and cyber criminals are launching increasingly sophisticated attacks that offer greater rewards with the least amount of work. By infecting widely used software, they are frequently able to affect a massive number of users and organizations and while going undetected for months. Nearly two months after the SolarWinds attack exposed government and corporate data, President Joe Biden is planning to release an executive order that is aimed at addressing the security gaps exposed by the attack — further signaling the need to strengthen supply chain defenses.
Recently, SolarWinds published a blog sharing details of the malicious code that was added to their Orion Platform Software in September 2019. This large scale supply chain attack reminds us of the importance of securing the entire technical ecosystem (i.e., development, testing, staging, etc.).
Cyber security efforts should encompass not only the production environment but, equally as importantly, the development, staging and testing environments. As most companies focus on the production environment, supply chain attackers focus on exploiting weaknesses found in a vendor’s development cycle. In addition, pen testers and compliance teams are often limited to assessing production controls. They may only touch on the change management process and possibly segregation of duties. However, if other technical or procedural controls are weak, it creates a strong opportunity for risk.
“Our concern is that right now similar processes may exist in software development environments at other companies throughout the world,” said SolarWinds CEO Sudhakar Ramakrishna. “The severity and complexity of this attack has taught us that more effectively combating similar attacks in the future will require an industry-wide approach as well as public-private partnerships that leverage the skills, insight, knowledge, and resources of all constituents.”
Securing the development is paramount, as supply chain attacks like SolarWinds can be carried from development to production and ultimately deployed across thousands of customers and millions of devices. The nation state attack posed a great danger for organizations because it was an update that was released, signed and certified, and laid dormant for weeks before deploying the attack. This application was included on the allow-list of many organizations — so antivirus, firewalls, and email security solutions were useless.
It is important to remember to take the time to secure and conduct 24 x 7 monitoring across all of your environments from development through production. Incorporating a managed, detection, and response (MDR) solution is key to securing and detecting suspicious activity throughout the software development lifecycle.
Learn more about MDR in our eBook: 5 Things to Consider When Choosing an MDR Provider
Product Marketing Manager | Pondurance
Monique is a Product Marketing Manager and has worked in cyber security roles for more than 5 years. Prior to joining Pondurance, Monique worked with Truyo powered by Intel®, specializing in data privacy rights automation and consent management and was a product and channel marketing specialist at SiteLock. Monique has a passion for cyber security and leveraging her knowledge to create better experiences for consumers and businesses throughout their customer journey. Outside of cyber security, Monique loves photography and taking pictures of the beautiful Arizona sunsets and landscape.