The intrusion into SolarWinds, FireEye, and multiple US government agencies continues to roil the cybersecurity world. In only a few days, a slew of additional details have emerged about the scope of the intrusions, with more surely to come.
Security vendors spend all their time talking about security but not in a way that’s useful right now. As we wrote in our prior blog, no vendor should turn what happened to these companies into a marketing opportunity. Let us repeat for emphasis: No vendor should turn what happened to these companies into a marketing opportunity. Other security vendors should also understand that this is not a time to throw stones at FireEye — a breach like this could happen to any vendor.
But security vendors do need to have a conversation with customers. Security leaders need answers.
Security vendors are notoriously closemouthed about attempted intrusions against them as a vendor. Despite a series of intrusions on vendors — RSA and Lockheed Martin, MeDoc, SolarWinds, and FireEye — it is virtually impossible to get a vendor to talk about what they deal with. And as the prior examples demonstrate, vendor intrusions are often a mechanism into their customers, as well. Here’s why this matters now:
If the threat actors went after FireEye, what other security vendors did they go after?
Does anyone doubt that other security vendors were on the list of potential targets?
End users should ask the following of their security vendors:
- Does the vendor use SolarWinds? If so, what specific products are in use?
- Does the vendor have any (third-parties) suppliers, partners, contractors, or outsourcers that use SolarWinds? If so, what specific products and versions are in use?
- If the vendor does use SolarWinds, did they detect any evidence of this activity? If they don’t use SolarWinds, have they checked to be thorough?
- For companies that aren’t using SolarWinds, how would those vendors thwart a similar intrusion? Does the vendor have plans to do a red team, purple team, or tabletop exercise to figure that out?
Some other interesting security vendor questions:
- The intrusions began in March. If someone reverses signatures, IoCs (indicators of compromise), and other detection rules, are they going to discover any that were created by a security vendor prior to this being public?
- If the vendor did see this, what is their notification process like for SolarWinds? What is their process for notification in situations like this for their vendors?
- What are the most successful intrusions against them that vendors have experienced? What did they do as a result? What changes were made?
This is an opportunity for vendors to offer transparency — and demonstrate empathy — by sharing that what happens to them also happens to their customers, their competitors, and their peers. FireEye has largely received community praise for the openness and transparency exhibited when announcing its breach. Sharing lessons learned, anti-patterns, and changes made as a result will help everyone get better.
Other vendors should learn this lesson and recognize that this is a community.