The SolarWinds incident was a wake-up call for most of the security professionals surveyed by DomainTools.
The SolarWinds breach has affected a host of government agencies and organizations around the world through a sophisticated supply-chain attack: rather than exploiting a vulnerability in deployed software, the attackers compromised the build process of the Orion network management software and shipped a backdoor inside its legitimately signed updates. The cybersecurity community, government agencies, and affected victims are still picking up the pieces and investigating the causes and effects of the hack.
Whether or not your organization was directly affected, your cybersecurity posture may shift as a result of the attack. A report released Tuesday by threat intelligence firm DomainTools looks at the ramifications of the breach among different organizations.
Based on a survey of 200 security professionals and executives around the world, DomainTools’ report, The Impact of the SolarWinds Breach on Cybersecurity, found that 96% of respondents were either slightly or highly concerned by the attack.
Some 19% were directly impacted by the SolarWinds incident, while 16% were still trying to determine whether they were impacted. Among those that were impacted (more than one answer was allowed, so the figures do not sum to 100%), 60% said they were still trying to figure out if they were actually breached, 29% said that their work tempo was elevated even though they weren’t breached, 21% said that other organizations in their ecosystems were breached, and 21% said they were directly breached.
Analyzing their own security defenses, most of those surveyed expressed confidence in their visibility into security issues and information. Some 72% said they were fairly to very confident, 21% were only slightly confident, and 7% had no confidence at all.
State-sponsored attacks like the SolarWinds breach have raised alarm bells in both the private and public sectors. Such incidents show how nation states are able to marshal significant resources and skills to pull off major breaches throughout the world. Among the respondents, 81% said their organization places a high or moderate emphasis on protecting themselves against state-sponsored attacks.
Further, those surveyed were asked whether attributing the attack to a specific source is a factor in their response. Some 83% said that attribution played a very or fairly important role in responding to an attack.
Respondents cited four reasons attribution was important: 1) Attribution provides context around the kinds of tactics and indicators of compromise they need to find; 2) attribution fosters greater support from management toward resource allocation to investigate the incident; 3) attribution informs their responses based upon current threat modeling; and 4) attribution is a required output of their incident response processes.
As a result of the SolarWinds attack, 20% of the respondents said their security budgets would increase. The additional funding would go to several areas, including threat hunt tooling, incident response and forensics tooling, threat hunt staffing, and zero trust initiatives. Some 61% already have a threat hunting team, leaving 39% who have no such team in place.
Next, the SolarWinds hack will influence how many organizations manage their external vendors and supply chain partners, specifically in the area of security.
Among those surveyed, 47% said they would now require suppliers to follow their internal security standards and legally attest to that fact, 39% said they would implement increased network segmentation by isolating vendor software and appliances in a higher-risk zone, 24% said they would set up Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) scanning of vendor-supplied software before it’s used in their environments, and 19% said they would eliminate their reliance on vendors with ties to adversarial nations. One practical caveat on the scanning measure: SAST needs source code, which most vendors do not provide, so for commercial software the realistic options are DAST against the deployed product and analysis of the shipped binaries.
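As an added illustration of the segmentation measure above (this is an example written for this page, not part of the DomainTools report or any vendor's documentation), the nftables ruleset below confines a vendor network-management appliance to its own zone: it may poll the hosts it manages and resolve names through the internal resolver, it may fetch updates only through a logging proxy, and every other connection it initiates is logged and dropped. The subnets, resolver, proxy and admin-network addresses, the proxy port and the appliance's console port are all assumed values chosen for the example.

```nftables
#!/usr/sbin/nft -f
# Example vendor-zone ruleset (added illustration, not from the report).
# All addresses and non-standard ports below are assumed for the example.

define VENDOR_ZONE = 10.50.0.0/24   # assumed: subnet holding vendor appliances
define MONITORED   = 10.0.0.0/8     # assumed: hosts the appliance is allowed to poll
define RESOLVER    = 10.0.0.53      # assumed: internal DNS resolver
define PROXY       = 10.0.0.80      # assumed: logging egress proxy for vendor updates
define ADMIN_NET   = 10.10.0.0/24   # assumed: network from which admins reach the console

table inet vendor_zone {
    chain forward {
        # Default deny on everything crossing the firewall; rules below open
        # only the paths the appliance needs.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept

        # Polling traffic from the appliance to the hosts it manages.
        ip saddr $VENDOR_ZONE ip daddr $MONITORED udp dport 161 accept          # SNMP
        ip saddr $VENDOR_ZONE ip daddr $MONITORED icmp type echo-request accept # ping

        # Name resolution only via the internal resolver, so the zone cannot
        # reach arbitrary external DNS servers.
        ip saddr $VENDOR_ZONE ip daddr $RESOLVER udp dport 53 accept
        ip saddr $VENDOR_ZONE ip daddr $RESOLVER tcp dport 53 accept

        # Vendor updates go through the proxy; direct Internet egress from the
        # zone falls through to the drop policy.
        ip saddr $VENDOR_ZONE ip daddr $PROXY tcp dport 3128 accept   # assumed proxy port

        # Administrators reach the appliance's web console only from the admin network.
        ip saddr $ADMIN_NET ip daddr $VENDOR_ZONE tcp dport 443 accept

        # Anything else the appliance initiates is logged (a threat-hunting
        # signal) and dropped.
        ip saddr $VENDOR_ZONE log prefix "vendor-zone-drop: " drop
    }
}
```

Load it with `nft -f` on the firewall that routes between the vendor zone and the rest of the network. The log line at the end is the part worth watching: an appliance that should only ever talk to its polled hosts, the resolver and the proxy has no legitimate reason to generate those drops, so any sustained hits are a hunting lead rather than noise.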
Finally, an incident like the SolarWinds attack shows that organizations need to be more proactive about their security defenses.
“The majority of respondents may have expressed confidence in the visibility of their networks, but the length of the SolarWinds intrusion suggests that visibility alone may not be enough,” the report said. “It needs to be paired with proactive security measures such as threat hunting to be able to spot the most elusive compromises. SolarWinds should be compelling evidence for security teams to win the argument for dedicated threat hunting resources.”