It’s a meme now to say “In these unprecedented times”, but it sure does fit, doesn’t it? As we look back on 2020 and the “interesting times” we find ourselves living in, I think we should take a moment to reflect on resilience. As security professionals, we are humans first. People with families, friends, co-workers and the communities in which we live. With COVID-19 still continuing to ravage our communities globally, it is a time to take care of our families and communities first. As we go into the holidays, we can reflect on how we have managed to overcome the challenges from this past year – most of us tested in ways we haven’t been before. Surviving and perhaps thriving after the multiple crises of 2020 is a sign of resiliency – a term that is thrown around security loosely, but one we can practice in our personal lives. Being able to translate personal resiliency in the face of adversity into professional resiliency will be a challenge going into 2021. A challenge I personally look forward to.
I assumed the role of CEO at Fidelis Cybersecurity in October 2020. I left Accenture Security where I was Managing Director and Global Lead for platforms. It was a role I enjoyed and one I learned from very much. One of my biggest takeaways as a service provider is to focus on customer problems rather than on whatever product I could be selling. It is this customer focus I bring to Fidelis in a role I have served in before. I previously started and ran Invincea, a next gen endpoint security company until Sophos acquired Invincea in 2017. In other words, building, innovating and selling security products is indeed my “wheelhouse” and the chair I am most comfortable in, but one informed by my experiences serving clients in the Global 2000.
It was with this mindset that I took on the role to lead Fidelis into 2021 and beyond. I inherited not only a great product set with deep technology built with over 15 years of R&D, but also a great team. One of the recurring themes I learned about Fidelis’s products is the deep level of technology we have built, paired with a poor level of understanding in the market at large of why this technology is needed.
One of the leaders I worked for used to say we are here to do the best work of our careers. That comment stuck with me. Being in security for decades now, I think it is easy to be cynical both about the level of compromise that continues unabated and the vendor claims on the back of such continual compromise. Neither has diminished over time and it creates a certain level of cynicism in the field for buyers, users, and people who serve in the field.
But now is not the time to be cynical. What the SolarWinds software compromise means is that adversarial techniques have “jumped the shark” again, and it demands a new commitment to fighting this threat. For those of us who have worked in US Government classified spaces, we will not be surprised at the level of sophistication a foreign intelligence actor needs to, on the one hand, compromise the software supply chain of a major IT vendor and, on the other, execute surgical strikes against select targets.
What is new is that these attacks were successfully executed, undetected, against premier US Government agencies, along with countless other commercial firms that are only now beginning to grapple with what this all means.
Having been in cybersecurity since the mid-1990s, I can recall many crisis-defining moments in my career. Moonlight Maze, Code Red, Nimda, Stuxnet, OPM, Sony Pictures, and Saudi Aramco come to mind (and the Morris worm if you want to go way back). None of them compare in scope and sophistication to this attack. The closest would be Stuxnet in level of sophistication, but not in scope or scale of compromise. In other words, this is a career-defining crisis moment that tops all the prior ones I’ve lived and worked through. How we respond to this will define us, not only at Fidelis, but all of us in the security profession. Are we ready to rise to the moment, or will our cynicism leave us flat on our feet?
Our imperative is to respond to this moment with the mission of finding and eradicating such threats from the network, and then putting in place mechanisms to detect and respond to sophisticated threats in the future before they cause harm. This is our career-defining moment: either we rise to the moment and produce the best work of our careers, or the moment defines us as unable to respond in kind.
The widespread nature of the SolarWinds (Sunburst) compromise has enterprises and government agencies asking, “what next?” once they have taken the immediate steps of eliminating the compromised code and perhaps even taking the servers offline as CISA recommended.
The questions enterprise leaders need to be asking are: was I compromised? Was additional malicious software installed in my network? Did the adversary gain persistence in the environment? Was data compromised or exfiltrated? If so, what? Why did my existing tooling and processes not detect the attack? How do I get in front of these attacks in the future? These questions are not restricted to just this incident, because we know the adversary changes tactics and techniques and will continue to hit the networks with different vectors.
The question in my mind is not so much how the adversary will get in (spear phishing, supply chain compromise, vulnerable server, insider threat, etc.), but how will you detect and respond to the threat once it is on the network.
The challenge for security teams is to detect and respond to the attacker before they cause harm. In the case of ransomware this can be within moments. In the case of data exfiltration, it can be months while the adversary discovers the network, identifies assets, escalates privilege, moves laterally, and leaks data out. All of these behaviors are indicators of compromise, and the techniques and methods are relatively well understood. Finding one and treating or triaging it in isolation may lead you to miss the larger attack campaign. Understanding how they may be tied together in a campaign may drive you to a broader investigation and response that stops the adversary from achieving their objective.
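To make the "tied together in a campaign" point concrete, here is an added example (my own illustration, not code from the original post or from Fidelis) that groups individual low-severity alerts by the account involved and promotes the group to a campaign only when several distinct stages of the progression above appear inside a time window. The stage labels, the `SAMPLE_ALERTS` lines and the account/host names are constructed for the example, not a real taxonomy or a real incident.

```python
"""Campaign correlation over individual indicator alerts.

Added example (not from the original post or from Fidelis). Each alert on its
own would be triaged as a single low-severity event; grouping them by actor
and checking for multiple attack stages in one window exposes the campaign.
Stage names and sample alerts are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# The progression the text describes: discover the network, identify assets,
# escalate privilege, move laterally, leak data out. (Constructed labels.)
STAGES = ["discovery", "asset_identification", "privilege_escalation",
          "lateral_movement", "exfiltration"]

# Constructed sample alerts, one per line: timestamp|host|account|stage|detail
SAMPLE_ALERTS = """\
2020-12-14T09:02:11|ws-17|jdoe|discovery|ldap enumeration of domain groups
2020-12-14T09:40:53|ws-17|jdoe|asset_identification|smb share listing on 12 hosts
2020-12-14T11:15:02|ws-17|jdoe|privilege_escalation|new local admin via token use
2020-12-15T14:03:27|ws-17|jdoe|lateral_movement|remote service created on fs-02
2020-12-18T03:11:49|fs-02|jdoe|exfiltration|2.1 GB outbound to rare external host
2020-12-14T10:00:00|ws-42|asmith|discovery|port scan of local subnet
"""


def parse_alerts(text):
    """Parse the pipe-delimited alert lines into dicts, rejecting unknown stages."""
    alerts = []
    for line in text.strip().splitlines():
        ts, host, account, stage, detail = line.split("|", 4)
        if stage not in STAGES:
            raise ValueError(f"unknown stage: {stage}")
        alerts.append({"time": datetime.fromisoformat(ts), "host": host,
                       "account": account, "stage": stage, "detail": detail})
    return alerts


def correlate(alerts, window=timedelta(days=30), min_stages=3):
    """Group alerts by account; report a campaign when a run of alerts that
    fits inside `window` covers at least `min_stages` distinct stages.
    Grouping on the account (not the host) is what links the lateral move
    from ws-17 to the exfiltration from fs-02 in the sample data."""
    by_actor = defaultdict(list)
    for a in alerts:
        by_actor[a["account"]].append(a)

    campaigns = []
    for account, group in by_actor.items():
        group.sort(key=lambda a: a["time"])
        # Sliding window: extend the right edge one alert at a time, advance
        # the left edge while the span exceeds the window, keep the widest
        # qualifying run.
        left, best = 0, None
        for right in range(len(group)):
            while group[right]["time"] - group[left]["time"] > window:
                left += 1
            run = group[left:right + 1]
            stages = {a["stage"] for a in run}
            if len(stages) >= min_stages and (best is None or len(run) > len(best)):
                best = run
        if best:
            seen = {a["stage"] for a in best}
            campaigns.append({
                "account": account,
                "hosts": sorted({a["host"] for a in best}),
                "stages": [s for s in STAGES if s in seen],  # in kill-chain order
                "start": best[0]["time"],
                "end": best[-1]["time"],
                "alerts": len(best),
            })
    return campaigns


if __name__ == "__main__":
    for c in correlate(parse_alerts(SAMPLE_ALERTS)):
        print(f"{c['account']}: {c['alerts']} alerts across {c['hosts']} "
              f"from {c['start']} to {c['end']}; stages {c['stages']}")
```

Run against the sample data, the single `asmith` port scan never becomes a campaign, while the five `jdoe` alerts spread over four days and two hosts do. Shrinking the window to one day shows the failure mode the text warns about: only the three same-day alerts are linked and the lateral movement and exfiltration fall back to isolated triage, so the window and grouping key are the tuning decisions that decide whether a slow campaign is seen as one incident or five unrelated tickets.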
My sense of this attack is we are still in the very early stages of understanding the full extent of the compromise and the methods used by the adversary. Remember the adversary is persistent and will use different methods than the ones that are known and published. And in the process of getting a handle on the incident, I believe we will find other adversaries lurking, simply because security teams haven’t looked closely enough before, often managing alerts rather than finding the adversary that lurks in the noise. This event will create a lot of security work for teams already overwhelmed. Now is the time to extend security teams and help automate the process of finding and eliminating intruders on the network.
Recognizing that we are dealing with an adversary with nation state resources, it would be folly to go into this fight on your own. Rather, we are all best served by finding the right alliances to collectively fight the adversary. This means enterprises need to ally with other enterprises in similar verticals to share threat intelligence and best practices. Groups such as FS-ISAC, RH-ISAC and other similar groups make this possible. If you aren’t participating in your industry, national or regional group, now is the time to start participating. Extending the security team with an outside team of incident investigators makes good sense as well, because more than likely your enterprise security team is overwhelmed with the daily firefights and alerts. An outside look can be especially helpful in uncovering this and other adversaries on the network. I have my own views on who can help best, but ask around and you’ll find some capable firms here; some regional providers can be very helpful.
Likewise, product solution providers can best serve their customers by forming alliances with other natural ecosystem partners where technical integrations of products can yield synergies in detecting adversaries that work across endpoints, network egress/ingress points and cloud services. Imagine vendors working together to collect and share telemetry and integrate response across the enterprise while providing customers the single integrated view of actionable incidents. Today this largely happens when the enterprise performs the integrations themselves. Product vendors should do this homework themselves and present integrated solution sets to customers. Alliances are one of the best ways to accomplish this.
At Fidelis we are forming such alliances and will be glad to take on new partnerships that best serve our customers.
If you’ve hung with me so far, you can tell that at Fidelis we are serious about responding to the threat and rising to the challenge. In the coming weeks, we intend to publish a series of videos showing how you can detect observable behaviors that indicate compromise and what you can do to both detect and respond to these types of attacks in the future.
On a personal level, I hope to do the best work of my career at Fidelis, and I hope you will do the same wherever you are. If you are in the security profession, now is the time to rise to the challenge, and our colleagues across industry and government are counting on our best work.