More Money Won’t Prevent the Next SolarWinds - But Better Detection Strategies Will

The SolarWinds supply chain attacks aren’t out of the news yet - not by a long shot. Now is when we’re starting to see the U.S. government implement changes in response to the incident.

But is throwing more money at the problem a viable strategy? Let’s take a look at the latest moves by the FCC as an example.

On February 17, the Federal Communications Commission (FCC) voted to seek comment on multiple proposals that would change the rules of its Secure and Trusted Network Reimbursement Program.

Created by H.R.4998 in the 116th U.S. Congress in 2019, the Secure and Trusted Network Reimbursement Program empowers the FCC to fund communications providers with two million or fewer customers to remove prohibited or harmful equipment and replace it with more secure devices or services.

One of the proposals would broaden the pool of service providers that are eligible to receive those “rip and replace” funds. If approved, it would allow the FCC to provide funding to communications providers with up to 10 million subscribers.

Another proposal on which the FCC is seeking comment is to align the Reimbursement Program with July 2020 orders that designated Huawei Technologies Company and ZTE Corporation as national security threats. Were that to happen, the FCC could use its funds to help eligible service providers rip and replace equipment obtained on or before July 30, 2020.

The final proposal is to clarify the rules, eligibility and functions of the Reimbursement Program in the event that reimbursement requests exceed the $1.895 billion appropriated by the Consolidated Appropriations Act of 2021.

Jessica Rosenworcel, acting chairwoman of the FCC, said these moves are part of the FCC’s effort to “revitalize its approach to network security because it is an essential part of our national security, our economic recovery, and our leadership in a post-pandemic world. The sooner we conclude this proceeding, the swifter we can start helping providers secure their networks,” Rosenworcel said, as quoted by MeriTalk.

“But this is only the beginning. The damage from recent supply chain attacks, like the SolarWinds software breach, demonstrates the need for a coordinated, multifaceted, and strategic approach to protecting our networks from all threats. With this new appropriation from Congress, we have an opportunity to do just that.”

On the Need to Be Strategic

What stood out to me in Rosenworcel’s comments was the fact that she used the phrase “strategic approach.” This is important when we think about ripping and replacing technologies that we deem to be a security threat. In that context, the amount of money that we’re talking about isn’t important. 

It could be $2 billion or $250 billion or even $10 trillion. It doesn’t matter. What matters is how we spend the money. The U.S. government has already spent trillions of dollars on improving its digital security posture over the last 20 years. Adding more of the same on top of all that spending won’t do any good.

I’m not just talking about the government, either. The SolarWinds supply chain attacks affected more than just government entities, after all. Even security firms fell victim to the attack, a reality which confirms the advantage that digital attackers enjoy in every sector. This points to the need to do something different.

Now, more than ever, we have the opportunity to focus on innovation and advancing the development of more effective detection capabilities rather than just deploying different iterations of the same old tired toolkit. We need to look beyond tools that only leverage retrospective Indicators of Compromise (IOCs) - the file hashes, IP addresses and domain names harvested from an attack that has already been discovered somewhere else - because this artifact-based approach failed to detect the SolarWinds attacks. 

In an age where sophisticated attackers create unique attack sequences tailored to individual targets, we can no longer expect the IOC artifacts from one attack detected within one organization’s environment to be an effective means to detect and prevent advanced attacks in another organization’s environment. 

Instead, we need to look to behavior-based approaches that can detect the rare chains of behavior, each step of which may look benign on its own, that laid the foundation for the SolarWinds attacks. More specifically, we need to shift away from our reliance on artifacts and move towards leveraging Indicators of Behavior (IOBs), the more subtle chains of behavior that can surface an advanced attack long before it can escalate to a major security event. With this operation-centric approach, we can defend ourselves against novel attack campaigns regardless of whether someone has seen them unfold somewhere else.
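To make the IOC-versus-IOB distinction concrete, here is an added example that is not code from the original post or from Cybereason’s platform. It runs a hash-based IOC lookup and a behavior-chain correlator over a constructed endpoint event stream in which a signed updater spawns an unsigned child that resolves a domain seen on only one host in the fleet and then installs persistence. The event records, hashes, domain names, prevalence counts and the three-step rule are all hypothetical, chosen to illustrate the argument rather than to describe the actual SolarWinds tradecraft.

```python
"""
Added example: artifact (IOC) matching versus behavior-chain (IOB-style)
correlation over a constructed endpoint telemetry stream. Every value below
is hypothetical; none of it is real threat intelligence.
"""

# Hypothetical IOC feed: hashes of samples recovered from an *earlier* intrusion.
IOC_HASHES = {"aa11" * 8, "bb22" * 8}

# Constructed event stream. Each record carries the pid it belongs to; process
# records also carry the parent pid so lineage can be reconstructed.
EVENTS = [
    # A trusted, signed updater that phones home to its vendor and stays benign.
    {"type": "process", "pid": 100, "ppid": 1, "image": "updater.exe",
     "signed": True, "sha256": "cc33" * 8},
    {"type": "network", "pid": 100, "domain": "updates.vendor.example"},
    # A second copy of the same signed updater spawns an unsigned child whose
    # hash nobody has on a blocklist; the child resolves a domain seen nowhere
    # else in the fleet and then registers a scheduled task.
    {"type": "process", "pid": 200, "ppid": 1, "image": "updater.exe",
     "signed": True, "sha256": "cc33" * 8},
    {"type": "process", "pid": 201, "ppid": 200, "image": "svchelper.exe",
     "signed": False, "sha256": "dd44" * 8},
    {"type": "network", "pid": 201, "domain": "a1b2c3.cdn-sync.example"},
    {"type": "persist", "pid": 201, "task": "SvcHelperSync"},
]

# Constructed fleet-wide prevalence: how many hosts have resolved each domain.
DOMAIN_PREVALENCE = {"updates.vendor.example": 4800, "a1b2c3.cdn-sync.example": 1}

# The hypothetical chain: all three behaviors must occur in one child process.
REQUIRED_STEPS = ("spawn", "rare_domain", "persistence")


def ioc_matches(events, ioc_hashes=IOC_HASHES):
    """Artifact-based detection: flag any process whose hash is on the IOC list.
    A hash never seen before produces no hit, however suspicious its behavior."""
    return [e["pid"] for e in events
            if e["type"] == "process" and e["sha256"] in ioc_hashes]


def behavior_chain_matches(events, prevalence=DOMAIN_PREVALENCE, rare_threshold=5):
    """Behavior-based detection: correlate three individually unremarkable
    events within a single process lineage:
      1. a signed parent spawns an unsigned child,
      2. that child resolves a domain seen on <= rare_threshold hosts,
      3. that child creates a persistence artifact.
    Returns {child_pid: {step_name: human-readable detail}} for complete chains."""
    signed_pids = {e["pid"] for e in events
                   if e["type"] == "process" and e["signed"]}
    chains = {}  # child pid -> steps observed so far
    for e in events:
        if e["type"] == "process" and not e["signed"] and e["ppid"] in signed_pids:
            chains[e["pid"]] = {
                "spawn": f"unsigned {e['image']} spawned by signed parent pid {e['ppid']}"}
        elif e["pid"] in chains:
            steps = chains[e["pid"]]
            if e["type"] == "network":
                seen_on = prevalence.get(e["domain"], 0)
                if seen_on <= rare_threshold:
                    steps["rare_domain"] = f"resolved {e['domain']} (seen on {seen_on} hosts)"
            elif e["type"] == "persist":
                steps["persistence"] = f"created scheduled task {e['task']}"
    return {pid: steps for pid, steps in chains.items()
            if all(name in steps for name in REQUIRED_STEPS)}


if __name__ == "__main__":
    print("IOC hits:", ioc_matches(EVENTS))
    for pid, steps in behavior_chain_matches(EVENTS).items():
        print(f"behavior chain completed by pid {pid}:")
        for name in REQUIRED_STEPS:
            print(f"  {name}: {steps[name]}")
```

Run as a script, the IOC lookup returns nothing because neither hash in the stream was ever published, while the correlator reports pid 201 with all three steps. Each step on its own is routine in a real environment (unsigned helpers, newly registered CDN names and scheduled tasks are everywhere), which is why a single-event rule would drown an analyst in alerts; the signal is the ordered co-occurrence inside one lineage. Raising `rare_threshold` or dropping any one step shows how the chain, not any artifact, carries the detection.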

Ultimately, the U.S. government can help to drive the shift to behavioral detection by encouraging innovation and by working with the private sector to build the next generation of behavior-based solutions. Only through this level of cross-sector collaboration can we make defenders the ones whom we expect to win.

Cybereason’s platform is one of those solutions that’s equipped to defend organizations against malicious activity such as the SolarWinds supply chain attack. It takes an operation-centric approach to security that correlates all of the elements of an attack chain, especially those behaviors that when observed in isolation would appear to be benign, but when manifested in relation to one another present a distinct advantage to an attacker. 

Behavior-based detections empower security professionals to prioritize what’s actually important so that they can commit their time to addressing potential security issues instead of combing through uncorrelated alerts that lack context and piecing together artifacts from an attack after the fact. 

Indicators of Behavior are the key to detecting attacks earlier and remediating them faster, and solutions that leverage this paradigm-shifting approach are already available - just ask us how your organization can benefit.

About the Author

Sam Curry

Sam Curry is CSO at Cybereason and is a Visiting Fellow at the National Security Institute. Previously, Sam was CTO and CISO for Arbor Networks (NetScout) and was CSO and SVP R&D at MicroStrategy, in addition to holding senior security roles at McAfee and CA. He spent 7 years at RSA, the Security Division of EMC, as Chief Technologist and SVP of Product. Sam also has over 20 patents in security from his time as a security architect, has been a leader in two successful startups and is a board member of the Cybersecurity Coalition, SSH Communications and Sequitur Labs.
