When a commercial jet crashes, federal aviation investigators rush to the scene and try to figure out how and why. Their findings are meant to inform the public and the airline industry—and to avoid similar crashes, whether from criminal intent, human error, or technical malfunction.
But when it comes to cyberattacks, no such agency exists to perform similar reviews and share critical information. That’s about to change. In the wake of the SolarWinds attack—in which hackers breached some 300 companies and nine federal agencies, with a cleanup cost of some $100 billion—the Biden administration plans to create a cybersecurity incident review board.
Under a soon-to-be-issued executive order, government software contractors would have to quickly report cyber breaches to a new entity within the Department of Homeland Security. That agency would be similar to the National Transportation Safety Board (NTSB), which investigates civil aviation and other accidents and makes safety recommendations.
The goal of the federal directive, which is expected to include new rules for meeting software security standards, is to help the government detect and respond to cybersecurity incidents. It is also meant to promote supply chain security and push federal contractors to improve their defenses.
But the new requirements for federal contractors are expected to have a much broader impact. Security experts say they will cascade through corporate boardrooms and executive suites as enterprises large and small seek to adopt new security defenses, reduce risk, avoid costly disruptions, and become more transparent to win business and gain customer confidence.
“The government’s approach will likely galvanize the private sector to adopt similar reporting requirements,” says Chris Hallenbeck, chief information security officer (CISO) for the Americas at Tanium. “What company wants to be the one that’s less transparent?”
Indeed, CISOs today are taking a proactive approach to strengthening their businesses and their industries. They are focusing on three crucial areas: stronger controls over software development, increased visibility across their enterprise networks, and improved information sharing.
What’s in your software?
Just like the list of ingredients on a food package, a software vendor’s software bill of materials (SBOM) must clearly and accurately inventory each component and show where it comes from. This is a crucial part of supply chain management. It helps the vendor make sure that the software components are up-to-date and lets the buyer perform vulnerability analysis to evaluate software risk.
“If I ask a software supplier to produce an SBOM and they seem unable to, it will make me question their software development practices,” said Sounil Yu, CISO and head of research at JupiterOne. “Simply knowing that they can produce an SBOM easily gives me confidence that their software development practices are modern or mature enough to counter a wide range of common issues related to vulnerable or poorly maintained software.”
As companies leverage code repositories like the ones on software collaboration platform GitHub, validating the source and veracity of code has grown in importance. “It’s just too easy to integrate software from unknown and possibly malicious sources,” says Frank Dickson, a program vice president who covers cybersecurity for market research firm and consultancy IDC.
While organizations will have a better sense of the software that makes up their technology from a more detailed SBOM, those details could also add a “flood of new data and noise, and not all of it will be actionable,” says David Wolpoff, co-founder and chief technology officer of Randori, a security company that performs adversarial attacks to help customers locate vulnerabilities.
If they haven’t already done so, government contractors must prepare for the complexity that stronger SBOM requirements will add to the federal acquisition process. But, ultimately, they should benefit from a smoother process, says Window Snyder, a former CISO at Square, Inc., and the founder and CEO of computer network security company Thistle Technologies.
A government-required SBOM “could be quite helpful by spelling out what needs to be done for patch and vulnerability management,” she says. “It will help security teams address the not-so-important items that don’t make the tech press, but that they still want to address. If it works well, through [automation], it can measurably reduce patch management from 30 days to 15 days.”
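To make concrete how a buyer can turn an SBOM into the kind of vulnerability and patch-management analysis described above, here is an added example (not code from the article or from any vendor quoted in it). It reads a constructed CycloneDX-style SBOM, checks each component against a constructed advisory feed, and flags components whose provenance the SBOM does not record; all names, versions and advisory IDs are made up for illustration.

```python
import json
from typing import Dict, List, Tuple

# Constructed SBOM in a CycloneDX-like JSON shape; every name, version and supplier is made up.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "netparse", "version": "2.14.1", "supplier": "Example Networks",
     "purl": "pkg:maven/com.example/netparse@2.14.1"},
    {"name": "tlsbox", "version": "1.1.1", "supplier": "Example Crypto",
     "purl": "pkg:generic/tlsbox@1.1.1"},
    {"name": "padleft", "version": "1.3.0"}
  ]
}"""

# Constructed advisory feed (placeholder IDs): a component is affected if lo <= version < fixed.
ADVISORIES = [
    {"id": "ADV-0001", "name": "netparse", "lo": "2.0.0", "fixed": "2.15.0"},
    {"id": "ADV-0002", "name": "tlsbox", "lo": "1.0.0", "fixed": "1.1.1"},
]

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically (assumes dotted integers)."""
    return tuple(int(p) for p in v.split("."))

def affected(version: str, lo: str, fixed: str) -> bool:
    """True when the version falls in the advisory's affected range [lo, fixed)."""
    return parse_version(lo) <= parse_version(version) < parse_version(fixed)

def analyze_sbom(sbom_json: str, advisories: List[Dict]) -> Dict[str, List[str]]:
    """Return only actionable findings, keyed by component name: open advisories with the
    version to upgrade to, plus components whose origin (supplier or purl) is not recorded."""
    bom = json.loads(sbom_json)
    findings: Dict[str, List[str]] = {}
    for comp in bom.get("components", []):
        name, version = comp["name"], comp["version"]
        issues: List[str] = []
        if not comp.get("supplier") and not comp.get("purl"):
            issues.append("unknown provenance")
        for adv in advisories:
            if adv["name"] == name and affected(version, adv["lo"], adv["fixed"]):
                issues.append(f"{adv['id']}: upgrade to {adv['fixed']}")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for name, issues in analyze_sbom(SBOM_JSON, ADVISORIES).items():
        print(f"{name} -> {'; '.join(issues)}")
```

Components already at or above the fixed version (tlsbox here) produce no finding, which is what keeps the report actionable rather than a flood of noise.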
You only manage what you see
Under the expected rules of the forthcoming executive order, government software contractors must swiftly notify the government if they identify a breach or other security incident. But to meet that requirement, vendors will have to improve visibility across their networks and assets.
As the industry adage goes: You can’t manage what you can’t see.
At an operational level, visibility means gaining a comprehensive view of all computer and data assets within a company’s IT environment. Visibility also means having insight into which endpoints or devices are vulnerable at a specific moment in time so the security team can make informed remediation decisions. With greater visibility, organizations can more effectively manage a breach and stay confident in the quality of their regulatory reporting data.
But gaining visibility remains a challenge, particularly after the pandemic expanded the attack surface by increasing the number of endpoints and assets organizations must protect. A 2020 Tanium survey of 750 IT decision-makers found that nearly all—some 94%—have discovered endpoints that were previously unknown, a startling lack of visibility that could lead to compliance violations.
Tanium’s Hallenbeck would like the new executive order to focus more on improving security before an attack occurs rather than after the fact. “What we need to do is increase the security of an organization to make a breach less likely in the first place,” he said, adding that when companies have visibility into their IT environments, they can be more proactive and productive.
To create good visibility, security teams must develop a threat model of their organization’s risk exposure. That model must map to high-value assets and critical business functions. In addition, security and IT teams must be able to answer questions about where data is stored, which operating systems are in play, and whether those systems use cloud services or on-prem servers and network infrastructure. Without that information, a business won’t have the visibility to support good staffing and tooling decisions, making it more vulnerable to a breach.
“Once the company understands its business workflows,” says Chris Morales, CISO at security, network, and IT operations provider Netenrich, “then it can deliver visibility to ensure the entire workflow is monitored for the type of attacker behaviors that can or will occur.”
Prepare to share
The timeline for notifying the government of a breach is expected to be 72 hours, much like the European Union’s General Data Protection Regulation (GDPR). However, Morales believes the software industry could and should act “within minutes” to critical threats with a high impact.
“Security is a race between defender and attacker,” he says, where response speed is “the most critical aspect of containing a breach.” The defender must detect and respond before the attacker reaches its target. “A delayed notification,” he adds, just slows down the good guys.
Even if notification is done well and done fast, the government faces hurdles in trying to create a cyber equivalent of the NTSB. To do that, it must convince private companies with lots of intellectual property on the line to share information.
Although the federal Cybersecurity & Infrastructure Security Agency (CISA) has become a strong advocate for both the private and public sector, companies have complained that information sharing is a one-way street, a challenge the government has to overcome by creating bidirectional flow.
“The relationship is good, but transparency is also important,” said Joseph Carson, advisory CISO at ThycoticCentrify, which provides privileged access management solutions. “CISA has become more involved and proactive, and that’s good, an indication that cybersecurity works best when you can prevent the attacks rather than always come after the fact to clean them up.”
Among the best practices security experts recommend for sharing information on incidents:
- View every incident as an opportunity to improve.
- Avoid blame and focus on systemic weaknesses and root causes.
- Encourage and reward sharing of effective postmortems.
Conducting blameless postmortems on all types of incidents, says Sounil Yu of JupiterOne, prepares an organization to handle critical security incidents. “Security is just one type of incident,” he says. “If an organization adopts the practices of blameless postmortems, they will likely be well prepared to meet whatever requirements come out of the [executive order].”
Blameless postmortems also ensure that lessons learned from an incident aren’t forgotten, and they provide an opportunity to incorporate those lessons into future software designs. “It’s a great investment in enterprise survival,” says Yu. As a by-product, blameless postmortems prepare organizations today for the future of a cyber NTSB-style review agency. Such an agency, dedicated to blameless postmortems and tightly focused on getting to the bottom of what happened during a major breach, could improve security within organizations and throughout the supply chain.