Lessons from the SolarWinds attack: How to protect your business

By the time it was discovered in December, the SolarWinds cyber attack had evaded the security defenses of and penetrated at least 18,000 government agencies,…

Security Center of Excellence profile picture
Security Center of Excellence

March 25, 20215 minute read

By the time it was discovered in December, the SolarWinds cyber attack had evaded the security defenses of and penetrated at least 18,000 government agencies, Fortune 500 companies and other organizations. “The attack was unprecedented in audacity and scope,” the CBS news program 60 Minutes reported.

Earlier this month, Gartner published their Top 10 Lessons Learned From the SolarWinds Attack with several lessons for businesses impacted by the software supply chain hack—and those that want to avoid falling victim to similar attacks in the future (Gartner subscription required). The key takeaway? You will be breached. In fact, an undetected attack might be under way even now. So every organization must be ready to detect and respond to breaches quickly.

Building on those SolarWinds lessons, here are some insights from OpenText’s security experts on how to protect your business from the on-going fallout from SolarWinds—and the inevitable future security challenges.

Endpoint detection and response is a must

“Endpoint detection and response (EDR) tools are now a mandatory security control,” Gartner analyst Peter Firstbrook writes. OpenText has made EDR a pillar of our Cyber Resilience strategy through our OpenText™ EnCase™ Endpoint Security solution as well as our portfolio of BrightCloud Threat Intelligence services. And we’ve identified five critical enablers for endpoint security that every organization should have in place:

  1. Threat hunting and threat intelligence built on artificial intelligence and machine learning
  2. Comprehensive detection with real-time continuous monitoring
  3. A simplified incident response infrastructure that’s capable of detecting attacks, containing damage and restoring systems and data
  4. Agile, integrated and automated security technology
  5. Dynamic remediation strategies designed to quickly return business operations to a trusted state

OpenText delivers all these capabilities. In fact, our latest release brings even more access and visibility to off-network endpoints, along with expanded investigation capabilities, more efficient continuous monitoring and smarter threat detection.

Priorities include anomaly monitoring and directory hygiene

The SolarWinds hack went undetected for months and was only discovered while the security company FireEye was investigating their own systems for a hack. The discovery underscores the importance of anomaly monitoring and directory hygiene, both identified as priorities by Gartner.

OpenText Security strongly recommends continuous monitoring across operations and the security supply chain, including endpoints. That also means investigating and responding when you spot unusual activity, whether it’s repeated failed logins, unusual web traffic patterns, suspicious IP addresses or something else. For example, the SolarWinds attack might have been spotted earlier via investigation of associated IP addresses that had previously been classified as high risk by BrightCloud Threat Intelligence.

Our latest EnCase update features more than 400 new fields in the anomaly detection builder, as well as many new rules designed to detect tactics, techniques and procedures (TTPs) using the MITRE ATT&CK® framework.

Focus on DevSecOps principles

Another lesson to take from the SolarWinds attack is that security is everybody’s business and must be built into everything—not just corporate IT but the developer environment as well.

As Gartner noted, developers are “a key target of advanced attackers and can no longer be excluded from endpoint protection policies,” and the developer pipeline needs to be tested for vulnerabilities. This is DevSecOps thinking and something we feel strongly about at OpenText.

In practice, this means adopting a Zero Trust mindset and a defense-in-depth approach to security. The fundamentals here include hardened defenses, forensic-grade detection and rapid response/recovery. It’s about cyber resilience as much as cyber security. What’s the difference? As this blog post from last year put it, “If you want to keep them out, you need cyber security, but resilience is all about what you do when they’re in, because you know they will get in.”

You can learn more about cyber resilience, and what that will look like going forward, in this white paper by OpenText CEO and CTO Mark J. Barrenechea.

It always pays to search for security gaps

Every organization should look for gaps in its security stack. For example, an existing product might lack the right capabilities. Or you might not have the right tools to, say, manage privileged access or machine identities. Or some area of security might be neglected completely. As the pandemic has so clearly illustrated, the environment you’re doing business in today isn’t necessarily the same one you operated in a year ago.

Circumstances change. New regulations come into effect. Businesses evolve. That’s why OpenText Security recommends conducting a Risk Assessment to make sure your organization is as prepared as it can be in the current environment.

Learn more

The next cyber attack could be in the planning stages even now. A breach may already have happened, with an attacker residing inside your system. It’s vital to ready your defenses everywhere: across supply chains, on your networks, in the cloud and more. OpenText Professional Services can work with you to help you understand your current security environment, identify gaps and chart a path toward improved cyber resilience.

Share this post

Share this post to x. Share to linkedin. Mail to
Security Center of Excellence avatar image

Security Center of Excellence

See all posts

More from the author

Threat alerts

Threat alerts

December 2021 December 14, 2021: Log4j Summary: Top US cybersecurity officials have warned of the zero-day vulnerability found in the Java logging library Apache Log4j….

1 minute read

The HAFNIUM Attack on the on-premises Microsoft Exchange Server

The HAFNIUM Attack on the on-premises Microsoft Exchange Server

On March 2, Microsoft announced that its on-premises Exchange Server had experienced multiple 0-day exploits. Microsoft commented: “In the attacks observed, the threat actor used…

3 minute read

To do, know and be… ask, why not me!

To do, know and be… ask, why not me!

Authored by Maureen Kaplan, VP Sales, OpenText Security It was the response to her childhood ‘declarations of I can’t’ that changed Lieutenant General (ret) Nadja West’s…

4 minute read

Stay in the loop!

Get our most popular content delivered monthly to your inbox.