CDOTrends

Security Vendors: It Is Time To Come Clean About Intrusions

By Jeff Pollard and Sandy Carielli, Forrester on December 20, 2020
Image credit: iStockphoto/wildpixel

The intrusion into SolarWinds, FireEye, and multiple U.S. government agencies continues to roil the cybersecurity world. In only a few days, a slew of additional details has emerged about the scope of the intrusions, with more surely to come.

Security vendors spend all their time talking about security but not in a way that’s useful right now. As we wrote in our previous blog, no vendor should turn what happened to these companies into a marketing opportunity. Let us repeat for emphasis: No vendor should turn what happened to these companies into a marketing opportunity. Other security vendors should also understand that this is not a time to throw stones at FireEye — a breach like this could happen to any vendor.

But security vendors do need to have a conversation with customers. Security leaders need answers.

Related

Security vendors are notoriously closemouthed about attempted intrusions against them as a vendor. Despite a series of intrusions on vendors — RSA and Lockheed MartinMeDocSolarWinds, and FireEye — it is virtually impossible to get a vendor to talk about what they deal with. And as the previous examples demonstrate, vendor intrusions are often a mechanism into their customers, as well. Here’s why this matters now:

  • If the threat actors went after FireEye, what other security vendors did they go after?
  • Does anyone doubt that other security vendors were on the list of potential targets?

End users should ask the following of their security vendors:

  • Does the vendor use SolarWinds? If so, what specific products are in use?
  • Does the vendor have any (third-parties) suppliers, partners, contractors, or outsourcers that use SolarWinds? If so, what specific products and versions are in use?
  • If the vendor does use SolarWinds, did they detect any evidence of this activity? If they don’t use SolarWinds, have they checked to be thorough?
  • For companies that aren’t using SolarWinds, how would those vendors thwart a similar intrusion? Does the vendor have plans to do a red team, purple team, or tabletop exercise to figure that out?

Some other interesting security vendor questions:

  • The intrusions began in March. If someone reverses signatures, IoCs (indicators of compromise), and other detection rules, are they going to discover any that were created by a security vendor prior to this being public?
  • If the vendor did see this, what is their notification process like for SolarWinds? What is their process for notification in situations like this for their vendors?
  • What are the most successful intrusions against them that vendors have experienced? What did they do as a result? What changes were made?

This is an opportunity for vendors to offer transparency — and demonstrate empathy — by sharing that what happens to them also happens to their customers, competitors, and peers. FireEye has largely received community praise for the openness and transparency exhibited when announcing its breach. Sharing lessons learned, anti-patterns, and changes made as a result will help everyone get better.

Other vendors should learn this lesson and recognize that this is a community.

The original Forrester blog can be found here. Jeff Pollard, vice president and principal analyst, and Sandy Carielli, principal analyst, wrote this article.

The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends. Image credit: iStockphoto/wildpixel

Related Articles

Related Whitepapers

2017 - 2021 © CDOTrends