After the SolarWinds hack, we need contact tracing for our data
The ramifications of the SolarWinds hack will plague affected organizations for months, if not years.
Since the December revelation that thousands of organizations may have been compromised by a SolarWinds software update containing Russian malware, security experts have worked overtime to identify and remediate any breach. This has meant everything from updating the infected SolarWinds software (or removing it entirely), to checking data logs to detect any intrusion or lateral movement across a company’s IT environment, to even perhaps executing full third-party software code reviews.
While the attack on SolarWinds software is arguably the most significant state-sponsored hack we’ve seen in years, it’s more than an isolated incident. It is emblematic of a constant reality of the digital era: We’re all likely to get hacked at some point. Our ability to respond determines our ability to operate. Digital security is now a broad governance imperative.
Organizations of all types must be able to defend against attacks. Yet 2020 research from the Ponemon Institute, conducted in partnership with IBM, found that on average it takes a company 207 days to identify that a breach has occurred, and another 73 days to contain it.
Whether a cyberattack is motivated toward sabotage or data theft, a victim’s fundamental questions are, “Who has accessed our data? Which data, when, and why?” In other words, the ability to trace all contact with sensitive data is vital. But most companies today cannot do this.
Contact tracing is an epidemiological technique that we’ve all heard a lot about in the past year. Because COVID-19 is spread by human contact, we look at where an infected person has been, and whose paths they’ve crossed, during the infectious period. On the human scale, we’ve seen mixed results worldwide. But applied to digital systems, contact tracing could become a powerful security technique.
This idea is not new. A concept called Sightings has been gaining traction in the security community, largely at the academic level, for the past few years. The idea is for organizations to be able to share details of how they were attacked and what was targeted—the who, what, and when—as quickly as possible with other organizations.
This concept could help organizations identify breaches sooner and remediate faster and more effectively. Through sharing, attack techniques could be more thoroughly understood, and with the right reporting mechanism, the resulting threat intelligence could be shared to help more organizations avoid a breach in the first place. MITRE, a leading not-for-profit research organization, is working on incorporating Sightings concepts into a security reporting process that would let breach victims share appropriate data in a secure, anonymized way to benefit the wider community.
Beyond this threat intelligence application, organizations could use this sort of contact tracing approach for their own internal investigations. Data contact tracing can dramatically reduce the time it takes to discover how far into their networks an attacker has penetrated, and identify where related systems in their supply chains, customers, and partner networks have also been compromised.
While remediation of compromised systems will vary based on the specific hack, data contact tracing could dramatically shrink the “dwell time”—the period between detection of an attack or compromised system and notification to the world. With the right technologies and techniques, detection could be measured in hours, if not minutes, as opposed to months. Similar to sharing virus data between governments, sharing data between organizations could help stamp out major threats, including ransomware and nation-state attacks.
The world’s scientific community did astonishing work in 2020, compressing what’s typically an eight-year process into just 10 months to develop new COVID-19 vaccines. Now we need a similar marshaling of commitment and resources for data contact tracing, to improve breach response and reporting actionable threat intelligence to the wider IT community.
While such a vision would require broad cooperation across multiple industries and sectors, the first steps are ones that each company can take for itself immediately and begin with a few simple questions. Those questions include: Within our organizations, can we see how and when every data file is touched? Can we identify the digital trails that data users, authorized or not, leave through our systems? Can we ensure that our software supply chains are sound, and that we are aware of the source and history of every line of code contributed by our developers? When a breach or other anomalous activity is discovered, how quickly can we trace the behavior and identify where access occurred and what data has been compromised?
The technology exists to contact-trace our data and to automate the real-time extraction of insights. It’s used for many things today, from managing IT, software development, and operations to improving customer experience. My own company is involved in helping clients with efforts like these. If we can take smart action on those insights in real time, we should be able to put the same focus and velocity behind protecting our data.
Doug Merritt is the president and CEO of Splunk. Previously, he held senior leadership roles across a wide range of disciplines, including product, sales, marketing, and HR, for companies including Cisco, SAP, and PeopleSoft.