A Modern CISO’s response to Sunburst

Anita (a fictitious character) is a CISO for a global financial institution. With more than 20 years in enterprise cyber security, Anita considers herself a modern CISO. Anita is a leader who views Cyber as a strategic imperative for the bank, a business enabler, and a platform to enable the bank’s digital future. Anita views her role as a partner for the business, and as a partner her mandate is to establish Trust, Security, and Resiliency. Digital Trust will allow the bank to accelerate adoption of new digital platform and services, Security will ensure Anita is able to address modern/future threats, and Resiliency will provide the “shock absorbers” that the enterprise needs to address the next crisis (whether a cyber threat, environmental disaster, or pandemic). She shared a mission based on her group’s ability to support the next generation of Digital Banking:

MicroFocus

When news of the (SolarWinds) Sunburst hit the global stage, Anita observed a familiar pattern within both the media and the cyber community of an instant large-scale reaction. From her experience, Anita knew that Sunburst was just the tip of the iceberg of a systemic issue with supply chain and the need to have a consistent view on securing the entire Digital Value and Supply Chain. That is value chain on how the bank supports its commitment to its customers, market and stakeholders and digital value chain on how digital assets (either software, hardware or even carbon (people)) are introduced into the enterprise, how they affect other platforms, and how they can introduce exposure to the bank.

Anita knew that this was an exigency moment. One that will define the robustness of the Cyber Resiliency program that she built and whether the process, structure, and capability she built would rise to the occasion.

Anita’s mission was simple. The mission was to establish a repeatable and robust Digital Supply Chain Risk Management program. A program that would increase visibility through a complex environment, one that would secure the chain, establish trust with the market, and one that would enable the bank to grow and offer new products and services to its customers.

Anita, using her consulting past, broke down her activity into four specific mandates:

1. Objective 1 – Assess: Take stock of the event. Anita as a seasoned cyber leader knew this was not the time for hyperbolic reaction. She knew this was a defining moment for the role cyber plays in the bank’s future of being a trusted brand. She laid out a clearly established list of problems.
2. Objective 2 – Strategize: Define a clear strategy that is well understood from the Board (executive) to the operational (technical teams) defining how cyber is going to establish trust, security, and enterprise resiliency through a structured program.
3. Objective 3 – Execute: Execute on the tactical and strategic outcomes defined in the assess and strategize phases with a clearly defined tactical (within 30 days), mid-term (90 days), and long-term sustainment plan. The goal is to show progression in assurance level.
4. Objective 4 – Measure: What gets measured gets done. Anita instituted a clearly defined target that was used to steer her team toward a directional outcome and provide a clearly defined assurance level to the Board based on the mission to establish trust, security, and resiliency.

Objective 1 – Assess

The first step that Anita took was to assess and clearly communicate the constraints, assumptions, and guiding principles for the response process. Some of the considerations included:

• Establish Trust: Anita knew that her role was not just to secure the organization, but to expedite trust in the enterprise by assuring senior leadership, the board, and stakeholders of the bank that they had a clearly defined plan, were executing to the plan, communicating progress, and measuring success. Establishing trust was essential for driving the bank’s market strategy, ensuring customer confidence, and enabling scale/velocity of digital transformation. Anita knew that the way her team addressed this large-scale response would become a benchmark for establishing and maintaining sustainable trust.
• Respond but Be Strategic: Anita knows that the key to a sustainable, holistic, and robust enterprise security program is to take a measured, responsive but long-term view to a complex challenge. She oversees a complex, diverse, and highly nuanced global value chain, with a myriad of digital platforms, diverse development teams, complex channels and workloads that extends to micro services, containers, and elastic workloads.
• See the Big Picture: Anita knows that this challenge is bigger and far more expansive than just SolarWinds. Focusing merely on just SolarWinds would be a knee jerk reaction, and Anita wanted her team to see the big picture.

In June 2018, a GitHub Gentoo Linux distribution was compromised, and backdoors were introduced. In March 2019 RubyGem Gems bootstrap-sass was backdoored and downloaded 28 million times. What is more concerning is more that recently Anita’s Threat Intelligence determined that adversaries are exploiting libraries through code referral injection, which itself could bypass malicious discovery processes (e.g., NetBeans IDE). Anita knows that modern current and future adversaries are not going to wait for downstream exploits (exploration and exploitation of zero days, which is becoming increasingly difficult) but will move to upstream development paths where they’ll go after popular OSS and NPM development libraries (including GitHub). So even though what happened to SolarWinds was alarming, it was just one instance of what could be a widespread challenge the industry has to face.

On December 31st, 2020, Microsoft issued a blog that indicated their source repo’s were “read” by likely threat actors. This was an indication that this may be a bigger challenge and that, even though Microsoft was affected, Anita knew that this could potentially introduce exposure at every level of the enterprise. From Smart TVs (that could compromise confidential meetings) to BMS (Building Management Systems) to even the edge cloud Hyper Visor Management systems, the team needed to think of a multi-layered response to this challenge.

• Measured: Being measured in her response was key to ensure operational continuity and business performance. First and foremost, as the organization responds to the remediation activity, what was the impact to business operations and service continuity, and what could be done to reduce enterprise friction? Anita suspected that this event was symptomatic of challenges every organization has. She needed to get to the root of the problem and not just address the symptoms.
• Relevant: Considering the transformation of the enterprise due to Covid-19, the supply chain landscape has become far more complex. Vendors that typically were in the bank’s call centers were now working from home and, in some instances, BYOB was approved for specific users. Anita’s team would have to develop a program that integrates Attack Surface Management with Supply Chain Risk Management.
• Understand the Impact to the Business: Some key considerations come to mind:
  • Exposure Impact: What is the exposure to the business? The NOMS (Network Operations Management) network rides on an Out of Band Management Network. Could it affect other sensitive parts of our business such as the core banking applications, payment processors, regulatory controls, and similar systems? Could the adversary have infiltrated the development repositories introducing a much wider and entrenched exposure to the business?
  • Response Impact: How will the response impact the business? Can I ensure there is limited friction introduced to the business?
  • Compromise Assessment and Impact: Trust and confidence are key to the way the bank operates and are linked to its mission and purpose. Developing a quick strategy to assess the compromise was essential for maintaining trust and confidence. How would this impact Anita’s communications plan, engagement with senior stakeholders, the board, general counsel, suppliers, and business partners?
  • Third-Party Impact: How will she find out if any material third parties that the bank relied on were impacted by the compromise, and what channels of communication does the bank have with them? Do these third parties hold any of the bank’s data (for example, holding and processing cardholder data, account holder PII data to provide services, such as printing checks, issuing cards, etc.)? If so, is there a potential that the bank’s data could have leaked through a compromise via an affected third party?
  • Operational Impact: Assess the risk of the immediate impact while looking beyond the incident. Anita realized that her actions and the actions of her team required balance, and the key was to secure the enterprise in a manner that reduced friction and impact.

When news of the development lifecycle weakness (referred to as Supply Chain) saturated the cyber air waves, Anita knew that her team needed to “T-shape” her response.

Objective 2 – Strategize

Anita knew that the simplicity and pragmatism of a well understand plan were paramount to addressing the long-term implication of what could be a systemic issue for the industry. The program required clarity on the near term but also a strategic response to the risks introduced by Digital Supply Chain.

This included a structure process to respond to the initial exposure, secure the enterprise, and then institutionalize a robust operational model to secure the Digital Supply Chain.

MicroFocus

Objective 3 – Execute

Overall Game Plan

For the entire program approach, Anita utilized a Cyber Resiliency Assurance Level (CRAL) metrics program. This program was jointly developed with CyberRes to provide assurance to the board on the level of visibility (detect), trust (evolve), and security (protect) in the roll-out plan. Using this clearly defined measurement capability, she could inform the board and senior leadership on the level of confidence in the new Enterprise Digital Integrated Protection program to secure the business.

Anita’s three-point plan was based on a phased approach:

• Phase A – Respond: Within 30 days respond to incident (SolarWinds Sunburst) in a systematic manner to ensure that the board is confident in the structure, precision, and business alignment of the response.
• Phase B – Secure: Within the next 90 days, systemically and verifiably (measured through the CRAL methodology) secure the organization from direct and related (adjacent) risk.
• Phase C – Operate: Within two years have a repeatable and robust operational capability to drive high CRAL trust and assurance in the global enterprise digital supply chain.

MicroFocus

Phase A – Respond (30-day tactical response plan)

Knowing this was a far more expansive challenge, Anita knew that she had to tactically respond to the specific “Call to Action” to gain trust, but also develop the building blocks for a much more strategic program. She knew that this was an advanced adversary using counter-intelligence techniques. She suspected that the actor has likely moved on, but she needed to “clean up” the enterprise to ensure she maintains trust and due diligence.

Anita’s team developed a five-point plan and checklist for the tactical response plan. (Editorial note: The checklist can be downloaded by clicking on the link and can be used to assess your own response plan).

MicroFocus

Phase B – Secure (90-day plan)

As part of the 90-day plan, Anita directed her team on a mid-term four-point action plan. The first is to establish a sound program, second is to perform ongoing classification, third to treat the risk, and lastly to report effectiveness:

MicrFocus

Phase C – Operate (two-year plan and sustainment plan)

Based on the activities in Phases A and B, Anita plans to develop a sustainment and operational plan to run a repeatable and robust Enterprise Digital Integrated Protection Lifecycle under her Cyber Resiliency transformation plan.

Objective 4 – Measure

Anita knew that they key to establishing trust and confidence was to introduce a verifiable measurement program. A clearly defined metric program will not only provide a clear measure of assurance to the board (CRAL level), but will also provide her team with manageable success factors that will be used for a progression journey (Click here to get more information on a the CRAL progression journey).

She introduced a CRAL Key Risk Indicator plan. As indicated in her commitment to the board she developed a performance plan to ensure she can back and support her composite Assurance Level (e.g., to get to 45% CRAL within three months and 80% within two years.

Results

With a clearly defined plan that is both strategic and able to address the immediate need to respond, Anita has accomplished the following:

1. Increased Assurance Level: Using the CRAL methodology was able to objectively and consistently scale out the use of an Assurance Level program for introduction of Digital assets into the enterprise from the edge (cloud), SDDC (Software-defined Data Center), remote workforce, third party, BMS, sensitive locations/offices, ATM environment, Retail Banking, and other parts of the enterprise. The program included clear measures to increase visibility, secure the supply chain, establish trust, and enable the bank (business).
2. Leadership Support: With a clearly defined business plan and an approach tied to securing and enabling the business, Anita was able to gain support from the board and a commitment to allocate investments.
3. Team Alignment: Was able to organize and align the global Cybersecurity team around a consistent, structured, and sustainable model.
4. Extended Enterprise Support: Through a clearly defined measurement plans, each platform group and Line of Business had instant access to their CRAL assurance score for supply chain. Their ability to incorporate their digital footprint into the DIP provided enhanced Supply Chain Risk Management coverage.