While the days, weeks and months after the high-profile cyberattacks on SolarWinds, Kaseya and Colonial Pipeline were critical, CISOs who worked at these organizations during or after the incidents said they focused on the years ahead: rebuilding security into processes across their companies, regaining the trust of customers and attempting to better protect against future attacks.
At Mandiant’s mWise conference on Tuesday, Jason Manar, who worked at the FBI supervising cyber and counterintelligence programs before joining Kaseya as CISO months after the company’s July 2021 cyberattack, said one challenge was creating a security-focused culture that lasted beyond the incident response phase of attacks. While at the FBI, he said he would see the natural progression of security going from a top priority for companies right after an attack, to eventually “dipping off.”
“Understanding that there’s a human nature to just wane after a security event, it’s my job as CISO to ensure it’s top of mind and ensure that they understand – they being everyone in the organization – that we will never be done securing the organization,” said Manar. “This is a living, breathing task that has to be breathed into everything we do in a security-first mindset and culture.”
For Manar, that meant making key investments, like developing an in-house offensive security team that would fully understand the product and could “bang at that product every single day” in order to make sure security would continue to be prioritized long after the impacts of the cyberattack dissipated.
Other companies have completely revamped their processes to build security from the ground up. In the months after the SolarWinds supply-chain attack was first publicly disclosed in December 2020, Tim Brown, CISO at SolarWinds, focused on building out a security program aimed at better securing software development and the environments that the code was built in. Because attackers targeted a transient virtual machine that was part of the build process, the first step of this “secure by design” program was making sure that source code matched what was ultimately produced – and doing this required an overhaul of the entire build system, he said.
“We start with the source code, go through, get a product, we decompile that product and check it back to source code,” he said. “Step two was to create a whole new build system external to our environment, and make it all ephemeral – so short lived – and make it all in code. Step three was a multiple build pipeline, so we build multiple times, and we have a developer pipeline, a staging pipeline and a production pipeline, each one having fewer and fewer people having to touch it. We then connect these and before we ship we do the three builds, and we compare the results between them. You now need collusion among different people to affect our build.”
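The two checks Brown describes, decompiling the shipped product and diffing it against the committed source, and building the same source in several isolated pipelines and refusing to ship unless they all agree, can be expressed as a small release gate. The script below is an added illustration, not SolarWinds' tooling: the "compiler" is simulated with zlib so the script runs offline, the `ART1` header, the pipeline names and the `implant` function are hypothetical, and `tamper` models a compromised build host rewriting code in flight, which is the kind of change that a single subverted pipeline cannot hide from the other two.

```python
"""Added example: a release gate that (1) decompiles an artifact and diffs it
against the source it was supposedly built from, and (2) builds the same source
in several isolated pipelines and blocks the release unless every digest agrees.
The build is simulated with zlib so this runs offline; nothing here is the
tooling of any real vendor."""
import hashlib
import zlib
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

MAGIC = b"ART1"  # hypothetical artifact header, assumption for this example

# Constructed sample source, standing in for a product's code base.
SOURCE = b"int main(void) { return 0; }\n"


def build(source: bytes, tamper: Optional[Callable[[bytes], bytes]] = None) -> bytes:
    """Deterministic stand-in for a build: same source in, same bytes out.
    `tamper` (hypothetical) is what a compromised build host would do to the
    source it was handed, invisibly to the developer who committed it."""
    if tamper is not None:
        source = tamper(source)
    return MAGIC + zlib.compress(source, 9)


def decompile(artifact: bytes) -> bytes:
    """Recover the code an artifact was actually built from (step 1 above)."""
    if not artifact.startswith(MAGIC):
        raise ValueError("not a recognized artifact")
    return zlib.decompress(artifact[len(MAGIC):])


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def source_matches_artifact(source: bytes, artifact: bytes) -> bool:
    """Step 1: what shipped must decompile back to exactly what was committed."""
    return decompile(artifact) == source


def divergent_pipelines(artifacts: Dict[str, bytes]) -> List[str]:
    """Step 3: name every pipeline whose artifact digest disagrees with the majority.
    Any non-empty result blocks the release; the names only say where to look."""
    digests = {name: digest(blob) for name, blob in artifacts.items()}
    majority, _ = Counter(digests.values()).most_common(1)[0]
    return sorted(name for name, d in digests.items() if d != majority)


def release_gate(source: bytes, artifacts: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Ship only if every pipeline agrees and each artifact round-trips to source.
    Returns (ok, reasons); reasons is empty when ok is True."""
    reasons: List[str] = []
    outliers = divergent_pipelines(artifacts)
    if outliers:
        reasons.append("pipelines disagree: " + ", ".join(outliers))
    for name, blob in artifacts.items():
        if not source_matches_artifact(source, blob):
            reasons.append(f"{name}: decompiled code differs from committed source")
    return (not reasons, reasons)


# Scenario A: three clean, isolated pipelines. Same source in, same digest out.
CLEAN = {p: build(SOURCE) for p in ("developer", "staging", "production")}


# Scenario B: the staging build host is compromised and splices code into the build.
def implant(src: bytes) -> bytes:  # constructed tampering, not a real payload
    return src.replace(b"return 0;", b"/* implant */ return 0;")


TAMPERED = dict(CLEAN, staging=build(SOURCE, tamper=implant))

if __name__ == "__main__":
    for label, arts in (("clean", CLEAN), ("tampered", TAMPERED)):
        ok, why = release_gate(SOURCE, arts)
        print(f"{label}: {'SHIP' if ok else 'BLOCK'} {why}")
```

With a real compiler the comparison only works if the builds are reproducible: pinned toolchains, no embedded timestamps or build paths, and every input checked in as code, which is what making the pipelines ephemeral and fully defined in code buys. The collusion threshold Brown mentions also depends on the pipelines being genuinely separate, with no shared credentials or build hosts; otherwise one compromised account can alter all three builds and the digests will agree.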
But the plan also required widespread organizational and operational changes across teams. Brown said the company needed to look at how engineering could “be exemplary instead of just building code,” and make changes from a security perspective, including building out a full-time red team where previously there had only been a part-time one.
“All of these are encompassed by secure by design, and what we’ve been doing is talking about that with other companies and educate others about how they can get better,” he said.
A critical part of driving this security-focused mindset shift is making sure that all departments, teams and employees are involved, the panel of CISOs agreed. When Brown told a team of 400 engineers that they needed to spend six months focusing on new build systems for 50 products, rather than building new features, “motivation at the beginning was easy.”
“They were mad, somebody broke into their home and changed their code,” he said. “It started waning a bit – and six months was the max we were going to get – but a focus on security for that long gave us a great baseline to move forward from.”
However, keeping these “baseline” security efforts going beyond the months following immediate incident response requires the continual prioritization of security from different teams across the organization, whether that’s the receptionists or the board of directors, emphasized Manar.
“It is [about] having a robust education for the entirety of the organization so they understand – from a sales perspective, from the receptionist – everyone understands the risks associated with their job functions,” said Manar.