Learnings for SaaS Companies from the SolarWinds Hack Incident
What Is the SolarWinds Episode?
The end of 2020 saw the biggest cybersecurity attack on the USA, called the “Sunburst attack”, in which malware was spread through SolarWinds’ Orion product. The haunting part was that it was discovered only several months later.
Extensive Damage, Like Never Before
Initial estimates pegged the number of enterprise customers affected by this cyber-attack at 18,000. However, the estimate quickly jumped to well over 33,000 enterprises, considering the widespread use of this product among many enterprises and government agencies. The victims were from almost every industry, including the government and cybersecurity services space.
A Seismic Security Event — An Equivalent of SaaS 9/11
The sheer size and extent of malice make it an equivalent of SaaS 9/11. Even tech giants like Microsoft were burned by this seismic event. Just as the 9/11 event got etched in the public psyche because it targeted the iconic World Trade Center in New York City, hackers targeted an iconic product, SolarWinds, to inflict widespread damage and paralyze enterprise computing. The impact of this attack on the SaaS industry is so profound that enterprises started applying stricter security scrutiny to SaaS products like never before (just as the 9/11 event changed air travel security checks), and SaaS vendors find themselves in a tighter spot, being probed more extensively by their clients on their security architecture, internal security policies and security certifications.
How Did It Unravel?
Orion is a popular SolarWinds product for infrastructure monitoring and management. The hackers managed to impersonate the organization’s existing users and accounts, including highly privileged accounts, and injected malicious code into its software system, which later got pushed to Orion’s clients with the periodic software update patch. The breach impacted the data and networks of SolarWinds customers and potentially their customers and partners as well (a cascading supply chain). The ingenious attack was orchestrated through a backdoor on a system that in turn had access to the organization’s networks, data and resources, and thereby managed to avoid detection. This scenario rhymes closely with the situation of many SaaS companies, whose extensive use of APIs could potentially expose clients through backdoors.
A New Normal — Increased Scrutiny for SaaS Providers
Since the advent of SaaS as a business model, no other event has posed as much of a threat to it as this episode. Organizations, big or small, suddenly woke up to the possibility of hacks coming through SaaS products. While it is unlikely to slow or reverse SaaS adoption, it has dramatically raised the bar for the security posture desired in SaaS products. Traditionally, SaaS products derived success from their focus on functionality, user experience, and pricing models. Post-SolarWinds episode, another dimension has taken on as much importance: security posture. Enterprises and government agencies are realizing that firewalls and tools alone do not protect them. They are starting to seek out vulnerabilities and fortify their systems, and they expect their vendors to do the same.
What Should SaaS Companies Do?
- The security journey is a marathon. It's best to make it a part of the organization’s core values. Foster security teams by identifying people who are naturally passionate about security. Internal red teams and team exercises like bug-bounty programs can go a long way.
- Institute Penetration Testing of your products as frequently as possible (at the very minimum, quarterly security audits with external cybersecurity experts). This is not an overhead to carry for checking some boxes, but a critically necessary initiative to protect your organization from existential threats.
- Secure coding and security architecture should be the backbone of your product design. Considering that, these days, developers extensively import code from outside sources, you should include source code analysis as a part of your security audits.
- In an ideal world, SaaS companies should embrace DevSecOps, so that every new release of the products meets set security benchmarks. Granted, it's easier said than done, and it will be a long journey for most. Make a beginning sooner rather than later.
- Adopt a security certification that makes the most sense for your industry, from a myriad of standards like ISO27001, GDPR, PCI DSS, SOC2, HIPAA, FedRAMP, etc. These initiatives will require wider involvement from across the organization, and help instill behavioral discipline, a sense of direction, and well-defined processes and procedures. Most of the security certifications need periodic audits to stay in compliance, which will help keep the wheels on track.
- Have an Incident Response Plan. It is wise to develop the mindset of ‘not if, but when’ for security incidents and to have plans to handle them.
- Include security training (workshops, boot camps, etc.) in your training activity for employees and clients. Market research shows that most developers, while they may be very good at what they do, seem to lack cybersecurity skills and could benefit a lot from developer training programs.
This article was originally posted on our company blog.