The SolarWinds Orion supply chain hack has caused several organizations to re-think their future relationships with vendors regardless of whether they used the network monitoring suite, a new survey suggests.
“Vendor and supply chain relationships are likely to undergo lasting changes as new partnerships will be placed under higher levels of scrutiny than before,” said DomainTools, which released the survey of 200 security, IT leaders and corporate executives on Tuesday.
Just over 47 per cent of 200 respondents said from now on, they will require suppliers to follow their firm’s security standards — and legally attest to that.
Just under 40 per cent said their organization will implement increased network segmentation, isolating vendor software and appliances to a higher risk zone; just over 24 per cent said they will implement dynamic application security testing (DAST) and static application security testing (SAST) of vendor-supplied software before it’s used in their environment. Roughly 19 per cent said they will eliminate reliance on vendors with ties to adversarial nations, and just over 17 per cent said they will reduce their reliance on external vendors.
Just over 27 per cent said the attack won’t change their firm’s approach to managing vendors. Nearly 20 per cent of respondents said the SolarWinds event directly impacted their organization,
The survey polled 200 global security professionals and executives in February from a range of industries. Just over half described themselves as a security researcher or analyst, with another 6.5 per cent saying they were threat hunters; 19 per cent held the title of IT manager, and 14 per cent were either in the C-suite or vice-presidents.
SolarWinds believes approximately 18,000 users of Orion downloaded an infected update that installed a backdoor. Of those, a much smaller number were actually hacked. One estimate is that in the U.S., 100 public and private sector organizations suffered a breach of security controls.
Asked how the SolarWinds hack impacted their organization’s current vendor outsourcing strategy, just over 43 per cent of respondents said no active changes planned and that they are confident in their current vendors. Just over 37 per cent said they are asking vendors for more detailed security standards as part of renewals.
Just over 34 per cent said they are re-evaluating their current vendors with a heavier weight on security. Almost 15 per cent said they are actively changing vendors due to security posture changes. And just over 11 per cent said they are bringing some outsourced vendor work back internally due to security concerns.
Just over eight per cent said they are increasing the use of vendors and outsourcing.
Almost 21 per cent said they were very confident with their visibility into security information or internal processes, with another 50 per cent saying they were fairly confident.
The U.S. has said the attackers who got into the SolarWinds Orion update mechanism were “likely” from Russia. In response, the survey asked respondents how much of an emphasis their organization places on defending against state-sponsored attacks. Just over 44 per cent said high, almost 37 per cent said moderate and almost 19 per cent said low.
Eighty-two per cent said attribution is very or fairly important in attacks. Sixty-one per cent agreed attribution provides context around the types of indicators of compromise IT needs to look for, while 45 per cent agreed attribution helps get more support from management for resources when investigating an incident.