Blaming GRU for hacking SolarWinds is like blaming rain for being wet. The actual target of "vigorous response" should be arrogant and incompetent software vendors who win gov tenders by declaring all kinds of security compliance yet cannot deliver on the very basics.

thedispatch.com/p/self-delusio

@kravietz
That article reads like something you'd see on RT, but your point I totally agree with. A lot of these enterprise "network security companies" are more expert at leveraging relationships than they are at actually making a compelling security product.

@cjd
Leveraging relationships pays the bills. Shareholders don't care about making a compelling security product, they care about revenue. Hopefully this will put a dent in revenue...

@Senicar
Yes, I think that's where we're going. I've noticed a lot of Fluff Security has gone away over the past 10 years, useless anti-virus and checkbox items, hardware firewalls, etc. As the game gets harder the players level up...

@cjd
People are getting more security conscious (see: the rise of personal VPNs) but there's still big money in checkbox security and hardware firewalls. I still see orgs shell out cash to certify compliance, with a dysfunctional vulnerability management program (and other basics). I think for incidents like this one, governments will need to start demanding more of their contractors.

@Senicar @cjd

They already do. I've been working for very large organisations in both public and private sector, and on both sides - so as someone who hires suppliers, and someone who is a supplier. The amount of due diligence and compliance forms you have to fill in each time is massive. The problem is that even if the supplier is total crap in terms of security but business really wants them, they're just going to "accept risk" and job done.
