Detecting and stopping the next SolarWinds attack requires a unified view across organizations’ entire attack surface, according to the CEOs of Splunk and Mandiant.
Gaps in visibility allow attackers to breach companies’ networks — and then hang out inside the perimeter, like we saw with the SolarWinds implant, they said. To help organizations better defend themselves against threats, Mandiant and Splunk also announced a new partnership that combines Mandiant’s threat intelligence, security stack validation, and incident response with Splunk’s data analytics.
“If you can stop all breaches Mandiant’s aware of, you’re pretty much stopping all the breaches,” Mandiant CEO Kevin Mandia said during a panel discussion at Splunk’s .conf21 event. “I don’t think you bring the risk down to zero, but at least you’ve taken every step you really can take to defend your networks.”
Stopping the Next SolarWinds
Mandiant, which was still FireEye at that point, discovered the SolarWinds attack in December 2020. But the Russian state-sponsored hackers likely gained access to the software provider’s environment almost a year earlier.
After the attackers broke into SolarWinds, they inserted malware into the vendor’s Orion software update that was pushed to about 18,000 customers beginning in March 2019. This allowed them to remain in organizations’ environments for months without being detected. Threat researchers now believe the Russian attackers compromised about 100 private corporations and nine federal agencies’ networks.
“So what happened for nine months? Well, here’s what happened,” Mandia said at .conf21. “Nobody had all the signals in one place … they didn’t have a full view of the whole battlespace.”
While some firewall vendors observed a network security event, or Domain Name System (DNS) monitoring tools noticed strange DNS lookups coming from SolarWinds servers, threat hunters didn’t have a comprehensive view across the entire IT environment, he added.
“We didn’t have all the data in one place, all the signals that are relevant from network devices, from appliances, from your security endpoint software,” Mandia said. “It all needs to be together because you need it in aggregate to make thoughtful conclusions. Implants are hard to find if you’re only looking at part of the signal.”
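As an added illustration of the aggregation point made above (example code, not from the article or from Splunk or Mandiant), the toy Python below correlates two constructed log sources per host: a rare-DNS-lookup heuristic and firewall deny events, each noisy on its own, narrow to a single host only when combined. Hostnames, domains, log formats and the rarity threshold are assumptions.

```python
from collections import defaultdict

# Constructed resolver log lines: "<host> <queried_domain>" (not real telemetry)
DNS_LOG = [
    "orion-01 updates.vendor.example",
    "orion-02 updates.vendor.example",
    "orion-03 updates.vendor.example",
    "ws-117 news.example.org",
    "ws-118 news.example.org",
    "db-03 news.example.org",
    "orion-01 cdn-7f3a.example.test",   # rare lookup from a server
    "ws-117 cdn-7f3a.example.test",     # same rare domain from a workstation
]

# Constructed firewall log lines: "<host> <action> <dst_port>"
FW_LOG = [
    "orion-01 DENY 443",   # blocked outbound connection from the server
    "orion-02 ALLOW 443",
    "db-03 DENY 3389",     # blocked RDP attempt, unrelated noise
    "ws-118 ALLOW 80",
]


def rare_domain_hosts(dns_lines, max_hosts=2):
    """Hosts that resolved a domain seen on at most `max_hosts` distinct hosts.
    Alone this is noisy: any unusual but benign lookup trips it."""
    hosts_by_domain = defaultdict(set)
    for line in dns_lines:
        host, domain = line.split()
        hosts_by_domain[domain].add(host)
    return {h for hs in hosts_by_domain.values() if len(hs) <= max_hosts for h in hs}


def denied_egress_hosts(fw_lines):
    """Hosts with at least one DENY event. Also noisy on its own."""
    return {line.split()[0] for line in fw_lines if line.split()[1] == "DENY"}


def correlate(dns_lines, fw_lines):
    """Only hosts carrying BOTH weak signals are escalated for hunting."""
    return sorted(rare_domain_hosts(dns_lines) & denied_egress_hosts(fw_lines))


if __name__ == "__main__":
    print("DNS-only candidates:", sorted(rare_domain_hosts(DNS_LOG)))
    print("Firewall-only candidates:", sorted(denied_egress_hosts(FW_LOG)))
    print("Aggregate:", correlate(DNS_LOG, FW_LOG))
```

Each source alone yields two candidates; the intersection yields one, which is the "in aggregate" effect the quote describes.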
Mandiant Security Validation for Splunk
As part of the new Splunk-Mandiant partnership, Mandiant Security Validation customers can access their validation data directly in the Splunk platform via the Mandiant Advantage app. Additionally, the Mandiant Advantage app, which connects to Mandiant’s Threat Intelligence, Incident Response, and Security Validation services, is available to Splunk customers.
Mandiant Security Validation taps into the vendor’s real-time threat intelligence and automates a testing program to see if an organization’s security controls can detect and prevent threat actors’ tactics, techniques, and procedures.
“The top question I get in the boardroom really comes down to board directors and even CEOs saying, ‘How good are we at security?’ Well, let’s test it by shooting real bullets,” Mandia said.
When combined with Splunk’s analytics and automation, Mandiant Security Validation allows customers to continuously validate and measure the effectiveness of their cybersecurity controls and helps security teams identify duplicate or outdated security tools and areas where they need to invest, the partners say.
“Being close to a group like Mandiant who is visiting hundreds, thousands of customers, and is able to look at what are the different signals that we’re seeing across this large community of different customers is key,” Splunk CEO Doug Merritt said during the panel discussion with Mandia.
Integrating Mandiant’s threat intelligence and incident response learnings directly into Splunk’s products will provide customers better visibility into their security readiness, he added.
“How thorough are you right now on your security landscape based on all the collective wisdom that Mandiant has collected and continues to update on a consistent basis? And then what should you be doing to up your game? With Mandiant as the human glue, that constant iteration loop of updates and more refined intelligence and actions, I think we’re going to see a nice flywheel on how do we detect a SolarWinds-type thing much more quickly than nine months,” Merritt said.