The federal government has changed its cybersecurity strategy in light of the SolarWinds breach, and small businesses should too.


In March of this year, the Acting Director of the Cybersecurity & Infrastructure Security Agency testified to Congress on the SolarWinds attacks on federal agency computers and infrastructure. Chief among Congress's concerns were what happened and why the cybersecurity investments of the last decade didn't stop it. First, let us take a look, in layman's terms, at what happened.

Experts are calling this a supply chain attack because the breach came from a trusted software supplier who routinely installed software patches and updates. It was through one of these updates that malicious code was installed on tens of thousands of computers. The bad actor was then able to choose which of those computers to exploit; this ended up being about 50 high-value targets, including Microsoft.

So why didn't the existing cyber defenses spot this malicious code? There are two reasons. First, the attack was very sophisticated in that it deployed the code at the last minute and hid it in a way that was extremely difficult to spot. Second, it came from a trusted source, which let it bypass traditional virus protection programs that act like perimeter defenses. These traditional defenses scan code and programs as they are installed and stop what they know to be malicious. Think of a guard at the door.

What are federal agencies doing to protect their IT infrastructure and stop this type of attack in the future? They are transitioning from the old type of anti-virus programs that act like perimeter defenses to endpoint incident detection and response agents. These sophisticated agents no longer scan programs and code only at the perimeter. Instead, they protect endpoints across the network and look for behaviors that are deemed suspicious. One example of what these new agents can spot is a piece of code attempting to increase its privileges from a user to an admin; this is just one of the suspicious behaviors they watch for. It's appropriate to think of these agents as a security system with sophisticated sensors all over and not just at the perimeter.
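The difference between the guard at the door and the sensors inside can be shown in a short sketch. This is an added example, not code from the article or from any vendor's product; the event format, signer name, hashes and host names are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed values: signer name, hashes, hosts and events are illustrative only.
TRUSTED_SIGNERS = {"ExampleVendor Inc."}
KNOWN_BAD_HASHES = {"bad0" * 16}

@dataclass(frozen=True)
class Event:
    ts: int         # seconds since capture start
    host: str
    pid: int
    image: str
    signer: str
    sha256: str
    action: str     # "install", "start" or "token_change"
    level: str      # "user" or "admin" ("" for install events)

def perimeter_allows(ev: Event) -> bool:
    """Guard at the door: block known-bad hashes, otherwise trust known signers."""
    return ev.sha256 not in KNOWN_BAD_HASHES and ev.signer in TRUSTED_SIGNERS

def behavioral_alerts(events):
    """Return (host, pid, image) for each process that rises from user to admin."""
    last_level = {}   # (host, pid) -> privilege level last observed
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.pid)
        if ev.action == "start":
            last_level[key] = ev.level          # also resets state on PID reuse
        elif ev.action == "token_change":
            if last_level.get(key) == "user" and ev.level == "admin":
                alerts.append((ev.host, ev.pid, ev.image))
            last_level[key] = ev.level
    return alerts

H = "ab12" * 16   # constructed hash, not on any blocklist
SAMPLE_EVENTS = [
    Event(0,  "ws-07", 0,    "update.msp",  "ExampleVendor Inc.", H, "install", ""),
    Event(5,  "ws-07", 4120, "updater.exe", "ExampleVendor Inc.", H, "start", "user"),
    Event(9,  "ws-07", 4120, "updater.exe", "ExampleVendor Inc.", H, "token_change", "admin"),
    Event(12, "ws-07", 880,  "backup.exe",  "ExampleVendor Inc.", H, "start", "admin"),
    Event(15, "ws-07", 880,  "backup.exe",  "ExampleVendor Inc.", H, "token_change", "admin"),
    Event(20, "ws-09", 4120, "updater.exe", "ExampleVendor Inc.", H, "start", "user"),
]

if __name__ == "__main__":
    print("perimeter allows install:", perimeter_allows(SAMPLE_EVENTS[0]))
    for host, pid, image in behavioral_alerts(SAMPLE_EVENTS):
        print(f"ALERT {host} pid={pid} {image}: user -> admin")
```

The install-time check passes the update because it is signed by a trusted supplier and its hash is unknown, while the endpoint rule flags only the process that started as a user and later became an admin.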

Should small businesses follow the government's lead and upgrade to this new type of cybersecurity protection? Of the recent cyberattack victims, only 27% were government or government contractor machines, and over 80% of the SolarWinds-affected computers were in the United States. This shows that small businesses in the United States continue to be highly targeted. Owners should understand this threat and what steps are available to mitigate new threats that follow this same pattern.
