SolarWinds, a trusted provider of IT management software that was rather unknown outside of IT circles, became a household name after it disclosed in December that advanced threat actors compromised certain versions of its Orion platform and carried out attacks against the U.S. government and other private sector technology companies.
The company, along with other technology giants like Microsoft, cybersecurity firms FireEye and Volexity and others have been releasing information as they learn more about the intrusion, the level of sophistication with which the alleged Russian hackers operated, and how the tech industry can better prevent bad actors from using our own tools against us.
Tim Brown, the vice president of security for SolarWinds, met with My TechDecisions for a video interview about what the company is doing in the aftermath of the attacks being disclosed, what the IT community should take away from the incident, and how end users can take their own measures to make sure their vendors are secure.
What the last few months have been like for SolarWinds
The company has since launched a Secure by Design campaign that aims to better secure the company’s own IT environment, including stronger endpoint protections, better data loss prevention, expanding security operations, tighter firewall policies, zero trust and least privilege access policies and more monitoring of third-party vendors.
That’s on top of making sure their customers are upgrading to the latest versions of the software and making sure those builds are safe, Brown says.
In the build supply chain, the company is implementing a two-way build process, which Brown describes as a way to verify that nothing malicious has found its way into SolarWinds products.
“We now build from source code control through our build process to product,” Brown says. “Then we go backwards, and we install the product, decompile the product and link it all the way back to source.”
The company has been meeting with CrowdStrike and auditing firm KPMG nearly every day to go over new findings of the investigation, which includes things in the company’s own environment that need to be tightened down.
“We’ve instrumented everything and got great visibility across the entire environment,” Brown says.
According to Brown, the company has upgraded “thousands” of customers to the latest version of the software, but other customers don’t have Orion connected to the internet and therefore weren’t at risk of a further intrusion by the threat actors.
Overall, customers have been supportive and aren’t casting blame. Many of SolarWinds’ customers are in the tech industry themselves and are fully aware that a cyberattack of this magnitude can happen to anyone.
In fact, we’re seeing this in real time with the Microsoft Exchange Server attacks.
“So this supply chain issue is one that they’re very concerned about,” Brown says. “What safeguards can they put into place? That’s one of the things that we’ve really been trying to help them with.”
How this incident is changing the IT industry
According to Brown, the incident has taught the company and the IT community that nobody is immune to cyberattacks and everyone must stay as vigilant as possible. That includes protecting the software build environment and doing things you never thought necessary.
For example, the company is in the process of building its next generation build process and build model that will include an off-site clean room, a lab environment and a development environment, and no one person or service will have access to all three.
“So therefore, within a build window, you would need to compromise all three accounts, all three services, you would have to do it in a period of time, and you would have to collude across all of those to be able to have binary compatible releases being the same,” Brown says.
This helps implement a zero-trust model in the software build environment in which no one person can do anything nefarious.
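The two checks Brown describes above, building forward from source and then linking the shipped artifact back to source, and requiring three isolated environments to agree on a byte-identical release, can be expressed as a small verification step. The script below is an added example, not SolarWinds' own tooling: the environment names, the toy deterministic "compiler" (a pinned source digest plus a compressed body) and the sample source are assumptions constructed for illustration. A real pipeline would substitute its reproducible build and a decompile-and-compare step for the toy compiler, but the acceptance logic is the same.

```python
"""Added example: a release is accepted only if every isolated build
environment produced the same artifact and that artifact links back to the
exact source revision.  Environment names and the toy compiler are
assumptions for illustration, not SolarWinds' own tooling."""
import hashlib
import zlib
from collections import Counter

# Assumed environment names, one per isolated build site; no single identity
# is expected to hold credentials for more than one of them.
REQUIRED_ENVIRONMENTS = ("clean_room", "lab", "development")
HEADER_PREFIX = b"SRC-SHA256:"


def source_digest(source: bytes) -> str:
    """Identity of the source revision as it sits in source control."""
    return hashlib.sha256(source).hexdigest()


def build_from_source(source: bytes) -> bytes:
    """Toy deterministic 'compiler': pins the source digest into a header and
    compresses the body.  Real builds need pinned toolchains and no embedded
    timestamps to be reproducible across environments like this."""
    header = HEADER_PREFIX + source_digest(source).encode() + b"\n"
    return header + zlib.compress(source, 9)


def link_back_to_source(artifact: bytes, source: bytes) -> bool:
    """The 'backwards' half of the two-way check: take the shipped artifact,
    recover what it claims to have been built from, and confirm it matches
    what is in source control."""
    header, _, body = artifact.partition(b"\n")
    if not header.startswith(HEADER_PREFIX):
        return False
    claimed = header[len(HEADER_PREFIX):].decode(errors="replace")
    try:
        recovered = zlib.decompress(body)
    except zlib.error:
        return False
    return claimed == source_digest(source) and recovered == source


def verify_release(builds: dict, source: bytes) -> dict:
    """Accept a release only if every required environment produced the same
    artifact (majority vote exposes the odd one out) and the agreed artifact
    links back to the source revision."""
    missing = [e for e in REQUIRED_ENVIRONMENTS if e not in builds]
    if missing:
        return {"ok": False, "reason": "missing builds", "outliers": missing}
    digests = {e: hashlib.sha256(builds[e]).hexdigest() for e in REQUIRED_ENVIRONMENTS}
    majority, _ = Counter(digests.values()).most_common(1)[0]
    outliers = sorted(e for e, d in digests.items() if d != majority)
    if outliers:
        return {"ok": False, "reason": "build outputs diverge", "outliers": outliers}
    if not link_back_to_source(builds[REQUIRED_ENVIRONMENTS[0]], source):
        return {"ok": False, "reason": "artifact does not link back to source", "outliers": []}
    return {"ok": True, "reason": "all environments agree and link to source",
            "outliers": [], "release_digest": majority}


# Constructed sample: the same source revision built in all three environments.
SOURCE = b"def collect_metrics():\n    return poll_devices()\n"
HONEST_BUILDS = {env: build_from_source(SOURCE) for env in REQUIRED_ENVIRONMENTS}

# Constructed failure case: one environment's output gained extra bytes after
# the build step; the two untouched environments expose it.
TAMPERED_BUILDS = dict(HONEST_BUILDS)
TAMPERED_BUILDS["lab"] = HONEST_BUILDS["lab"] + b"\x00extra"

if __name__ == "__main__":
    print(verify_release(HONEST_BUILDS, SOURCE))
    print(verify_release(TAMPERED_BUILDS, SOURCE))
```

The majority vote is what makes the three-environment split worth the cost: a change introduced in one build environment shows up as a disagreement, so an attacker would have to alter all three consistently within the same build window, which is the collusion Brown describes. The link-back check covers the other direction, an artifact that all environments agree on but that was not built from the revision in source control. Neither check helps if the source itself is modified, so code review and signed commits still sit in front of this step.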
Another key is automation, Brown says, explaining that perhaps too many processes have been automated for efficiency’s sake, particularly in recent years and in 2020 as businesses adopted new technology to help them get through the pandemic.
“Automation is great, but it doesn’t necessarily check or see that something may have occurred that wasn’t supposed to occur,” Brown says. “It’s just doing its job.”
Going forward, software providers will need to be more transparent and welcome inspection and audits. Many audit firms, however, don’t yet have the skills and expertise to examine a software development cycle, though that is likely to change.
“We think they will, and we think that will be a big component to the future,” Brown says.
In preparation for an external audit, the company is conducting its own internal audit so that information will be readily available in a consumable form.
“When that audit occurs and when new regulation occurs, we should all be preparing for that because I believe that will be on the horizon,” Brown says.
The role end users can play in software supply chain security
Now when procuring new software or solutions, organizations should come armed with a long list of questions about not just the security of the product, but the company’s build process.
To some extent, that was already happening, as customers are digging into detail about how software is developed and how a vendor’s own infrastructure is secured. What’s changing, according to Brown, is that the answers to those questions must be as detailed as possible.
“The expectation now is not just standard, stock answers – it is actually very thoughtful answers and more transparent answers,” Brown says. “That will be a change for the industry.”
In the same vein, there has been talk of a software bill of materials so users can easily identify all of the components in a piece of software.
However, with the rapid pace of digital transformation over the last year, IT professionals are already stretched thin, and many internal IT departments don’t have the necessary skills to look through those products and identify potential issues.
Brown suspects that there will be a certification applied to software vendors that would help IT departments better evaluate the security and capabilities of the software.
More cooperation is needed
The incident, along with the Exchange Server compromises, is leading to new calls for information sharing and possible legislation that mandates the reporting of a cyber incident.
In this example, however, Brown believes the company and its partners have done a good job of sharing information and being transparent about the attacks. Along with SolarWinds, Microsoft, FireEye, CrowdStrike and other firms have worked together to share what they know about the incident so IT security professionals everywhere can defend themselves against this sophisticated threat actor.
He pointed specifically to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which he said has acted as a good coordinator and amplifier of information.
“I think this is an example of how we can work better together and really help safeguard things,” Brown says.
Through all of the negative press and finger-pointing, Brown wants SolarWinds to be an example of how a company conducts itself after a major incident like this. The company is owning the fact that it happened despite what Brown calls “a very reasonable security program” in place, but not one capable of defending against a 1,000-person nation-state threat actor.
The company hopes its transparency and willingness to share information will help show other organizations implicated in a major cybersecurity incident how to recover from a similar event.
“The way we come out of it is being exemplary,” Brown says. “And that’s what we’ve done for the last few months.”