SolarWinds ready to move past breach and help customers manage theirs
SolarWinds is ready to move past the "cyber incident", having spent the past year bolstering its build model and processes to better mitigate future cybersecurity breaches. It also has expanded its systems monitoring capabilities as part of efforts to help customers better manage the complexities of hybrid cloud environments.
Mention SolarWinds and most would recall a colossal security breach that triggered when a malware-laced update for the vendor's Orion network monitoring platform was sent to customers. Thousands of companies received the Orion update containing the malicious code Sunburst, including US government agencies, Microsoft, Malwarebytes, and FireEye, which first raised the alarm in December 2020.
Acknowledging that 2021 was a tough year, SolarWinds' president and CEO Sudhakar Ramakrishna told ZDNet that the company spent the time and investment assessing what it needed to do to beef up its infrastructure and processes.
In January 2021, with Ramakrishna then newly on board, SolarWinds brought in Chris Krebs, former director of the US Cybersecurity and Infrastructure Security Agency, and former Facebook chief security officer Alex Stamos to help improve its security posture.
Over the past year, Krebs and Stamos engaged governments and regulators and put in place best practices to drive the vendor's focus on being "secure by design", Ramakrishna said in an interview. While SolarWinds already had capabilities in this aspect prior to the breach, more were added across all elements of security, he said.
Efforts were centred on three key areas around its infrastructure, which included its cloud assets and applications, software build, and processes.
The focus here was to reduce the threat window that a security incident could occur and alter the threat surface on which an attack could be launched, he explained. A new build process then was implemented to address these two objectives, he said, adding that the goal was not to provide a fixed target for attackers to target by creating dynamic, rather than static, processes.
In this "next-generation build system", SolarWinds subscribes to four pillars that looked to support "secure by design" software development principles to boost its resiliency against future attacks. These encompass "ephemeral operations", amongst others, in which resources are produced on-demand and dismantled when tasks are completed, making it more difficult for threat actors to establish a base on systems.
The vendor also adopts a "build in parallel" principle where it creates multiple secured duplicates of its new build system and builds all artifacts in parallel, across all systems at the same time. This establishes a basis for integrity checks and "consensus-attested builds".
Apart from assessing the resilience of its systems, SolarWinds also spent the past year pumping in investments to expand its operations two key regions, Asia-Pacific and EMEA, said Ramakrishna, who was in Singapore this week.
In addition, it worked to "evolve" its product offerings to support customers' digital transformation and changing needs, especially as more adopted multi-cloud environments, he said. In this aspect, the vendor looked to beef up its product capabilities across automation, observation, visualisation, and remediation.
Describing 2021 as a "tough" as it coped with the aftermath of the "cyber incident", the SolarWinds CEO said the year also was "rewarding" as the vendor was able to focus on bolstering its build systems and processes as well as make the investments it did.
And while it remained associated with the security breach, he said SolarWinds also should be associated with how it handled and dealt with the breach and emerged from it.
He noted that security incidents were "here to stay", pointing to others that had followed since SolarWinds' own breach, such as Kaseya, US Colonial Pipeline, Log4j, and more recently Okta.
Deeper observability needed to manage complex hybrid environments
Rather than roll over and play victim, though, Ramakrishna said companies needed to learn from such attacks and continuously worked to better mitigate their impact.
This was particularly critical amidst significant changes in IT environments, as organisations adopted hybrid work and were more dependent on cloud services, he said.
As their ecosystems widened, they now had to deal with different environments with different security postures and different connectivity profiles, he noted. Security challenges were amplified along with demands on performance and the ability to identify and remediate issues, he added.
It drove SolarWinds to pull together its monitoring capabilities and extend them to support such security requirements, he said. This included the need for deeper observability or "observation", as he coined it, with a comprehensive system that could look at data across all entities including networks, databases, applications, users, and systems. Organisations then would be able to detect issues faster and remediate.
In reiterating the need for security by design, Ramakrishna also underscored the importance of adopting a zero trust framework as well as the need for better collaboration between private and public sectors.
"No company, regardless of how many resources you have or how smart and dedicated you are, will be able to thwart nation-state attacks," he said, stressing the difficulty of defending against such threats. "The best way I know [that] needs to be done is for vendors like us to share information and not be shy to share when we've been breached. Like any crisis situation, the faster we announce, the faster we accept help, the faster we resolve issues."
In addition, he urged governments to proactively share threat intelligence with the private sector so the industry could be more vigilance against potential attacks.
While there currently was not enough of such exchange of information, he expressed optimism this would improve over time as there already was "collective will" to start doing so. "Threat intelligence should never be used as a competitive advantage," he added. "We should compete hard on the value we deliver to customers, [but] not on holding back information from your competition with regards to threat intelligence."
Governments also had a role to play in how victims of cybersecurity breaches were perceived, he said, noting that victim-shaming would discourage companies from coming forward. An "environment of understanding" for those that complied would speed up resolution in the event of a security incident, he added.
Asked about his priorities moving forward, Ramakrishna pointed again to SolarWinds' significant investment to drive its expansion plans in Asia-Pacific, which he said could be its fastest growing region.
He declined to break down the vendor's growth and investment numbers by region, but said it recently established offices in South Korea and expanded its presence in Japan as well as Asean and ANZ.
In its first quarter 2022 earnings report last week, SolarWinds reported revenues of $177 million, up 2% year-on-year. Subscription revenue grew 37% year-on-year to hit $38.7 million, with adjusted EBITDA clocking in at $69 million. For the year, it forecasted revenue to range from $730 million to $750 million, on a year-on-year growth of between 2% and 4%.
According to Ramakrishna, the vendor's customer renewal rates prior to the breach had hovered in the low- to mid-90s, but dipped to the 80s in 2021 following the December 2020 cyber incident. Numbers since had climbed back up to 91% in the first quarter of this year, he said.
RELATED COVERAGE
- SolarWinds releases security advisory after Microsoft says customers 'targeted' through vulnerability
- SolarWinds: US and UK blame Russian intelligence service hackers for major cyberattack
- SolarWinds hack analysis reveals 56% boost in command server footprint
- Singapore assessing WhatsApp privacy policy change, not 'adversely affected' in SolarWinds breach
- APAC firms need to build trust, brace for more third-party attacks