Reflections from SolarWinds CISO

By Amit Roy Choudhury

Security by design and incorporating sustainability are the way forward in cybersecurity.

Resilience has been the main theme of this year’s Singapore International Cyber Week (SICW) and GovWare events. Public officials and cyber experts gathered to discuss how to build resiliency into networks in a way that not only prevents breaches but also ensures that breaches, when they occur, can be rapidly contained.

With the level of automation and digitalisation increasing exponentially due to Covid-19, the number and sophistication of cyberattacks have increased substantially. But one malicious attack changed the paradigm in terms of cybersecurity perceptions: the hack on high profile US IT company, SolarWinds, that was first reported in December 2020.

Tim Brown, Chief Information Security Officer (CISO) of SolarWinds, shared his company’s experience with the hack and more importantly the lessons that have been learnt from it. However, before going into that, it would be useful to have a look at what exactly happened in the SolarWinds case.

The SolarWinds hack


The company provides system management tools for network and infrastructure monitoring and other services for several hundred thousand organisations around the world. One of the company’s most iconic products is an IT performance system called Orion.

Hackers - Brown says they were Russian government-backed - targeted SolarWinds by deploying malicious code into different builds of the Orion software. A forensic examination shows that the hackers may have penetrated the Orion platform as far back as September 2019 and it was nearly 14 months before the first alert went out.

The Orion software, being an IT monitoring tool, has deep access to a customer’s log and system performance data and hence it is a lucrative target for hackers.

Around the time the breach was discovered, more than 30,000 organisations had the Orion platform on their network to manage their IT resources. As a result, the hack compromised the data, networks and systems of thousands of organisations when SolarWinds inadvertently delivered the backdoor malware as an update to the Orion software.

The hackers used a method of attack known as a supply chain. This is a type of cyberattack in which criminals target software vendors or IT services companies to infect their clients rather than try to insert malicious code into an organisation’s network directly.

In hindsight, many cybersecurity experts feel that the Orion platform was the perfect target for a supply chain attack. All the hackers had to do was install the malicious code into a new batch of software distributed by SolarWinds as an update or patch to pre-installed software.

Changes for the better

During his presentation, Brown said that one of the good things to come out of the incident has been that a lot of changes have taken place in the industry, technology and government regulations on software development.

SolarWinds, along with several other companies, are placing a focus on security by design, he highlighted. “In short, build security everywhere in an environment,” he said.

Attackers in future will be very thoughtful and structured and the defence needs to think about how the adversaries work hard and collaborate, Brown warned. “We need to do the same.”

The attack on his company was a “determined, patient, and labour-intensive attack by an outside nation-state”, he noted. “We expect to see more sophisticated attacks in future.”

“We're hoping all software vendors are looking to raise their bar, as well as customers looking to raise their expectations from software providers,” Brown added.

How to achieve security by design

In this new paradigm, there is a need to involve everyone across the environment in cybersecurity to implement security by design, said the SolarWinds CISO. “You need to use the tools, techniques, procedures, and people. So that means training and education for people. It also means Red teaming (ethical hacking) and it means treating administrators at a different level than treating regular users.”

Another aspect of security by design is checking the algorithms that go into building a product – “we build a lot of products and that was the insertion point of the malware”.

The way forward is updating the access to systems and reaching “assume breach process, and procedure”, he added.

New regulations

Following the breach, several things have changed, Brown noted. The US government issued an executive order surrounding how software is built-in. It specified frameworks for building software, and defined things like requirement of a software bill of materials, he explained.

“The government is putting their money behind these efforts, saying that, if you're not a vendor that is following these best practices, and you're not being transparent about how you're developing software, we won't buy your software,” he added.
Companies are also starting to be more prescriptive on what they're doing and what they're asking from their software vendors, Brown observed.

Securing the entire chain


For security by design, there is a need to look at the infrastructure across the entire environment as the infrastructure itself is changing, Brown added.

“We all have some assets on-premise or some assets in the cloud. We have endpoints that have become extremely important identities that we're trying to centralise into a single source of truth. So, it's important to take that into account as we go forward to build the next generation of software that is auditable, accountable, and beyond enterprise-grade,” he said.

Brown added SolarWinds has changed the way it develops software. It is now building in three places: a security pipeline, a dev pipeline, and a test pipeline. “No one person has access to all three,” he highlighted.

“In future, if any intruder wants to affect our builds, they would need to get collusion between those three. There are a lot of audits in those areas that make sure that only the right people have access to the environments, and there is a tremendous amount of forensic analysis of the environment,” he said.

Trust will be important

Trust will be a very important factor as we look at how “we can create a secure and resilient environment”, said Brown. How can companies build trust by design?

They should start with ensuring their data is correct, tamper-resistant and can be fully trusted. “It is very important that everything we do makes sure that the code that is provided is trusted,” he noted.

Firms need to be able to “measure security” and make sure that either the vendors they engage or the products they provide to their companies are secure, he said.

They also need to be able to empirically prove that they have security in place with the necessary regulatory compliance, he added.

Sustainability, diversity & inclusion

During his presentation, Brown highlighted that sustainability as an important component of trust. Diversity, inclusion, and environmental stability are just as important to the trustworthiness of a company as security and regulatory compliance, he said.

“It is a shift in how the world is thinking about trusting a company and doing business with it,” he noted.

As his concluding thoughts, the SolarWinds official noted that it is very important for organisations, who are evaluating solutions for use in their organisation, to set the bar higher. “They need to ask the hard questions, and look for answers before giving blanket trust to a service provider, be it software or hardware.

“We need to use the SolarWinds hacking episode to improve the world and that's really what we're hoping to,” he added.

Amit Roy Choudhury, a media consultant, and senior journalist writes about technology for GovInsider.