The CISO of SolarWinds on the legacy and lessons of Sunburst: “You earn respect by admitting what happened.”

Security chief counts new build system and greater intel sharing among positive legacies of watershed cyber-attack.

From the infamous NotPetya campaign to the CCleaner backdoor, watershed infosec moments are not infrequent, but the SolarWinds supply chain attack stands out as particularly consequential.

The so-called ‘Sunburst’ attack, which leveraged a backdoor implanted in a legitimately signed software update for the Orion IT performance monitoring platform, placed the attackers’ code inside the networks of as many as 18,000 SolarWinds customers in 2020; from that pool the intruders picked a far smaller set of high-value targets for hands-on follow-up. Among those affected were Microsoft, NASA, security firm FireEye, and the US justice and state departments.

It was a hugely stressful experience for those affected, not least for the man tasked with leading SolarWinds’ incident response. However, as the Texas-headquartered company’s chief information security officer (CISO) Tim Brown tells Daily Swig, the aftermath has not been without salutary benefits.

He believes the advantages have accrued not just to SolarWinds itself – through a pivot to an organization-wide ‘secure by design’ paradigm – but attitudes to cyber-resilience in general, too.

‘Out of a movie’

“Many people believed that a nation-state attack of this level – being very patient, very stealthy, very quiet, very mission-centric – was [like something] out of a movie, that this was not real,” says Brown, who joined SolarWinds in 2017 as vice president of security.

But the attack, which was attributed to Russian state-linked hacking group APT29 (aka Cozy Bear or Nobelium), was all too real – and many organizations were ready to heed the lessons.

“This is what you need to be defending against – and not just from nation states,” says Brown. “The cybercriminal types, the ransomware types, are looking at [Sunburst] saying, ‘well, if I invest $5 million, I get $50 million – that’s a good return on my investment’.

“CISOs around the world thanked me for helping with their budget, because their boards asked: ‘Could this happen to us?’

And of course, the CISO says: ‘Yes, we need to invest here, here, and here’. So we actually injected a lot of security into the overall ecosystem.”

The incident has galvanized the US government, too. A flurry of initiatives, including an overhaul of government software procurement practices and a mobilization plan for securing the software supply chain, have drawn cautious approval from the likes of Randori’s Aaron Portnoy and Sonatype’s Brian Fox.

Further large-scale supply chain attacks against Codecov and Kaseya VSA, and the vulnerability in near-ubiquitous open source library Log4j, have only served to keep complacency at bay.

‘Human side’

Brown, who was previously a chief technology officer (CTO) at Dell, says that with the technical details of Sunburst now “well understood”, people “want to know what was it like from the inside, for me personally – what’s it really like behind the scenes?”

Arguably this interest in the “human side” partly reflects an anxiety that no organization, no matter how secure, is entirely immune from such sophisticated, targeted, and stealthy attacks.

“It’s not an easy job,” says Brown. “I think we have a duty not to hide, a duty to explain risk in business terms, and elevate our risk posture to that. That helps us manage our own stress and manage risk for the company, but also just put it into the right context for everyone.”

Vendors like SolarWinds, whose network and infrastructure monitoring tools typically run with privileged credentials across the very systems they watch, can afford only a small risk appetite: a compromise of the tool is a compromise of everything it can reach.

“What people need to understand is where they fit within critical streams, critical infrastructure, and supply chains,” says Brown. “Based on that, you can define your risk tolerance.

“So if your component is fenced off at the bottom of the ocean and takes an input and an output, and that’s all you do, the level of risk that you’re facing is pretty minimal, right? But if you’re sitting in the middle of a nuclear power plant, then your risk ends up being much higher.”

Ephemeral build environments

SolarWinds’ post-Sunburst revamp “has engineering implications, security implications, process and procedure implications”, says Brown. “Think of it as an umbrella to put security inside of our thought process early as possible in the process for everything that we do.”

SolarWinds has, among other things, issued hardware security keys (YubiKeys) to most employees for phishing-resistant authentication, and now runs three security operations centers (SOCs) to gain visibility across the environment.

Central to the overhaul is a new software development process unveiled in June, underpinned by four principles. The first is ephemeral build environments: each build runs in an environment created for that job and destroyed when it completes, so, in Brown’s words, “you don’t have something static that can be attacked”. The Sunburst implant itself lived on a long-running build server, which is precisely the target this removes.

SolarWinds has overhauled its software development process according to secure-by-design principles

The second pillar is deterministic builds: building the same source twice must yield byte-for-byte identical artifacts, so that any difference between two builds is evidence that something other than the source changed.

Brown explains that two builds of identical source are ordinarily not identical at the byte level, because timestamps and other inputs that have nothing to do with the code leak into the output; SolarWinds has engineered those differences out, so its builds can now be compared byte-for-byte.

The third pillar is multiple independent build pipelines run in parallel: a fast developer build, a security build, and a slower validation build.

“I compare the results for assurance that nothing changed in that pipeline or associated supply chain,” Brown explains. “No one person has access to all three. We would need collusion between multiple people to affect the build system.”

The final pillar is recording every step of a build, so that each release is fully traceable and has a permanent proof of record.
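The second, third and fourth pillars fit together as one mechanism, and the following added example (mine, not SolarWinds’ code, which the article does not reproduce) shows it on a deliberately small scale: a "build" here is just packaging an in-memory source tree into a tar archive. A reproducible build pins every non-content input (entry order, mtimes, ownership, mode); a conventional build stamps the wall-clock time into the archive, which is the kind of divergence Brown describes. The same tree is then built in three hypothetical pipelines named `developer`, `security` and `validation`, the digests are compared as a release gate, one pipeline is "tampered" to show the gate catching a modified source file, and a minimal provenance record stands in for the build-step log. The source tree, pipeline names and record format are all constructed for the example.

```python
"""Reproducible builds checked across independent pipelines.

Added example (not SolarWinds' code): models deterministic builds,
multi-pipeline comparison and a build record with an in-memory
'build' so it runs offline.
"""
import hashlib
import io
import tarfile
import time
from collections import Counter

# Constructed sample source tree (hypothetical content).
SOURCE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.h": b'#define VERSION "1.0"\n',
    "README": b"demo\n",
}

# Hypothetical pipeline names standing in for the fast developer build,
# the security build and the slower validation build.
PIPELINES = ("developer", "security", "validation")


def build_artifact(tree, reproducible=True, build_time=None):
    """Package a source tree into an uncompressed tar archive.

    reproducible=True pins every non-content input (entry order, mtime,
    owner, mode) so the bytes depend only on the files' contents.
    reproducible=False mimics a conventional build that records the
    build's wall-clock time, one reason two builds of identical source
    usually differ byte-for-byte.
    """
    names = sorted(tree) if reproducible else list(tree)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = tree[name]
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mode = 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            if reproducible:
                info.mtime = 0
            else:
                info.mtime = int(time.time()) if build_time is None else int(build_time)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest(artifact):
    return hashlib.sha256(artifact).hexdigest()


def run_pipelines(tree, reproducible=True, tamper=None):
    """Build the same tree once per pipeline; return {pipeline: sha256hex}.

    Each pipeline works on its own throwaway copy of the tree (the
    ephemeral-environment idea). tamper=(pipeline, path, new_bytes)
    simulates an attacker who controls one build environment and
    alters a source file there, as happened to the Orion build.
    """
    started = int(time.time())
    results = {}
    for i, name in enumerate(PIPELINES):
        local_tree = dict(tree)
        if tamper and tamper[0] == name:
            local_tree[tamper[1]] = tamper[2]
        # Slower pipelines finish later; a conventional build would
        # record that later time in the artifact.
        artifact = build_artifact(local_tree, reproducible, build_time=started + 60 * i)
        results[name] = digest(artifact)
    return results


def pipelines_agree(results):
    """Release gate: every pipeline must have produced identical bytes."""
    return len(set(results.values())) == 1


def disagreeing_pipelines(results):
    """Pipelines whose output differs from the majority digest."""
    majority, _ = Counter(results.values()).most_common(1)[0]
    return sorted(n for n, d in results.items() if d != majority)


def provenance_record(pipeline, tree, artifact):
    """Minimal build record: inputs, output and builder. A stand-in for a
    signed attestation, not SolarWinds' actual record format."""
    return {
        "builder": pipeline,
        "inputs": {p: hashlib.sha256(d).hexdigest() for p, d in sorted(tree.items())},
        "output_sha256": digest(artifact),
    }


if __name__ == "__main__":
    print("reproducible, clean:   ", pipelines_agree(run_pipelines(SOURCE_TREE)))
    print("conventional, clean:   ", pipelines_agree(run_pipelines(SOURCE_TREE, reproducible=False)))
    bad = run_pipelines(SOURCE_TREE, tamper=("security", "src/main.c", b"int main(void) { return 1; }\n"))
    print("reproducible, tampered:", disagreeing_pipelines(bad))
```

Two caveats a practitioner should keep in mind. Timestamps are only one source of non-determinism; real toolchains also leak build paths, parallel link order and compiler-internal randomness, and each has to be pinned before byte comparison is meaningful. And the comparison is only as strong as the independence of the pipelines: if one person, one credential or one shared base image can reach all three, an attacker who takes it can tamper consistently and the digests will still agree, which is why Brown stresses that no single person has access to all three.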

Sharing is caring

SolarWinds is open sourcing components of its new build system in the professed spirit of sharing best practices.

“Our adversaries collaborate well, they have no problem sharing,” Brown notes, but he says Sunburst has encouraged both more government-sponsored sharing and “grassroots sharing between private and private [entities]”.

This notably includes sharing insights on what attackers are “doing to go after certain industries”, he says, citing the contributions of industry-specific ISACs approvingly.

Microsoft, FireEye’s Mandiant, and numerous security researchers “pushed the envelope of what gets shared” following Sunburst.

He also credits the US Cybersecurity and Infrastructure Security Agency (CISA) with “amplifying the truth without ulterior motives”, while the UK’s NCSC “helped people understand the risks that they face and what they should do.”

‘Owning what happened’

Brown’s own experience of talking to thousands of customers in the wake of the attack has, meanwhile, underlined the importance of an empathetic approach to customer engagement.

“It’s important to be open and transparent and answer their questions,” he says.

“We had a pretty bad few months, but our customers did too. It was Christmas and thousands of customers and IT departments around the world had to figure out if it was affecting them. So never forget your customers, never forget their pain.”

Empathy plus transparency have underpinned SolarWinds’ reputational recovery, according to Brown.

“No one had ever really been as open, transparent, and forthcoming from an incident,” he claims. “One of the biggest lessons we can show the industry is that you get respect from owning what happened and then recover. You don’t need to hide.”

Nevertheless, media coverage was unavoidably damaging in the short to medium term, he concedes. “For the first few months, in general the CISOs at larger companies and governments were like, ‘This can happen to anybody, we understand [this was a] sophisticated actor. Thank you for owning [the situation]’.

“The press took a lot longer,” he adds. “Bad news tends to sell. But if your guiding light is helping the customers, then eventually it turns around, to the point of people recognizing that you are doing a good response.”

As well as being “open, honest, and humble” in the wake of incidents, concludes Brown, vendors must not overlook the importance of building “great products that customers love” – otherwise it’s easy for them to switch products, “no matter what you do”.

 

