The CISO of SolarWinds on the legacy and lessons of Sunburst: “You earn respect by admitting what happened.”
Security chief counts new build system and greater intel sharing among positive legacies of watershed cyber-attack.

From the infamous NotPetya campaign to the CCleaner backdoor, watershed infosec moments are not infrequent, but the SolarWinds supply chain attack stands out as particularly consequential.

The so-called ‘Sunburst’ attack, which leveraged a backdoor implanted in a software update for IT performance monitoring system Orion, gave attackers access to 18,000 SolarWinds customers in 2020. Among them were Microsoft, NASA, security firm FireEye, and the US justice and state departments.

It was a hugely stressful experience for those affected, not least for the man tasked with leading SolarWinds’ incident response. However, as the Texas-headquartered company’s chief information security officer (CISO) Tim Brown tells The Daily Swig, the aftermath has not been without salutary benefits.

He believes the advantages have accrued not just to SolarWinds itself – through a pivot to an organization-wide ‘secure by design’ paradigm – but to attitudes towards cyber-resilience in general, too.

‘Out of a movie’

“Many people believed that a nation-state attack of this level – being very patient, very stealthy, very quiet, very mission-centric – was [like something] out of a movie, that this was not real,” says Brown, who joined SolarWinds in 2017 as vice president of security.

But the attack, which was attributed to Russian state-linked hacking group APT29 (aka Cozy Bear or Nobelium), was all too real – and many organizations were ready to heed the lessons.

“This is what you need to be defending against – and not just from nation states,” says Brown. “The cybercriminal types, the ransomware types, are looking at [Sunburst] saying, ‘well, if I invest $5 million, I get $50 million – that’s a good return on my investment’.

“CISOs around the world thanked me for helping with their budget, because their boards asked: ‘Could this happen to us?’ And of course, the CISO says: ‘Yes, we need to invest here, here, and here’. So we actually injected a lot of security into the overall ecosystem.”

The incident has galvanized the US government, too. A flurry of initiatives, including an overhaul of government software procurement practices and a mobilization plan for securing the software supply chain, have drawn cautious approval from the likes of Randori’s Aaron Portnoy and Sonatype’s Brian Fox.

Further large-scale supply chain attacks against Codecov and Kaseya VSA, and the vulnerability in near-ubiquitous open source library Log4j, have only served to keep complacency at bay.

‘Human side’

Brown, who has previously been chief technology officer (CTO) at Dell, says that with the technical details of Sunburst now “well understood”, people now “want to know what was it like from the inside, for me personally – what’s it really like behind the scenes?”

Arguably this interest in the “human side” partly reflects an anxiety that no organization, no matter how secure, is entirely immune from such sophisticated, targeted, and stealthy attacks.

“It’s not an easy job,” says Brown. “I think we have a duty not to hide, a duty to explain risk in business terms, and elevate our risk posture to that. That helps us manage our own stress and manage risk for the company, but also just put it into the right context for everyone.”

Vendors like SolarWinds, whose network and infrastructure monitoring tools often require privileged access to sensitive data, can afford to have only a small risk appetite.

“What people need to understand is where they fit within critical streams, critical infrastructure, and supply chains,” says Brown. “Based on that, you can define your risk tolerance.

“So if your component is fenced off at the bottom of the ocean and takes an input and an output, and that’s all you do, the level of risk that you’re facing is pretty minimal, right? But if you’re sitting in the middle of a nuclear power plant, then your risk ends up being much higher.”

Ephemeral build environments

SolarWinds’ post-Sunburst revamp “has engineering implications, security implications, process and procedure implications”, says Brown. “Think of it as an umbrella to put security inside of our thought process early as possible in the process for everything that we do.”

SolarWinds has, among other things, given most employees YubiKeys and now has three security operations centers (SOCs) to gain visibility across the environment.

Central to the overhaul is a new software development process unveiled in June, underpinned by four principles. These include ephemeral build environments that self-destruct after completing specific tasks, meaning “you don’t have something static that can be attacked”.

SolarWinds has overhauled its software development process according to secure-by-design principles

The second pillar is deterministically constructed products, whose build outputs will always have identical, secure components.

Brown explains that two builds of identical source are ordinarily not byte-for-byte identical, because of differing build timestamps, but SolarWinds has achieved deterministic builds whose outputs can be compared at the binary level.

The third pillar is around creating multiple build pipelines – a fast developer build, security build, and slower validation build – in parallel.

“I compare the results for assurance that nothing changed in that pipeline or associated supply chain,” Brown explains. “No one person has access to all three. We would need collusion between multiple people to affect the build system.”

The final pillar involves tracking software build steps for complete traceability and permanent proof of record.
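The timestamp problem and the three-pipeline comparison described above, as an added Python example that is not SolarWinds’ own tooling: it packs a constructed source file into an archive the way a naive pipeline would (stamping each entry with that run’s own clock) and the way a deterministic pipeline would (a pinned timestamp), then hashes the artifacts from three independently run pipelines and flags any that disagree with the majority. File contents, pipeline names and timestamps are constructed for the demonstration.

```python
import hashlib
import io
import zipfile
from collections import Counter

# Constructed sample "source tree": one file the build packs into an archive.
SOURCE_FILES = {"app/main.py": b"print('hello')\n"}

# A timestamp every pipeline agrees to embed (the same idea as SOURCE_DATE_EPOCH
# in reproducible-builds tooling). ZIP headers store DOS local time as a tuple.
PINNED_TIME = (2020, 1, 1, 0, 0, 0)


def build_archive(files, timestamp):
    """Pack files into a zip in sorted order, stamping every entry with
    `timestamp`. The stamp is written into each local file header and the
    central directory, which is why two otherwise identical builds that use
    their own wall clock differ byte-for-byte."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(files):
            info = zipfile.ZipInfo(name, date_time=timestamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, files[name])
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def compare_pipelines(artifacts):
    """artifacts: {pipeline_name: artifact_bytes}. Returns (all_identical,
    outliers); outliers are the pipelines whose digest differs from the
    majority digest, i.e. the build that would need investigating."""
    digests = {name: sha256(blob) for name, blob in artifacts.items()}
    majority, _ = Counter(digests.values()).most_common(1)[0]
    outliers = sorted(n for n, d in digests.items() if d != majority)
    return len(set(digests.values())) == 1, outliers


def demo():
    # Two naive runs, each stamping the archive with its own clock
    # (constructed values one minute apart): not comparable.
    naive_a = build_archive(SOURCE_FILES, (2020, 12, 13, 10, 0, 0))
    naive_b = build_archive(SOURCE_FILES, (2020, 12, 13, 10, 1, 0))
    # Three independent pipelines that all pin the timestamp: comparable.
    dev = build_archive(SOURCE_FILES, PINNED_TIME)
    sec = build_archive(SOURCE_FILES, PINNED_TIME)
    val = build_archive(SOURCE_FILES, PINNED_TIME)
    # One pipeline whose input differs by a single line (constructed), so its
    # artifact should stand out against the other two.
    altered = {"app/main.py": SOURCE_FILES["app/main.py"] + b"# extra\n"}
    bad = build_archive(altered, PINNED_TIME)
    return {
        "naive_identical": sha256(naive_a) == sha256(naive_b),
        "pinned_identical": compare_pipelines(
            {"dev": dev, "security": sec, "validation": val})[0],
        "outliers": compare_pipelines(
            {"dev": dev, "security": bad, "validation": val})[1],
    }


if __name__ == "__main__":
    print(demo())
```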

Sharing is caring

SolarWinds is open sourcing components of its new build system in the professed spirit of sharing best practices.

“Our adversaries collaborate well, they have no problem sharing,” he notes, but says Sunburst has encouraged both more government-sponsored sharing and “grassroots sharing between private and private [entities]”.

This notably includes sharing insights on what attackers are “doing to go after certain industries”, he says, citing the contributions of industry-specific ISACs approvingly.

Microsoft, FireEye’s Mandiant, and numerous security researchers “pushed the envelope of what gets shared” following Sunburst.

He also credits the US Cybersecurity and Infrastructure Security Agency (CISA) with “amplifying the truth without ulterior motives”, while the UK’s NCSC “helped people understand the risks that they face and what they should do.”

‘Owning what happened’

Brown’s own experience of talking to thousands of customers in the wake of the attack has, meanwhile, underlined the importance of an empathetic approach to customer engagement.

“It’s important to be open and transparent and answer their questions,” he says.

“We had a pretty bad few months, but our customers did too. It was Christmas and thousands of customers and IT departments around the world had to figure out if it was affecting them. So never forget your customers, never forget their pain.”

Empathy plus transparency have underpinned SolarWinds’ reputational recovery, according to Brown.

“No one had ever really been as open, transparent, and forthcoming from an incident,” he claims. “One of the biggest lessons we can show the industry is that you get respect from owning what happened and then recover. You don’t need to hide.”

Nevertheless, media coverage was unavoidably damaging in the short to medium term, he concedes. “For the first few months, in general the CISOs at larger companies and governments were like, ‘This can happen to anybody, we understand [this was a] sophisticated actor. Thank you for owning [the situation]’.

“The press took a lot longer,” he adds. “Bad news tends to sell. But if your guiding light is helping the customers, then eventually it turns around, to the point of people recognizing that you are doing a good response.”

As well as being “open, honest, and humble” in the wake of incidents, concludes Brown, vendors must not overlook the importance of building “great products that customers love” – otherwise it’s easy for them to switch products, “no matter what you do”.
