SolarWinds’ chief executive said the software provider made a series of changes to its build process and boardroom reporting structure in an effort to prevent another supply chain attack like the one the company experienced late last year.
Specifically, CEO Sudhakar Ramakrishna said SolarWinds was experimenting with multiple, parallel build systems and chains for software updates that together could be used to cross-reference and verify the code integrity of the other chains. Each chain would have to be identified and compromised by an attacker in the same way to successfully push the kind of corrupted software updates that wrought downstream havoc on its customer supply chain.
The company is also taking a series of actions designed to boost the profile of cybersecurity in business decisions and increase the autonomy of its chief information security officer and CIO shops. That includes a new cybersecurity-specific committee in the boardroom, with Ramakrishna himself and two other CIOs among the members, as well as “complete autonomy” for the CISO to hit pause on any software updates being pushed for time-to-market reasons.
“We are creating an independent organization to build that level of capability, comfort and seat at the table with regards to our CISO,” said Ramakrishna during a March 25 virtual event. “Having that level of independence, confidence and air cover is supremely important, otherwise they become a cost line item in a [profit and loss statement] and they get called to the sideline.”
SolarWinds – which counts numerous federal agencies and Fortune 500 companies as customers – suffered widespread criticism for its security practices, experienced a loss of customer confidence and saw its stock price tumble in the wake of last year’s hacking disclosure. The company is also facing numerous investigations from federal regulators for insider trading as well as class action lawsuits from shareholders, who are alleging in court that the company’s lack of rigor and candor around cybersecurity led to artificially inflated stock prices. In January, the software provider brought on former CISA chief Chris Krebs and former Facebook CISO Alex Stamos as consultants to assist with the Orion hack investigation and implement new security practices.
Ramakrishna, who also came on as CEO in January after the breach had been disclosed, said the changes reflect a desire by the company to match the same sophistication and cadence of the groups attacking them when it comes to building secure software. He described the work they’re doing on parallel build systems as an “experiment” and said he has had conversations with CISA and the Cyberspace Solarium Commission about whether it could serve as a model for other businesses.
“The idea is that we want to establish software integrity through two or three different pipelines to avoid the same type of supply chain attacks that we have experienced and variations of them,” he said.
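The cross-checking that the parallel build chains described above are meant to provide can be reduced to a simple gate: build the same release independently, compare the digests of what each chain produced, and refuse to sign unless the chains agree. The example below is an added illustration of that idea, not SolarWinds code and not a description of its actual pipelines; the pipeline names, the `toy_build` stand-in for a deterministic compiler, the quorum rule and the constructed sample inputs are all assumptions made for the demo. It also shows the limit the article implies: a single divergent chain is caught, but the comparison only says something when the chains really are independent and the build is reproducible.

```python
"""Cross-checking one release built by several independent pipelines (added example)."""
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class BuildResult:
    pipeline: str    # hypothetical pipeline name, e.g. "chain-A"
    artifact: bytes  # the bytes that pipeline produced for this release


def toy_build(source: str) -> bytes:
    """Stand-in for a deterministic compiler: same source in, same bytes out.
    Real chains need reproducible builds for digest comparison to mean anything."""
    return b"HDR\n" + source.encode("utf-8")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def cross_check(results, quorum=2):
    """Compare digests of the same release produced by independent chains.

    Returns (consensus_digest, divergent_pipelines). consensus_digest is None
    unless one digest was produced by at least `quorum` chains AND by a strict
    majority of them; in that case every pipeline is reported as unresolved.
    """
    if not results:
        raise ValueError("no build results to compare")
    digests = {r.pipeline: sha256_hex(r.artifact) for r in results}
    counts = Counter(digests.values())
    top_digest, top_count = counts.most_common(1)[0]
    if top_count < quorum or top_count * 2 <= len(results):
        return None, sorted(digests)
    divergent = sorted(p for p, d in digests.items() if d != top_digest)
    return top_digest, divergent


def release_gate(results, quorum=2):
    """Decide whether the release may proceed to signing. Any disagreement blocks it."""
    consensus, divergent = cross_check(results, quorum)
    if consensus is None:
        return {"release": False, "reason": "no consensus digest", "divergent": divergent}
    if divergent:
        return {"release": False, "reason": "pipeline(s) disagree with consensus",
                "divergent": divergent}
    return {"release": True, "reason": "all pipelines agree", "digest": consensus}


# Constructed sample inputs: the same source handed to three chains, with the
# working copy in one chain altered before compilation (simulating a change
# that never appears in the source repository's own logs).
CLEAN_SOURCE = "def main():\n    run_service()\n"
TAMPERED_SOURCE = CLEAN_SOURCE + "# unexpected change present only in one chain\n"

SAMPLE_CLEAN = [
    BuildResult("chain-A", toy_build(CLEAN_SOURCE)),
    BuildResult("chain-B", toy_build(CLEAN_SOURCE)),
    BuildResult("chain-C", toy_build(CLEAN_SOURCE)),
]
SAMPLE_ONE_TAMPERED = [
    BuildResult("chain-A", toy_build(CLEAN_SOURCE)),
    BuildResult("chain-B", toy_build(TAMPERED_SOURCE)),
    BuildResult("chain-C", toy_build(CLEAN_SOURCE)),
]

if __name__ == "__main__":
    print(release_gate(SAMPLE_CLEAN))          # release allowed
    print(release_gate(SAMPLE_ONE_TAMPERED))   # blocked, chain-B named as divergent
```

The quorum parameter is what keeps a lone pipeline from ever "agreeing with itself": with only one chain, or with two chains that disagree, the gate returns no consensus at all rather than picking a winner. The flip side, which the article's own wording acknowledges, is that chains compromised in the same way will still agree, so the value of the scheme depends on the chains differing in infrastructure, credentials and tooling rather than being clones of one another.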
While many technical details of the attack on SolarWinds have emerged in the past three months, the cybersecurity community is still largely in the dark regarding how the attackers initially gained access to the Orion build system. Ramakrishna said the investigation is still active but the company has narrowed it down to three possibilities: a “very targeted” spearphishing attack, a vulnerability in an unpatched piece of third-party vendor software that might have exposed an entry point into SolarWinds’ network or a credentials compromise of a few specific users.
Their internal investigation got “lucky” in its initial stages by identifying and decompiling a single backup build environment that allowed them to pinpoint the Sunspot code that had been used to inject malware into a single source code file. This change was executed and then covered up by the attackers during “a few millisecond window” before the certificate signing process that wasn’t captured in source code logs.
He declined to comment on who the company thinks may have been behind the attack, saying there “is enough commentary out there that I don’t need to.” U.S. officials have alleged that the initial campaign was “likely” carried out by hackers tied to Russian intelligence agencies in order to conduct espionage on the U.S. government and private sector IT networks.
Ramakrishna said the sophistication of the attacker, the unusual length of the compromise (some indicators found by investigators go as far back as 2019) and logging inconsistencies mean “you may not be able to identify patient zero” in terms of which of those pathways was exploited first. However, the company’s mindset is that conclusively determining the initial point of entry is less important than implementing the broader security lessons learned from the experience.
“I would like to separate the drama factor of this ‘aha’ of identifying something from this continuous thought process of ‘what can we learn, what can we do to improve, how can we be more safe and secure while delivering excellent, quality software?’ That’s the mindset that we are trying to drive towards,” he said.