SolarWinds is ready to weather the “cyberincident,” having spent the past year strengthening its build model and processes to better mitigate future cybersecurity breaches. It has also expanded its systems monitoring capabilities as part of efforts to help customers better manage the complexities of hybrid cloud environments.
Mention SolarWinds and most will recall a colossal security breach that unleashed when a malware-containing update for the vendor’s Orion network monitoring platform was pushed out to customers. Thousands of companies received the Orion update containing the Sunburst malicious code, including US government agencies, Microsoft, Malwarebytes and FireEye, which first raised the alert in December 2020.
Acknowledging that 2021 has been a tough year, SolarWinds President and CEO Sudhakar Ramakrishna told ZDNet that the company has spent time and investment evaluating what it needs to do to strengthen its infrastructure and capabilities. process.
In January 2021, with Ramakrishna then newly on board, SolarWinds tapped Chris Krebs, former director of the US Cybersecurity and Infrastructure Security Agency, and former Facebook security director Alex Stamos to help improve its security posture. security.
Over the past year, Krebs and Stamos have engaged governments and regulators and implemented best practices to drive the vendor to focus on “security by design,” Ramakrishna said in an interview. Although SolarWinds already had capabilities in this aspect before the breach, more have been added across all security elements, he said.
Efforts were focused on three key areas around its infrastructure, which included its cloud assets and applications, software build, and processes.
The goal here was to reduce the threat window that a security incident could occur and to change the threat surface on which an attack could be launched, he explained. A new build process was then implemented to meet both of these goals, he said, adding that the goal was not to provide a fixed target for attackers to target by creating dynamic rather than static processes. .
In this “next-generation build system,” SolarWinds subscribes to four pillars that sought to support “secure-by-design” software development principles to build resilience against future attacks. These encompass “ephemeral operations,” among others, in which assets are produced on demand and dismantled when tasks are completed, making it more difficult for threat actors to establish a base on systems.
The vendor also adopts a “parallel build” principle whereby it creates multiple safe duplicates of its new build system and builds all artifacts in parallel, on all systems at the same time. This establishes a basis for integrity checks and “consensus attested builds”.
In addition to assessing the resilience of its systems, SolarWinds has also spent the past year investing in investments to expand its operations in two key regions, Asia-Pacific and EMEA, said Ramakrishna, who was at Singapore this week.
Additionally, it has worked to “evolve” its product offerings to support digital transformation and changing customer needs, particularly as multi-cloud environments are increasingly adopted, a- he declared. In this aspect, the supplier has sought to enhance the capabilities of its products in automation, observation, visualization and correction.
Describing 2021 as a “challenging” one as it dealt with the aftermath of the “cyber incident”, the SolarWinds CEO said the year was also “rewarding” as the vendor was able to focus on strengthening its systems and processes for construction as well as on the investments he made.
And while he remains associated with the security breach, he said SolarWinds should also be associated with how it handled and dealt with the flaw and emerged from it.
He noted that the security incidents were “here to stay”, pointing to others that had followed since SolarWinds’ own breach, such as Kaseya, US Colonial Pipeline, Log4j and most recently Okta.
Deeper observability needed to manage complex hybrid environments
Rather than turn around and play the victim, Ramakrishna said companies need to learn from these attacks and are continuously working to better mitigate their impact.
This was particularly critical amid significant changes in IT environments, as organizations embraced hybrid working and were more reliant on cloud services, he said.
As their ecosystems expanded, they now had to deal with different environments with different security postures and different connectivity profiles, he noted. Security challenges have been amplified with performance requirements and the ability to identify and resolve issues, he added.
That prompted SolarWinds to round up its monitoring capabilities and expand them to meet those security requirements, he said. This included the need for deeper observability or “observation”, as he coined it, with a comprehensive system that could examine data from all entities, including networks, databases, applications, users and systems. Organizations would then be able to detect problems more quickly and fix them.
Reiterating the need for security by design, Ramakrishna also highlighted the importance of adopting a zero-trust framework as well as the need for better collaboration between the private and public sectors.
“No company, no matter how resourceful or smart and dedicated you are, will be able to thwart nation-state attacks,” he said, noting the difficulty of defending against such threats. “The best way I know [that] What it takes is for sellers like us to share information and be shy to share when we’ve been hacked. As in any crisis situation, the sooner we announce, the sooner we accept help, the sooner we solve problems.”
Additionally, he urged governments to proactively share threat intelligence with the private sector so industry can be more vigilant against potential attacks.
Although there is currently not enough such information sharing, he said he was optimistic it would improve over time as there was already a “collective will” to start doing so. . “Threat intelligence should never be used as a competitive advantage,” he added. “We need to be competitive on the value we deliver to customers, [but] not about withholding information from your competitors regarding threat intelligence.”
Governments also have a role to play in how victims of cybersecurity breaches are perceived, he said, noting that shaming victims would discourage companies from coming forward. An “environment of understanding” for those who would comply would speed resolution in the event of a security incident, he added.
Asked about his priorities for the future, Ramakrishna again highlighted SolarWinds’ significant investment to drive its expansion plans in Asia-Pacific, which he believes could be its fastest growing region.
He declined to detail the provider’s growth and investments by region, but said it had recently established offices in South Korea and expanded its presence in Japan as well as Asean and ANZ.
In its first-quarter 2022 earnings report last week, SolarWinds said revenue of $177 million, up 2% year-over-year. Subscription revenue grew 37% year-over-year to $38.7 million, with adjusted EBITDA of $69 million. For the year, it forecast revenue of between $730 million and $750 million, with annual growth of between 2% and 4%.
According to Ramakrishna, the provider’s customer renewal rates before the breach had hovered in the low to mid-90s, but dropped to the 80s in 2021 following the December 2020 cyber incident. 91% in the first quarter of this year, he said.