Since the news broke in December, the name SolarWinds has become both a buzzword and a cautionary tale that everyone in the security industry continues to talk about. It is to 2021 what Equifax was to 2017. So it's no surprise that a keynote discussion that places SolarWinds CEO Sudhakar Ramakrishna in the hot seat is one of the most highly anticipated items on this week's RSA Conference 2021 agenda.
In what is promised to be a candid discussion between Forrester analyst Laura Koetzle and Ramakrishna, the session, titled "SolarWinds: What Really Happened?," will offer a view of the attack's details: the what, how, and who of what went down – and what industry professionals might learn from the breach.
Dark Reading spoke to Koetzle in advance about what she's anticipating to come out of the session and her view of the headline-making attack.
Dark Reading: Sudhakar Ramakrishna will be speaking with you about the results of a long investigation, his perspective around the attack, and specific learnings from the incident. For starters, what are you hoping attendees will gain from the session?
Koetzle: When RSA Conference asked me to interview Sudhakar for the keynote session, I agreed quite quickly. And then the next day I realized that much would depend on how candid Sudhakar was willing to be – and how open his legal and communications team were willing to let him be. Happily, Sudhakar and his team wanted to be as transparent as possible about the incident and everything that followed from it, which I'm hoping the members of the security community will both appreciate and emulate.
Our discussion should let attendees see the choices and pressures that SolarWinds faced from the inside so that they're better prepared when they're faced with a breach themselves. I'm also hoping that attendees will learn from the things that SolarWinds did well and from the things that they would do differently in hindsight.
Dark Reading: As an experienced security analyst who has been following high-profile incidents like SolarWinds for many years, how do you think the organization handled the fallout in the immediate days following the news? One of the headlines was about how a password issue was the result of an intern's mistake. Some criticized that as a misstep. What is your take?
Koetzle: The "intern posts password in cleartext on GitHub" incident is tailor-made for finger-wagging headlines, and it also became a hot-button issue when Sudhakar and former SolarWinds CEO Kevin Thompson testified at a congressional hearing. Sudhakar and I will discuss this in our interview, because, one, the credentials the intern posted weren't used in the breach, and some of the reporting at the time seemed to indicate that they had been, and, two, Sudhakar acknowledges that he and his colleagues didn't handle that situation optimally.
Dark Reading: And with a new CEO at the helm, how do you think they continue to handle things now? Are there any takeaways from what you are observing that are helpful for other companies that may deal with a breach in the future?
Koetzle: As attendees will hear during the interview, Sudhakar was announced as the incoming CEO of SolarWinds on Dec. 9, 2020. That's the day after FireEye announced it had been the victim of an attack but before anyone at SolarWinds knew about the compromise to SolarWinds Orion. Sudhakar didn't take over as CEO until Jan. 4, 2021, when SolarWinds was about three weeks into its response to the breach. So Sudhakar walked into a high-profile incident response.
I was surprised and pleased by how candid Sudhakar and SolarWinds were willing to be for our interview, and the same goes for their response itself. They've released new information as they learned it throughout their response to help their customers and the security community, rather than repeating "No comment" until they felt like they had everything buttoned up. That transparency is something I'd encourage attendees and other companies responding to breaches to emulate.
Dark Reading: We are heading into this talk with the Colonial Pipeline attack now fresh in our minds. The last six months have brought us several attacks that have major implications on US national security and infrastructure. In Washington, lawmakers are discussing legislative fixes, and the Biden administration is talking about a new information-sharing system among private companies and the US government. What are your thoughts on some of what is being proposed?
Koetzle: Suffice it to say that more cybersecurity legislation and regulation is long overdue, so I welcome the attention to it. The Biden administration had been signaling its intent to prioritize spending to address cybersecurity risk in its first several weeks in office. I'm happy that they're emphasizing the "unsexy but necessary" bits of information security practice, such as making sure that government agencies actually implement the best practices for identifying and managing risks that its own experts recommend; according to the GAO, none of the 23 agencies they'd reviewed had implemented those practices as of March 2021.
And as one of the members of the Forrester security research team who was present at the creation of the zero-trust approach back in 2009, I'm thrilled to see the US federal government is mandating the use of zero trust – because it works. I'm also happy to see that President Biden's executive order requires that products provide a software bill of materials (SBOM), following the approach that the National Telecommunications and Information Administration (NTIA) at the US Department of Commerce has been coordinating with the software industry. Widespread implementation of SBOM will mean that companies and security professionals can know what's really in the software products they buy and use.
Dark Reading: Now that we are six months out from when the news of SolarWinds first broke, what is your take on the lessons security and software vendors can learn from this breach?
Koetzle: I've already mentioned that I was impressed by SolarWinds' commitment to transparency and its willingness to share what it has learned in its investigation; that's a practice I'd suggest we all emulate. But for security and software vendors specifically, if you've succumbed to the temptation of producing opportunistic marketing – I've seen some egregious "Want to avoid a breach like SolarWinds had? Buy our software!" pitches, which I immediately toss in the virtual trash bin – please stop now. Most security professionals know that we're all going to be the victims of an incident sometime. Today it's SolarWinds, but tomorrow it could be you.
Dark Reading: Moving forward, what do you suggest CISOs and security managers focus on to establish or improve product security initiatives?
Koetzle: Many CISOs and other security professionals are accustomed to working in internal, enterprise security environments, and working on the security of the products that your company sells requires a different mindset. Strong product security requires working with product teams in the very early stages of development, which is more chaos than many security professionals are accustomed to.
If you're working on product security, you'll need to be comfortable with lots of uncertainty and to create risk management processes that accept high levels of risk at the early stages and encourage developers to reduce risk – and improve security – as they improve the product they're building. "Minimum viable security" isn't a phrase traditional security professionals use very often, but that's the right way to think about the acceptable security level for a minimum viable product.
More details on the keynote discussion between Koetzle and Ramakrishna can be found here.