Enhancing our Security Posture Post SolarWinds Breach
Implications of SolarWinds Breach by Market Segment & Who Is Most Impacted
Many of our customers and our partners have been asking us to comment on the recent cyber attacks involving SolarWinds and other vendors—from a ScienceLogic perspective.
It has impacted a broad swath of communities. Michael, what is your sense of the distribution of where the implications are most acutely felt?
The short answer is having an understanding of what industries have the most to lose by virtue of an external actor gaining access and control over their assets—or, by extension, their customers’ assets. Highly regulated industries such as pharma and financial, have a lot to lose in terms of those kinds of assets. Also, utilities, having anything that’s actually controlling physical infrastructure, is super critical.
You also have to keep in mind the digital infrastructure—hyperscalers and cloud providers that are providing application services to hundreds and thousands of different customers are definitely going to be impacted in a breach of this magnitude. And lastly, government, the Department of Defense —they are security conscious all the time for obvious reasons.
How Enterprises & Government Agencies Are Responding
It certainly is the regulated industries and the Federal government —whether it’s the civilian or the military side—all of them have seen the effects of this.
One thing that we are observing is that customers are questioning and trying to figure out if this is something that they look at and say, “Look, I had a particular breach, and it involved a particular software product. Let me just go replace that product, and get on with my business,” which is very understandable.
Or should they use that as a catalyst to drive a broader rethink of their IT operations management systems, their trajectory of how they think about tools consolidation, their needs, and how they’ve evolved? What are your thoughts on how the customers are thinking through this process?
I think there’s a tactical and a strategic response. The tactical imperative, obviously, is shut the back door—meaning if you’re running a software that’s known to be affected, your first order priority is get rid of that vulnerability. That’s very clear. But just reacting to that and saying, “Okay, I plugged the hole in the dike and we’re good,” and you go on your merry way is very short-sighted.
This breach is a forcing function for businesses of all sizes and types to dust off whatever security policies and approaches they’ve had in the past. And looking at them again, reviewing them in a new light, thinking about where they want to go tomorrow and the next decade. Businesses are also reassessing the sorts of IT services and other technology services they plan to adopt and how do they do that in a way that is secure by default? You’re putting security right in the center of your design—in the center of your strategy.
How ScienceLogic Is Responding to Uplevel Security
Our advice would be that if you’re using this as an opportunity and you haven’t been doing it already, to look holistically at your IT strategy. Ask yourself, “What is your platform for the future? How are you going to ensure the services you provide back to your business are as secure as possible?”
ScienceLogic has been looking at this in a multi-faceted way early on. We’re looking at it in terms of what features we introduce in the SL1 platform to make it more secure by default, how can we make it easier to manage how users are defined in the system, what sort of permissions those users are granted, and role-based access and authentication—all the aspects we’ve had in the product for a while. And we are also tightening the screws on what is already part of SL1 and making them even more secure—providing more richness to the end user, so they can manage these things in a more intuitive way. That’s super important.
Not only are we looking at security from a product feature standpoint, but we’re also looking at it from a software delivery life cycle standpoint, in terms of how do we actually build and deliver software at ScienceLogic? Because, as we saw with SolarWinds, that particular attack was what they call supply chain attack. The software was intercepted and compromised pre-release. So, by the time it got out to a release server, it was already compromised. The cyber attackers got in behind the back door, got access to the network, and were able to change the software without being noticed.
And that plays down to our processes, how we build and release software at ScienceLogic, and making sure we have the right tools in place to do things like static code analysis, understand deltas in the software that were unauthorized, and a whole variety of other techniques to ensure that we’re releasing exactly what we mean to release.
And a lot of these are, essentially, enhancements to the processes that we’ve already had in both the product, as well as the process side in the systems and facilities. But this is, essentially, a sort of upping the game.
That’s right. We’re really turning the volume up to 11 because we have to. Yes, we’ve done vulnerability testing, we’ve done static code analysis. We also do threat vector analysis at design time. And we are doing this in a more rigorous fashion, as well as introducing even more tools into our pipeline, and how we’re doing software development. We are being so rigorous so we can determine at every stage that it is secure, and that we’ve maintained the integrity of the build and so forth.
We’ll be speaking more about this topic at Symposium 2021 coming up in May. I think a lot of our customers and partners are going to offer their own comments and insights from the lessons learned and what they’re doing.
I appreciate your time and you sharing these with our community of ScienceLogicians. Thank you, Michael.