IT management software provider SolarWinds recently released its annual IT trends report, which includes a dive into an issue the company has very real experience with -- dealing with security threats.
The report, “Building a Secure Future,” looks at how technology professionals regard the current state of risk in evolving business environments, where the pandemic and other factors can create new potential points of exposure. This also heralds the introduction of a guide, “Secure by Design,” from SolarWinds that may serve as an approach to better mitigate cyberattacks going forward.
Sudhakar Ramakrishna, CEO of SolarWinds, joined the company in January from Pulse Secure, not long after last December’s infamous Sunburst cyberattack made headlines.
Sunburst was a sophisticated, malware supply chain attack that SolarWinds says inserted a vulnerability into software used by thousands of its customers. SolarWinds suspects the attack, which may have begun two years before its discovery, was conducted at the behest of another nation state but has not yet verified the source of the attack.
Ramakrishna spoke with InformationWeek about the mindset and perspectives on security seen across the business landscape and some of the IT security lessons learned from dealing with the pandemic lockdowns and the Sunburst cyberattack.
What were some presumptions on how IT security should be handled prior the pandemic and Sunburst? How have things changed and what stands among the report’s findings?
A lot of the concepts we are implementing post-pandemic with remote work and other trends have been known to us for a period of time. The movement to the cloud, the focus on elimination of shadow IT, the consistency of policies between cloud-based infrastructure and premises-based infrastructure -- those were things that already existed.
However, because there was that urgency to make everybody remote, certain constructs like endpoint security were not top of mind. Nor was policy integration between cloud and application infrastructure with premises infrastructure. Those are two key things that happened and have attained a heightened sense of focus. In some industries, let’s say the financial industry, compliance and governance are incredibly important. In those instances, customers were left in a lurch because they didn’t really have the right solutions and vendors had to adapt.
I speak from the context of a previous company [Pulse Secure] that was a pioneer in zero-trust technologies and when the pandemic hit, we literally had to take companies where they may have 250,000 employees where barely 10,000 were working remotely at any point in time to a company where all 250,000 employees had to work from home.
That put a lot of stress on IT infrastructure, security more specifically.
With the move to remote, were there real technology changes or was it a matter of implementation of existing resources? The human portion of the equation of how to approach these things -- is that what really changed?
The way I would describe security at large, and risk as well, is that it has as much to do with policies, human behavior, and focus as it does on actual technology. A lot of times we feel like, “We threw in a firewall; we should be safe.” There’s much more to security and risk than that. Areas such as configuration, policy, training of people, and human behavior add as much to it.
Specific to the pandemic, a lot of technologies, endpoint security, cloud security, and zero trust, which have proliferated after the pandemic -- organizations have changed how they talk about how they are deploying these.
Previously there may have been a cloud security team and an infrastructure security team, very soon the line started getting blurred. There was very little need for network security because not many people were coming to work. It had to be changed in terms of organization, prioritization, and collaboration within the enterprise to leverage technology to support this kind of workforce.
What stood out in the report that was either surprising or reaffirming?
One of the challenges that continues to jump out is the lack of training for personnel. Risk and security have a lot of implications on people. Lack of training continues to jump out; it seems to happen year after but very little is being done about it.
In our case, we are focusing a lot more on interns, grabbing people in colleges and universities and getting them trained so they’re ready for the workforce. I believe it needs to be more of a community effort to make people more aware of these issues, first and foremost. You can only protect when you are aware. Lack of training is a challenge. A lack of budget, and therefore decreased staff, also keeps coming up. I think that is where technology and vendors like us have to provide technology to simplify the lives of IT professionals.
It is surprising to me that about 80% of people understand or believe they are ready to address cyberattacks. I would like to dig deeper into what level of preparedness means and is there consistency in the level of preparedness. This goes back to the level of awareness you have, the training you have -- those two things should drive level of preparedness.
Regarding training, are we talking very intensive training that needs to happen? Most organizations have cursory sessions to make employees aware of potential vulnerabilities.
Formally training them as well as training them in context are important. We have established a “red team” within our organization. Typically, red teams are only set up in esoteric security companies, but my view is that as more and more companies become risk-aware, they might start these things as well.
One part of it is constant vigilance. Every team has to be constantly vigilant about what might be happening in their environment and who could be attacking them. The other side of it is constant learning. You constantly demonstrate awareness and vigilance and constantly learn from it. The red team can be a very effective way to train an entire organization and sensitize them to let’s say a phishing attack. As common as phishing attacks are, a large majority of people, including in the technology sectors, do not know how to fully prevent them despite the fact there are lot of phishing [detection] technology tools available. It comes down to human behavior. That is where training can be constant and contextual.
How have cyberattacks evolved? Are there different approaches used now that were not prevalent before the pandemic? Will the nature of vulnerabilities evolve continuously?
That has been the case for as long as I have been in the industry and that will continue to evolve, except at a more accelerated pace. A few years ago, the concept of a nation-state cyberattack was foreign. When there were cyberattacks, they were largely viruses or ransomware created by a few people either to grab attention or maybe get a little bit of ransom. That used to be the predominant variety. Increasingly, nation-states are participating or at least supporting some of these threat actors. They have a lot more persistence and patience in their approach to cyberattacks.
Previously, the goal use to be a virus. The job of a virus is to come in and get as much visibility as you can, create as much damage as you can, and then afterwards you might be inoculated. Right now, these are advanced, persistent threats. The whole idea is to persistently attack but the entity being attacked does not know about it because they are being very patient and deliberate, flying under the radar for the most part.
The level and extent of damage is not known until well into the attack. There is a fundamental shift in that mindset. That’s where you see supply chain attacks. That’s where you see slow attacks. How you detect and protect against those is now becoming much more of a challenge. If something is highly visible, it can be found and fixed. If it’s not visible, how do you find it?
What was understood about the Sunburst attack and when you became CEO, what steps did you put in motion in response?
As I came into SolarWinds, you look at the budget and the staff size to say, “For a company of your size, did you have investments in security commensurate to the industry?” The answer was a resounding yes. We compared it against IDC benchmarks, and we were spending at a level that was slightly even. So, spend was not the issue. What was the issue?
Like many other larger organizations, there are different policies and administrative domains in the organization. When you have that, it opens up windows of opportunity for attackers. One of the key things we’ve done, a lesson learned, is consolidate them under purview of a CIO to make sure there is consistency, there is multifactor authentication, there is single sign on to various applications.
This is a self-check every organization should go through and try to reduce the number of stovepipes.
We researched what we may have been able to do to protect our builder environments much better. We’ve built Paddle-build environments, shifting the attack surface for a threat actor, thereby preserving the integrity of our supply chain more effectively.
The implementation of the red team, wherever under the purview of our CISO, we will be running essentially attack drills.
Those processes, tools, and techniques being used are unknown to the rest of our company. When they simulate an attack, it seems like it’s coming from the outside. This is part of the constant vigilance/constant learning aspect.
We standardized on endpoint protection across the enterprise so regardless of whether they are remote or inside the network, you have consistent policies. We also integrated cloud and premises-based policies so there’s no fragmented policy islands. Also, mandatory security training for every employee in the company, sponsored by our CISO.
So, there is no magic bullet for security that fixes all issues?
I wish there were and I’m sure a lot of us continue to search for it.