SolarWinds CEO: Breach transparency 'painful' but necessary

More than nine months after discovering a devastating nation-state attack, SolarWinds CEO Sudhakar Ramakrishna said his company has drastically overhauled its security posture and practices even as it continues to search for the root cause of the breach.

In an interview with SearchSecurity, Ramakrishna discussed SolarWinds' efforts to learn from the supply chain attacks. While providing transparency after the massive data breach was challenging at times, Ramakrishna said the company feels obligated to share knowledge and information with other companies -- particularly those with limited security resources -- so they don't have to learn those lessons firsthand.

Ramakrishna, who took over as SolarWinds CEO just a few days before the Sunburst backdoors were discovered, disclosed the status of the ongoing investigation into the initial intrusion and some of the major changes made inside the company after the attack. He also discussed the rise of nation-state threats, the potential of zero-trust access and more.

In the position you are in now, after a major attack, your organization probably has a pretty strong awareness, top to bottom, of security and what's at stake. How has the company changed, and could you have gotten to those changes without going through what you went through?

Sudhakar Ramakrishna

Sudhakar Ramakrishna: I would say most likely, yes, but not in the same compressed time period.

Let me set that aside for a second and give you a different example. The CIO of a large bank, which my company helped digitally transform them to support all remote work last year, said, 'In five weeks, you helped me do what would have normally taken five years to do.' Let's say that was an exaggeration. Let's say five months instead of five weeks. It was one of those things where there was a need for them to do that. Would they have gotten to that point [without the pandemic]? Yes, except that it would have taken much longer. Would we have learned from, let's say, others' Sunburst infections and become better? Yes, but it may have taken us longer. What the incident has done is really compressed the time cycle for us.

Is it easier, then, for a company like yours to make those changes and justify the investments in security?

Ramakrishna: Again, it kind of ties back to human behavior. And I truly believe, as ironic as it is, it is actually a true situation. Just like human behavior causes security incidents and challenges and threats, human behavior also says, 'Hey, everything seems to be going fine. Why do I need to spend this money?' But as you know, wise people learn from others' experiences.

There are a few things that we can do both from a governance standpoint as well as from a behavioral standpoint. From a governance standpoint, one of the things we have done is build a technology and cybersecurity committee of the board. In addition to things like governance, in addition to things like audit committees, compensation committees, nominating and corporate governance committees, which every board has, one of the very first things I did was build the technology and cybersecurity committee on the board. It has two sitting CIOs who are very accomplished in their fields [Dennis Howard, executive vice president and CIO at Charles Schwab & Co., and Easwaran Sundaram, former CIO and current chief digital and technology officer at JetBlue] plus myself. What it allows us to do is keep that discussion front and center, similar to strategies and financials, so security is at the same level. With that, we are changing the behavior of the entire company as well. Ultimately, it will boil down to a case of awareness. If you go back, even to the [2021 IT Trends] report, when 80% of IT professionals say the challenge has to be addressed with technology, but then each one of them is saying 'I don't have budget or people to do that,' then there is something we are missing as managers and leaders to support that.

You've spoken about how important transparency is after a cyber attack or breach and how SolarWinds shared as much information about Sunburst and the supply chain attack as possible, as soon as it could. But sharing those kinds of details must have been intimidating. Was there a part of you that wondered if it was the right move?

Ramakrishna: As you know, there's a lot of victim shaming that goes on. At times did I wonder if this is the right thing to do? I would say I never wondered about that because I believe that transparency is always the right thing to do. Does that mean that I was happy doing it at all points in time? No. Because sometimes you feel like, 'Why do we have to go through this pain? Why can't people see it differently?' At the same time, you always come back to neutral, so to speak, which is to say, you do the right thing, and it may take some time, but it will yield the right results. And while it didn't seem that way in the first three, four or five months of this year, we slowly but surely got more and more visibility.

It was painful going through this. But there was also never any doubt in my head that we should be transparent about it.

But there's a broader issue here. And maybe this is because of my experience dealing with security incidents in the past and coming from the security industry to SolarWinds. I sincerely believe that the only way we can protect ourselves as a community is by having this notion that I've been calling a 'community vigil.' The threat actors, especially nation-state threat actors, can throw resources at the problem. They really don't play by any rules, whereas we are bound by rules, and rightly so. Unless we share information freely, we are not going to be able to become stronger. That's number one. Number two, the first 24 hours, as they say, are very, very important. The timeliness of disclosure is very, very important. The sooner you can disclose, hopefully you can protect yourself faster. Those are principles that are driving us in our actions. But I'll be perfectly honest with you -- it was painful going through this. But there was also never any doubt in my head that we should be transparent about it.

In your last update on the investigation, you said the most likely vector for the initial intrusion into your network was either a phishing or social engineering attack, a brute-force or password-spraying attack, or a zero-day vulnerability in a third-party product like Office 365. Are you any closer to figuring out how the threat actors initially got inside of your environment? And does that even matter at this point, in terms of improving your security posture?

Ramakrishna: It doesn't matter from this standpoint: We honed it enough to take corrective steps, assuming the initial entry point could be one of those many things.

The way we approached this was we came up with hypothesis after hypothesis after hypothesis, and then went after the data to prove or disprove them, as you would normally conduct any investigation. After all the sifting through the many hypotheses, we settled on those three that we spoke about. And we believe we have done sufficiently good work to not only cover for those three, but many other [possible threats] with a focus on ongoing improvements and vigilance.  In that regard, it doesn't matter. But if you ask me personally, would I wish to know what was the exact pinpoint time and incident that this happened? Yes. Unfortunately, we haven't been able to prove it.

It seems like zero trust has gotten a significant boost after the supply chain attacks. A lot of organizations over the last year-plus have at least kicked the tires on zero-trust networks and zero-trust access with the hope that it can improve security and limit the type of devastating intrusions that occurred via Sunburst. What are your thoughts on zero trust as somebody that's been through this?

Ramakrishna: I'm a believer in zero-trust principles. And I worked for a company until December of last year [Pulse Secure] that was a pioneer in zero trust and secure access. I have no conflicts there in terms of philosophy or approach. The zero-trust principle, as you know, is very simple: Verify, for example, that Rob is Rob before you provide access to anything, and there is zero trust that Rob is Rob until that verification is completed. Previously, the process was I would connect to something, and I get access with a password, and then I can do whatever I want beyond that.

But here's the issue: I don't want us to oversimplify that zero trust will solve all these problems. Let's say I steal your credentials, then I present myself as you. The fact that there is zero trust implemented before providing access is not going to cut it in some cases. I would say it is an important principle, but it still doesn't overcome all the challenges that we spoke about with human behavior, the need for training and depth of defense, security policy islands and fragmentation, etc. If all of those are true, then we still have the same challenges that we currently have.

As an organization that's been the victim of a major nation-state attack, what are your thoughts on such threats? What should organizations be doing to better prepare for those kinds of attacks?

Ramakrishna: We've been talking to the government about this. Just like there are rules of war and rules of engagement, there has to be rules of, let's call it, cyber engagement. And that should apply to all nations; we need to bring them to the table and get certain rules where they cannot be harboring cybercriminals and, worse, they cannot be initiating attacks because it becomes an act of war at some point. Granted, these attacks are against enterprises versus the nation. But when you attack my critical facilities, that is against my nation. I do think there's a lot more work that needs to be done by the governments of the world. To be perfectly honest, that is an area that I don't have a lot of expertise in. But I do have points of view. And we have shared those with cyber defenders in the U.K., the Five Eyes, as well as organizations like CISA.

Do you feel like progress is being made on this, and that we're at least moving in the direction of rules of cyber engagement that other nations will actually adhere to?

Ramakrishna: I'm not sure we are moving in that direction just yet. But am I optimistic that eventually something like that will happen? I believe so. Because ultimately, they might all realize that it's not in their best interest, both on the people side as well as on the economic side, to engage and indulge in these attacks. Hopefully, that will prevail.

Editor's note: This interview has been edited for clarity and length.