Our Plan for a Safer SolarWinds and Customer Community

I joined the SolarWinds family earlier this week as the new Chief Executive Officer. Although I accepted the position to become CEO before the Company was notified of the cyberattack, I feel an even greater commitment now to taking action, ensuring we learn from this experience, and continuing to deliver for our customers. 

In my most recent role as CEO of Pulse Secure, and in other executive assignments, I have dealt with highly visible security breaches. In these instances, I have sought to let humility, ownership, transparency, focused action, and bias towards customer safety and security be my guiding principles. It is my goal to bring this same approach to bear here at SolarWinds.

It is in this spirit that I have made it a priority to support and continue the SolarWinds investigation of this incident in cooperation with important stakeholders – including industry colleagues, third-party cybersecurity experts, law enforcement, and intelligence agencies around the world.

By far, my most important commitment is to help our customers and partners navigate this challenge with the help and support of the entire SolarWinds team.

Armed with what we have learned of this attack, we are also reflecting on our own security practices and seeking opportunities to enhance our posture and policies. I am doing that by working directly with the SolarWinds team to lead the immediate improvement of critical business and product development systems, with the goal of making SolarWinds an enterprise software industry security leader. These transformative efforts will require tremendous focus on security programs, policies, teams, and culture.

We have engaged several leading cybersecurity experts to assist us in this journey and I commit to being transparent with our customers, our government partners, and the general public in both the near-term and long-term about our security enhancements to ensure we maintain what’s most important to us – your trust.

As we seek to evolve SolarWinds into a company that is “Secure by Design” our internal efforts are focused on three primary areas:

  • Further securing our internal environment
  • Enhancing our product development environment
  • Ensuring the security and integrity of the products we deliver

Key immediate steps to further securing our internal environment which we are committed to prioritizing as a central part of our operational fabric as we move forward include:

  • Deploying additional, robust threat protection and threat hunting software on all our network endpoints, including a critical focus on our development environments
  • Resetting credentials for all users in the corporate and product development domains, including resetting the credentials for all privileged accounts, and for all accounts used in building the OrionRegistered Platform and related products
  • Consolidating remote and cloud access avenues for accessing the SolarWinds network and applications by enforcing multi-factor authentication (MFA)                                            

Key steps to enhancing our product development environment include:

  • Performing ongoing forensic analysis of our product development environments identifying root causes of the breach and taking remediation steps
  • Moving to a completely new build environment with stricter access controls and deploying mechanisms to allow for reproducible builds from multiple independent pipelines

Key steps to ensuring the security and integrity of the software we deliver to customers include:

  • Adding additional automated and manual checks to ensure that our compiled releases match our source code
  • Re-signing all Orion Platform software and related products, as well as all other SolarWinds products, with new digital certificates
  • Expanding our vulnerability management program to reduce our average time-to-patch and to better enable us to work with the external security community
  • Performing extensive penetration testing of the Orion Platform software and related products to identify any potential issues which we will resolve with urgency
  • Leveraging third-party tools to expand the security analysis of the source code for the Orion Software Platform and related products
  • Engaging with and funding ethical hacking from white hat communities to quickly identify, report, and remediate security issues across the entire SolarWinds portfolio                                                                                                                                               

We expect these efforts and plans to guide our journey to becoming an even safer and more secure company, and we understand that there is much more work to be done. In the coming weeks, we will plan to share further plans and programs that we believe will help us achieve that goal.

Over 20+ years, SolarWinds has earned the trust of our customers by delivering powerful and affordable solutions. My mission is to continue to build on that relationship by delivering powerful, affordable, and secure solutions. I am confident in this future.

This Blog Post contains “forward-looking” statements, which are subject to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995, including statements regarding SolarWinds’ steps to secure our internal environment, improve our product development environment and ensure the security and integrity of the software that we deliver to customers. The forward-looking statements in this Blog Post are based on management's beliefs and assumptions and on information currently available to management, which may change as we continue to address the vulnerability in our products, investigate the SUNBURST attack and related matters and as new or different information is discovered about these matters or generally. Forward-looking statements include all statements that are not historical facts and may be identified by terms such as "aim," "anticipate," "believe," "can," "could," "seek," "should," "feel," "expect," "will," "would," "plan," "intend," "estimate," "continue," "may," or similar expressions and the negatives of those terms. Forward-looking statements involve known and unknown risks, uncertainties and other factors that may cause actual results, performance or achievements to be materially different from any future results, performance or achievements expressed or implied by the forward-looking statements. Factors that could cause or contribute to such differences include, but are not limited to, (a) the discovery of new or different information regarding the SUNBURST attack and related security incidents or of additional vulnerabilities within, or attacks on, SolarWinds’ products, services and systems, (b) the possibility that SolarWinds’ mitigation and remediation efforts with respect to the SUNBURST attack and related security incidents may not be successful, (c) the possibility that customer, personnel or other data was exfiltrated as a result of the SUNBURST attack and related security incidents, (d) numerous financial, legal, reputational and other risks to SolarWinds related to the SUNBURST attack and related security incidents, including risks that the incidents may result in the loss, compromise or corruption of data, loss of business, severe reputational damage adversely affecting customer or vendor relationships and investor confidence, U.S. or foreign regulatory investigations and enforcement actions, litigation, indemnity obligations, damages for contractual breach, penalties for violation of applicable laws or regulations, significant costs for remediation and the incurrence of other liabilities, (e) risks that SolarWinds’ insurance coverage, including coverage relating to certain security and privacy damages and claim expenses, may not be available or sufficient to compensate for all liabilities SolarWinds incurs related to these matters, (f) the possibility that our steps to secure our internal environment, improve our product development environment and ensure the security and integrity of the software that we deliver to customers may not be successful or sufficient to protect against threat actors or cyberattacks and (g) such other risks and uncertainties described more fully in documents filed with or furnished to the U.S. Securities and Exchange Commission by SolarWinds, including the risk factors discussed in SolarWinds’ Annual Report on Form 10-K for the period ended December 31, 2019 filed on February 24, 2020, its Quarterly Report on Form 10-Q for the quarter ended March 31, 2020 filed on May 8, 2020, its Quarterly Report on Form 10-Q for the quarter ended June 30, 2020 filed on August 10, 2020 and its Quarterly Report on Form 10-Q for the quarter ended September 30, 2020 filed on November 5, 2020. All information provided in this Blog Post is as of the date hereof and SolarWinds undertakes no duty to update this information except as required by law.

Anonymous

Top Comments

  • Thank you, . We appreciate the content and the intent of this message, and do look forward to reading continued in-depth updates (as much is allowed while the investigations continue). 

    Many of us have long agreed that this community is one of the primary value-ads for SolarWinds' products. While many of us have lost sleep during the discovery and mitigations, being part of the community means that it is not lost on us that SolarWinds employees (people like us) also have a monumental challenge to work through at the same time. Again, thank you to everyone for that effort.

    Being candid, that of course does not soften the blow or lighten the responsibility of security. There is a common assumption, among IT optimists if you will, that once a company suffers a breach, they will emerge as a more secure organization (ideally with an even more secure product) at the outcome. This presumption is reinforced by action, communication, and visible results. It is eroded if any of those three components are lacking. At this moment, we must trust that every resource is being put into action and results. (With credit to the developers who turned out the hotfixes, and to the support staff who have been working tirelessly with customers on the mitigations!) With that fix said and done, please know that it will be frequent, informative, and transparent communication that retains your community of customers and partners. 

    I wish all the best to you and to everyone else in this community. May we look forward optimistically to a stronger, more secure future with well monitored infrastructure and minimal alerts! 

  •  - Welcome and congratulations on your new position. Last few weeks has been quite a chaos and I am sure SolarWinds as a team would do great. I have always loved SolarWinds Orion suite of tools. Thanks for letting us know what's in the pipeline.

    AND i would as well like to thank all who worked through the Christmas in getting this recent issue sorted, I am sure many professionals at SolarWinds would have slogged to remediate the issue - Great Job!!! and keep up the good work. 

  • Not the start to your new position you were hoping for or expecting. The response to this incident by SolarWinds is vital to restoring trust and confidence, which the message demonstrating the commitment and approach to making SolarWinds secure first is great to hear.