I joined the SolarWinds family earlier this week as the new Chief Executive Officer. Although I accepted the position to become CEO before the Company was notified of the cyberattack, I feel an even greater commitment now to taking action, ensuring we learn from this experience, and continuing to deliver for our customers.
In my most recent role as CEO of Pulse Secure, and in other executive assignments, I have dealt with highly visible security breaches. In these instances, I have sought to let humility, ownership, transparency, focused action, and bias towards customer safety and security be my guiding principles. It is my goal to bring this same approach to bear here at SolarWinds.
It is in this spirit that I have made it a priority to support and continue the SolarWinds investigation of this incident in cooperation with important stakeholders – including industry colleagues, third-party cybersecurity experts, law enforcement, and intelligence agencies around the world.
By far, my most important commitment is to help our customers and partners navigate this challenge with the help and support of the entire SolarWinds team.
Armed with what we have learned of this attack, we are also reflecting on our own security practices and seeking opportunities to enhance our posture and policies. I am doing that by working directly with the SolarWinds team to lead the immediate improvement of critical business and product development systems, with the goal of making SolarWinds an enterprise software industry security leader. These transformative efforts will require tremendous focus on security programs, policies, teams, and culture.
We have engaged several leading cybersecurity experts to assist us in this journey and I commit to being transparent with our customers, our government partners, and the general public in both the near-term and long-term about our security enhancements to ensure we maintain what’s most important to us – your trust.
As we seek to evolve SolarWinds into a company that is “Secure by Design” our internal efforts are focused on three primary areas:
- Further securing our internal environment
- Enhancing our product development environment
- Ensuring the security and integrity of the products we deliver
Key immediate steps to further securing our internal environment which we are committed to prioritizing as a central part of our operational fabric as we move forward include:
- Deploying additional, robust threat protection and threat hunting software on all our network endpoints, including a critical focus on our development environments
- Resetting credentials for all users in the corporate and product development domains, including resetting the credentials for all privileged accounts, and for all accounts used in building the Orion Platform and related products
- Consolidating remote and cloud access avenues for accessing the SolarWinds network and applications by enforcing multi-factor authentication (MFA)
Key steps to enhancing our product development environment include:
- Performing ongoing forensic analysis of our product development environments identifying root causes of the breach and taking remediation steps
- Moving to a completely new build environment with stricter access controls and deploying mechanisms to allow for reproducible builds from multiple independent pipelines
Key steps to ensuring the security and integrity of the software we deliver to customers include:
- Adding additional automated and manual checks to ensure that our compiled releases match our source code
- Re-signing all Orion Platform software and related products, as well as all other SolarWinds products, with new digital certificates
- Expanding our vulnerability management program to reduce our average time-to-patch and to better enable us to work with the external security community
- Performing extensive penetration testing of the Orion Platform software and related products to identify any potential issues which we will resolve with urgency
- Leveraging third-party tools to expand the security analysis of the source code for the Orion Software Platform and related products
- Engaging with and funding ethical hacking from white hat communities to quickly identify, report, and remediate security issues across the entire SolarWinds portfolio
We expect these efforts and plans to guide our journey to becoming an even safer and more secure company, and we understand that there is much more work to be done. In the coming weeks, we will plan to share further plans and programs that we believe will help us achieve that goal.
Over 20+ years, SolarWinds has earned the trust of our customers by delivering powerful and affordable solutions. My mission is to continue to build on that relationship by delivering powerful, affordable, and secure solutions. I am confident in this future.
This Blog Post contains “forward-looking” statements, which are subject to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995, including statements regarding SolarWinds’ steps to secure our internal environment, improve our product development environment and ensure the security and integrity of the software that we deliver to customers. The forward-looking statements in this Blog Post are based on management's beliefs and assumptions and on information currently available to management, which may change as we continue to address the vulnerability in our products, investigate the SUNBURST attack and related matters and as new or different information is discovered about these matters or generally. Forward-looking statements include all statements that are not historical facts and may be identified by terms such as "aim," "anticipate," "believe," "can," "could," "seek," "should," "feel," "expect," "will," "would," "plan," "intend," "estimate," "continue," "may," or similar expressions and the negatives of those terms. Forward-looking statements involve known and unknown risks, uncertainties and other factors that may cause actual results, performance or achievements to be materially different from any future results, performance or achievements expressed or implied by the forward-looking statements. Factors that could cause or contribute to such differences include, but are not limited to, (a) the discovery of new or different information regarding the SUNBURST attack and related security incidents or of additional vulnerabilities within, or attacks on, SolarWinds’ products, services and systems, (b) the possibility that SolarWinds’ mitigation and remediation efforts with respect to the SUNBURST attack and related security incidents may not be successful, (c) the possibility that customer, personnel or other data was exfiltrated as a result of the SUNBURST attack and related security incidents, (d) numerous financial, legal, reputational and other risks to SolarWinds related to the SUNBURST attack and related security incidents, including risks that the incidents may result in the loss, compromise or corruption of data, loss of business, severe reputational damage adversely affecting customer or vendor relationships and investor confidence, U.S. or foreign regulatory investigations and enforcement actions, litigation, indemnity obligations, damages for contractual breach, penalties for violation of applicable laws or regulations, significant costs for remediation and the incurrence of other liabilities, (e) risks that SolarWinds’ insurance coverage, including coverage relating to certain security and privacy damages and claim expenses, may not be available or sufficient to compensate for all liabilities SolarWinds incurs related to these matters, (f) the possibility that our steps to secure our internal environment, improve our product development environment and ensure the security and integrity of the software that we deliver to customers may not be successful or sufficient to protect against threat actors or cyberattacks and (g) such other risks and uncertainties described more fully in documents filed with or furnished to the U.S. Securities and Exchange Commission by SolarWinds, including the risk factors discussed in SolarWinds’ Annual Report on Form 10-K for the period ended December 31, 2019 filed on February 24, 2020, its Quarterly Report on Form 10-Q for the quarter ended March 31, 2020 filed on May 8, 2020, its Quarterly Report on Form 10-Q for the quarter ended June 30, 2020 filed on August 10, 2020 and its Quarterly Report on Form 10-Q for the quarter ended September 30, 2020 filed on November 5, 2020. All information provided in this Blog Post is as of the date hereof and SolarWinds undertakes no duty to update this information except as required by law.