SolarWinds’ CEO Wants To Give The Hackers Who Attacked It A Headache By Massively Multiplying Code


Towards the end of 2020, Sudhakar Ramakrishna was getting ready to take over as CEO of SolarWinds when the software company he was destined to join hit the headlines. Hackers from a group called Nobelium that’s believed to be linked to Russia’s SVR intelligence agency had infiltrated SolarWinds’ software-development process and installed malware that then spread to some of its customers through updates they made to its code.

Now Nobelium is making headlines again with a new set of software supply-chain attacks. In a blog post published on October 24, Microsoft security executive Tom Burt said his company had uncovered signs that the hacker group has been targeting software resellers and technology service providers in the cloud computing world. Since it saw the malicious activity in May, Microsoft has notified more than 140 companies that they may have been targeted and believes that as many as 14 have been compromised.

The effort is part of a broader wave of attacks by Nobelium. In his post, Burt noted that between July 1 and October 19, Microsoft informed 609 customers that it believed they had been attacked a total of 22,683 times by the group, though the attacks had only a low single-digit success rate.

SolarWinds’ Ramakrishna would like to drive down that success rate as close to zero as possible in the future. Since taking the reins at the company, he’s been working to repair its battered reputation—and to make it much harder for hackers to compromise its software again.

His moves to overhaul the way the $2.9 billion market cap company designs and builds code are being closely watched by its investors and its customers. Now that almost every business relies heavily on code for its success, they also have significant implications for CEOs and technology leaders everywhere.

Into the breach

When Ramakrishna walked into his office for the first time, the full extent of the attack mounted by Nobelium was still unclear. It’s now known that the hackers were able to manage the intrusion through multiple servers based in the U.S. and found ways to circumvent SolarWinds’ internal controls to gain access to its software development pipeline.

They were inside for well over a year before the intrusion was discovered, giving them ample time to install their malware, which allowed them to compromise the systems of around 70 SolarWinds customers. Microsoft, cybersecurity company FireEye and multiple government agencies, including the Department of Energy and the Department of Homeland Security, were among the victims.

SolarWinds’ CEO isn’t the least bit surprised by the latest news of Nobelium’s activities or that they are expanding into other parts of the software supply chain. “These are threats that are much broader than one company. These are threats that are much broader than one sector of the economy. It calls for better vigilance on all our parts,” he says.

Since his company was hit, Ramakrishna, who’s 53, has been working overtime to repair employee morale, bolster the confidence of customers and rethink the way it builds code. That work is paying off in terms of increased revenue, though the investment SolarWinds has been making in reengineering its security strategy has hit its bottom line. The company reported revenue of $262 million in the second quarter of 2021, which represents a 6.5% year-over-year increase, but turned in a loss of $11.6 million compared with a profit of $12.8 million in the same quarter of 2020.

SolarWinds plans to invest $25 million this year in its efforts to recover from the Nobelium hack, with a significant amount of that dedicated to its code overhaul. The company expects that cost to decline significantly in the future, as more processes are automated and it taps other efficiencies.

Triple play

Ramakrishna, who was previously the CEO of cybersecurity company Pulse Secure, has used the extra investment to take several steps to tighten controls at SolarWinds, including installing more software that can spot intrusions and ensuring that developers working on code are not the ones who also hold administrator rights to the systems in which the software is being built.

But arguably the biggest change—and the one that’s most likely to attract the attention of other CEOs and technology leaders—is his decision to create three separate software development pipelines rather than the single one SolarWinds had before. “This is where we are putting most time and effort,” says Ramakrishna.

Each pipeline is staffed by different developers who work in different coding “environments,” such as one hosted in the cloud. The goal is to create the digital equivalent of a hermetic seal between the three teams, who all work on an identical coding project. Once their work is complete, the software is compared and any discrepancies between the three sets of code are flagged. Timestamps of changes made are also carefully reviewed.

The point of all this is that it means hackers now have to break into multiple systems rather than a monolithic development pipeline, which makes their job harder. Checking the times that changes were made also makes it more likely suspicious alterations will be flagged.
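
As an added illustration (not SolarWinds' code, which the article does not show), the comparison step could look like the sketch below. It assumes each pipeline produces byte-identical artifacts from the same source; the pipeline names, artifact paths, change records and approved build window are all constructed for the example.

```python
import hashlib
from collections import Counter
from datetime import datetime, timezone


def compare_builds(builds):
    """builds maps pipeline name -> {artifact path: bytes}.
    Returns [(path, [pipelines that disagree with the majority])]."""
    findings = []
    paths = sorted(set().union(*(files.keys() for files in builds.values())))
    for path in paths:
        # None marks an artifact a pipeline did not produce at all.
        seen = {name: hashlib.sha256(files[path]).hexdigest() if path in files else None
                for name, files in builds.items()}
        counts = Counter(seen.values())
        if len(counts) == 1:
            continue  # every pipeline produced the same bytes
        majority, votes = counts.most_common(1)[0]
        # If no two pipelines agree, none can be trusted for this artifact.
        suspects = sorted(n for n, d in seen.items() if votes == 1 or d != majority)
        findings.append((path, suspects))
    return findings


def changes_outside_window(changes, start, end):
    """Return change records whose timestamp falls outside the approved window."""
    return [c for c in changes if not start <= c["time"] <= end]


# Constructed sample data: three pipelines, one artifact differs in pipeline-c.
BUILDS = {
    "pipeline-a": {"app/core.bin": b"core v1", "app/ui.bin": b"ui v1"},
    "pipeline-b": {"app/core.bin": b"core v1", "app/ui.bin": b"ui v1"},
    "pipeline-c": {"app/core.bin": b"core v1 plus unreviewed bytes", "app/ui.bin": b"ui v1"},
}
UTC = timezone.utc
CHANGES = [
    {"pipeline": "pipeline-a", "path": "app/core.bin", "time": datetime(2021, 10, 4, 14, 5, tzinfo=UTC)},
    {"pipeline": "pipeline-c", "path": "app/core.bin", "time": datetime(2021, 10, 5, 3, 12, tzinfo=UTC)},
]
WINDOW = (datetime(2021, 10, 4, 9, 0, tzinfo=UTC), datetime(2021, 10, 4, 18, 0, tzinfo=UTC))

if __name__ == "__main__":
    for path, suspects in compare_builds(BUILDS):
        print(f"MISMATCH {path}: review {', '.join(suspects)}")
    for c in changes_outside_window(CHANGES, *WINDOW):
        print(f"OUT-OF-WINDOW {c['pipeline']} {c['path']} {c['time'].isoformat()}")
```

With three pipelines a single tampered build is outvoted by the other two; if all three disagree, the sketch flags every pipeline rather than guessing which one is clean.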

Most companies shy away from duplicating—let alone triplicating—software development work because of the cost involved. But Ramakrishna is betting that advances in automation tools and other innovations will help, and estimates that operating all three pipelines will be no more than one and a half times more expensive than SolarWinds’ previous approach over a five-to-seven-year timeframe.

Collective action

Security experts say that while expense is a consideration, escalating threats from groups such as Nobelium are shifting thinking fast. “Any approach that helps organizations understand the provenance of software [and] distinguish between code that’s been written from within and that which has originated externally is a good step forward,” says Danny Lopez, CEO of cybersecurity firm Glasswall.

Ramakrishna’s hoping he can get other companies to follow his lead by releasing white papers highlighting SolarWinds’ approach and by working with software industry bodies and government agencies to promote it. He also wants collective pressure to drive reform of the current legislative regime in the U.S. that makes companies reluctant to reveal they’ve been hacked because of fear of lawsuits from aggrieved stakeholders.

Getting the rules changed won’t be easy because there are many who think that the threat of litigation is an effective way to ensure companies take cyber threats very seriously. Ramakrishna acknowledges that management needs to be held accountable but says a better balance between censure and collaboration urgently needs to be found.

“Instead of fighting amongst ourselves to discover what went wrong, we should be fighting against threat actors,” he says. “We’re losing time, we’re losing focus and we’re losing the war.”


