Up until recently, John Pagliuca’s mother-in-law thought he worked for a solar power company of some kind. That changed for good late last year.
“We got a little famous at the end of 2020,” observes Pagliuca, president of SolarWinds MSP, in a reference to the headline-grabbing revelations last December that SolarWinds MSP’s parent company had been breached by attackers believed to be working for Russian intelligence.
Pagliuca, along with other speakers, addressed that incident today during an online meeting for SolarWinds MSP partners. The event’s core goal, he emphasized, was to share the latest information, based on some two months of internal investigation, about what happened last year, what didn’t, and what it means for users of SolarWinds MSP’s RMM products and other solutions.
“A lot of times, rumors and fiction travel a lot faster than fact,” Pagliuca said this morning. “We need to make sure that we’re separating fact from fiction.”
Fact number one, he asserted, is that the SolarWinds breach, which infected its highly popular Orion management platform, did not impact either the cloud-based SolarWinds Remote Monitoring and Management or on-premises SolarWinds N-central RMM solutions.
“What we know is that our source code, our build environment, as far as we can tell you with all of this investigation that we’ve been going through with the code, has not been impacted,” Pagliuca said today, echoing statements SolarWinds MSP has made on its website and elsewhere since news of the Orion hack surfaced.
To confirm its own enquiries, SolarWinds MSP hired CrowdStrike to perform a threat hunting sweep of its infrastructure. “They’ve instrumented over 90% right now of workstations and servers within the environment,” said Tim Brown, vice president of security for SolarWinds MSP, during the partner conference. So far, he continued, they’ve found no evidence of compromised machines or devices attempting to reach an attacker’s command and control server.
KPMG, Brown told ChannelPro in an earlier conversation, has helped with forensics analysis in recent weeks too. Krebs Stamos Group, the consultancy led by Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency (CISA), and Stanford Internet Observatory founder Alex Stamos, has provided assistance as well.
“We feel that because we have this intimate knowledge, we have these experts in house, we’ll be in a better position to make sure that we are secure by design,” Pagliuca told ChannelPro earlier this week.
Indeed, though its RMM software appears to have escaped unscathed from the Orion hack, SolarWinds MSP is treating the incident as a learning opportunity. “The guidance I gave to Tim and also to my other leaders is embrace this incident and let’s make sure we can leverage it to better put ourselves in a better position,” Pagliuca says.
Changes the company has introduced based on lessons learned so far include the introduction of a “two-way build” process in which source code is converted into products and those products are then compared with the original source code to ensure nothing has changed. Product teams have also replaced earlier one-pipeline build processes with multiple pipelines in which carefully controlled privileges prevent any one person from having access to all of the code. One of those builds is kept in a segregated “clean room,” moreover, and used to check the others for tampering.
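The cross-pipeline comparison described above, as an added illustration that is not SolarWinds MSP's own tooling: each pipeline's output tree is hashed and diffed against the clean-room build, so a modified, missing, or unexpected artifact is flagged. The directory layout, file names and sample contents are assumed and constructed for the demo.

```python
"""Verify independent pipeline builds against a clean-room reference build.
Added example; directory names and artifact contents are assumptions."""
import hashlib
import tempfile
from pathlib import Path


def artifact_digests(build_dir: Path) -> dict:
    """Map each artifact's path (relative to the build root) to its SHA-256."""
    digests = {}
    for path in sorted(build_dir.rglob("*")):
        if path.is_file():
            rel = path.relative_to(build_dir).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_builds(clean_room: Path, candidate: Path) -> dict:
    """Diff a candidate pipeline's output against the clean-room reference.
    Returns artifacts that differ, are missing, or were unexpectedly added."""
    ref, cand = artifact_digests(clean_room), artifact_digests(candidate)
    return {
        "modified": sorted(p for p in ref if p in cand and ref[p] != cand[p]),
        "missing": sorted(p for p in ref if p not in cand),
        "extra": sorted(p for p in cand if p not in ref),
    }


def build_is_clean(report: dict) -> bool:
    """A build passes only when nothing differs from the clean-room output."""
    return not any(report.values())


def demo() -> dict:
    """Constructed sample: two pipeline outputs, one with a tampered artifact."""
    root = Path(tempfile.mkdtemp())
    for name in ("clean_room", "pipeline_a", "pipeline_b"):
        out = root / name / "bin"
        out.mkdir(parents=True)
        (out / "agent.exe").write_bytes(b"agent-v1")
        (out / "helper.dll").write_bytes(b"helper-v1")
    # Simulate a modification and a stray file appearing in pipeline_b only.
    (root / "pipeline_b" / "bin" / "agent.exe").write_bytes(b"agent-v1-modified")
    (root / "pipeline_b" / "bin" / "extra.dll").write_bytes(b"unexpected")
    return {n: compare_builds(root / "clean_room", root / n)
            for n in ("pipeline_a", "pipeline_b")}
```

A real deployment would run this against outputs of genuinely isolated pipelines; if the build is not reproducible (embedded timestamps, non-deterministic linking), every artifact shows as modified, so determinism has to be fixed first.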