Up until recently, John Pagliuca’s mother-in-law thought he worked for a solar power company of some kind. That changed for good late last year.
“We got a little famous at the end of 2020,” observes Pagliuca, president of SolarWinds MSP, in a reference to the headline-grabbing revelations last December that SolarWinds MSP’s parent company had been breached by attackers believed to be working for Russian intelligence.
Pagliuca, along with other speakers, addressed that incident today during an online meeting for SolarWinds MSP partners. The event’s core goal, he emphasized, was to share the latest information, based on some two months of internal investigation, about what happened last year, what didn’t, and what it means for users of SolarWinds MSP’s RMM products and other solutions.
“A lot of times, rumors and fiction travel a lot faster than fact,” Pagliuca said this morning. “We need to make sure that we’re separating fact from fiction.”
Fact number one, he asserted, is that the SolarWinds breach, which infected its highly popular Orion management platform, did not impact either the cloud-based SolarWinds Remote Monitoring and Management or on-premises SolarWinds N-central RMM solutions.
“What we know is that our source code, our build environment, as far as we can tell you with all of this investigation that we’ve been going through with the code, has not been impacted,” Pagliuca said today, echoing statements SolarWinds MSP has made on its website and elsewhere since news of the Orion hack surfaced.
To confirm its own enquiries, SolarWinds MSP hired CrowdStrike to perform a threat hunting sweep of its infrastructure. “They’ve instrumented over 90% right now of workstations and servers within the environment,” said Tim Brown, vice president of security for SolarWinds MSP, during the partner conference. So far, he continued, they’ve found no evidence of compromised machines or devices attempting to reach an attacker’s command and control server.
KPMG, Brown told ChannelPro in an earlier conversation, has helped with forensics analysis in recent weeks too. Krebs Stamos Group, the consultancy led by Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency (CISA), and Stanford Internet Observatory founder Alex Stamos, has provided assistance as well.
“We feel that because we have this intimate knowledge, we have these experts in house, we’ll be in a better position to make sure that we are secure by design,” Pagliuca told ChannelPro earlier this week.
Indeed, though its RMM software appears to have escaped unscathed from the Orion hack, SolarWinds MSP is treating the incident as a learning opportunity. “The guidance I gave to Tim and also to my other leaders is embrace this incident and let’s make sure we can leverage it to better put ourselves in a better position,” Pagliuca says.
Changes the company has introduced based on lessons learned so far include the introduction of a “two-way build” process in which source code is converted into products and those products are then compared with the original source code to ensure nothing has changed. Product teams have also replaced earlier one-pipeline build processes with multiple pipelines in which carefully controlled privileges prevent any one person from having access to all of the code. One of those builds is kept in a segregated “clean room,” moreover, and used to check the others for tampering.
None of that, according to Pagliuca, represents a departure for SolarWinds MSP, which has long emphasized secure development practices. “That’s always been one of the key pillars of the strategy,” he says. “It’s just more of a reinforcing and a little bit of a reprioritizing.”
For all the well-justified attention the Orion breach has attracted, Brown stresses, the actual damage it caused was relatively modest. Though thousands of businesses have had to put long hours into checking the integrity of their networks and databases, and multiple federal agencies, including the Departments of Defense, Commerce, and Energy, have been compromised, SolarWinds believes no more than 50 organizations were successfully “weaponized” by the Russian malware.
“The true impact has been extremely low,” Brown says.
Much of that impact, he continues, can be traced back to sloppy IT departments. “Customers that were truly affected did not have a very good network design,” Brown says, noting a properly configured Orion deployment should never use the internet for anything other than licensing and updates, if then. Malware downloaded to Orion environments not open to the internet was incapable of communicating with its author and thus essentially harmless.
SolarWinds MSP partners, according to Brown, should learn from that fact. “MSPs and their customer environments need to be appropriately segmented,” he says. “They need to be locked down appropriately. They need to make sure they’re doing network control of the users, so that they can be resilient to this type of attack.”
Sharing best practices advice like that is one way SolarWinds MSP has been helping partners navigate the Orion hack. That guidance has been based both on the company’s own expertise and on recommendations supplied by CISA. “They’ve been our independent voice,” Brown says.
For a limited time, SolarWinds MSP partners can deploy endpoint detection and response software from SentinelOne on their network for free as well. SentinelOne has been a SolarWinds MSP technology partner since 2019, when a SolarWinds EDR solution based on SentinelOne’s platform debuted. Pagliuca cites two motivations for the offer.
“One, to get them more familiar with how they can use it so they can it deploy for their customers, but two, to give them the peace of mind that their endpoints are secure,” he says. “It’s well documented the SentinelOne technology stood strong against some of these most recent vulnerabilities and malware, and so to give those MSPs for free something that they can put in their environments immediately we thought was an important thing to do.”
Unaffected by the Orion incident, according Pagliuca, are previously announced plans to spin off SolarWinds MSP as an independent, publicly traded corporation. Officially under consideration since last August, that move has appeared increasingly inevitable since then. SolarWinds confidentially submitted a Form 10 registration statement with the U.S. Securities and Exchange Commission in connection with the spinoff last December, an interim step on the road to a transaction that Pagliuca expects to happen in the second quarter of the year.
“That’s still very much the plan,” he says.
Changing SolarWinds MSP’s name to N-able, a brand familiar to managed services veterans from the RMM software maker SolarWinds acquired in 2013, has been part of that plan since December too. According to Pagliuca, partners will see that switch reflected on the SolarWinds MSP website toward the end of Q1.
In the meantime, according to Brown, partners can expect more information sharing through activities like today’s conference. “Our path forward as SolarWinds is more transparency, more openness, more auditing, more answering the hard questions about, ‘hey, how do you develop code?'” he says. Brown hopes everyone in IT concerned about today’s treacherous security landscape follows that same path.
“More transparency in this industry and more transparency from the MSPs themselves to their clients, and then more transparency from the vendors to the MSPs, is going to be critical moving forward,” he says.
