Next-Generation Technologies & Secure Development , Secure Software Development Lifecycle (SSDLC) Management , Threat Modeling
SolarWinds CEO on How to Secure the Software Build ProcessSudhakar Ramakrishna on How SolarWinds Has Ensured the Integrity of Its Source Code
President and CEO Sudhakar Ramakrishna says SolarWinds has done extensive work implementing security into the build process since Russian hackers in late 2020 bundled malware into an update of the company's flagship network monitoring software.
See Also: 2022 Unit 42 Incident Response Report
Testing, validating and qualifying the integrity of the company's source code requires significant effort given that SolarWinds operates three distinct build systems, Ramakrishna says. The company has stepped up its SOC capabilities and red teaming efforts to complement efforts to secure its build process through static code analysis, pen testing and better understanding open-source vulnerabilities, he says.
"The image of SolarWinds itself has evolved quite drastically and dramatically," Ramakrishna says. "People in the past might have been skeptical about our secure by design work or our own competencies. But now, I routinely see customers, partners and others wanting to implement the techniques that we are using in their environment."
Information Security Media Group spoke with Ramakrishna before SolarWinds disclosed that federal regulators plan to investigate whether the firm violated securities law by failing to adequately disclose cybersecurity risks and incidents prior to the 2020 Russian government hack. The firm plans to contest the determination to move forward with an investigation (see: SolarWinds May Face SEC Investigation Over Hack Disclosure).
SolarWinds also disclosed subsequent to Ramakrishna's conversation with ISMG that it has agreed to settle a shareholder class action lawsuit for $26 million that accused the company of overstating its security capabilities prior to the Russian hack.
In a video information with ISMG, Ramakrishna also discusses:
- The biggest lessons learned from the 2020 Russian government hack;
- Top challenges around incorporating security into the build process;
- How SolarWinds Observability can help companies improve security.
Ramakrishna joined SolarWinds in January 2021 following nearly 25 years of experience across the cloud, mobility, networking, security and collaboration markets. He spent more than five years as the CEO of Pulse Secure, where he was responsible for all aspects of business strategy and execution. Prior to that, he spent two years leading Citrix's enterprise and service provider division, where he was responsible for virtualization, cloud networking, mobile platforms and cloud services solutions. Ramakrishna has also held senior leadership roles at Polycom, Motorola, 3Com and U.S. Robotics.
Michael Novinson: Hello, this is Michael Novinson with Information Security Media Group. I'm joined today by Sudhakar Ramakrishna. He is president and CEO of SolarWinds. Good morning, Sudhakar. Doctor, how are you?
Sudhakar Ramakrishna: Good morning, Michael. Thanks for having me. I'm doing great. Hope you're doing well as well.
Novinson: I'm doing very well. Thank you for making the time. Wanted to jump into things here to talk about the recent launch of SolarWinds Observability. Specifically I wanted to get a sense of what the implications are of this new offering from a cybersecurity standpoint.
Ramakrishna: Absolutely. Michael, as you know, SolarWinds is a leader in monitoring solutions. And we have over the last 20 years, provided customers with great solutions for networks, applications, database, infrastructure and Cloud Monitoring. Over the last 18 months, we have been evolving into what we call full stack observability, except that we are taking customers on a cloud journey. So in other words, we are not imposing on them that they only have to consume it in SaaS, or they only have on-premises solutions, what we are doing is evolving our monitoring into observability. So there are two important elements of the announcement that we made. One is extension of our hybrid cloud observability solutions, which are largely on-premises but can be deployed in a hybrid world, and the introduction of our SaaS observability solutions, which can actually co-mingle and co-reside in customer environments to provide them a continuum, let's say from premises to hybrid to complete SaaS, depending on the pace of their cloud journey. Both of these solutions are built on our secure-by-design foundation. So all the work that we have done over the last two years almost in terms of implementing security elements to the build systems, the software supply chain, and the enhancements that we've made, will essentially result in a more robust and more secure solution for our customers.
Novinson: From the standpoint of the customer themselves, how can adopting implementing SolarWinds Observability help them with their own security?
Ramakrishna: So first things first, Michael, is that the hybrid cloud observability helps customers consolidate tools, or in other words, eliminate tool sprawl. That's step one. As a result of doing that, we have also enhanced through AI and ML techniques, better call it alert stacking, as you know, alert fatigue is a real thing. And we are trying to work with customers to help them get to the right alerts faster. So in essence, when they have security incidents, they are able to address the right incidents faster through our technology as well. In doing both those things, we are improving their productivity and reducing their costs. So there's a lot of compelling value from a security standpoint. But there's an economic value associated with that as well.
Novinson: In terms of cloud adoption, and I know you offer this in some a couple different form factors. What have you seen in terms of cloud adoption and shifts and usage patterns, since the onset of the COVID 19 pandemic?
Ramakrishna: Remote work, I would say has been driving a lot of the acceleration in in cloud adoption as well. So they are in many ways intertwined. What we noticed is that while there was a lot of cloud adoption, as a result of COVID, customers are also realizing for my environment, for my economics, is going all into the cloud is the right answer, or is there a way I can have a hybrid model where policies, user experiences, deployments can be viewed as one large and one single and unified view, while I still sweat my on-premises assets, so to speak. So I'm increasingly seeing, especially in this environment, where high inflation, compress budgets, which I won't go into, because everybody knows about these, value and the element of deriving value becomes even more important. So I would say they are still focused on the cloud journey, but maybe not as accelerated the pace as they used to at the advent of the pandemic.
Novinson: Interesting, wanted to talk a little about the market landscape. So if SolarWinds were to find themselves in a competitive bid scenario around observability or some of the other products, which companies are you most frequently encountering, and what do you consider to be your biggest differentiators?
Ramakrishna: So I'll start with the differentiators at a company level first, Michael, and then talk about each of the segments the way we are projecting our value to customers. Over the years we have said we will deliver simple, powerful and increasingly secure solutions - simple, powerful and secure. Through that process, what we intend doing is increase customers productivity and reduce their costs. And specific to our solutions, we focus on three value drivers. Best time to value in the market, you buy our products, you start getting value quickly. This is one dynamic that I'm seeing with customers where they don't want long value cycles, buying, implementing, testing, adopting, and then finally getting value. So compress time to value, fastest time to isolate and identify issues in their multi-cloud environments, not just in networks, but multi cloud environments. There, the fact that I spoke about the AI/ML capabilities, for instance, is a way of giving them the fastest time to identify. And last but not least, it's not good enough just to identify issues, but time to remediate. So time to value, time to identify, time to remediate are the three value drivers across the entire portfolio that we're building, whether it is database monitoring, service management, or full-stack observability. In terms of competitors, the way I would describe it is, depending on the segment that we are in, let's take call it the broader observability segment, we have the traditional monitoring providers as well, because it is a share of wallet, thing, traditional being more of the microfocuses and the computer associates of the worlds. But unfortunately, I don't believe that innovation cycles are rapid enough to give customers the confidence necessary to traverse in the multi-cloud world and more of the new age, but more focused on a particular segment of observability - be the new relics of the world that come largely from an app management and app monitoring type of world and spreading into the observability spectrum. Splunk, as you know, is getting more from a security dimension to the observability dimension. And then obviously Datadog is taking a different approach, starting from infrastructure and moving up into applications and others. So different vendors are coming at it from a different angle of incidence. But the fundamental differentiator, I would say is we are taking customers from where they are today and evolving them in the multi-cloud journey. So like I said at the beginning, not forcing a particular way of deploying, and also giving them the user experiences, the seamless migrations, and the economic value of the evolution from monitoring to observability, like nobody else is able to do.
Novinson: In December, it will have been two years since the world learned of the Sunburst attack. What do you consider to be the biggest lessons learned both for SolarWinds in particular, as well as the industry as a whole?
Ramakrishna: That we continue to learn, is the way I would say it, Michael, we are a learning organization. And as you know, we came through the Sunburst set of issues with outlining our secure-by-design principles, which were at some level learnings at that point. But the learnings continue to refine. A few reinforcements I'd make is situations like Sunburst are unfortunate, but they require us to constantly focus on the learnings. And one of the key learnings is the need for public and private partnerships is probably never been greater than it is today. In fact, I've been most recently in many fireside chats and discussions where we are trying to amplify it because it is important to understand that no one single company - no matter how good is how many resources we have - is able to defend ourselves especially against let's say a nation-state attack. So it is my continuous appeal to both private and public to have a better partnership so we can protect assets better. The software supply chain issues are real, and we cannot lose sight of those. So we have done quite a bit of extensive work and built processes and implemented security or better yet, I like to call it left shifting security. So it doesn't start at pen testing. It is at the development and the design phase, which is why I'm very deliberate about calling it secure by design. It is a real thing that must be adopted by the entire industry. We have done some extensive work - published white papers as essentially open source for everyone to use, and that becomes an increasingly important conversation with my customers. Three is vendor validation by customers is a more and more relevant thing to do. Vendors need to educate themselves on what are the key things we should ask. I should say customers need to educate them on what should I ask vendors for in terms of the security posture, not just in investment, but in actually processes, tools and techniques that they use, because we are pocketing value chain in an ecosystem, and deficiencies in one will affect the other. So these are three areas that I would say need heightened focus.
Novinson: In terms of the embedding security into that build process - the design and the development process - what are some of the obstacles and challenges that you've had to navigate as you try to put that into practice?
Ramakrishna: So I'll give you a very quick update on that. We run three build systems or build processes, Michael. The location of those builds, will change. Who has access to those changes? So first things first was changing the developers' behaviors themselves, because they're used to a certain way of doing things, which is true in every company, and we had to enforce or we had to influence - I should say not enforce - them to understand why we have to do these things. And then once they jumped on it, it was a matter of like, second nature now for us to be able to do that. So that is one. Two, it is a pragmatic issue that many companies will fail face, which is, it's an investment that you make, because you are investing in security, you're investing in your people, and you're investing in your processes. Oftentimes, you may discount the significance of it. But I can say that from prior experience, and hear that it will pay off a lot. And in terms of confidence you have with customers, and it has some very strong ROI, even if you think about it in ROI terms. So that's a second, I would say. It needs to be elevated from a prioritization standpoint. Third, I would say is the real effort in testing, validating, and qualifying, when you have multiple build systems, the integrity of the code itself. So that's more of the effort side of it. So those are the three elements.
Novinson: Surely after you started as CEO in January 2021, you announced the secure-by-design initiative. And now looking back over the past 21 months, what are some of the bigger changes that you've made to secure by design? And what are some of the bigger areas of emphasis for secured by design that maybe were on top of mind when you first launched this?
Ramakrishna: Michael, the principles of secure by design have stayed the same. But what I will say is that the details of secure by design have evolved a lot. I'll give you a couple of examples. One is, I would say that red team efforts and secure operating center efforts within SolarWinds are significantly more advanced than when we started. We do a bunch of activities, we attack ourselves, the tools, techniques and processes that my CISOs team uses is not known to a lot of people. So in essence, we try to do social engineering things, penetration testing, without users knowing about it. And we learn a lot from it. And let's say you click on a very sophisticated phishing attack, you're going to get a teaching lesson, so to speak from us. So these are all techniques that we have been continuously improving in the spirit of elevating our internal security postures that is definitely number one that has improved. Two is the image of SolarWinds itself has evolved, I would say quite drastically and dramatically. Whereas people may have been skeptical about secure-by-design work. Whereas people may have been skeptical about our own competencies. Routinely, I see customers, partners, others wanting to implement the techniques that we are using in their environments. Again, going back to the need for us to all be part of the same ecosystem and a secure ecosystem. That's changed a lot. Three, in the build systems - in the build processes - we are using a number of techniques to improve the security posture. Not just like things like static code analysis and pen testing and such. But looking at open source, understanding open source vulnerabilities, checkpointing software, the multiple build systems, those are all evolutions that have happened in the last 10 to 12 months.
Novinson: Interesting. Finally here, I wanted to turn back from internal security to helping customers secure themselves and talk a little bit about what's on the roadmap for 2023 and what innovations customers can expect from SolarWinds in order for them to improve their own security.
Ramakrishna: So the alert stacking pieces that I mentioned, the continuous focus on AI/ML from a security standpoint, but then broadly speaking, the observability camp, Michael, one of the areas in observability is the security observability itself. So the uniqueness of our platform is not only we are we looking at observability from an app, database, network, monitoring standpoint, but we also looking at security as an element of observability. And more critically tying the capabilities of, let's say, applications, networks, etc, to security and logs and providing customers with better insights. What it does is again, it goes back to fault isolation, incident isolation, and incident remediation. Those are the things customers can expect from us.
Novinson: Good to know. Sudhakar, thank you so much for the time.
Ramakrishna: Thanks again, Michael. Pleasure meeting you again.
Novinson: Yourself as well. We've been speaking with Sudhakar Ramakrishna. He is president and CEO of SolarWinds. For Information Security Media Group, this is Michael Novinson. Have a nice day.