SolarWinds CISO: Know your adversary, what they want, watch everything

The compromise of SolarWinds' Orion software changed the company's approach to security. Tim Brown shares some hard-won advice for how CISOs and software vendors should prepare for supply chain attacks.


Late last year, a group believed to be Russia’s Cozy Bear (APT29) successfully compromised SolarWinds’ Orion update software, turning it into a delivery vehicle for malware. Nearly 100 customers of the popular network monitoring tool were affected, including government entities and cybersecurity company FireEye.

The attacker was able to gain access to SolarWinds’ IT infrastructure to produce trojanized updates to the Orion software. FireEye, which first discovered this software supply chain attack, said it required meticulous planning and manual interaction by the attackers.

While researchers consider the attack noteworthy, so is SolarWinds’ response. The company quickly brought in capable outside help not only to address the immediate crisis, but also to help review its security operations and craft a strategy to better guard against future software supply chain attacks. SolarWinds has openly communicated its knowledge of the incident and the steps it is taking to improve its security posture.

CSO spoke with Tim Brown, SolarWinds CISO and vice president of security, about how this incident has changed the company’s approach to security. Brown is responsible for both product and internal security.

How has your role changed since the attack?

Prior to the attack, I didn't necessarily call myself a CISO because I was focused on both security operations and product security/strategy. My goal has always been a mix between product as well as operation. It's important when you have a product development environment that you do have that mix. We do take on the security aspects of an operation. Our primary delivery is products, so it’s very important that our security team is tied into both sides of that.
