SolarWinds Fights Back With Chris Krebs, Alex Stamos Hires

‘Armed with what we have learned of this attack, we are also reflecting on our own security practices and seeking opportunities to enhance our posture and policies. We have brought in the expertise of Chris Krebs and Alex Stamos to assist in this review,’ SolarWinds tells CRN.

SolarWinds has brought in two of the world’s most famous security minds to help the embattled vendor pick up the pieces after the colossal Russian hacking campaign.

“Armed with what we have learned of this attack, we are also reflecting on our own security practices and seeking opportunities to enhance our posture and policies,” SolarWinds told CRN. “We have brought in the expertise of Chris Krebs and Alex Stamos to assist in this review and provide best-in-class guidance on our journey to evolve into an industry leading secure software development company.”

Krebs served as director of the Cybersecurity and Infrastructure Security Agency from November 2018 until November 2020, when he was fired by President Donald Trump for refuting Trump‘s baseless claims of election fraud. Stamos is a Stanford University professor and Facebook’s former security chief, who left the social media giant following disagreements over how to combat Russian misinformation.

[Related: SolarWinds Hackers Compromise Confidential Court Filings]

The hires were first reported late Thursday by the Financial Times, who said Krebs and Stamos will work as independent consultants to help SolarWinds coordinate its crisis response. The pair told the Financial Times it could take years before all of the compromised systems are completely secure again.

“This has been a multiyear effort by one of the very best, the most sophisticated intelligence operations in the world,” Krebs told the Financial Times. “It was just one small part of a much larger plan that’s highly sophisticated, so I would be expecting more companies that have been compromised; more techniques that we’re yet to find.”

SolarWinds has been accused of not being sufficiently open about the scale or method of the attack, and the Financial Times said Stamos tacitly acknowledged that criticism. The injecting of malicious code into SolarWinds’ Orion network monitoring platform between March and June 2020 allowed Russian government hackers to compromise federal agencies and private companies like FireEye and Microsoft.

“FireEye has been extremely transparent and that’s worked out really well for them,” Stamos told the Financial Times. “There’s been less of that [from] the other companies involved, and that means that things are leaking out that may or may not be true.”

New SolarWinds CEO Sudhakar Ramakrishna didn’t mention Krebs or Stamos by name in a blog post late Thursday, but said the Austin, Texas-based IT infrastructure management vendor has “engaged several leading cybersecurity experts” to assist SolarWinds in its efforts to become more secure. Ramakrishna was previously CEO of Pulse Secure, and took over for longtime SolarWinds CEO Kevin Thompson Jan. 1.

Ramakrishna said he’s working directly with the SolarWinds team to drive immediate improvement around the company’s critical business and product development systems. Specifically, he said company efforts are focused on further securing SolarWinds’ internal environment, enhancing the company’s product development environment, and ensuring the security and integrity of delivered products.

From an internal environment standpoint, Ramakrishna said SolarWinds plans to deploy more threat protection and threat hunting software on all network endpoints, with a critical focus on development environments. The company also plans to enforce multi-factor authentication and reset the credentials for all privileged accounts as well as all accounts used in building the Orion platform, Ramakrishna said.

As far as product development is concerned, Ramakrishna said SolarWinds is performing an ongoing forensic analysis to identify root causes of the breach and take remediation steps. The company also plans to move to a completely new build environment with stricter access controls and deploying mechanisms to facilitate reproducible builds from multiple independent pipelines, Ramakrishna said.

And to address software security and integrity, Ramakrishna said SolarWinds is adding additional automated and manual checks to ensure that compiled releases match the company’s source code. The company also plans to re-sign all Orion platform software and related products, as well as all other SolarWinds products, with new digital certificates, according to Ramakrishna.

SolarWinds will also expand its vulnerability management program to reduce the company’s average time-to-patch, and perform extensive penetration testing on Orion and related products to identify any potential issues, he said. Finally, he said SolarWinds will leverage third-party tools to expand the security analysis of Orion’s source code, and engage with and fund ethical hacking from white hat communities.

“In my most recent role as CEO of Pulse Secure, and in other executive assignments, I have dealt with highly visible security breaches,” Ramakrishna wrote in his blog post. “In these instances, I have sought to let humility, ownership, transparency, focused action, and bias towards customer safety and security be my guiding principles. It is my goal to bring this same approach to bear here at SolarWinds.”