10 Bold Statements From SolarWinds MSP After The Orion Hack
From comments on switching up CEOs and weeks of silence to building new IT systems and giving MSPs free security products, here’s a look at 10 notable remarks made by SolarWinds MSP President John Pagliuca and VP of Security Tim Brown.
In The Eye Of The Storm
SolarWinds MSP has found itself under intense scrutiny in the past two months even though none of its own tools were compromised in the widespread SolarWinds Orion hack. The remote monitoring and management services provider acted quickly, telling its 15,000 MSP customers Dec. 16 that it would yank the digital certificates for its MSP tools, revoke them in four days’ time, and force customers to “digitally re-sign” into its products.
But aside from a security advisory on its website, SolarWinds MSP hasn’t spoken publicly about the colossal attack on its parent organization. Until now.
SolarWinds MSP President John Pagliuca and Vice President of Security Tim Brown sat down with CRN to discuss building new IT systems from scratch, safeguarding supply chains and publicly sharing security practices. Pagliuca and Brown also addressed why the company gave MSPs free endpoint detection and response software, as well as why SolarWinds MSP had refrained from speaking publicly about the hack.
Transitions were a prominent conversation topic, both around the impact of former Pulse Secure leader Sudhakar Ramakrishna taking over as SolarWinds CEO last month as well as the security implications of the upcoming spin-off of SolarWinds MSP into a standalone publicly traded company called N-Able. Here are ten notable things Pagliuca and Brown had to say about navigating through these turbulent times.
Why Has SolarWinds MSP Waited Nearly Two Months To Speak Publicly?
Pagliuca: Lies tend to outpace and outrun the truth. And so, there‘s been a lot of FUD [fear, uncertainty and doubt] that’s been thrown out and in the world about the incident. So, then you say, ’Well, why are you so slow to respond to this?’ Well, the reality is we’re part of an investigation, we’re collaborating with these authorities from across the globe.
And our focus, and our priority for SolarWinds now really has been to collaborate with these government agencies as part of that investigation to protect our customers and their customers and to work with the authorities. So, with that as our priority, with that as a lens, it‘s important that we verify and validate everything that we can say. We can’t say things, ’This is what I think.’ We can’t speculate.
And we also can‘t necessarily tip our hands to the bad guys, to these threat actors that are out there to show them all what we’re doing. So, it was more about the priority to make sure that our customers are safe and that we‘re cooperating with the investigators. Will that slow down our communication? Yeah, to some degree, by definition, it has to. Is it the right thing to do? It absolutely is the right thing to do.
Were Your MSP Customers Asking For More Updates And Communication?
Pagliuca: As soon as the news broke, so to speak, there was a lot of misinformation. And there was a lot of things that we didn‘t know. And so, we were working, and Tim [Brown] has been working, along with other teams, quite frankly, around the clock so that we were better informed and we can get our arms around this. And I think the SolarWinds team, that ITOM [IT Operations Management] team, has done a tremendous job working with these agencies.
And now you‘ll see a much more steady cadence and a much more steady rhythm as far as the information that we‘re releasing. The team puts out a blog quite regularly. And we’re a little bit more on our toes as far as making sure folks are informed, because now we’re able to validate. Because now, we know it’s not conjecture. It’s not speculation. We’re still working on the investigation. And as the facts become known to us, that’s when we’ll start to push them out…
Not to get too preachy, but for me, this was everyone in favor versus everyone not necessarily in favor of the free world. And it wasn‘t just a SolarWinds attack. It wasn’t just a United States of America attack. It was across the globe, any enterprise or agency that supports free enterprise, so to speak. That’s what this was about.
So, for us, the goal was to make sure that we‘re cooperating with those folks [authorities], and not necessarily worrying about getting our message out there or spinning this or having some type of propaganda. We have to make sure that we’re focused on the investigation and doing what’s right. And validating before we would speak.
Why Did You Give MSPs Free Security Tools If SolarWinds MSP Wasn’t Hacked?
Pagliuca: We partnered really quick with SentinelOne to give our partners EDR [endpoint detection and response] technology that‘s free for their environments, just to give them peace of mind and an additional layer of security so they can go roll out devices for an extended period of time. Having that EDR technology on their internal endpoints will help shore up their environment…
So, we‘ve had this offering for, I think, close to two years. And the SentinelOne folks have done a good job documenting how their offering has stood up strong against some of the malware that we’re seeing. And so, for us, it was just to give them additional peace of mind. And, you know, EDR technology is becoming more of a gold standard in these environments. So, it was a good opportunity to reinforce this layered security approach and to give them a little bit more peace of mind to put this in their network.
Brown: It gives them strength in their own environment, which is always important. And that‘s one of the things that we’ve learned from this is that everybody is going to be under more scrutiny because of this event. So not just SolarWinds proper, but also all vendors and MSPs as well. So, it’s important that they’re able to show things like, ’Yes, I’m running EDR in my environment. Therefore, I’m inspecting more than what I would have been.’
How Has The SolarWinds CEO Transition Impacted SolarWinds MSP?
Pagliuca: Kevin [Thompson‘s] departure was well-documented and well-planned. He was the leader of this business for over a decade. And like any good leader - and Kevin’s a great leader - there was a transition plan that was well-documented and well-organized. And he and Sudkahar [Ramakrishna] spent a good amount of time together.
Sudhakar has been a fantastic addition to the SolarWinds family. He has already proven to be a tremendous leader. And, quite frankly, with his security background - and we didn‘t know this at the time - but we couldn’t have selected a better leader to bring that business to their next chapter.
And Kevin was world-class with that transition and helped him and continues to help with that proactive transition. So, it was smooth, it was planned, and we find ourselves in very capable hands with Sudhakar.
What Is The Timing Around Your Spin Out From SolarWinds?
Pagliuca: We‘ve always said that it was going to be the first half of ’21. And we’re right on track. For the record, I’ll make sure to say we continue to explore. But that exploration has us targeting Q2 - probably mid-to-late part of Q2 - where we will actually be a separate, publicly traded company. So that‘s one milestone. And that’s a key one, we’re going to start hopefully trading, potentially, at the back-end of Q2.
But what you‘ll see between then and now is what I call a transition to purple. So with the new name - with N-Able - you’ll see us starting to operate in market a little bit more as that N-Able entity as early as the end of Q1, because you need to make sure that you’re presenting to the world this new name before you’re really effectively trading with that new name. So, it’s important.
So the teams have been laser focused on making that transition. In fact, some of our legal entity names have already transitioned to N-Able. Customer bills will begin in February in some regions of the world and with some products with that N-Able name on it. So we‘re beginning to operate as N-Able already as we look to the middle-to-end of Q2.
What Are The Security Implications Of Spinning Out From SolarWinds?
Pagliuca: So, we‘re separating our accounting systems, we’re separating out some of our IT systems, our email. But there were a lot of systems actually that were already separate. Our go-to-market facing, our customer support and success systems and instances were already separate. Our product billings were already separate. So, there’s a lot of parts that were separate, and we are a separate operating entity. So, there was a lot of separation that’s historically been there from the get-go, that’s not a new thing, or an incident thing, or even a spin thing. We’ve always operated separate to some degree.
But, of course, there are certain things that we share, like some IT infrastructure, and some of those other parts. So, the plan always was to take a fresh view on what that N-Able system design would be. And that continues to be the plan... Now, knowing what we know and understanding the approach that these folks took, how do we have a little bit more of a secure-by-design approach for our products, but also for our infrastructure, as we go forward into this new world?
So, in some ways, we‘re actually fortunate in that Tim [Brown] and the team have intimate knowledge and views as to what these bad guys did, what these threat actors did. And as we look to design the new N-Able systems, we’re gonna have the benefit of all that knowledge and these world class experts to help us design this. So, the plan was always to design and build and stand up a separate environment and separate systems.
There was not necessarily any lateral impact from the bad guys jumping into the MSP products. But we got a lot of lateral benefit. And by that we mean the know-how as we go to future-proof and stand up these new systems, these new environments, these new controls for the new business. And that‘s going to be true for SolarWinds, that’ll be true for N-Able, and that should be true hopefully for a bunch of companies across the globe.
Will The MSP Business Benefit From No Longer Having SolarWinds In Its Name?
Pagliuca: I think that for our MSP partners, there was some confusion, right? So, we put them in the position that they needed to answer small and medium enterprises saying, ‘Hey, I see SolarWinds in my computers.’ And so for them [MSPs] to be able to say, ’Hey, look, there’s this N-Able brand, this N-Able company,’ I do think it will take some of the pressure off of our MSPs having to answer that clarifying question. So, in that lens, I do think it‘s beneficial.
But SolarWinds is a company that‘s been around for over 20 years and has always done things the right way. And I’ve said this before and I’ll say it again, it’s a world class organization. So, to be affiliated with that company, that’s something that I’m proud of today, I was proud of yesterday, and I’ll continue to be proud of tomorrow. So that’s nothing that we’re trying to hide from.
What Are The Most Visible Security Changes SolarWinds MSP Is Making?
Brown: I think the most visible is going to be additional transparency around how we build, what we do, and what we share. So, the MSP market and MSP products have always been under ISO [an international security standard], right? We do ISO audits, we do pen tests, we do those things. We know that we‘ve got to up the game from all software providers and all service providers.
And all vendors to MSPs should be expecting that they need to essentially up their game and be able to be transparent and answer the hard questions. So, because of the incident, we are taking that across the entire company, and that includes MSPs as well as our core business, that transparency perspective.
More proof points and audits of, ‘How do you build software? How do you go from build to deployment? Or how do you go from build to service? How do you build services that are, you know, more resilient and open?’ I think that is going to be the big change that you see moving forward.
We‘re going to lead the pack in showing that we can build and do build exemplary software, and that we provide exemplary services, and that we’re open to sharing the models. And that’s going to be the expectation for the industry moving forward. So, we’re just going to lead the pack there.
After The Split, Will Tim Brown (pictured) Be With N-Able Or SolarWinds? What’s The Impact?
Brown: So, the original plan was to move over [to N-Able], but I am going to stay with SolarWinds. And we‘re looking for a good solid CISO replacement right now.
We‘re looking for somebody that has been around security for a long time. We’re looking for somebody with appropriate skills that has been able to build companies and exemplary software providers. We’re looking for somebody who can have influence into the development organizations and help drive architecture and design. And we’re looking for somebody with a great voice that can help partners understand what we’re doing, why we’re doing these things, and how they can convey that to their customers.
Pagliuca: The thing with Tim Brown‘s special sauce is he’s really able to connect with the MSPs and articulate to them what's important and help them run their business and make their businesses more secure. We‘ll, of course, look for a security expert. But we’ll also look for someone that is a trusted advisor to our MSPs, that’s relatable to our MSPs.
[Someone] that can, so to speak, walk a mile in their shoes and give them informed decisions so they can secure their businesses and secure their small and medium enterprise [customers]. That‘s that special person, and Tim’s been a fantastic advisor to the 25,000 MSPs that we have. So, we’re bummed. But we understand. So, we’re looking to see if we can clone him and find someone like that for the MSP business as well.
How Is Your Approach To Supply Chain Security Going To Change?
Brown: So, our mission is producing good software and good services. And in order to do that, in the case of the Orion issues, a supply chain issue occurred, right? So, it‘s not the code, but it was what the product reproduced was. So already, we have gone and fully validated the product. So, we basically have a two-way build process now.
So, we‘re building a product, and then we are installing product, we’re decompiling product, and we’re bringing it back to source code. So, every single component that is within the product has been accounted for. And that was for the Orion system. We’re moving those same concepts to the MSP environment.
We‘re also implementing triple-build environments in both sides, which means that we’re going to build once in dev, build once in lab, and build once in a cleanroom. And then we’ll be comparing those results to make sure that those are correct. Also, no one person will have access to all three of those environments. So, we’re taking the pipeline, making sure that it’s always secure, and making it very, very difficult to have it be circumvented.