Security Theater, Shadow IT, and Insider Threats — SolarWinds TechPod 009

Stream on:
Host Alex Navarro is joined by two VPs of product strategy, Mav Turner and Brandon Shopp, to discuss which security issues, solutions, and strategies are trending topics of conversation at this year’s SolarWinds Government Partner Summit and User Group.  Related Links  
Brandon Shopp

Guest | Vice President, Product, SolarWinds

Brandon Shopp is the vice president of product strategy for security, compliance, and tools at SolarWinds. He served as our director of product management since… Read More
Mav Turner

Guest | Vice President, Product, SolarWinds

Mav Turner is the vice president of product for the network management portfolio and Orion® Platform at SolarWinds. Prior to his current role, Mav held various positions… Read More

Episode Transcript

Announcer: This episode of SolarWinds TechPod is brought to you by Orange Matter. Find it at Orange Matter dot SolarWinds dot com.

Alex: Coming to you from the SolarWinds Government Partner Summit and User Group, I’m Alex Navarro with SolarWinds TechPod. This is Tech Talks. Joining the discussion are some of SolarWinds brightest minds; Mav Turner, VP of Product Strategy of our Network Management portfolio.

Mav: Thanks for having me Alex.

Alex: And Brandon Shopp, VP of Product Strategy for SolarWinds Systems Management.

Brandon: Thanks Alex. Good to be here.

Alex: Great to have you both. How’s the event treating you so far?

Mav: It’s been great. It’s always wonderful to meet with our partners and our customers, hear what they’re hearing and where they’re having successes, where they’re struggling, and how we can continue to make a better product for them to get to market.

Brandon: Exactly. A lot of great conversations and it’s always good to meet people face to face.

Alex: Absolutely. Well, this week we’re focusing on security, which is obviously a complex issue. How would you say strategy and process contribute to best practices and would you say one is more important than the other?

Mav: Yeah. It’s kind of hard to say. One, you can’t have one without the other. And so, to say one is more important, I don’t really think it makes a difference, but you need both right? To be successful. So, you need to have a strategy. What are you trying to accomplish? Why you’re trying to accomplish it? What’s the situation in your environment? And then you have process to ensure that you can actually deliver on that strategy and execute around it. So, a strategy without process and a process without strategy kind of, you know, don’t go anywhere. So, I think you need both. I think it’s important to take time to think through them, but also not overthink them and spend years trying to develop the perfect strategy or the perfect process. There’s a lot of value in just getting started and saying, alright, here’s our process to achieve this goal, or here’s our strategy we want to go after, and then you can evolve your process. So, generally make sure your strategy is the right one and then the process, don’t overthink it. Just kind of get moving and then you can change.

Brandon: What I would say is focus on one problem at a time, as Mav kind of indicated. If you try to boil the ocean and say that I’m going to solve this corporate-wide, you’re never going to get anything done. As an example, focus on one example like, end user email phishing and what is the process around that? How do you safeguard against that and what is the process for your users to be trained, but also to report issues that they see coming in back up to your IT security team.

Alex: I feel like that’s such simple advice, but really sound advice because it’s so easy to overthink things, over analyze things and think, okay, well this is the strategy that’s going to work. And then because that is a plan, you don’t want to stray away because this is the plan that we have in place. But really, when you start implementing it is when you should be a little flexible.

Mav: Yeah, exactly. It depends on where you’re at as an organization, right? If you have nothing, you have no process documented, you have no strategy, keep it simple—one piece of paper, write down a couple of goals, some main problem you’re trying to solve. Larger organizations might already have a lot of processes and official ways to accomplish things and that’s how you go about improving your strategy and improving your process for a larger organization that’s more mature. It’s very different than somebody’s who’s looking at just getting started.

Alex: At the same point though, you don’t want to necessarily rely on legacy just because.

Mav: Yeah, exactly. That’s the worst thing, like, why are we doing this? Because we always have. That’s where if you’re that large organization, you might look at your existing process and strategy and say, alright, is our strategy right? If our strategy’s right, do we have the right process to go achieve that? And that’s really where we want to make sure you’re not wasting time because the worst thing you can do is the security theater, right? We do these things to make it look secure or to make us feel good. Or, I can go up to my executive team and say, look at all these cool shiny things we’re doing, but is it actually having an impact? Or, is it just making everybody think that it’s secure?

Brandon: Yeah. I think people shouldn’t be afraid to, even if they already have a process and a strategy in place for a given problem, to go back and revisit it occasionally. Threat actors are out there constantly changing their tactics and the way that they go and approach and do things. Or you may be implementing a new process and you may have a new idea that is working well and that’s something you may want to incorporate into your existing processes as well.

Mav: The threat landscape constantly evolves. There’re some key things that you need to be doing and being consistent over time, but if you’re using the same strategy today as you did 10 years ago in the same process, you’re probably not really being very effective. But again, there are some tried-and-true things, you know, we talked about it in the context of cyber hygiene, right? These are kind of your basics that you got to do. But, there’s also a lot of things that are very different and how you do those things has also changed. It’s easier in a lot of cases to scale and get automation. If you’re not taking advantage of that, then you’re probably doing a lot of manual work, right? So how you do things, even if you’re trying to accomplish the same goal, could have changed drastically over that timeframe.

Alex: I like that concept because if you take a look at the processes that you have in place and you realize that you could be doing a certain task more efficiently, then just think about all of the other new ideas that you could be implementing to make your security that much stronger.

Mav: Like Brandon said earlier, I don’t think we can emphasize it enough. Don’t get overwhelmed. Just do one thing, right? If you’re listening to this and you’re like, “Ok, I have all these great ideas, I want to go solve all the problems.” Then six weeks go by and you haven’t done any of them, that’s a shame, right? Just, just pick one thing and make that difference and move forward.

Alex: For you personally, would you go with something that you might consider a low hanging fruit, or would you go with something maybe that you’re just naturally more comfortable with? Like it’s already in your wheelhouse?

Mav: The way I think about it is you want to make sure that you’re having an impact. So, sometimes, the cheap thing doesn’t have much value, right? So, make sure if you’re doing something, that it’s actually going to have an impact and not just feel like busy work. Like, okay, I’ve done these things. I did 10 things. It’s like, okay, well what impact did that have? So, there’s that value on the other side of the equation. You want to make sure that you’re actually adding value and finding that great ratio of minimal effort, highest impact, prioritizing based on that.

Brandon: Yeah, and that’s exactly what I was going to say, what is impacting your organization or having the biggest impact today? And start with that. That way you know you’re having a very tangible impact back to the business and something that you can measure. That’s another key important trait to have, make sure that you’re able to measure it. Is it being successful? Are you able to prove it out and show that you’re decreasing? Going back to the phishing, you know, attack examples are the tooling and the processes that you’re putting in place. Are you reducing those—that attack surface for your organization, or not?

Alex: Brandon, you’ve brought up fishing a couple of times now and I feel like you probably have heard some of the hot topics are buzzwords, even just being here this week. Is there anything else that comes to mind that you guys have heard from either our users or the partners during this week, that maybe you weren’t expecting to hear them talk about or maybe that you weren’t surprised at all because it really just is a hot topic that keeps coming up?

Mav: The one thing that kind of comes to mind to me that I’ve heard is that people are buying a lot of solutions and they’re not deploying them. And that’s really unfortunate, because I think everyone has the best intentions. They want to go solve all of these grand problems, but when it comes down to it, they go buy a solution and maybe they didn’t have the services around it, or maybe they didn’t plan out how they’re actually going to deploy it, right? They’re like, let’s just buy the solution. They buy it and it sits on a shelf because like, we have to implement it now. How are we going to implement it? Who’s going to implement it? So I think not having the goals that Brandon mentioned earlier, clearly defined, kind of makes it really easy to fall into that trap where you’re doing something again, kind of like security theater, you’re doing something to help improve it and you say, oh, we bought this great solution. Well, did you deploy it? I was actually surprised, about how many partners and customers talked about different solutions, where they bought something and maybe they didn’t fully deploy it, or they did just the basic basics to get up and running, but then they didn’t come back and tune it and kind of the care and feeding and not just, you know, our products, other products as well, just as a general trend, I was surprised. I think everybody knows they need to make improvements and they kind of have a high-level idea of what they need to do, but being able to get that written down and actually following through and executing on that plan is always a challenge. Just bite off those smaller chunks and you might have more success as opposed to trying to “go big.”

Brandon: Some of this may be just be due to the nature of what’s going on in the world today. There are a lot of folks that are very focused on kind of external threats. Whether it be kind of state-sponsored actors or you know, similar type of activities, but they’re not looking at their internal users and what’s going on there. So, you’re not looking at data exfiltration, you’re not looking at things like shadow IT, where people are standing up new applications or cloud services and then those cloud services are not being properly vetted, in terms of security or if you’re putting data out there. You need to make sure that not just your policies and procedures, but the vendors that you work with, also have very strong and stringent policies and strategies around their own security for their products. That’s just something I see more and more where people are focusing on outside attacks versus insider users.

Mav: Yeah. I think that’s something that’s resonated really well as we’ve been talking to, again, customers and partners and we’ve talked about some of our offerings. And when we talked about access rights management specifically, and we say, hey, you know, do you know who has access to what? And when they’ve accessed it? As part of that insider threat, whether that’s a careless or malicious one, it’s something where it’s really hard to understand what’s going on and who has access to what. And so, that’s something that’s resonated well. I’ve gotten some good feedback and saying like, “yeah, we have that problem, we’re not really sure how to solve it and it’s a pain to manually figure it out.” So we’ve gotten some good responses to some of those use cases, specifically.

Alex: Focusing on malicious insider threats versus careless insider threats, is that something that you feel like we’re going to be hearing more and more about as people kind of start to look inward and focus on, okay, where are our biggest areas for improvement?

Brandon: I think so. Absolutely. I mean, I think If I had to kind of categorize those two, which is probably the bigger threat? It’s the users that just don’t know. It’s not necessarily that they’re trying to be malicious or they’re trying to do something bad, there are those for sure, but people that just don’t have the technical savviness that you know, your typical security engineer or IT professional has, they go off and they do something, and for them they think it’s completely normal and it creates a lot of problems for the organization.

Mav: The good thing about this is there’s a lot of commonalities on how you can minimize exposure to both of them. Right. And so, we talked about data exfil, Brandon mentioned this earlier. If you ensure that people only have access to the resources they need to do their job and not permissions for everything, this actually minimizes both that careless inside user that might be leveraged in an attack, and it also takes care of a lot of the problems, challenges with a malicious insider who has access to things they shouldn’t have access to. Right? And so, being able to ensure that you really limit that scope of responsibility, and that can be network level access, that can be user permissions, if you really tighten that down properly, then you can ensure that you really minimize your attack surface or your risk, right. That fortunately solves kind of both of them and solve them. Right? It’s not perfect and not 100%, but it helps make progress, right? That meaningful progress with that segmentation and proper access management.

Alex: I think that takes us back to the point that you made earlier, which is don’t let yourself become overwhelmed. Right? Like, where is a good place to start? And I think this is a very good example, because if you’re looking at insider threats, this is something that you can use to manage both malicious and just kind of careless or ignorant insider threats as well.

Mav: Oftentimes, some of the malicious insiders will actually leverage their colleagues because they don’t want to be the ones that don’t want to raise your hand and be there like “I’m the one doing the attack.” Right. They’ll find somebody else that they know that they work with. And I’ll go through it through Brandon and I’m like he’s doing the bad thing because he’s the careless insider and I’m the malicious one. And so, you see those playing together. It’s very rarely black and white. You know, where it’s just one thing. And so, and a lot of the tactics you can use, actually applied to multiple ones, but again, what’s your priority? What do you worry about? Did you have an incident recently and you’re worried about that? Do you know that there are some things that are hard to secure and so a malicious insider can have a really large impact and that’s what you’re trying to manage, or you’re just trying to make it harder for somebody to accidentally make a mistake? What problem are you trying to solve?

Alex: Okay. Since we’re on the topic of dealing with insider threats, I feel like there’s a lot of difficulty that kind of surrounds this issue that a lot of people and organizations are experiencing. So, let’s take a look at volume of network activity, increase in use of cloud apps, and infrastructure and configuration. How would you rank these in terms of contributing factors to difficulty surrounding dealing with insider threats, whether they be malicious or not?

Brandon: Personally, myself, I think it’s more so around cloud apps. There’s a growth of the amount of services that are coming out and you know, I kind of mentioned the term shadow IT earlier, and that’s people that are going outside of the normal IT processes and procedures to procure new solutions for use internally. And so, you know, those services may not have been properly vetted, especially cloud services where they don’t have the appropriate certifications like Soc 2, like PCI, or similar type certifications that show that app and service that you’re using do have the appropriate processes and procedures and safeguards in place to best protect your data and your user information, etc.

Mav: For me, there’s two big ones I hear a lot about. One is lack of people, resources, training, right? That’s always a challenge for any organization, right? How do we make sure we have the right people that are constantly trained? We mentioned earlier how the threat landscape evolves very quickly and it changes, right? So, it’s very hard to keep up to date with what’s new. So, even as a security professional, it’s hard to keep up-to-date, much less a user who’s trying to do some other job in accounting or you know, another function and they’re not thinking about security as their primary job. They’re just trying to get their job done, right? It’s really unfortunate when security products get in the way of that. And that’s that balance, right? You want to make sure that you are increasing security without creating a burden for the user to have to think about that.

Mav: The second largest thing that I really hear a lot about is just the volume of network activity, the amount of data that they’re managing and this something that is either, you just don’t know what’s going on, to Brandon’s comment earlier about using more SaaS apps, like what information is leaving my infrastructure? Most people don’t even know what’s leaving it, right? Unless you have some good tools to help you because you can’t manually look at this stuff, right? You have to be able to, at scale, find out what’s happening, where data is going, and if you have a really good view of that, it actually becomes very, I don’t want to say easy, I don’t want to trivialize it, but more attainable, at least to actually understand what’s going on, where your risks are at. Because if all of a sudden you see data going on, you see a communication between systems that shouldn’t be talking to each other and they haven’t talked to each other for years and all of a sudden there’s this communication channel open, was a change made? Did the application actually require that? Or, did somebody hop into one box and now they’re leveraging that to move, to pivot within the infrastructure? So, if you have a good view of that, then I think you can make some really clear improvements in security. But if you have no idea where the data’s going and it’s just exponentially increasing, then it’s really hard to know what’s going on.

Brandon: Yeah, and I think that’s a great point from Mav. I mean you could have the processes, the procedures in place in order to make sure that data that’s leaving your networking, you train your users. But, let’s say you have a 50-page word document. Are they going to read that entire document? And, there could be an account number, there could be a social security number that then gets stored up on a cloud service and all of a sudden, you have a PII or personal identifiable information, that is now out in this cloud service. And if it is not a secure cloud service, then that data can get out into the open and get into the dark web and then be sold or whatnot.

Alex: The possibilities are endless, unfortunately.

Mav: Yeah, the negative possibilities.

Brandon: And that’s why it’s constantly a challenge for security professionals. As Mav said earlier, the threat landscape is constantly evolving and changing the bad actors out there, as soon as, you know, we figure it out, or we put some safeguards in place, then they’re going to go and find another route in which to attack us and come get our data. And so, you constantly have to be very vigilant and, you know, stay up on the latest research and techniques and data points that are out there.

SEGMENT BREAK: Does reporting and auditing access rights take up too much of your time? Gaining visibility into everyone’s access rights doesn’t have to be hard. SolarWinds Access Rights Manager is designed to help you manage and audit access rights across your IT infrastructure. Find a link for more information in the show notes.

Alex: Would you agree that finding solutions that work seamlessly with one another, you know, a vendor agnostic approach, is something that could really kind of help you, help your organization?

Mav: Yeah, I mean it’s, it’s hard to make progress if you don’t have systems that are connected and talking to each other. Now, sometimes there are reasons you would do that, but if you’re trying to understand what’s going on in your infrastructure, you’re trying to understand how your users are interacting with your data to Brandon’s earlier points. You need to have that seamless visibility across. And, often that’s a collection of tools usually for talking about that. It’s not necessarily one tool to rule them all. Usually there will be, you know, there’s kind of two approaches, right, Best of Breed, is another option where you’re kind of getting the best in each specific area, but when they’re siloed off and they’re not communicating, it makes it much easier for an attacker to come in and then pivot to another system, and then there’s an alarm over here in this system and then an alarm over there and that system, each are minor, but if you put them together, now they’re actually critical. And so, if you don’t have that ability to tie those events together, those indicators, then you’re really going to have a challenge in identifying those attacks, which is why, you know, most, attackers are in an infrastructure for a really long time before they get detected. Right? I mean, there’s multiple studies on this and they’re always over a hundred days that an attacker is inside the infrastructure before they’re detected. And you know, most attackers could be successful in a couple of days. Or, if they’re really good, a couple of hours, if they know what they’re doing.

Alex: Usually, they don’t need a hundred days.

Mav: No, no, not at all.

Brandon: There’s a lot of great tools out there these days where, you don’t have to go and spend a lot of money. I mean, there’s a lot of open source, open threat intelligence sharing platforms that will go out there and as new threats or new attacks come out, they’ll go and they’ll post that out there for people to see and they’ll include things like, you know, here are the IOC’s, or indicators of compromise. You know, you see a registry change here, you see, if you see traffic from this IP address, this is a known malicious site. That is constantly, daily, hourly being updated and evolved. And, it’s a community effort to where people are just sharing data, which if you probably went back five, 10 years ago, that didn’t exist. And so, I think the security community has been great about that, in that wanting to learn from each other because it’s a constant battle.

Mav: I love that you mentioned the community. It’s just so important and can have such a difference and if you’re not part of one, become part of one, join one, right? Whether that’s something you’re just doing online, whether you’re doing that, in person. Giving back and just being part of that conversation, will dramatically increase your ability to protect your infrastructure, your applications, if you’re just part of that conversation. So, most people will start off passively, they’ll read things or watch presentations online, you’ll listen to podcasts like this, but I would strongly urge you to move from that kind of passive consumption to contributing back. Right? What are you doing? It’s one thing to listen to advice or to listen to a podcast or a video. It’s another thing to say, okay, I’m going to do this one change that I learned from that, or I’m going to give my experience back out. A lot of people don’t think that there’s value in what they’re doing. They’re like, “oh, well everybody knows this obviously, and what I’m contributing can’t have any value.” But that’s totally wrong. Right? This is where being part of the community and saying, I did this and I totally failed at it, is valuable for the next person that’s trying to do that.

Alex: So, what do you two make of patching being noted most often when it comes to malicious insider threats?

Mav: Well, I think that’s what we’ve seen has helped people actually make progress against malicious insider threats. And, we can go back to kind of basic cyber hygiene and just what you need to do. I think people have started using tools. The tools have become more effective. They’ve started to understand it. A lot of the vendors have really made it easier to patch the automatic patching mechanisms. And, I think there’s been a lot of great awareness made around how patching’s important, because it’s so easy to take advantage of an unpatched system. And attacker tools are moving super fast and everybody talks about zero days but usually you don’t even need a zero day. Most infrastructures, there’s some system, that hasn’t been patched for years, and there’s vulnerabilities that have been announced. And so, it’s been great to see that companies have made progress in patching and understanding the importance of it. And, I think that makes them feel like they’ve made progress. I think it’s a great sign. I think there’s probably still a lot of work to do. I don’t think we’ve solved it necessarily, but I think it’s a good indicator that people are on the right track.

Brandon: Yeah, I agree. I mean, I think it’s still an ongoing issue and I won’t specify any company names or anything like that but if you look in the press lately, I mean, there’s been some very notable breaches that were due to un-patching. There was vulnerabilities, like Mav said, they didn’t necessarily have to be zero day, super critical vulnerabilities but if it gives them an entry point in, then they can start to look to where can I probe inside the infrastructure and find the next vulnerability and sit there and be able to navigate through the infrastructure once they get in. Staying on top of that, but also understanding what you have on your infrastructure, that’s a big challenge from a security perspective. It sounds simple, in that, “oh, I have scanners that go out and look at what assets I have in my environment.” But again, going back to users, not realizing I’ve heard stories of; in my office, I don’t have good Wifi, so I’m going to bring my own wireless access point that I buy a Best Buy or some, commercial, off the shelf, at a department store, and plug it into my office so I get better Wifi. All of a sudden, you’ve now opened a door wide open to your infrastructure. And this stuff still happens today.

Brandon: And that goes back to what we talked about at the start of constantly reinforcing this behavior because as you grow, as you hire new people, you need to make sure that those people understand what, you know, what are proper and authorized policies and procedures for your organization and what you can and can’t do.

Mav: Yeah I mean it kind of goes back to one of the oldest sayings in IT security, which is, if you don’t know what you have, you can’t secure it right. So knowing what’s in your infrastructure, for real, and not what you think, but what’s really there, is what you need to do in order to secure it properly for sure.

Alex: And so, since we’re on the topic of patching and how that is impactful but obviously there’s still a long way that we need to go, would you say that if we’re talking and focusing on security improvement, what do you think is going to be most impactful? Does patching come to mind, is it user awareness, end user awareness training, IT configuration management and reporting? What would you say?

Mav: It kind of goes back to the question you asked at the very beginning about strategy versus process. You can’t just say, alright we’re going to be perfect at patching and then say that means we’re secure. In general, I would prioritize patching just because it’s something that is just so easy. User training is hard. It’s easy for us to say, “oh train your users.” It’s hard, it’s a long time.

Alex: Managing people versus managing devices. Yeah.

Mav: I believe that a patching strategy is a very doable thing, creating a patching strategy, having a process—even if it’s not perfect. I think, again, there are good tools out there, there are better things within the vendor space. A lot of the challenges people have with patching is just downtime, usually have to take the systems down and so, and they might have SLAs, and that’s usually more of a challenge. So, I would generally push to say, hey, if you can, if you’re not doing a good job of patching, if you know this, most people know like, yeah, we kind of don’t have a good strategy. I would generally do patching. I think that’s a more short-term win you can do there, and have a bigger impact. User training is something that she needs to be continuous and ongoing and reassessed over time. So, I’m answering both. You need to do both.

Alex: You’re cheating.

Mav: I’m cheating. Yeah. I’m not answering the question. But again, it’s never one thing in your environment and what you’re currently doing. You have to take that into context, right? You can’t just say, here’s a silver bullet. Everything just works. Right. You say, for our environment, what are our challenges? What are our goals? Did you have an incident? If there’s a lot of corporate support for training and development, as just a corporate culture, it’s going to be a lot easier to make security training awareness as part of that overall training. If your corporate culture is not to invest into its employees and not to train, it’s going to be harder for you to say, “now let’s do the cyber security training.” Well you’re probably not going to have a lot of luck. So, understand the context of the environment that you are in. By the way, if you’re at a company that doesn’t really believe in training, that’s a different problem.

Brandon: I think, to Mav’s point, I agree on all of those points but patching has been around, that’s been a known quantity a lot longer that, you know, you need to have good hygiene when it comes to patching your infrastructure. I think if I go back ten years ago, the amount of electronic devices out there, whether it’s an iPhone, or an android, or a tablet, a lot of people are able to bring your own devices or BYOD onto your infrastructure. And so, I think the growth of the different types of technology out there today is creating the newest or the newer of those two threats. So, absolutely, even though patching has been around a lot longer, and you hopefully have good policies and practices around it, I feel like there’s a lot of new tooling that has come out these days where it’s actually instead of training users, which you absolutely need to do, users are going to be users and they’re going to do what they need to do to get their job done.

Brandon: And they’re not always going to think about security first, so there’s a lot of new technologies out there that will actually take that out of the user’s hands. It will look as traffic leaves the network. What’s in that traffic? And if it sees something, it will actually quarantine it. Think antivirus, you know, it runs a scan on your machine, it finds something bad, it quarantines that file, so it can’t infect the rest of the machine. Similar thing with traffic. There’s a space depending upon the analysts, they call it the CASB or cloud access security brokers, you know, that will go and will actually inspect the data as it leaves your network. And if it sees things like PII, again, you know, personal identifiable information, it will actually take that file and pull it off before it gets uploaded to that cloud service or gets emailed out to another user. And so, I feel like you need to stay vigilant on your patching, but you also need to explore these new types of tools just because of, earlier as Mav said, the amount of volume and data that is leaving the network these days is growing every day.

Mav: Yeah, and one of the things I’ll mention is sometimes there are real reasons why you cannot patch something. And this goes back to having proper network segmentation and policies and access well defined and restricted so that you might have a system that has all ports that are open to it and it’s unpatched because you can’t patch it, that really only needs one port to work but it’s still open to all other network attacks. So limiting that down so it just has the permission that it needs to access the application that it’s running really reduces that scope. So even if you can’t patch, think about how you can implement proper segmentation to minimize the risk of systems that may or may not actually be needed.

Alex: That’s a good suggestion. We were talking about community earlier and how with the landscape constantly changing, speaking about your previous experiences, sharing your failures. I feel like that can also happen in real life it doesn’t necessarily just have to happen in online forums. But, here we are at the Fed event, right? This is a prime opportunity for people to visit with each other and discuss things that they’ve experienced in the past. Would you, you know, for people who have not had the opportunity to visit one of the SolarWinds events, what would you say to just kind of encourage them in terms of speaking to peers and being able to ask, you know, bright minds like yourselves, security questions?

Mav: Well again, there’s a lot of community, so obviously SolarWinds tries to have a very broad community and there’s a lot of different way you can interact with us. We have THWACK which is an awesome community and there’s other spaces. OWASP is another well-know, respected area, which you can get involved with your local OWASP chapter. There’s a lot of other events, so if you can’t make it to one or if there’s not something SolarWinds near you there’s a lot of other industry events I would suggest going to. But also, again, just online there’s a lot of great forms and places that people can visit and share some of their stories, and sometimes people feel better about sharing things anonymously, as opposed to actually admitting in person, which is totally fair. The one thing that I will always recommend it that, if you are sharing your story, there are some details you might not want to share. So sometimes people will post actual IP addresses or things like that. Don’t go to that level of detail. You want to actually just say here’s what happened, here’s the struggle, but you don’t want to give details out in a public form that could actually expose you to more risk. Or people will copy config files up to places and say, “hey this isn’t working, can somebody help me?” So, be careful about that.

Alex: Yeah, just give us the general gist of what’s going on.

Brandon: Yeah, either that or take it offline. What I find valuable about a lot of these events, whether it’s our own, or other vendors is interacting and networking with your peers. And so, yes, it’s a great place to learn information. And this is a specific example from SolarWinds, but I think even better for our end users is, you know, talking about or you know, what challenges they’re facing, how they’re addressing those challenges, what technologies they’re looking to solve some of the challenges and what have been their experiences with those technologies, what’s been good, what’s been bad. And so, I think, you know, networking is a huge part of it. Whether it’s on a community site like, THWACK, or similar, or just, you know, just getting together with folks and just talking about those problems and brainstorming and coming up with ideas.

Alex: Well, I thank you both so much for visiting with us today. I really appreciate your time.

Mav: Great. Thanks, Alex.

Brandon: Thanks for having us.

Alex: And thank you for listening. I’m Alex Navarro. We’ll catch you on the next episode of SolarWinds TechPod, Tech Talks.

Announcer: If you haven’t already, please remember to subscribe, rate, and review us wherever you listen to podcasts. We want to hear what you think!