Secure by Design | Securing the Supply Chain — SolarWinds TechPod 039

The recent SUNBURST cyberattack reveals new threats to the supply chains fueling today’s businesses. SolarWinds and FireEye have raised the alarm for leaders everywhere to reexamine their security, to prepare for threats, and to raise the standards of the supply chains on which they rely. Securing the Supply Chain features a compelling discussion between SolarWinds® President and CEO, Sudhakar Ramakrishna, and FireEye CEO and Board Director Kevin Mandia, hosted by SolarWinds Head Geek Thomas LaRock. These leaders share insight into how organizations should think about securing their supply chains from highly sophisticated cyberattacks.

Related links: Secure by Design Resources

Sudhakar Ramakrishna
Guest | President and Chief Executive Officer
Sudhakar Ramakrishna joined SolarWinds as President and Chief Executive Officer in January 2021. He is a global technology leader with nearly 25 years of experience…

Thomas LaRock
Host
Thomas LaRock is a Head Geek™ at SolarWinds and a Microsoft® Certified Master, Microsoft Data Platform MVP, VMware® vExpert, and former Microsoft Certified Trainer. He has over…

Episode Transcript

[Intro music]

Thomas: Welcome. Today’s topic: securing the supply chain. My name is Thomas LaRock. I’m a Head Geek here at SolarWinds. It’s my honor to be with Sudhakar and Kevin today. Sudhakar could you briefly introduce yourself?

Sudhakar: Thank you, Tom. And thank you, everyone, for joining us today. Kevin, a special thanks to you for joining me on this session as you and I continue to collaborate and work with the industry at one level, our customers, our Partners, and the broader environment to basically inform them on the learnings that we have taken over the last several months, and several years, in two of our cases. And as we apply going forward into a world which is going to be safer and more productive for everyone.

Thomas: And Kevin, if you could take a few moments to introduce yourself.

Kevin: Sudhakar, thank you for this opportunity. And Tom, thank you for this opportunity. I’m excited to take on questions and just hear what is top of mind for folks. But what’s really exciting to me about today is to listen to Sudhakar and SolarWinds talk about their Secure by Design principles that they’re living and breathing on a daily basis right now. When you hear from me today, I’m gonna be kind of with my cybersecurity hat on today talking about what are we learning on the front lines of addressing security breaches, and what are we learning as folks evolve their security programs from point A to point B? And we’re all living that right now. I imagine every single person that’s dialed in right now or attending this webinar, it’s all about how do we improve our security? How do we prioritize that security spend? How do we move forward in an environment that quite frankly, 28 years of doing cybersecurity, I’m not sure I’ve ever seen a worse threat environment than today. So I’m not a FUD guy, but it’s obvious to me that we have a need for shields up right now, more than ever before. So, Sudhakar, Tom, over to you, just excited to get started and address questions.

Thomas: Thank you, Kevin. I think shields up is a great way of describing the current landscape, absolutely. So a quick review of our Secure by Design Resource Center. If you haven’t seen this yet, I encourage you to go check it out. It contains all of the resources available for this entire series, but it’s not just for the webinars, which you’ll find there. The on-demand recordings will be there, but it’s also the blogs and articles that we’ve been writing ever since, well, for the last three months. So I encourage you to go check it out, solarwinds.com Secure by Design resources. So let’s talk a little bit about the ever-changing landscape as Kevin kind of hinted what the current situation is. And I think shields up really is a great way of describing it, but I’m gonna toss this over to Sudhakar and maybe give us a little context of where we are right now. What is the current situation?

Sudhakar: Sounds good, Tom. As Kevin mentioned, we are in an unprecedented environment with regards to the threat landscape. That is being contributed to by a variety of factors. And I mentioned COVID-19 here. And the reason I bring COVID-19 here is that it has caused a lot of us to adapt to working from home in a rapid-fire fashion. In fact, it was last year that I was talking to the CISO of one of the largest banks out there. And he basically said, You helped us digitally transform in five weeks what might have normally taken us five years to do. And five years, mind you, was not a slow transformation on their part. It was a much more deliberate and phased transformation, and they had to learn and adapt really, really quickly. So what that has done is that the threat surface has essentially increased for many enterprises because you’re distributing your resources, applications, and people, so to speak, to various locations with different security postures and profiles. Working from home for me might be different than working from home for you. What equipment are you using? What software do you have enabled? And so on and so forth. And that creates fragmentation of policies because there’s not one single vendor that has the ubiquitous answer for every deployment scenario. And so as a result of that, if you think about it from a threat actor’s perspective, policy gaps, configuration mistakes are all entry points for them to get into an enterprise and traverse and basically cause damage. And so those are all contributing factors to how the threat landscape now has not only evolved but has evolved permanently in my opinion. And that causes many of us to think about what should we do going forward? How should we do it going forward?
And then this is gonna be a continuous learning improvement and iteration process, but equally importantly and the reason why you see both Kevin and I on the same stage here, is our belief system is one of sharing and collaborating because no one single vendor can truly address all of these threats by themselves or have all solutions by themselves. And if you’re truly focused on customer success, which is what we all are, then we need to collaborate and support our customers in the same level.

Thomas: And Kevin, maybe you could expand on say your comment about the current situation but I’d also like you to share a little bit about those common industry practices that maybe just aren’t enough anymore.

Kevin: Well, I can tell you first I could talk for two hours just on that, Tom. You know, when you look at, I’m gonna start at the highest-level abstraction, kind of work down. You know, I first started doing cybersecurity. I don’t even remember what we called it. I think we called it information security back in 1993 at the Pentagon. And so much has changed since then. We’ve gone through numerous shift changes in both the threats and how we need to secure ourselves. What’s tolerable on the internet versus, you know, what’s intolerable, where are the red lines. And what we have right now, I feel like 2020 and 2021, I can’t even say it. 2021, there we go. It’s the toughest time I’ve ever seen to be a chief information security officer or a VP of security. And the reason why, part of it’s global events, part of it’s the pandemic, part of it could be economics. Part of it could be because we don’t have a common doctrine that everybody abides by on offense, but attacks are just running rampant. And when you look at what nations are doing, virtually every modern nation is creating an offensive capability in cyberspace. None of them knows what the actual rules of engagement are. Where is that line of intolerance? So the envelope’s being pushed in regards to modern intelligence governments doing offense. And so that’s ever-expanding. And then we had this ransomware issue because we have a digital currency and anonymous ways of being paid. Ransomware’s running rampant, and so much money’s being made by ransomware that you’re seeing the capability escalate as well, so that you can even see some zero-day-based activities being exploited by ransomware actors. So right now, if you can be compromised, you will be compromised. It’s unbelievable how much attack traffic there just is on the internet. I think everyone on this call gets that. So what do we do about it? Second level of abstraction. We come down a notch. We’re going from 30 years of trust, period, on the internet.
It used to be, we trusted everything outside our perimeter. Then we recognized, Hey we’d better stop that, let’s get firewalls. Let’s get smarter firewalls. Next-gen firewalls, let’s get better endpoint. And when you look at the attacks, they always evolved over time to whatever we were doing on defense. So right now, the top attack is exploiting trust, whether it be human trust or the soft inside underbellies of our networks or our supply chain. So we are continuing to expand our Maginot Line in defense, and we will do so again. And I think I could sum it up with the evolution from the old way we did business, TCP/IP-based security, endpoint with signature-based capabilities, to evolving to less anonymity. Bottom line, we’re all evolving to a zero trust network. So I’ll just leave it at that, Tom, and not bore everybody with a long lecture, but that’s the evolution we’re going through right now. The threats aren’t gonna go away. They’re exploiting human trust and the trust that we have between our applications and the trust that we have inside of our networks once the perimeter’s been breached. And so I’m seeing a lot of companies say, What’s our zero trust policy, and how are we gonna implement that?

Thomas: Kevin, you don’t have to apologize for giving a lecture, we’d be happy to listen to you all day. I’d like to, I wanna highlight that point at the bottom there and for anything that does go to that Secure by Design Resource Center, I think you’re gonna find the common theme as Sudhakar has been leading us through this is that we do see this as an opportunity to learn, improve, and iterate, but importantly, share everything that we’re learning about this with the industry as a whole because security is a shared responsibility and we’re kind of all in this together. So I wanted to make sure I highlight that. Let’s jump now to a little bit about these, the securing the supply chain. And I’m gonna ask you a handful of questions. And Kevin, I’m gonna go right back to you with this. So tell me a little bit about the hard lessons that we’ve learned about the vulnerability of the supply chain to sophisticated attacks such as this. And we’ll start with Kevin and then we’ll have Sudhakar.

Kevin: You know, this was, it’s funny. When everybody was dealing with the breaches of late 2020 and then again in 2021, you know, I almost saw it as we had a third-party implant to deal with at the end of 2020. We come into 2021, we had another breach into the supply chain at a company called Accellion that was taken advantage of. And then we see the zero days in Microsoft Exchange. We’re dealing with a whole bunch of stuff that every CISO, no matter how much you braced for impact, these are hard things to deal with. I mean, there’s no magic that can defend you from the zero-day attacks or implants that have been hitting us. So I kept getting the question, Tom, from CEOs, So what do we do? And I had a tactical answer. You know, here’s the three or four things you gotta do about this immediate threat, whatever it may be. But when you got to the strategic answers the first thing was, you know, Hey start your evolution from too much trust and implicit trust to implicit denying zero trust. The second thing went right into know your supply chain. And we had to do this even at FireEye, you know, who is in our supply chain, we’ve been doing this for years, but the first time we asked was several years ago, and I even was shocked when we went to our legal counsel or general counsel and we started looking at, so who do we do contracts with? Let’s get our arms around who do we pay to help us? Whether it be a software vendor or service provider. And we had well over a thousand, we’re not that big a company. So I think the first thing every CEO out there, every CISO needs to do is figure out who’s in our supply chain? And for large organizations, it’s unbelievably complex to get your arms around it. But we started with the billing process. Who’s charging us? Let’s go figure that out. And you may have to go back a few years.
So once you figure out who’s in your supply chain, and there’s also places you can go or companies that help you find your supply chain because sometimes you go to your primary providers, but what you don’t realize is they have providers, and then the providers have providers and I get to use fancy words like tertiary providers. I don’t even know what comes after tertiary, by the way, but you have your secondary and your tertiary providers, and it just keeps going down. And then when you get that list of providers, you have to then prioritize them, and you prioritize them based on, you know, what customers depend on them? Are they even our customers? What products do they support? What business processes do they support? How important are they to your business, your reputation? Do you have any concentration risks, where you put like 98% of your eggs in two different folks in your supply chain or not? Then you look at any standards, legislation, and regulations that apply to your industry and what you have to impose. So it’s figure out who’s in your supply chain, prioritize those folks, and then you come down next thing. So how do you wanna interact with them? How do you wanna have a contractual agreement with them? So you can manage expectations and know what their risk profile is and if it abides with and agrees with your company or your organization’s risk profile, and you have to have requirements for your suppliers. This is a long effort for many folks. And a lot of us are already on the journey. We’ve already figured it out, or we’ve got it close to right. We don’t need perfect. And as they say, Perfect’s the enemy of the good. It’s pretty quick where you figure out your most vital providers, and from there, rather than maybe getting your arms around all of them all the time, you make sure you get the most vital providers, and you lock step in risk profile. And I think we get asked it all the time. So I’ll finish with this, Tom. 
FireEye is a provider of security products. And I’ve been amazed, I guess I wouldn’t say amazed, but it is remarkable how much more cumbersome our contractual agreements are with our customers than say 10 years ago. Even we get audited by some of the financial services. So we’re getting asked more questions. We’re getting demands to show proof rather than just answer the questions. You know, I swear we’ve got access control on these five servers. Not good enough. We gotta show people things, and we’ve even had customers visit our sites to inspect the things that we’re doing to see that we have a risk profile that is in concert with their expectations. So bottom line, it’s a long process. We all should be in that process by now, whether you’re in the first inning or eighth inning, and then there’s a process that you never actually finish because if you nail it with your top five suppliers, you’ll probably just move to your next five, and you’ll keep going down the list creating contractual agreements and understandings.

Thomas: Sudhakar, same question for you. The hard lessons that we’ve learned.

Sudhakar: Yeah, so Tom, on that point, I will start by reiterating what Kevin just said, which is you’re never going to be done on this journey. And it’s simply going to be a continuous iteration, improvement, and evolution, I would say. In terms of hard lessons, I’ll just extend on how Kevin described it all the way deeper into the supply chain process. The age-old way of delivering integrity in software was basically signing with our certificates. What incidents like this show, what we experienced, is that that alone is not sufficient when it comes to delivering integrity. And how do you establish a level of non-repudiation in the software that you deliver? So as a vendor in the supply chain and as a producer of software to many customers who in turn also produce software, one of the things that has been predominantly a focus of mine as we engage with customers is not only what are we doing from a Secure by Design standpoint to fortify our software systems, software build environments, and software build practices but also to share it with them because many of them are writing software, and then they have to essentially deliver it to others. Let’s say such as Kevin and others downstream. So ensuring that the software build processes are not simplistic and ensuring that the attacker’s ability to inject malware into software systems and processes is one of the hardest lessons learned I would say here for us and for the industry. Somewhat related to that is the environment that we all develop software in itself, not just use, but the environment itself. And we’ve been driving this notion of least privileged access across all elements of our environment. And Kevin and I were just chatting about this construct, some refer to it as zero trust, some refer to it as zero trust networking. That is somewhat restricted.
And what we need to be thinking about is how do we ensure that users, devices, networks, and applications have these zero trust and least privileged access principles implemented in the construct of a Secure by Design-type team that allows customers to have the confidence that we are looking at environments in a 360-degree construct as opposed to focusing on point problems, which lead to essentially point solutions. So those are, I would say, two broad lessons learned. There are many more that we have included in our resource center as you know, Tom, but these I would say are more critical and time-urgent.

Thomas: Thank you both for your answers. The next question we have, and I’m gonna go with you, Sudhakar, since we started with Kevin last time. But let’s talk about the considerations that IT and business leaders take regarding their own supply chains.

Sudhakar: The way to think about this is it’s a two-phased approach. One is your own downstream supply chain, so to speak, and your upstream supply chain, for lack of a better term, not to confuse matters because you’re both a consumer and a producer here. And the principles apply equally on both sides of the equation, right? For instance, just as you might look at, to Kevin’s earlier point, who are my vendors and what might be their software BOM? The word BOM used to be in previous orders or in the hardware realm, but more and more that’ll become a lingo in the software world, especially because many of us are leveraging third parties for developing our own product. And many of us, and maybe all of us, leverage some form of open source or another. And the answer to these types of problems is to not shut those down as much as how do you make sure that those are continually secure, and how do you drive the principles of security in the design phase across those elements of the supply chain itself? And so what I would look at is think about BOMs, think about bill of materials, which technically is an arcane term in the software context but the equal of the bill of materials downstream and upstream would be one key aspect. And two is look at zero trust or least privileged as a set of mindset and principles followed by tools and practices, not simply as tools and practices because that might lead to shortsighted answers or restricted answers.

Thomas: So Kevin, same question to you. Talk a little bit about the considerations that IT and business leaders should have.

Kevin: Yeah, I talked a little bit about just, you know, figure out your supply chain, figure out your government’s model form, have a supply chain management that has contractual agreements. But when it comes specific to software, I do see a day and an age and it already is here by the way, for so many of the customers that we deal with, or, you know, both upstream or downstream like Sudhakar referred to, we have to have different types of assessments done. You know, are you SOC 2 compliant? How do you benchmark yourself? When did you last benchmark yourself? Who provided the service that maybe did the benchmarking? And I think you’re gonna see the same thing in software, that over time there’s just gonna be a due standard of care that we can all communicate, whether it be we’ve scanned software for vulnerabilities or we did some other things to make sure there weren’t implants in there because I do believe one of the things, you know, it’s not easy to find an implant. But over time, what we’re gonna see is folks developing means and ways by which we all can kind of verify the software we’re shipping is the software we intend to ship. So you’re gonna see, I don’t know if you wanna call it underwritten, but just the questions you’re going to be asked in contracts. We’ll ask for when was the last time you tested your software for vulnerabilities? When was the last time you had a software review for implants? Whatever it may be. So due standard of care is gonna get up the notch because we’re all gonna start doing it anyway. And that’s why I’m excited to hear SolarWinds Secure by Design because they’re gonna set the bar for all of us. A lot of the concepts they’ve said and will continue to say and communicate, they’ve been around for a while, but at the same time frame, it’s just, now’s the time. 
We’ve hit a threshold in cybersecurity where all of us that provide folks services or software are gonna have to overtly show the standard of care that we are providing to our suppliers and the folks we supply.

Thomas: Thank you. Thank you both for that. Next question. I’m gonna go back to you, Sudhakar. Let’s talk about the steps that we’re taking with our organization in response to the attack. And also what do you think other organizations can do in response?

Sudhakar: Absolutely. First, Tom, is a pledge of transparency and sharing. It’s just a mindset thing, whatever we learned, we are sharing with the community, even before any resolutions have taken place. Two is engaging and collaborating with Partners such as Kevin here. I mean, they are the security experts, right? I mean, while we are driving a Secure by Design mindset here, it’s critically important for us to leverage the knowledge and the expertise of our Partners here. And we have assembled a very strong set of Partners and industry experts as we go through this journey because we want to learn as fast as possible and do as best as we can going forward. And as I said, this is not like a one and done thing. It’s a continuous improvement, continuous iteration process. And three is structure and discipline. And the reason why I say structure and discipline is the construct of Secure by Design, it does not touch simply one aspect of our enterprise. It touches how our infrastructure is secured, how our build systems are secured, how our build processes evolve, and, broadly speaking, how our behaviors and training and enablement changes to ensure that we are addressing security at every step of what we do as opposed to simply an afterthought or a set of patches that you apply after you release. So these are some of the sequence of things that we are doing both from a behavioral standpoint as well as from a recommendation standpoint. We’ve obviously detailed what Secure by Design means, what are the various constructs of that in other forums. And there are significant resources available for everyone to leverage as well.

Thomas: And Sudhakar, I know that we’ve talked about this in previous Secure by Design webcasts, specifically the work with the partners like KPMG. And we’ve also talked about the Orion Assistance Program, where we also have Partners helping remediate. So there’s a lot of that information available in the Secure by Design Resource Center is basically what I wanted to say. So Kevin, same question to you. Steps that you feel that your organization did, FireEye did, and what do you think other organizations can do in response?

Kevin: Yeah, we actually, Tom, published a document on this. It was 36 pages long. We updated it to be about 40 pages. It was written by our consultants that do remediation at many different companies that have to go through a security incident or full-blown security breach, and that’s available online. So I’ll hopefully get that link to you and we can provide it to the folks here because it covers both the tactical things you do in regards to the implant, you know, safeguarding your SAML tokens, refining your security to actively look for SAML token theft, identify and procure your anonymous DNS lookups. It had a whole bunch of things in the 40 pages, but when we come up from the tactical to the strategic, at the highest level of abstraction, yet again, you know, when I’m briefing CEOs or CIOs, Hey what do we do based on the new threat environment and what happened with the SolarWinds implant, what happened with the Accellion implant, or excuse me, zero day is what that one was or what happened with four different Exchange zero days coming out March 2nd? And what do we do about all this stuff? Step one, I always tell folks, begin or continue your evolution to zero trust, that’s a presentation in and of itself. Second is test the risk to your business. Like, you gotta know unvarnished truth. And so many of us are the recipients of well-intentioned CISOs briefing us on, Hey here’s our 132 different compliance requests. Here’s the technologies we’ve bought. Here’s who we’ve assigned to manage those technologies. Here’s our processes. And you got a four-dimensional compliance dashboard that you have no idea how to feel about it. What I mean by test is just figure out how to shoot real bullets and do purple team exercises, red team exercises. You know, the military has done these for forever. You have a red team on offense, you have a blue team on defense, and you just test yourself.
You test your processes, you test your security infrastructure because you get binary results. And that’s very important, Tom and Sudhakar. So many of us in leadership roles are wondering, So how good is our security? Well, test it. Can somebody break into our network and get to an industrial control system? Find out. Do the test and then adapt to it, adjust accordingly your security infrastructure. Most of us have the products we need to defend ourselves, but we get this environmental drift over time and we have to tweak our process, update some things, and make sure all our software that we bought we’re using it to its fullest capacity and we can defend ourselves with it. You know, so we have it set to its best, most effective manner. So that would be number two. Evolution to zero trust, number one, continue it or begin it. Two, continually test your environment to know you’re making progress, you know, with red teams. Three, understand the supply chain. We already addressed that one. And then fourth, and always, you know, as a military guy, I was always taught have three main points and stop there. Well, I’m messing up because there is a fourth that I learned from this incident for many of the organizations going through it. You do wanna have Partners. You do wanna have people you go to to get help, to share information, maybe even before you disclose publicly about different events. And that means have a relationship with the FBI, have a relationship with the Department of Homeland Security or CISA, and it’s all done confidentially. So you can take care of problems in the most appropriate way. So I always say the fourth thing is to ensure you have good relationships with folks outside your organization that in your time of need, you can get help. Again, CISA, the FBI, Secret Service if they’re closer to you, and other Partners in the private sector.

Thomas: All right, I think one aspect of that I’ve always advocated for for years is the simple concept of assume compromise, right? Just start with that. Just assume that something is broken, that you’re not perfect, and test, like you said. It’s a simple test, and just verify. Trust but verify. And don’t be afraid to learn that maybe you’ve made a mistake, and then try to make things better. I have a couple of extra questions that have come in. So we’re gonna see if you guys, see how you think on your feet here. I’ve got one. I’m gonna start with you, Kevin.

Kevin: Sure.

Thomas: For the customers you’ve investigated and remediated, what protections did they have in place already that helped speed their return to business?

Kevin: Yeah, well, let me sum up for the folks that went through, you know, we call it uncategorized group 2452 cause we don’t have clever names. For the folks that were impacted with stage two from the SolarWinds implant, for the most part, the investigations are going rather quickly because we have such a footprint on what the attacker was doing. And so what we learned on this is folks are getting their arms around the what happened very quickly. Here’s the systems that were accessed. Here’s the accounts, here’s the people that were targeted, and folks like Microsoft have a good top-down view on the cloud assets. And we’re getting, bottom line, to the totality of the circumstances rather quickly. The bigger challenge would be damage assessment, which will take a long time reviewing all the content of what was taken, but the bigger issue for most of the CIOs and the technical folks, Tom, is, So what do we do about it? And each one of the organizations we’re assisting exists in a different phase of security. So I think you’re going to see things like we have to get better visibility on our network. We have to have better identity management. We need to be able to do password resets very quickly. We gotta evolve to zero trust. We have to have better endpoint protection. We have to think about some of the cloud services, cause quite frankly, it’s a lot easier to go to cloud services to try to get zero trust in my opinion than having hybrid environments or legacy on-prem environments. And we’re dealing with a lot of government agencies that we all know have 20-, 30-year-old systems and processes built around these that are trying to figure out how do we go from 1985 Unix machines and apps to tomorrow. So it’s gonna be a long journey, and the what to do about it is gonna be specific remedial plans ultimately gearing towards zero trust, better identity. Nothing’s anonymous on the inside of your network, cause so much of us trust what gets on the inside. 
Little things that we’re even doing is we’re using YubiKey on the inside. And you have to do multi-factor to get into our network and then you’re multi-factoring inside as well. So it’s just constant barriers to make sure that threat actors if they can hack a machine, it’s only one. You know, so micro-segmentation is also a big portion of this. And hence we have that 40-page document on so what do you do about it? We’re describing multi-year migrations for most of the organizations we’re working with. It’s gonna take time. Now, everybody’s gonna say, How could it take years? It may not. Everybody’s trying to compress it, but, you know, I’m gonna give us, afford us the time because some of the changes are literally part of the acquisition life cycle.

Thomas: Yeah, the two-factor authentication, I think I’ve come to a realization these days that I spent so much time authenticating myself, even, like you said, inside a network that I think I need to have that as a line item in my time sheet. So, Sudhakar, same question for you. Talk to us a little bit about, you know, for the customers, our customers that we’ve helped remediate, what protections did they have in place that helped speed their return to business?

Sudhakar: Absolutely. As Kevin was highlighting, the whole notion of visibility is a very, very important thing for customers. I mean, we talk about it in the SolarWinds context as monitoring, and we monitor to provide visibility. And what’s important is to do monitoring and consolidated visibility that might touch a number of downstream elements. So, for instance, you don’t want to only support network monitoring or only support app monitoring. You want to be able to give insights to the customer. So you evolve from visibility to insights, such that they can actually action it. And here’s where, kind of expanding the construct of sharing and collaborating amongst vendors, we need to open up our interfaces a lot more such that we can integrate into customer environments more effectively and truly give them actionable insights. So that’s one area where I would say there’s a lot of room for innovation, growth, and, most importantly, ensuring customer success. That would be an area that I tend to focus on quite a bit. Because even if you think about constructs like least privileged access, audit trails, specific user behaviors, anomalies, et cetera, at one level, they all boil back to the construct of visibility in an increasingly complex world. Going back to the very first slide that we discussed with the audience in terms of the various trends that are going on, in a hybrid world where your infrastructure, people, applications, resources are increasingly getting more and more distributed, visibility becomes an even more important cornerstone of IT and security strategy.

Thomas: Yeah, so any last words of wisdom for the audience today?

Kevin: Yeah, absolutely. One of the things that I’ve done, and you heard me refer to it earlier, is just constantly test. One of the cheapest and easiest ways to get unvarnished truth is to take some of your smartest guys and say, Hey, attack us. You know, simulate some of the attacks, and war game it, because people enjoy those drills. You purple team it, and you all learn from it. A lot of times we underestimate the amount of environmental drift we get over time as IT is rushing as fast as possible to get things done, as your companies grow, as your customers ask questions and ask for services. So long story made short, be a proponent, do red teaming, purple teaming, adjust your security architecture all the time to the attacks that are happening today.

Thomas: Thank you. Sudhakar, words of wisdom.

Sudhakar: I agree with what Kevin said, and we are actually implementing those constructs here. For instance, the red team construct that Kevin highlighted. I mean, here’s the way I would say it. If you truly want to improve, you need to face the truth. And you need to seek the truth, right? And to me, this is not something to be embarrassed about. It’s about if you take it in the spirit of learning, if you take it in the spirit of iterating, if you take it in the spirit of improving and finally continue to share, I think we can all be very, very safe going forward, notwithstanding the sophistication of threat actors, which continues to increase. Equally, I like to believe I’m an optimist. I like to believe that we have the resources. We have the conviction. We have the talent to be able to do a much better job going forward as an industry, as a company, and as individuals.

Thomas: Wonderful. So on the screen are some key SolarWinds resources. The Secure by Design Resource Center that I mentioned earlier. We touched upon and briefly mentioned the Orion Assistance Program. If you are a current customer, I encourage you to check out the Orion Assistance Program. We have a security advisory, the security advisory FAQ as well, and information about the new digital code-signing certificate and a link to our SolarWinds Trust Center. I wanna thank both of our speakers, Sudhakar and Kevin. This was a real treat for me to be with both of you today. It’s not often I get to hang out with a couple of CEOs, so this was a lot of fun for me. Kevin, we’d love to have you back if you have the time in the future.

[Outro music]

Kevin: You bet, Tom. Thanks for having me. Sudhakar, hats off to you, and it’s a tough challenge ahead, but very respectful of how SolarWinds is handling what happened there and sharing the information with all of us. And it is an opportunity for the whole community to get better at what we do. So we’ll do that.