Secure by Design | The CISO Perspective — SolarWinds TechPod 044

Stream on:
CDW Technology Vice President and Chief Information Security Officer Ruben Chacon, SolarWinds® CISO and VP, Security Tim Brown, and SolarWinds Head Geek Thomas LaRock talk about what CISO need to know to face today’s escalating cybersecurity threats – and what it’s like to be in the “hot seat” when challenges inevitably arise.  Related Links:
Ruben Chacon

Guest | Technology Vice President and CISO, CDW

CDW Technology Vice President and Chief Information Security Officer Ruben Chacon, SolarWinds® CISO and VP, Security Tim Brown, and SolarWinds Head Geek™ Thomas LaRock talk… Read More
Tim Brown

Guest | Vice President of Security, SolarWinds

Tim Brown is at the front line of the most vexing challenge facing organizations today: IT security. Tim is currently the VP of security for… Read More
Thomas LaRock

Host | Head Geek

Thomas LaRock is a Head Geek™ at SolarWinds and a Microsoft® Certified Master, Microsoft Data Platform MVP, VMware® vExpert, and former Microsoft Certified Trainer. He has over… Read More

Episode Transcript

Thomas: My name is Thomas LaRock, I am a Head Geek here at SolarWinds, and with me today, I have Tim Brown and Ruben Chacon. So for the agenda today we’ll start with introductions here in a second. Then we’re going to talk a little bit about our Secure by Design Resource Center and the Trust Center. I want to highlight those two SolarWinds properties. Then we will get into the discussion the ever-changing landscape, securing the supply chain. Okay, let’s get started. First, I want to introduce our SolarWinds CISO and Vice President of Security, Tim Brown. Tim, why don’t you introduce yourself and talk a little bit about our relationship with CDW. 

Tim: Absolutely. Thanks Tom. So Tim Brown here, I am the CISO for SolarWinds. You know, the — I’ve been around security for many years. When we think about how security is growing and changing, every year is different. Yeah, last year, and into this year the pandemic changed a lot of things that we’ve had to do. The threat actors are getting more sophisticated. It’s just a, you know interesting environment for us to proceed in. So I’m looking forward to talk to talking to everybody. You know, we have CDW with us. So CDW has been a great partner for us. And their CISO is going to talk about a number of different things and help us answer questions and give us a lot of different perspective. So Ruben is here as well. 

Ruben: Thank you team. And my name is Ruben Chacon. I’m the VP and CISO for CDW, as you, as you mentioned. So let me give you a little bit of my background if you don’t mind. So I was born and raised in  Mexico City. So that’s why you hear an accent, heavy accent. So I have the privilege of working for large global organizations. I started my career, of course, working in Mexico for the German company Siemens, and I was assigning and implementing a voice and data networks. Then I moved to Kraft Foods and in back in 2005 Kraft brought me into the US as a Senior Manager for Information Security for the Americas. So the CISO organization was about to be formed and I deal my own security group, you know, for all the way from Alaska, Canada, the US, and Latin America. So you also got different security risk management and privacy certifications when we separate you know, and then, you know, over time in October 2012 we separated Kraft into two standalone companies Mondelez International and Kraft Foods. So I stayed with international unit Mondelez International, who is a maker of delicious products such as Cadbury chocolates, Oreo cookies, and many more. In May 2015 I went to the Coca-Cola Company. So I came back to Mondelez in 2015, and then, you know the June 27, 2017, you know the company Mondelez was hit by a NotPetya malware. It was a nightmare. We will talk about it. And at some point, you know, but I was responsible for the containment, the response, the forensics, and also the recovery of the global company. I also designed the new plans and the strategy to help the organization to be more resilient. So the company ended up losing $300 million making significant investments in information security improvements. All this is public information. So after Mondelez went to Constellation Brands as a VP and CISO eh, and and now I have the privilege of working for CDW. Also, as a VP and CISO. I have found an extraordinary culture a great team that fully supports information security and that’s a plus. 

Tim: Perfect. 

Thomas: Yeah. Well, yes. Welcome. Great to have you here. So I’m going to spend a minute. I want to talk about one of our new properties here called the Trust Center. So if you go to the solarwinds.com/trust-center you will get the latest and greatest up-to-date information regarding our products. And Tim, I think you wanted to take a moment to highlight some of the features here on the Trust Center. 

Tim: Yeah, absolutely. So Trust Center’s a landing page for a lot of things to do with security and our products, talks about our SDLC, talks about the certifications that we have and how to get them, how to get linked. One of the new additions is that we have just become a CNA. So as a certificate numbering authority we can now assign CVEs. So if you want to look and see what vulnerabilities exist in the products, those will be listed on the Trust Center pages. Another important thing that that’s added here is or added for customers is the ability to have a security direct contact for us. And that’s inside your, your Salesforce record for us. So that when we do communications about security about releases, about information that’s coming in release of about, you know, security changes that have occurred or a security incident that occurred we’ll be able to contact the right people, you know to date prior to the incident, we had, you know good information on your sales contact but not necessarily the security contact within the company. So that’s another addition. And the Trust Center will be, will be driving people towards that, for, you know additional value and additional information on the security of products and yes, security in general. So it’s an exciting property for us and it’s where, you know, current information will be held. 

Thomas: Perfect. Thank you, Tim. We also still have the original Secure by Design Resource Center and there is where you’ll find the security content regarding, well, all of our products, I was going to say back to the incident, but it really covers everything going forward. And so you’ll find the previous webinars we’ve done. You’ll find links to podcasts, links to articles and blogs and everything we’ve been basically producing since December. It’s a valuable resource if you’re looking to get up to speed and caught up along with the Trust Center you pretty much get covered on everything you need to know about our secure by design principles. Okay. Let’s get into it. So the recent threat landscape. I’m going to ask both of you and I’m going to start with Tim to talk a little bit about what’s happening right now with regards to threat surfaces increasing, and just in general give me an idea of what you’re seeing and maybe speak to how it leads up to President Biden’s executive order. 

Tim: Yeah, so you know, when you look at the landscape, it really, it we’ve had — every year, we have different shifts, right? All the time we’re going through shifts and landscape shifts. And, you know, last year has been unprecedented, right, from a COVID perspective sending everybody home, working from different places anytime you have shifts, your risk changes. Every time you have like major shifts of, you know people, of focus, you know, shifts, new hybrid world. Each one of those just generates a different level of risk, additional level of exposure for companies. So yeah, last year, incredible amount of change. Now, one of the biggest changes is that people are going to start heading home, heading back to work. Some won’t, some will still be in a hybrid. So our world two years ago we’re not going to go back to that. We’re not going to go back to everybody being away from an office, but we’re going to be in a different space in a different time. And a different model. Threat actors are also changing a great deal. So if you look at the attacks that have just made the news recently, they haven’t been quiet. They have, they haven’t been, you know, little attacks. They’ve been big, bold, aggressive attacks. And I think we’re going to see more of those. So from a threats landscape, I think we’re in the world of the patient attacker, the more thoughtful attacker, the attacker that’s getting to look at, you know, more effective at what they’re doing. So that’s what I see for you know, today and, you know, in the short-term. Ruben? 

Ruben: So I am completely in agreement with you. So in fact, you know, I want to say this, you know we know the increase, decrease threat surfaces continue to expand and continue to change. And there are increasingly more sophisticated adversaries. And if you think about it, you know for those who are defending the organization we have to be right 100% of the time. For those attacking they just need to be right just once. Right. And they also are against us. So, and therefore, you know we have our monumental challenge in front of us. So now in regards of the executive order that, you know signed by President Biden in May 12 just recently. So it’s a great step forward to improve the nation’s cybersecurity posture and to protect federal information assets. It does remove arrears for reporting breach, breaches in different companies, right? So there, they will not get penalized. So there is a step forward to sharing information with the government. And it also calls for a specific technology such as the use of encryption, multifactor authentication, endpoint detection and response, and others. And also in the improvements, including a standard software development playbooks for responding to incidents et cetera. However, organizations should take these as a baseline security. I think of this executive order as a foundation of a security program, right? So there are many other things that we have to do in all aspects of people, processes and technologies when it comes to security, understanding our security posture. 

Tim: Yeah. The executive order is a good, is a I think it’s in some ways a symbolic change but it’s also, you know, if they are actually going to go forward with, you know limited number of exceptions and they really truly put the US government puts its money where its mouth is essentially and really does control who they spend to it can make a big change. It can make a difference. And, you know, we’re fully in favor of it. It has a lot of good, good information in there. The devil is going to be in the details, right? The devil’s gonna be in the frameworks the devil is gonna be in what gets defined and how well it’s defined and whether it is achievable by many to be able to achievable enforceable and then, you know, really do they stop buying from entities that don’t prescribe to it. But I think from a symbolic perspective I think it’s important. It says, hey, we’ve had enough. We expect change. We expect things to happen. We expect, you know, companies to address what they’re doing and ourselves to address what we’re doing as well as the US government. So I think it’s a great symbolic approach. And I think that we will get some meaning from it. It’s just going to, you know, it’s aggressive and what it’s trying to do in a short timeframe. But yeah, it, it is a good direction for us to start moving. 

Thomas: Great. Oh, thank you both for that. I think on a previous webcast, I think it was Kevin Mandia and you can find a link to that in the resource center he talked about the, the specific new wave, so to speak of the threats is attacking trust. And that’s where the adversaries are really going after the it’s just attacking trust. It’s, it’s not somebody sitting in their basement hacking away through a firewall that’s that isn’t anymore. It’s a matter of attacking the trust. And as a result, I think it underscores a need that security is a shared responsibility. You can’t just rely on the vendor to provide everything you need. You’ve got to do some things for yourself. And I think the executive order tries to encapsulate a lot of that. You’re going to build a piece of software. It’s got to do X, Y, Z. You’ve got to tell us this, and then we’re going to do these things on our end as well. And as you said, I think you said it’s a good first step, right? It’s yeah, it’s a good first step, but there’s still more work to be done there. So let’s talk a little bit about some lessons learned and Ruben, we’re going to start with you since you kind of teased us with it. Talk a little bit about the incident you and your teams faced. 

Ruben: But in my case, it was malware. It was disguised as ransomware but way more powerful. It was called NotPetya. So, and there was not even the possibility to pay ransom to get the decryption keys or anything like that. It wasn’t possible. So it brought down the entire organization, more than 27,000 end user computers and servers Windows based were impacted in only 45 minutes. So you can see the speed, right? It was very, very fast and you know it ended up costing the company as I mentioned before, $300 million in global revenue and a significant investment to improve the security posture. So that’s in a nutshell, you know, what happened. Now many people think this was the lack of patching from the company. You know, perhaps, you know… No. We did have great patching practices. It was well beyond, you know, patching, right? So you want me to jump in into the lessons learned about the scene that I faced? 

Thomas: Absolutely tell us a little bit about the lessons learned. 

Ruben: So many times the security group and overall organization have the wrong priorities when it comes to cybersecurity. Very often we focus on the wrong tools or processes, you know mostly aiming to improve prevention and protection and we minimize the possibility of those issues happening to us. Or it doesn’t happen to this type of company because we don’t produce any critical type of you know, product or, or we because we don’t have that of the confidential information of course, until it happens, right. A cybersecurity issue can happen to anyone at any time. So we just don’t know when as I mentioned before, we cannot be right 100% of the time. Something will happen at some point. So it can disrupt an entire organization’s operations, or it can be invisible to everyone you’re assigned to steal information and to spy, right? Regardless organizations don’t know when and when it will happen in this space, but they can prepare to improve its detection and response. And more important is recovery. The focus has to shift from prevention and protection to improved detection. Think of the new tactics techniques and procedures used by advanced adversaries. Are your capabilities up for those new tactics, techniques, and procedures? Have you tested them? Right? So quick response and recovery is also a must, in other words given current times, organizations have to focus on becoming more resilient because something will happen and they will have to recover very quickly and they cannot rely on paying a ransom. That’s wrong. So that’s in a nutshell, my, my perspective. So, you know, when it comes to critical considerations you know, that we should take, you know I think is something very basic. You know, we need to have a very good understanding of our environment, that we are trained to manage and protect. So as a CISO I cannot have the luxury of not knowing how many exit points do I have to the internet, to vendor providers you know, where they are, who controls them, et cetera. Sounds very basic. But I have seen many situations where the security groups and the CISO do not even know their environments very well. If you’re trying to effectively protect your house you need to know entry and exit points. How many windows, doors, chimneys, you know how many people have the keys, right? If your basement isn’t secure or has weaknesses, have the blueprints. Know how to, you know how safe your neighborhood may be the context where you move you’ll know your law enforcement officials, right? You have a good relationship with them. How effectively can you manage and protect something that you won’t even know? So that’s, that’s basically, you know, some of the key learnings that I have as, as I as I went through this breach. 

Thomas: Tim, same question for you. Why don’t you talk about the incident we faced and some of the lessons? 

Tim: Yeah great. First, we have Ruben. I agree, you know resilience and knowledge are critical right to everything. So our incident was a little bit different right? So, you know, December 12th, we found out that we had shipped tainted code and that code was shipped to you know, a number of different clients. So upwards of 18,000 got the code. You know, luckily the way the code was written it needed to connect to the internet, it needed to get back home. So although everybody had to do research and everybody had to figure out whether they were truly affected. Now, the numbers that were attacked was, you know much lower under a 100 but you know the fact they’re shipping tainted code is really where the incident started. Right. And, you know, figuring out, you know how did that occur, right. How did that happen? How did that get into the code then? How did it get distributed? Yes. All of those things, you know, really were critical in the amount of sophistication that went into the attack against, you know, SolarWinds in order to have that occur was pretty great. So it was, yeah, it was stealthy. It was quiet. You know, one of the things that, you know, as a as a development house, we’re focused primarily on you know, developing the products making sure that our infrastructure set, making sure that we have vulnerabilities management in place making sure that, you know the infrastructure is taken care of but the products as well are taken care of and all of those processes were, were, you know really in place and doing well. The, you know, environment itself was that, you know a good level of security, but as you said, you know one mistake is what you need to be able to get in. And this threat actor and what they did was were like extremely patient, extremely motivated. Extremely targeted. And that’s what we’ve seen with other attacks from this threat actor. So, you know, lessons that we’ve learned a number of different ones, right. You know, when we look at that, that a nation state is at a completely different level than others, right? They’re able to put people in play. They’re able to use people to look at data where you’d say, well I can’t automatically look at, you know everything that is associated with certain device right. Well, way too much data. You know, these guys really did look at a lot of information a lot of information without automation on the back end but with people and they took their time, they were quiet. They did a lot of smart things. You know, they left after a certain period of time. They did a test run. Then they came back with, you know 3,500 lines of code, never changed it put it into product for three months and then left and cleaned everything up. You know what that means is they said, oh, well, you know software companies don’t usually test backwards. Right. We don’t look in the back. We don’t go back to the older version. So he did that. Yeah. Then left and shut down their command and control servers in October. So they had a very short window that they said, hey we can activate at this point in time without anybody knowing, without being discovered. They made the code so it didn’t run inside of our environment. Again, smart. They made the code so that it didn’t start up for 14 days. So a lot of thought and I think that’s one of the big messages that and that your adversaries thinking to a whole nother level. So you’ve got your basic attacks but then you have a extremely, extremely thoughtful attack. And back to Ruben’s point, that’s where you need visibility across the entire environment. That’s where you need resilience in the entire environment. And, you know, you really moved towards, you know assume breach process posture and say, hey, What effect would this happen? What effect would this take on? What effect would this take on? Yeah, the obvious of saying, oh they were going to interrupt our source code. That would have been the obvious ones that they would have been able to go at. We would have found them. We have visibility, great visibility into our source code control system but they said is, oh, well, if we go there we know we’re going to get caught. Let’s go the next step. Let’s go to that build process before we ship that final step in the chain. So again, the threat actors of the future are going to be more thoughtful. And that’s kind of one of the things that we’ve got to focus on. 

Thomas: Thank you for that. I can’t stress that enough. That there’s really two words I think everybody wants or needs to take away from this is that is to assume compromise. And that’s everybody listening to this. You just, you need to assume that at some point you’ll be compromised because you really can’t prepare for every possible attack vector. You just can’t. What you can control is how you will respond and recover. So the first step is to just assume compromise no matter what, no matter who you are. So Ruben back to you. Let’s talk about specific steps that you or the organization took in response to the NotPetya or just in general, you know, going forward. What things have you been doing say at different companies or what other organizations should be thinking about doing in response? 

Ruben: So you, you said you mentioned a very important point: assume compromise and not only assume that you are going to be compromised assume that you are already compromised. How do you work in an environment like that? Right. So what I do every two years, without exception I go back to the basics. I have to analyze, again, my endpoint protections my patch management, et cetera. So all those basic things not because it’s an advanced threat protection today. That is great. And it’s working fine is going to be the same in two years from now, because all this is evolving. So you have to go back to the basics once in a while. Do you have the right technical security baselines to secure your operating system to your endpoints? This is like the basement of your house. So you might think that putting the cameras on the front door and the keypads on the on the biometrics, et cetera, will secure the house but you don’t realize that you have the basement, and the basement might have weaknesses. You know, how do you expect to protect the house? So go back to the basics of very dry work. Nobody, nobody likes it but it has to be done. Right? So, you know, you have the technical security not only for endpoints, but also for your firewalls, your database, your applications your server development, your data environments. Is it consistent across your environment or is good for the one or two that your, your review, right? Are you effectively monitoring changes and exceptions right? In many cases, we’re expecting that the latest technology, you will be effective as you know, protecting your information assets. But reality is the real homework is mostly process-based more than technology based. So secure by design zero trust models. Those are important that just aren’t thinking about it and even implementing them, you know from the language you use, you know here’s something important. We need to simplify things, you know for our key stakeholders as well. So from the language you use all the way through, you know processing your deployment, make things making things over complicated, doesn’t work. So you have to simplify as much as possible. And that’s that that’s key. So that’s my advice. 

Tim: Yeah. I mean, I agree, right? The technology side of the world is great. We can make a lot of advances on technology but the implementation, the processes around it, right? Zero trust is a, not a product as much as a concept and a process around the outside of how you get to really truly zero trust. You know, data leak protection is not a product. It’s a process. It’s a understanding of how you’re going to have data you know, protect data in general and your visibility right? As you said, the visibility changes how much you see from the outside changes. You know, it, you should always look back to the basics and make sure that you’re doing well across your entire environment and understanding the environment and having the right partners throughout the environment is important because you know, the CISO teams are only one component of the organization. So you do have to have trust but verify across those other environments as well. Do you want me to go into my answers to your questions Tom, or we can go anywhere you want.  

Thomas: I thought we were going to go, let’s just move forward and talk about how, and we can stay with you, Tim, how do we evaluate other vendors moving forward? 

Tim: Yeah, absolutely. So we’ve absolutely beefed up our vendor evaluations because third-party vendors especially those that we’re either sharing access with or sharing data with are a big risk for us. Right. So we’ve gone back in and looked. Things like making sure that any product, no matter who any service provider that we’re utilizing third party or our own people, right. They have to meet our security requirements to get into our systems. So yeah, all of them are now running Falcons. So we’re running Falcon, endpoints. They’re getting monitored they get monitored under secure works. They get monitored for everything whether you’re a third-party or an employee. So things like that. But then just also software that we’re we’re acquiring our questionnaires have gotten tougher. Our evaluation has gotten harder, you know, depending on what the solution is, depending on what it’s giving us we tier the level of evaluation that we’re doing. But just as we’re moving towards more openness, more visibility more sharing of how we develop software, how we protect it how we protect our environment, our expectation of software vendors is greater than what it was, you know six months ago as with, you know our customer’s expectations are greater. So that’s another part of I see the world going to that, you know your evaluations should get harder and your vendors should be willing to share more and your vendors should be more open to, you know how they protect their environment how they build their software how they audit their software, all of those things should be much more open inside of the environment. So we’ve definitely moved forward. And we expect a lot of when we’ve seen a lot of our customers moving forward, too. 

Thomas: Okay. I do have a question for you. 

Ruben: I do have a perspective on that. Let me tell you, we don’t live in isolation, right? So we are part of an ecosystem and everybody has to do their own part. And of course, every piece of the ecosystem has to evaluate the two parties vendors, partners, you know, contractors, et cetera. Now, having said that we have seen that traditional frameworks and questionnaires are for the most part in my opinion, useless, completely useless. You know, so many questions, you know 300 plus questions that lead to nothing because they the breach has continued to happen. They reflect a moment in time. It’s a question at this particular moment but who knows afterwards, while this is important. And again, I am I have nothing against framework, but the opposite, right. They can be used as a good reference. Right. And to my prior point, I think we have to simplify. And, you know, we have to ask for things that we think is important for the organization in light of the evolving security issues and our business goals, you know and the context, of course, in my case in my particular case, I am simplifying all that. So I can focus on what is important to me and my organization. So I am getting rid of the useless question. So as you said, team is becoming tougher but not necessarily means that we’re adding questions. Yeah. You’re going to the point the questions that are really really help the organization to be more secure, right? So I’m holding my vendors of course accountable for their own part as I hold myself accountable. Right. And while also helping them to be successful because not only to say, you know, you’re accountable for this and that’s it, I want to help you. Right. So you can help me too. Right. We’re living in an ecosystem as a nation, nobody’s affiliated anymore. What happens to you will also affect me at some point. So let’s share more and let’s create a win-win relationships. 

Tim: Yeah. Absolutely. So, you know, I think that being tiered, right? If you’re going to buy a marketing app that you’re not going to share any data with $50 is a very different evaluation than something that you are sharing your company’s data with or giving access to. And those, I agree with you, the questionnaires are not as a conversation, a architecture view and evaluation of the same thing you do is something internal. Then you get to a real level of valuation and you’re also helping the vendor get better right in that process ’cause again, nobody’s perfect but I think it’s important to be able to put the work in for those most important vendors for you because then you get and the acceptance of saying, well, hey don’t expect perfection, but I do expect that you’re doing the right things to be able to protect my data in the right ways and move forward in the right way. So I agree with you on the questionnaires. They don’t just necessarily help enough but tiering your, tiering, your vendors understanding which ones are truly, truly the most either mission or business critical or also the most risk centric. 

Thomas: So Ruben tell us, what’s one thing you know now that you wish you had known then. 

Ruben: Back then, I was very wishful thinking let’s say before the incident. Right. So I was thinking that certain technologies would be a really great a part of the puzzle to help us protect the company. Now I can tell you, you know, I think I think I have a lesson focused on what works and what doesn’t work. So basically again, you know, I would like to go back to get to know your environment is very important. If you don’t know your environment, you are losing from the beginning. So, and second, do the dry work, the work that nobody else wants to do the homework, who likes homework. Right? So, so you have to like it a little bit because you have to do it. 

Tim: Yeah everybody likes a cool new toys, cool new toys. But yeah, often, you know, you look at it and, you know patching, vulnerability management, other things which is the dry work is so important still right. It, no question that the dry work is still there and important. Yeah. I think you brought up visibility is super important understanding what’s there you know, the hindsight’s 20/20, right. So you can look back and say, hey, if I had done this it would have made an adversary’s life harder. Right? The bottom line for us is we had checked source code control. We checked everything. We had great controls around, you know, who could check in and double checks on check-ins and, you know had peer reviews for things. And all of that side of the world was covered. And then yeah, that build process in the middle that build process in the middle of it is, you know what got us, that was a big one that we did not have resilience in that step of the process. So we’ve gone back and looked at our entire build process and, you know, changed a number of things, right? So we kept and improved our build check-in and our source control systems. We’ve added architect reviews there. We’ve also moved our build environment up into a separate environment, completely that’s transient that comes up and down. We’ve made it auditable. We’ve made every step of it auditable. There’s a great set of standards that are getting published. And we’ll, we’ll, we’ll do whitepapers on how this does but the resilience of our build environment is yeah unquestionable right now. We have made it so tight. And, you know, to the place where, you know we do three builds one in the build, one in the dev, one in the lab, and no one entity has access to all three. So you’d have to get collusion between the three in order to do that. So tremendous amount of resilience put into what you know, our key mission is to produce great software right? And so that’s one of the biggest, you know wishes that we had thought about. It’s like, you know, we thought about source code. We thought about vulnerabilities that that center spot of resilience in the build environment was the big one. And that’s where a lot of effort has gone in. And a lot of changes have occurred is to make sure that that is in a complete assumed breach model both from an insider or an outsider. 

Ruben: And Tim as I mentioned before, to you and Mr. Subramarian as well, you know when the incident you recently happened you were doing things well, right? You were adhering to the best practices for software development and however this happened. And of course, you know, it could happen to anyone, but I wouldn’t be surprised if SolarWinds becomes a leader in software development and security. So and it’s exactly what is happening. And I want to encourage the audience to really go to this Secure by Design Resource Center because you have so valuable information there and you’re making it public. So that’s, that’s a gift.  

Tim: Thank you. And we’re really trying to share, right. We shared information early on, on SUNSPOT. We’ve shared information on our coding practices. We’ll be sharing a whitepaper very shortly on the new build processes where, you know moving towards internal audit of that build process which usually does not occur and looking for external audit eventually once the auditors catch up. So that’s audit everywhere from a line of code all the way through to product because that’s one of the luxuries that we have as a software development and a service providers. That’s what we do, right. We build software and provide services and that whole line of, you know, source code to product can be audited and should be audited and should get scrutiny beyond your SOC twos and scrutiny beyond your ISO, as it should get specific scrutiny. I think the executive order starts down that path. We’re going to take it to that complete next level of that scrutiny.  

Thomas: That was the last question. Let’s just let yeah, let’s wrap up and we can wrap up and what I want to do. So I’m going to ask you for some, we’ll start with Ruben we’ll ask for some last words of wisdom. What’s the biggest takeaway that you’d offer your CISO peers and yeah, there, well, let’s wrap up with that. 

Ruben: You know, these days with the breaches happening all around us, it’s relatively easy to move the point across about security, you know but it’s important to remind people non-technical people in particular, you know, the importance of having the right controls in place and you have to find creative ways to actually do it. I was in an executive meeting, you know and back in the day. So, you know, a few years ago, eh and I remember being there in the, in the boardroom right. And, and we were discussing security and somebody in the audience mentioned, well, you know I think security is stopping us from, you know, from achieving our goals, our sales goals, whatever. Right. So it’s, it’s the brakes of my car. So I thought about it and I said, yeah we’re like the brakes of your car, you know you take your family and friends on a trip on a road in a car with no brakes or think about it. You’re racing the Formula One race. So you had the best pilot, the best car. You have the, you know, the best team to help you get there. Do you think you can achieve that without the brakes? Brakes are enabling you to go maximum speed. So we are here to enable the business and that’s what will come, what we do in the security space. That’s why we see security. 

Tim: Yeah. Brakes make you go faster, not slower. And you know, that’s one of the things that, you know people asked us with all this work we’re spending on security and all of these things, we’re changing security in the, you know, looking at the security of the products. It costs me so much less to fix a security issue and a product prior to release. And it does when it’s released just like a normal bug. So by putting the effort in, you know now it’s going to save me and speed me up in the future. You know, one of the things that people need to think about security is is really about your team and extended team. From a CISO perspective nobody has full insight to everything. So it’s really important that you engage that you are the champion for security across your organization, that you have good plans secure by design, I think is also, you know, you can’t think of security by happenstance, security by luck, security by whatever. It is secure by design. So therefore, you have to design it. You have to make sure you have visibility. You have to have the right team across your organization. And then you need to coordinate it, measure your risk and make sure people understand here’s the risks that we face in different areas, but that comes with visibility across the organization. So it’s important to bring everyone up and get to that next level. And you know that that’s the biggest one is don’t expect you can do everything by yourself. You have to do it with the team. And you know, don’t think security is just going to come, but it really is secure by design 

Ruben: And Tim, let me make a quick analogy about security by design. So it’s more expensive. Like you mentioned, you know, to do it afterwards think about your new house, you’re building a house and then you have all the cabling system very well-planned, et cetera. You build a house, you put the cables you put the walls painted this perfect right. And suddenly you realize, oh, I forgot to put this cable from here all the way through the basement. How do you feel when somebody is making the holes and everything in your new house to put up that cable is more expensive, right? And now it’s costing you also the looks. So it doesn’t look good right? So just your sample, but that’s security by design. Do it well the first time. 

Thomas: Yep, thank you both. Another question for you is about public-private partnerships. So Tim, we’ll go with you. What do you think about these public private partnerships and how can they address today’s security challenges? 

Tim: You know we’ve had had a hard time sharing information forever really, and we’re making strides to try to gain some trust in the governments of the world, so that we can share more. And that information that’s shared will not be used against you. You know, I’ve worked with the CISOs around the world because of this incidence. And that’s one of the big things, right. Is how can we help, right? How can we help either bring up your message? How can we help, you know, go after the bad guys if we need to, or how can we get law enforcement together and work together with law enforcement? So it all starts with trust and through our incident one of our trusted public entities was CISA, right. If you look at our guidance that we put out and the guidance that they put out, they were matched. They were matched not without a lot of work together to get them matched, but they were matched. And you know the information that the public sector can provide is and the value that they can provide is phenomenal. We just have to get to a level of trust that says, hey if something happens, I can share it appropriately. And from the private sector, the public sector and the public sector will do the right thing with that data. So I think the executive order and others are trying to help us get there. There’s always a level of discomfort and a level of you know, questioning how much you share and what you share. But I think we’re starting to get down some paths that say that we can make it happen. Just not gonna be an easy, oh yeah, it’s done. We’ve just written it down. Therefore, we’re going to always share everything with everybody, but I am encouraged. I think that we will get there. And I think it’s a good thing for the world. If we can share more because you know, one of the things to know, threat actors have no problem sharing. They have no, no, no problem whatsoever sharing. Yeah. So we have to get to the point of being able to share appropriately. 

Ruben: I would like to add, you know, because Tim just know experience also my, my thinking as well the other factor is speed, you know, don’t wait too long for sharing that information. So we have to share it as it happens because you know the bad actors are exploiting those vulnerabilities or doing that damage while we are still thinking to share. So I think it’s a great thing that we can share. It’s not only one way, right? From the private to the public, also from the public to the private sectors. So those are the two points. 

Thomas: To circle back real quick. When we talked about how attackers are going after trust and we’re talking about sharing well, as it turns out that’s also an attack vector for say, law enforcement who are handing out the cell phones to criminals and they were unwittingly using them. And they were completely unencrypted. So I found that kind of humorous to a certain degree that law enforcement is going to just use the same tactics. And so anyway, I wanted to bring that up, that it we’re sharing everything. If that’s how you can attack us, that’s how we can attack you. So last question here, the most common mistake by CISOs or the most common mistake made by users, Tim let’s go with you. 

Tim: So I think that the most common mistake from a CISO perspective is simply the lack of visibility within their organization and be able to get enough, right in order to assess the overall risk of environments. So visibility becomes extremely important and really it is the basis for what we need to do and then understand the risk tolerance and getting enough information about the risk tolerance all very, very important from the CISOs perspective. So getting that visibility understanding what that visibility means, taking action building a team internally, as well as broadening it to their, all of the parts of the organization. And that being that leader across the organization is important. Users still make silly mistakes, right? And I think there’s no way we’re going to be able to stop the silly mistakes from happening, but we can’t control the effect of those mistakes, right? We control the effect of mistakes that are made within the environment. You know, user mistakes are, yeah, there’s no way that we can stop them all, but we can stop the effect that they are going to occur by putting as much resilience especially into the critical components of an environment. So can’t stop users from making mistakes but we can make our environment much more or make our environments more resilient. 

Ruben: In my case, eh, almost basically, you know, I mentioned two of them, you know, get to know your environment very well get back to the basics once in awhile don’t assume that everything is okay. You know, I think we have also to realize that our users are the weakest link in the security chain, right, ’cause there are many, and and somebody will make a mistake but don’t underestimate the fact that they are also our first line of defense. So continue investing in training is very important to have a very well-trained user community, right. And finally, you know, when you mentioned maturity. I have seen many many times this mistake and it’s misleading, you know because it creates a false perception of security. So CISO go to the board of directors or to the executive committee management. And they say, well, we want we are in these level of maturity. We want to reach this level of maturity. And we are going to invest X amount of money but they don’t talk about the time. Right. And maturity is not about investment. I cannot pay a baby to become a teenager in three days. Right. So I have to wait time. I have to measure my controls and over time this might trend in the right direction and I will reach my maturity levels but just by paying for it, it will not work. Not only about the money. 

Tim: Yep, absolutely great points, Ruben. Thank you. 

Thomas: Agreed. And that’s going to do it for us here today. I wanna share with the audience a few key SolarWinds resources, again the Trust Center, the Secure by Design Resource Center. Also information about the Orion Assistance Program. If you are in support, you should know about that and you should be engaged in order to make sure we can remediate from the incidents and Security Advisory Security Advisory FAQ, all made available. All, you can find all of these resources. I think they’ll be linked from the Secure by Design Resource Center if you start there but I want to make sure I call this out again. I did mention this was recorded, and I forgot to tell you that all registrants will receive a link to the recording, and you will receive the slides. So you don’t have to remember those URLs. You’ll be able to just click on it and it’ll take you there. So I want to thank Ruben and Tim for your time today. Thank you so much, gentlemen. I appreciate it. 

Tim: Thank you.  

Ruben: Thank you. Thank you for an invitation. 

Thomas: And I do want to thank the audience for taking the time today to spend with us. We know that in this virtual world, that we have you have many options to attend webinars these days. And I want to thank you for your time specifically sharing it with us here today and for SolarWinds Secure by Design Webinars, my name is Thomas LaRock and thank you again for joining.