At the end of 2020, the American company SolarWinds was the victim of a major computer attack. The latter had paved the way for attackers to many corporate clients and US administrations.
A textbook case of supply chain attack: attackers managed to modify an update of the Orion monitoring software to deploy malicious code in the environment of enterprise customers. An attack that remained under the radar for several months, before being identified by the cybersecurity company FireEye. A shame for a company whose products promise customers better supervision of what is happening on their computer system.
The discovery of the attack was like an explosion in the world of computer security. The new CEO Sudhakar Ramakrishna, who took over at the start of 2021, therefore began his reign in an unenviable situation: organizing the response to an incident that potentially caused casualties in more than 1,800 organizations, including US administrations. high-flying, while restoring the image of his company suddenly brought to light in the worst way.
Go back up the slope
The internal investigation was completed in May 2021, and the findings were shared by the company in a blog post providing an update on how the attack unfolded.
A first step taken, but the year of Solarwinds was not limited to this investigation. “We spent most of 2021 setting up and implementing the “Security by design” practices that we had defined. It’s one thing to define a strategy, it’s another to implement it. But I think we got it basically. We are now entering the second phase, which consists of continuously improving the practices implemented by this strategy, ”says the manager, interviewed by ZDNet.fr.
Behind these main principles, the publisher has sought to strengthen the security of its development approach, in order to prevent a malicious actor from again taking advantage of an intrusion to send malicious code to its customers.
A completely redesigned development process
Thus, the software development process has been reviewed, as explained by Sasha Gliese, pre-sales engineer at Solarwinds: “In a traditional company, the developers create the program, probably test it in a virtual machine before creating an executable which is then sent to the client. We don’t work like that anymore. For each project, we create three parallel development chains, on which several teams work, each taking care of a different part. And we run comparisons of the code to verify that everything is in order before sending it to our customers”.
Among other measures implemented, the company says it uses the open source tool Tekton Chains, which offers better monitoring of the development and delivery of applications via Kubernetes.
“In 2021 alone, we invested no less than $25 million in strengthening security within our company,” says Sudhakar Ramakrishna. According to the leader of Solarwinds, these new methods represent an additional cost for the development of software, but which remains “marginal” and does not prevent Solarwinds from investing in other areas.
Security, a necessary but not sufficient investment
For the leader, if security is essential, it cannot nevertheless be the only argument of a seller.
“Today, when I look at my clients, the main challenge they face is the increasing complexity of their IT systems, and budgets that are increasing, but not sufficient to deal with this complexity. And above all, we must help them solve these problems. Providing software that’s secure but doesn’t allow customers to meet these challenges is simply not enough,” he said.
Are these efforts enough? The CEO wants to believe it, and relies for this on the company’s figures for the first quarter of 2022: “Our results for the first quarter of 2022 show that our customer renewal rate was back to its historic level before the offensive. This indicates to me that we have managed to answer the questions of our customers regarding the attack. »
Strengthen cooperation between public and private actors
Sudhakar Ramakrishna also used a recent speech at the RSA conference in the United States to call for greater cooperation between the private sector and government cybersecurity agencies.
“The current cooperation is insufficient in my opinion. We face increasingly numerous and sophisticated computer attacks. No company today can consider itself immune to this type of attack, and we are forced to constantly improve ourselves. One of the possible improvements is to strengthen cooperation between the private sector and the public sector on these subjects”, insists the leader.
Among the avenues mentioned, the CEO would like, for example, to be able to put one of his employees at the disposal of the American cybersecurity agency, CISA (American equivalent of Anssi). And the CEO does not say he is closed to strengthening partnerships with agencies in European countries, such as Anssi in France.
Go forward
For the leader of Solarwinds, the attack is now to be stored in the chapter of closed cases. The company now hopes to return to growth and accordingly strengthens its teams and its activity in the Asia and Europe/Middle East region.
A new director, Laurent Delattre, has been appointed for the Europe region. The company is also strengthening its teams in France and Europe: the main R&D centers are based in Poland and the Czech Republic, while technical support is provided from Ireland. But the publisher promises that French interlocutors are available to answer customer questions.
The leader does not detail the volume of investments in the different regions, but Asia seems to be the priority development axis for SolarWinds: the company has notably reinforced its workforce in Japan and opened a new office in South Korea.
No question of hiding the dust under the carpet
For many, SolarWinds will remain synonymous with an unprecedented attack that shook the United States at the end of 2020, a textbook case of attacks on the software supply chain. But society wants to make it understood that it emerges from the test grown.
And when asked if there was any consideration of renaming the company to get rid of this symbol, Sudhakar Ramakrishna shakes his head: “We briefly touched on the subject, but we never took this option seriously. »
“Our main goal was to solve this problem, and marketing does not solve problems. If it is necessary to invest, I prefer to invest our money to solve the problem rather than on marketing. We don’t rule out changing the brand name one day, but we want to do it for the right reasons. For strategic reasons, for example. Not to hide dust under the rug. »