SolarWinds statement on the hacking

Just got this in my email:

Dear THWACK Member,

I joined the SolarWinds family earlier this week as the new Chief Executive Officer. Although I accepted the position to become CEO before the Company was notified of the cyberattack, I feel an even greater commitment now to taking action, ensuring we learn from this experience, and continuing to deliver for our customers.

In my most recent role as CEO of Pulse Secure, and in other executive assignments, I have dealt with highly visible security breaches. In these instances, I have sought to let humility, ownership, transparency, focused action, and bias towards customer safety and security be my guiding principles. It is my goal to bring this same approach to bear here at SolarWinds.

It is in this spirit that I have made it a priority to support and continue the SolarWinds investigation of this incident in cooperation with important stakeholders – including industry colleagues, third-party cybersecurity experts, law enforcement, and intelligence agencies around the world.

By far, my most important commitment is to help our customers and partners navigate this challenge with the help and support of the entire SolarWinds team.

Armed with what we have learned of this attack, we are also reflecting on our own security practices and seeking opportunities to enhance our posture and policies. I am doing that by working directly with the SolarWinds team to lead the immediate improvement of critical business and product development systems, with the goal of making SolarWinds an enterprise software industry security leader. These transformative efforts will require tremendous focus on security programs, policies, teams, and culture.

We have engaged several leading cybersecurity experts to assist us in this journey and I commit to being transparent with our customers, our government partners, and the general public in both the near-term and long-term about our security enhancements to ensure we maintain what’s most important to us – your trust.

As we seek to evolve SolarWinds into a company that is “Secure by Design” our internal efforts are focused on three primary areas:

- Further securing our internal environment
- Enhancing our product development environment
- Ensuring the security and integrity of the products we deliver

Key immediate steps to further securing our internal environment which we are committed to prioritizing as a central part of our operational fabric as we move forward include:

- Deploying additional, robust threat protection and threat hunting software on all our network endpoints, including a critical focus on our development environments
- Resetting credentials for all users in the corporate and product development domains, including resetting the credentials for all privileged accounts, and for all accounts used in building the Orion® Platform and related products
- Consolidating remote and cloud access avenues for accessing the SolarWinds network and applications by enforcing multi-factor authentication (MFA)

Key steps to enhancing our product development environment include:

- Performing ongoing forensic analysis of our product development environments identifying root causes of the breach and taking remediation steps
- Moving to a completely new build environment with stricter access controls and deploying mechanisms to allow for reproducible builds from multiple independent pipelines

Key steps to ensuring the security and integrity of the software we deliver to customers include:

- Adding additional automated and manual checks to ensure that our compiled releases match our source code
- Re-signing all Orion Platform software and related products, as well as all other SolarWinds products, with new digital certificates
- Expanding our vulnerability management program to reduce our average time-to-patch and to better enable us to work with the external security community
- Performing extensive penetration testing of the Orion Platform software and related products to identify any potential issues which we will resolve with urgency
- Leveraging third-party tools to expand the security analysis of the source code for the Orion Platform software and related products
- Engaging with and funding ethical hacking from white hat communities to quickly identify, report, and remediate security issues across the entire SolarWinds portfolio

We expect these efforts and plans to guide our journey to becoming an even safer and more secure company, and we understand that there is much more work to be done. In the coming weeks, we will plan to share further plans and programs that we believe will help us achieve that goal.

Over 20+ years, SolarWinds has earned the trust of our customers by delivering powerful and affordable solutions. My mission is to continue to build on that relationship by delivering powerful, affordable, and secure solutions. I am confident in this future.

Sudhakar Ramakrishna
President and CEO