The US Securities and Exchange Commission (SEC) appears poised to take enforcement action against SolarWinds for the enterprise software company’s alleged violation of federal securities laws when making statements and disclosures about the 2019 data breach at the company.
If the SEC were to move forward, SolarWinds could face civil monetary penalties and be required to provide “other equitable relief” for the alleged violations. The action would also enjoin SolarWinds from engaging in future violations of the relevant federal securities laws.
SolarWinds disclosed the SEC’s potential enforcement action in a recent Form 8-K filing with the SEC. In the filing, SolarWinds said it had received a so-called “Wells Notice” from the SEC noting that the regulator’s enforcement staff had made a preliminary decision to recommend the enforcement action. A Wells Notice basically notifies a respondent about charges that a securities regulator intends to bring against a respondent, so the latter has an opportunity to prepare a response.
SolarWinds maintained that its “disclosures, public statements, controls, and procedures were appropriate.” The company noted that it would prepare a response to the SEC enforcement staff’s position on the matter.
The breach into SolarWinds’ systems wasn’t discovered until late 2020, when Mandiant found that its red-team tools had been pilfered in the attack.
Class-Action Settlement
Separately, but in the same filing, SolarWinds said it had agreed to pay $26 million to settle claims in a class action lawsuit filed against the company and some of its executives. The lawsuit had claimed the company had misled investors in public statements, about its cybersecurity practices and controls. The settlement would not constitute any admission of any fault, liability, or wrongdoing over the incident. The settlement, if approved, will be by paid by the company’s applicable liability insurance.
The disclosures in the 8-K Form come nearly two years after SolarWinds reported that attackers — later identified as Russian threat group Nobelium — had breached the build environment of the company’s Orion network management platform and planted a backdoor in the software. The backdoor, dubbed Sunburst, was later pushed out to the company’s customers as legitimate software updates. Some 18,000 customers received the poisoned updates. But fewer than 100 of them were later actually compromised. Nobelium’s victims included companies such as Microsoft and Intel as well as government agencies such as the US departments of Justice and Energy.
SolarWinds Executes a Complete Rebuild
SolarWinds has said it has implemented multiple changes since then to its development and IT environments to ensure the same thing doesn’t again. At the core of the company’s new secure by design approach is a new build system designed to make attacks of the sort that happened in 2019 much harder — and nearly impossible — to carry out.
In a recent conversation with Dark Reading, SolarWinds CISO Tim Brown describes the new development environment as one where software is developed in three parallel builds: a developer pipeline, a staging pipeline, and a production pipeline.
“There’s no one person that has access to all of those pipeline builds,” Brown says. “Before we release, what we do is we do a comparison between the builds and make sure that the comparison matches.” The goal in having three separate builds is to ensure that any unexpected changes to code — malicious or otherwise — don’t get carried over to the next phase of the software development life cycle.
“If you wanted to affect one build, you would not have the ability to affect the next build,” he says. “You need collusion amongst people in order to affect that build again.”
Another critical component of SolarWinds’ new secure-by-design approach is what Brown calls ephemeral operations — where there are no long-lived environments for attackers to compromise. Under the approach, resources are spun up on demand and destroyed when the task to which they have been assigned is completed so attacks have no opportunity to establish a presence on it.
“Assume” a Breach
As part of the overall security enhancement process, SolarWinds has also implemented hardware token-based multifactor authentication for all IT and development staff and deployed mechanisms for recording, logging, and auditing everything that happens during software development, Brown says. After the breach, the company in addition has adopted an “assumed breach” mentality of which red-team exercises and penetration testing are an essential component.
“I’m in there trying to break into my build system all the time,” Brown says. “For example, could I make a change in development that would end up in staging or end up in production?”
The red team looks at every component and service within SolarWinds’ build system, making sure that the configuration of those components are good and, in some cases, the infrastructure surrounding those components is secure as well, he says.
“It took six months of shutting down new feature development and focusing on security alone” to get to a more secure environment, Brown says. The first release SolarWinds put out with new features was between eight and nine months after breach discovery, he says. He describes the work that SolarWinds has put in to bolster software security as a “heavy lift” but one that he thinks has paid off for the company.
“They were just major investments to get ourselves right [and] reduce as much risk as possible in the whole cycle,” says Brown, who also recently shared key lessons his company learned from the 2020 attack.
