SolarWinds Faces Potential SEC Enforcement Action Over Orion Breach

The US Securities and Exchange Commission (SEC) appears poised to take enforcement action against SolarWinds for the enterprise software company’s alleged violation of federal securities laws when making statements and disclosures about the 2019 data breach at the company.

If the SEC were to move forward, SolarWinds could face civil monetary penalties and be required to provide “other equitable relief” for the alleged violations. The action would also enjoin SolarWinds from engaging in future violations of the relevant federal securities laws.

SolarWinds disclosed the SEC’s potential enforcement action in a recent Form 8-K filing with the SEC. In the filing, SolarWinds said it had received a so-called “Wells Notice” from the SEC noting that the regulator’s enforcement staff had made a preliminary decision to recommend the enforcement action. A Wells Notice essentially notifies a respondent about charges that a securities regulator intends to bring against the respondent, so the latter has an opportunity to prepare a response.

SolarWinds maintained that its “disclosures, public statements, controls, and procedures were appropriate.” The company noted that it would prepare a response to the SEC enforcement staff’s position on the matter.

The breach into SolarWinds’ systems wasn’t discovered until late 2020, when Mandiant found that its red-team tools had been stolen in the attack.

Class Action Settlement

Separately, but in the same filing, SolarWinds said it had agreed to pay $26 million to settle claims in a class action lawsuit filed against the company and some of its executives. The lawsuit had claimed the company had misled investors in public statements about its cybersecurity practices and controls. The settlement would not constitute any admission of any fault, liability, or wrongdoing over the incident. The settlement, if approved, will be paid by the company’s applicable liability insurance.

The Form 8-K disclosure comes nearly two years after SolarWinds reported that attackers, later identified as the Russian threat group Nobelium, had breached the build environment of the company’s Orion network management platform and planted a backdoor in the software. The backdoor, dubbed Sunburst, was later pushed out to the company’s customers as legitimate software updates. Some 18,000 customers received the poisoned updates, but fewer than 100 of them were later actually compromised. Nobelium’s victims included companies such as Microsoft and Intel as well as government agencies such as the US departments of Justice and Energy.

SolarWinds Implements a Complete Overhaul

SolarWinds has said it has implemented multiple changes since then to its development and IT environments to ensure the same thing doesn’t happen again. At the core of the company’s new secure-by-design approach is a new build system designed to make attacks of the sort that happened in 2019 much harder — and nearly impossible — to carry out.

In a recent conversation with Dark Reading, SolarWinds CISO Tim Brown describes the new development environment as one in which software is developed in three parallel builds: a developer pipeline, a staging pipeline, and a production pipeline.

“There’s no one person that has access to all of those pipeline builds,” Brown says. “Before we release, what we do is we do a comparison between the builds and make sure that the comparison matches.” The goal in having three separate builds is to ensure that any unexpected changes to code — malicious or otherwise — don’t get carried over to the next phase of the software development life cycle. 

“If you wanted to affect one build, you would not have the ability to affect the next build,” he says. “You need collusion amongst people in order to affect that build again.”
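The pre-release comparison Brown describes can be sketched as a digest check across the three pipelines. This is an added example, not SolarWinds' code: the article does not say how the builds are compared, so the SHA-256 manifest format, the function names, and the sample artifacts are assumptions, as is the premise that the builds are reproducible (identical sources yield byte-identical outputs).

```python
import hashlib
from collections import Counter

PIPELINES = ("developer", "staging", "production")

def manifest(files):
    """Map each artifact path to the SHA-256 of its bytes."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def compare_builds(manifests):
    """Return {path: {pipeline: digest-or-None}} for every artifact that is
    missing from a pipeline or whose digest is not identical in all of them."""
    missing = [p for p in PIPELINES if p not in manifests]
    if missing:
        raise ValueError(f"no manifest from pipeline(s): {missing}")
    paths = set().union(*(manifests[p] for p in PIPELINES))
    diffs = {}
    for path in sorted(paths):
        seen = {p: manifests[p].get(path) for p in PIPELINES}
        if len(set(seen.values())) != 1:
            diffs[path] = seen
    return diffs

def outliers(diffs):
    """Pipelines that disagree with the majority digest for some artifact."""
    odd = set()
    for seen in diffs.values():
        digest, votes = Counter(seen.values()).most_common(1)[0]
        if votes == 1:  # no two pipelines agree, so all of them are suspect
            odd.update(seen)
        else:
            odd.update(p for p, d in seen.items() if d != digest)
    return sorted(odd)

def release_allowed(manifests):
    """Release only when every artifact matches across all three builds."""
    return not compare_builds(manifests)

# Constructed sample data: the same sources built three times, then one output altered.
SOURCES = {"bin/agent.dll": b"agent v1", "bin/core.dll": b"core v1"}
CLEAN = {p: manifest(SOURCES) for p in PIPELINES}
TAMPERED = dict(CLEAN, production=manifest(
    {**SOURCES, "bin/core.dll": b"core v1 + injected code"}))

if __name__ == "__main__":
    print("clean release allowed:", release_allowed(CLEAN))
    diffs = compare_builds(TAMPERED)
    print("tampered release allowed:", not diffs, "| differing:", list(diffs))
    print("pipeline(s) to investigate:", outliers(diffs))
```

A change introduced in only one pipeline shows up as a single outlier; making all three manifests agree on altered output would require tampering with every pipeline, which is the collusion requirement Brown refers to.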

Another critical component of SolarWinds’ new secure-by-design approach is what Brown calls ephemeral operations, in which there are no long-lived environments for attackers to compromise. Under the approach, resources are spun up on demand and destroyed when the task to which they have been assigned is completed, so attackers have no opportunity to establish a presence on them.

“Assume” a Breach

As part of the overall security enhancement process, SolarWinds has also implemented hardware token-based multifactor authentication for all IT and development staff and deployed mechanisms for recording, logging, and auditing everything that happens during software development, Brown says. After the breach, the company has also adopted an “assumed breach” mentality, of which red-team exercises and penetration testing are an essential component.

“I’m in there trying to break into my build system all the time,” Brown says. “For example, could I make a change in development that would end up in staging or end up in production?” 

The red team looks at every component and service within SolarWinds’ build system, making sure that the configuration of those components is good and, in some cases, that the infrastructure surrounding those components is secure as well, he says.

“It took six months of shutting down new feature development and focusing on security alone” to get to a more secure environment, Brown says. The first release SolarWinds put out with new features was between eight and nine months after breach discovery, he says. He describes the work that SolarWinds has put in to bolster software security as a “heavy lift” but one that he thinks has paid off for the company. 

“They were just major investments to get ourselves right [and] reduce as much risk as possible in the whole cycle,” says Brown, who also recently shared key lessons his company learned from the 2020 attack.
