Help

BI’s Article search uses Boolean search capabilities. If you are not familiar with these principles, here are some quick tips.

To search specifically for more than one word, put the search term in quotation marks. For example, “workers compensation”. This will limit your search to that combination of words.

To search for a combination of terms, use quotations and the & symbol. For example, “hurricane” & “loss”.

Login Register Subscribe

SolarWinds bolsters cybersecurity in wake of hack

Reprints
SolarWinds

The hack of SolarWinds Inc. that compromised customers including U.S. government agencies has led to a more robust cybersecurity program at the company, SolarWinds officials said Thursday during a webinar.

The party behind the hack at the Austin, Texas-based company was identified only as a nation-state during the webinar sponsored by Marsh LLC, although news reports have identified Russia as the instigator. The cyberattack was discovered in December.

SolarWinds CEO Sudhakar Ramakrishna, who noted the hack occurred before he had officially assumed his position as CEO, said the malware entered the company’s code during a “mini-second of opportunity” and that traditional detection methods may not have been able to detect it.

“This was a very sophisticated group of hackers who must have been highly trained and very well resourced,” he said. The investigation is ongoing, he said.

SolarWinds general counsel Jason Bliss said, “We have 80 terabytes of data,” which means investigating the equivalent of five Libraries of Congress when “we’re really looking for a few sentences in a book.”

“This was a different and unique attack” on the supply chain, not a “run-of-the-mill virus” whose job is to spread as fast as possible and get as much visibility as possible, Mr. Ramakrishna said. 

The attack was “the price we pay” for being ubiquitous, Mr. Ramakrishna said

With SolarWinds having 300,000 customers, the hackers wanted to make as “broad a footprint as possible,” Mr. Bliss said.

He said the company “immediately escalated to mobilize our folks around the world” and quickly developed cleanse code and patches, and notified customers about the situation.

Mr. Ramakrishna said the company has now developed a “secure by design” approach that involves making its system more secure and more consistent with the broader information technology policies at many companies.

“A lot of times, security is an afterthought after products are released or deployed. Our view is, we have to inject it right at the design we are evolving,” he said.

Mr. Ramakrishna said this includes providing the fewest number of privileges for access and a more formalized incident response team to enable the company to be better prepared.

He added, however, that if a nation-state does want to compromise your work, “it’s going to be a matter of when and not so much if.”

This session was moderated by Liz Walker, Chicago-based strategic claims and client engagement leader for Marsh Advisory.

 

 

 

Read Next