SolarWinds Faces Potential SEC Enforcement Action Over Orion Breach

Published: 23/11/2024   Category: security




In the nearly two years since the company discovered the cyber intrusion, SolarWinds has fundamentally rearchitected its development environment to make it much harder to compromise, CISO Tim Brown tells Dark Reading.



The US Securities and Exchange Commission (SEC) appears poised to take enforcement action against SolarWinds for the enterprise software company's alleged violation of federal securities laws in the statements and disclosures it made about the 2019 data breach at the company.
If the SEC were to move forward, SolarWinds could face civil monetary penalties and be required to provide other equitable relief for the alleged violations. The action would also enjoin SolarWinds from engaging in future violations of the relevant federal securities laws.
SolarWinds disclosed the SEC's potential enforcement action in a recent Form 8-K filing with the SEC. In the filing, SolarWinds said it had received a so-called Wells Notice from the SEC noting that the regulator's enforcement staff had made a preliminary decision to recommend the enforcement action. A Wells Notice notifies a respondent of the charges that a securities regulator intends to bring, so that the respondent has an opportunity to prepare a response before any action is filed.
SolarWinds maintained that its disclosures, public statements, controls, and procedures were appropriate. The company said it would prepare a response to the SEC enforcement staff's position on the matter.
The breach of SolarWinds' systems wasn't discovered until late 2020, when FireEye (now Mandiant) found that its red-team tools had been stolen in the attack.
Separately, but in the same filing, SolarWinds said it had agreed to pay $26 million to settle claims in a class action lawsuit filed against the company and some of its executives. The lawsuit had claimed the company misled investors in public statements about its cybersecurity practices and controls. The settlement does not constitute any admission of fault, liability, or wrongdoing over the incident. The settlement, if approved, will be paid by the company's applicable liability insurance.
The disclosures in the Form 8-K come nearly two years after SolarWinds reported that attackers, later identified as the Russian threat group Nobelium, had breached the build environment of the company's Orion network management platform and planted a backdoor in the software. The backdoor, dubbed Sunburst, was then pushed out to the company's customers as legitimate, signed software updates. Some 18,000 customers downloaded the poisoned updates, but fewer than 100 of them were later actually compromised by follow-on activity. Nobelium's victims included companies such as Microsoft and Intel as well as US government agencies, including the departments of Justice and Energy.
SolarWinds has said it has implemented multiple changes since then to its development and IT environments to ensure the same thing doesn't happen again. At the core of the company's new secure-by-design approach is a new build system designed to make attacks of the sort that happened in 2019 much harder, and in the company's view nearly impossible, to carry out.
In a recent conversation with Dark Reading, SolarWinds CISO Tim Brown describes the new development environment as one where software is developed in three parallel builds: a developer pipeline, a staging pipeline, and a production pipeline. 
"There's no one person that has access to all of those pipeline builds," Brown says. "Before we release, what we do is we do a comparison between the builds and make sure that the comparison matches." The goal in having three separate builds is to ensure that any unexpected changes to code, malicious or otherwise, don't get carried over to the next phase of the software development life cycle.
"If you wanted to affect one build, you would not have the ability to affect the next build," he says. "You need collusion amongst people in order to affect that build again."
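The release gate Brown describes boils down to one check: independently produced builds of the same source must agree byte-for-byte before anything ships. The script below is an added example of that check, written for this article; it is not SolarWinds' code, and the pipeline names, artifact paths and file contents are constructed for illustration. It assumes each pipeline ends by emitting a manifest of artifact path to SHA-256 digest, and it names the pipeline whose output diverges from the others rather than just failing, since that divergence is exactly what an investigator wants to see first.

```python
"""Cross-check manifests from independent build pipelines before release.

Added illustration for the article above; not SolarWinds' build system.
Assumption: every pipeline (developer, staging, production here) builds the
same commit and finishes by hashing each artifact it produced.
"""
import hashlib
from typing import Dict, List, Tuple

Manifest = Dict[str, str]  # artifact path -> hex SHA-256 of its bytes


def build_manifest(artifacts: Dict[str, bytes]) -> Manifest:
    """Stand-in for one pipeline's last step: hash every artifact it produced.
    A real pipeline would hash files on disk; here the bytes are passed in."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in artifacts.items()}


def compare_builds(manifests: Dict[str, Manifest]) -> Tuple[bool, List[str]]:
    """Gate a release on N independent builds agreeing byte-for-byte.

    Returns (release_ok, findings). release_ok is True only when every pipeline
    produced the same artifact paths with identical digests. Each finding names
    the pipeline(s) whose output differs from the majority, so a divergence is
    investigated instead of being promoted to the next stage.
    """
    findings: List[str] = []
    all_paths = sorted({p for m in manifests.values() for p in m})
    for path in all_paths:
        digests = {name: m.get(path) for name, m in manifests.items()}
        missing = sorted(n for n, d in digests.items() if d is None)
        if missing:  # an artifact one pipeline never produced is itself a finding
            findings.append(f"{path}: missing from {', '.join(missing)}")
            continue
        if len(set(digests.values())) == 1:
            continue  # all pipelines agree on this artifact
        counts: Dict[str, int] = {}
        for d in digests.values():
            counts[d] = counts.get(d, 0) + 1
        majority = max(counts, key=counts.get)
        if counts[majority] == 1:
            findings.append(f"{path}: no two pipelines agree")
        else:
            outliers = sorted(n for n, d in digests.items() if d != majority)
            findings.append(f"{path}: differs in {', '.join(outliers)}")
    return (not findings, findings)


# Constructed sample artifacts (not real SolarWinds files): the same source built
# three times. The "production" copy has bytes appended to one library, standing
# in for logic that was injected into only that pipeline.
CLEAN_SOURCE = {
    "lib/core.dll": b"MZ\x90\x00clean-build-output",
    "conf/app.config": b"<configuration/>",
}


def demo() -> Tuple[bool, List[str]]:
    developer = build_manifest(CLEAN_SOURCE)
    staging = build_manifest(CLEAN_SOURCE)
    tampered = dict(CLEAN_SOURCE)
    tampered["lib/core.dll"] += b"injected-logic"
    production = build_manifest(tampered)
    return compare_builds(
        {"developer": developer, "staging": staging, "production": production}
    )


if __name__ == "__main__":
    ok, findings = demo()
    print("release allowed" if ok else "release blocked:")
    for finding in findings:
        print("  -", finding)
```

Two caveats a practitioner would add. First, the comparison only carries weight if the pipelines are administered by different people with no shared credentials, which is the collusion requirement Brown spells out; three builds on one shared runner, or three builds that all pull from the same unpinned dependency mirror, would agree with each other while all being wrong. Second, the check requires deterministic builds: embedded timestamps, per-build signing, or nondeterministic link order will make every comparison fail, so those inputs have to be fixed or stripped before the manifests are compared.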
Another critical component of SolarWinds' new secure-by-design approach is what Brown calls ephemeral operations: there are no long-lived build environments for attackers to compromise. Resources are spun up on demand and destroyed once the task they were assigned is complete, so an attacker has no persistent host on which to establish a foothold.
As part of the overall security enhancement process, SolarWinds has also rolled out hardware token-based multifactor authentication for all IT and development staff and deployed mechanisms for recording, logging, and auditing everything that happens during software development, Brown says. Since the breach, the company has also adopted an assumed-breach mentality, of which red-team exercises and penetration testing are an essential component.
"I'm in there trying to break into my build system all the time," Brown says. "For example, could I make a change in development that would end up in staging or end up in production?"
The red team looks at every component and service within SolarWinds' build system, making sure that the configuration of those components is sound and, in some cases, that the infrastructure surrounding those components is secure as well, he says.
It took six months of shutting down new feature development and focusing on security alone to get to a more secure environment, Brown says. The first release SolarWinds put out with new features was between eight and nine months after breach discovery, he says. He describes the work that SolarWinds has put in to bolster software security as a heavy lift but one that he thinks has paid off for the company. 
"They were just major investments to get ourselves right [and] reduce as much risk as possible in the whole cycle," says Brown, who also recently shared key lessons his company learned from the 2020 attack.
