SolarWinds: It’s time to get secure by design

Lisa Stash

Partner content: The last two years of pandemic lockdowns and instability have required a rapid shift in the way everyone works, from the smallest family-owned company to giant government departments.

Work has never been more online or required more remote access points, and this trend is unlikely to reverse. We have officially let the work from home genie out of the bottle, and there’s no going back.

But this behavioural and cultural shift comes at a cost. For many of the biggest organisations – governments included – turning the ship takes time; time during which bad actors can attempt to take advantage of gaps in security.

Chrystal Taylor is a head geek at SolarWinds. She reflected on the fact that big organisations are traditionally not great at rapid change.

“Any kind of big transformational change like that takes a really long time,” Ms Taylor said. But time is of the essence when you’re deflecting cyberattacks.

SolarWinds suffered a breach in 2020. The company has chosen to speak publicly about the attack and responded to the experience by implementing a ‘Secure by Design’ approach.

Secure by Design is key

SolarWinds believes it’s important to speak with your partners and even competitors in your industry about attacks on your systems – the bad guys are working together, so the good guys need to as well.

Ms Taylor said the company had a lot of wisdom to offer around avoiding and learning from attacks.

“It’s a responsibility for all entities to own this problem,” said Ms Taylor. “We’ve had several discussions with the Australian Cybersecurity Centre (ACSC) about the importance of sharing and collaboration, and the ACSC agrees with us: sharing and collaboration are the key.

“We’ve been refining our approach to security to set us apart from the existing industry standards. We aspire to be the new benchmark,” she said.

Since the incident, SolarWinds has implemented its ‘Secure by Design’ initiative, a top-down set of guiding principles designed to strengthen and protect its network by implementing additional security practices, from the software build process and enhanced endpoint protections to increased employee training.

Ms Taylor said there were some key learnings everyone could take away from their experience.

“Individual end users are an organic source of threat to cybersecurity,” she said.

“How often do you hear stories of someone losing their laptop while commuting on a train? They bring in USB devices, and they don’t think anything of it. And it’s not necessarily malicious. It’s more like negligence, or just general human error.”

Ms Taylor said something SolarWinds has really internalised is the importance of a company culture cultivating a security mindset for every member of the organisation.

You can never remove human error from your environments completely. Training your staff to consider themselves part of the security system, and testing their responses to attempted breaches so they are prepared for this inevitability, is therefore a bedrock of any ‘Secure by Design’ environment.

“The thing I really want to emphasise is security is everybody’s responsibility,” she said. This is particularly important in the post-COVID business environment after rapid acceleration to distributed workforce arrangements.

“It’s up to every individual to continue to raise their own awareness and to raise their own stakes in the game,” she said.

“I feel like we can disassociate a little bit. People think to themselves, ‘I just work there, what’s the worst that’s going to happen?’ But the worst can happen, and it’s your responsibility to be aware and vigilant.”

Every person in an organisation is like a plug in one hole in a giant sieve full of water. If even one person fails, the container is breached.

Ms Taylor says the best way to ensure human error is kept to a minimum is whole-staff training backed up by non-visible testing.

Cybersecurity instincts are skills needing to be honed and practiced in real-world environments, so people get used to identifying and rejecting well-crafted phishing emails, for example.

The porousness caused by natural human error is also the reason permission management and a zero-trust environment are so important.

Ms Taylor says many organisations still have a manually managed access permission system where once a staff member is granted a particular access, no one ever revokes it—even if the job they were working on ends or they move departments.

These kinds of leaky permission structures produce a heightened risk environment.

“Imagine your IT systems as a hotel, but every time a guest checked out, you didn’t collect their key,” she said.

“Or worse, your janitor has one of those old-school keyrings with access to all the rooms. If the janitor no longer works here, you’d make sure to get the keyring back, right?

“In the digital world, sometimes those keys can get lost because they’re not inventoried and audited properly.”

Ms Taylor says you need a good access rights manager and to make proactive efforts to maintain only the accesses each employee really needs for their specific job: “Least permissions, constant verification,” she said.

Core takeaways: implement a zero-trust environment; train your staff to view security as everyone’s job; test them regularly with surprise, non-visible security challenges; and automate processes (where possible) to remove human error.
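The access-review discipline described above (revoke keys when people leave or change roles, keep only what each job needs, and audit the inventory) can be automated. The following is an added illustration, not code from SolarWinds or its Access Rights Manager: it joins a constructed HR roster against a constructed entitlement inventory and an assumed per-department policy, then flags grants that belong to departed or unknown users, grants that exceed the user's current role, and grants whose periodic recertification is overdue.

```python
from datetime import date

# Constructed sample data (not from the article): an HR roster and an
# access inventory, the two sources a periodic access review joins.
ROSTER = {
    "u100": {"name": "Ada",  "status": "active", "department": "finance"},
    "u101": {"name": "Bao",  "status": "active", "department": "engineering"},
    "u102": {"name": "Cleo", "status": "left",   "department": "facilities"},
}

# Assumed policy: the entitlements each department legitimately needs.
ROLE_ENTITLEMENTS = {
    "finance": {"ledger-read", "ledger-write"},
    "engineering": {"repo-write", "ci-admin"},
    "facilities": {"badge-system"},
}

# Constructed inventory of who currently holds which key, and when it was
# last recertified by a reviewer.
GRANTS = [
    {"user": "u100", "entitlement": "ledger-write", "last_review": date(2024, 2, 10)},
    {"user": "u101", "entitlement": "ledger-read",  "last_review": date(2024, 3, 1)},   # Bao moved out of finance
    {"user": "u101", "entitlement": "repo-write",   "last_review": date(2023, 1, 1)},   # never recertified
    {"user": "u102", "entitlement": "badge-system", "last_review": date(2024, 2, 1)},   # Cleo has left
    {"user": "u999", "entitlement": "ci-admin",     "last_review": date(2024, 4, 1)},   # no roster record at all
]

TODAY = date(2024, 4, 15)  # constructed review date, so the run is deterministic


def review_grants(grants, roster, role_entitlements, today, max_age_days=90):
    """Return (user, entitlement, reason) for every grant that fails review.

    Checks are ordered from most to least severe so each grant gets the
    single most important finding: orphaned, departed, excess, then stale.
    """
    findings = []
    for g in grants:
        person = roster.get(g["user"])
        if person is None:
            findings.append((g["user"], g["entitlement"], "orphaned: no roster record"))
            continue
        if person["status"] != "active":
            findings.append((g["user"], g["entitlement"], "stale: user has left"))
            continue
        allowed = role_entitlements.get(person["department"], set())
        if g["entitlement"] not in allowed:
            findings.append((g["user"], g["entitlement"],
                             f"excess: not in {person['department']} role"))
            continue
        if (today - g["last_review"]).days > max_age_days:
            findings.append((g["user"], g["entitlement"],
                             "unreviewed: recertification overdue"))
    return findings


def revocation_plan(findings):
    """Keys to pull immediately: everything flagged except overdue reviews,
    which go back to the owner for recertification rather than removal."""
    return sorted({(u, e) for u, e, why in findings if not why.startswith("unreviewed")})


def run_review(today=TODAY):
    return review_grants(GRANTS, ROSTER, ROLE_ENTITLEMENTS, today)


if __name__ == "__main__":
    results = run_review()
    for user, entitlement, reason in results:
        print(f"{user:5} {entitlement:13} {reason}")
    print("revoke:", revocation_plan(results))
```

Running it against the constructed data yields four findings: one orphaned grant, one held by a departed user, one entitlement Bao kept after changing department, and one engineering grant that has not been recertified within the 90-day window. Only the first three go on the revocation list; the overdue one is routed back for review. In a real estate the roster would come from the HR system and the grants from the directory or access-management tool, and the review would be scheduled rather than run by hand.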

This article was produced by in partnership with SolarWinds.
