Will SolarWinds permanently change the way you approach supply chain management?

Anonymous Author
It runs almost juxtaposed and counter to the culture that we've developed around supply chain management. When patches come in, we have a pretty quick and regimented process to move things through when they're high risk, particularly these zero-day vulnerabilities. We've gotten really good at it, but that seems to then turn out to be harmful. We could be taking on some pretty nasty stuff in the process and only find out months later that we ingested something that wasn't good for us. Each time I'm thinking now, retrospectively, what am I injecting myself with when I rush these changes in? Even though we test them, of course, and we run them through the change management process, we do it at a much accelerated pace, and I'm not even sure we would be able to detect if there was something similar to the SolarWinds breach or vulnerability in that accelerated way. I'm not sure we would see it. I would've never suspected SolarWinds to be a problem, or FireEye for that matter. And I think you're now seeing it creep further into Microsoft, which is a pretty big supplier. And then, as you think about the cloud and adopting these cloud technologies, particularly the more robust SaaS applications where you're not into the infrastructure or any of the lower-level code, you're just configuring right on the outside and trusting that everything in their stack, from the hardware all the way up, is safe and sound and secure. Are you going to end up in a situation where you either have an information security issue that impairs your operation, or you actually have a vulnerability that causes a breach and puts you in violation with regulators?
0 upvotes
Anonymous Author
I have been involved in some advanced persistent threat investigations in my career that were the results of supply chain compromises. I'm used to vendors playing both ends of the spectrum. I've been around where vendors have flatly said, "No, there's no supply chain compromise. All of our software is secure, but thanks for talking to us. Now go away." I've also been around the SolarWinds company. Pretty much the direct opposite. It didn't take a whole lot for them to say, "Hey, look. Here's what happened. Here's what you guys need to know. How can we restore faith in what you guys have trusted us with to control your network performance?" I've been around both sides of the conversation. There shouldn't be anybody who's in the incident response field at this point who is naive enough to think that it's not going to happen to them. It's a matter of time before something bad happens to them. And you've got to be able to have that open dialogue and that open communication and say, "Yeah. Here's what happened. Here's what you need to know." It sure sounds easy, but it's better than a company saying go away or not returning phone calls or emails. It's a whole lot better than that.
0 upvotes