SolarWinds attack makes us distrust the software we buy

TechRepublic’s Karen Roby spoke with Manish Gupta, founder and CEO of ShiftLeft, a code analysis software company, about the SolarWinds attack and its effect on cybersecurity. The following is an edited transcript of their conversation.

Karen Roby: Manish you’ve been in security for a long time now. And the SolarWinds attack is one we’ve heard a lot about, of course, all this information coming out about maybe how it happened, why it happened, what can we learn from it? As a security expert when you look at what happened, how do you boil this down into what went wrong and why is it such a big deal?

SEE: Identity theft protection policy (TechRepublic Premium)

Manish Gupta: Look, software is driving innovation all around us. We implicitly trust our software like the water supply. Consumers and enterprises alike have limited ability to inspect the software. The software upgrades performed by our software vendors. Therefore, once we start using the software, we implicitly trust it to receive upgrades so that we can continue to get new feature functionality. I assume, for example, if you use a phone, a smartphone, you download applications and then just on the background you allow these applications to be upgraded. But the SolarWinds attack was novel in that the attackers infected the very software that we trust. The very downloads that we implicitly allow our software vendors to perform. And that software became a way to steal confidential information. The key is unbeknownst to both the software in there and the customers using the software. This breach of trust of software is huge because software is driving everything around us. And history also teaches us that once nation-state attackers show us the art of the possible, the attack techniques, which seem sophisticated today are leveraged by less clever and less-resourced attackers motivated by financial gain.

Karen Roby: When we look at this particular attack, SolarWinds has many high-profile clients. This information of thousands upon thousands of people were targeted. Unfortunately, I think so many people hear about breaches and attacks, and they’re like, “Oh, well, there’s another one.” It’s so concerning how often we’re hearing about it and certainly on this scale.

Manish Gupta: Indeed it is. We’ve talked to some of SolarWinds’ customers. As I mentioned earlier, because of the implicit trust that we place and what perhaps makes the problem worse is if, for example, we as consumers or enterprise companies, when we download software, when we buy software from a third party, there is a very limited ability we have to inspect what is in that software. And the challenge is that with modern continuous integration, continuous deployment, the pace of software development is ever-increasing, which makes the problem even worse because any change, any one change out of the 100 changes that are perhaps being made in a given day could come from a potential hacker. So, how do we tell the difference between a change that was made legitimately versus not? And even the companies who are writing the software don’t have this ability today, let alone their customers who largely get a black box.

SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)

Karen Roby: What needs to happen, Manish? When you talk about the hackers on the other end of this are very sophisticated, they know what they’re doing and they find vulnerabilities and they get in. But the people on the other end so often are just everyday people that are victimized when their information is stolen or whatever it may be. So there is this trust level there in between that we just kind of take for granted. What needs to happen so another SolarWinds doesn’t happen.

Manish Gupta: Indeed a great question, Karen. The first thing is, look, as a security industry, cybersecurity industry, we are struggling with this problem. We have been using for the last two decades all kinds of network and endpoint technologies like FireEye and CrowdStrike to detect the malware. And we should. But a key part of this attack for the first time as we discussed was the attackers planting malicious code in software itself. As an example, we spend about $30 billion a year on endpoint and network technologies to protect the perimeter. And we constantly keep getting breached still. So, where is the outrage? Where does the question like, “Enough is enough.” The very software that we develop that drives innovation all around us, by the way, did you know that we spend about $1 billion a year in finding and fixing vulnerabilities.

[That’s] $1 billion a year relative to $30 billion that we are just trying to protect the perimeter, knowing fully well, that it is fairly trivial for attackers to breach the perimeter. Once they’ve breached the perimeter, they’re essentially an employee of yours, a software developer, and we just got to get better. We have to come to this realization, otherwise the world is going to get increasingly vulcanized. The U.S., America has the most to lose. And we cannot continue to say, “Yes, we are going to continue to protect the perimeter and let other nations come in and continue to steal what we’ve taken years and decades to develop.”

Karen Roby: Most certainly. And like you said, where is the outrage? Are they numb to it? They don’t understand it. I think a lot of times, as far as concern, outrage, where do you think people are those that are in positions of power, whether that be government officials, people that can actually make a difference and sound the alarm. Where are they? What is the temperament of that group?

SEE: Incident response policy (TechRepublic Premium)

Manish Gupta: The good thing is every time something like this happens, one of the first things that we hear about is, “Oh yeah. Once companies get breached, they should share that information.” And that’s great. Just the other day, without naming names, I was reading an article from a retired general, who said, “A SolarWinds-like attack has happened amongst multiple government agencies. Yet, we don’t know about them.” And knowing is of course, acknowledging that this has happened is the first step, because it allows the average consumer, a cybersecurity company to be aware of the magnitude of the problem. But, great, so we are now well aware of the magnitude of the problem, which we all should be, who are in the know. So the next part is how do we get better at finding and fixing vulnerabilities, which is the very underlying cause for the majority of the breaches?

I realize this is a non-trivial problem because while we have the knowledge of the last two decades that teaches us how to detect vulnerabilities in software, we have no prior knowledge of how to detect malicious code in software. But this is where at ShiftLeft we’ve innovated. And we have an offering that we call Illuminate. The key innovation that we’ve had is to realize that the attacker is the same attacker that used to conduct traditional targeted attacks. But for the first time, the vector of attack has changed. It has become the software. So when we test this hypothesis, because we have many, many years of knowledge of the attacker’s TTPs standing for Tactics, Techniques and Procedures. If we leveraged this knowledge to now look for these elements in source code, we are successful. We at ShiftLeft can show that using our unique technology which is called the code property graph, we can find multiple individual elements of the attack kill chain and string them together to show that this is an insider attack.

Karen Roby: When you look at the outlook for, say, the next couple of years, and we hope that things will be better. We’ve lived in a lot of negativity, Manish, the last year with everything going on because of the pandemic, so kind of final thoughts here. Do you feel like a change is, can, will happen or are we kind of stuck in a bad cycle?

Manish Gupta: I’m an eternal optimist. I’m an entrepreneur, I love to tackle hard problems. I think one of the key reasons why people are realizing is if we take a modern software company, let’s say a SaaS, Software as a Service company, 100% of their revenue comes from the software that they’re hosting in the cloud. So, nothing is more important for them to protect. SFive years ago when I started this company, we called it ShiftLeft because we wanted to put the focus on instead of constantly deploying reactive technologies like network, like end point, etc., that we need to shift left. We need to start getting better at finding and fixing vulnerabilities. Five years ago no one had heard about the term shift left. Five years hence, it has become sort of an industry best practice that is being planned or way under planning by most companies.

Also see