N-able, the imminent rebrand of SolarWinds MSP, continues to march forward. And it's a reasonably safe bet that N-able's spin-out from corporate IT software provider SolarWinds will also proceed, ChannelE2E believes.
So, what is the path forward for N-able and MSPs (managed IT service providers) that run the company's software? The simple answer involves clear, concise, regular communications between N-able and those MSPs.
Admittedly, the MSP industry has been on heightened alert ever since SolarWinds disclosed a major hacker attack in December 2020. To be clear: The hack hit the SolarWinds Orion software platform, which is more of a corporate IT product. The company's forensics investigation says SolarWinds MSP's software was not targeted or hit by the attack.
Still, SolarWinds MSP President John Pagliuca (soon to be CEO, N-able) concedes: The company realizes it can't rest on a "No news is good news" approach with MSP partners. Amid that realization, the business unit has changed its communications cadence with MSPs -- speaking even more regularly with partners, and proactively repeating the established statement that SolarWinds MSP's software was not attacked, Pagliuca tells ChannelE2E.
It's natural (and smart) for MSPs to ask questions about the attack. But it's also important to separate facts from speculation. So what are the facts?
- A comprehensive ChannelE2E timeline traces the entire SolarWinds Orion attack -- from its apparent start in 2019 through this week's expected hearings in Washington, D.C.
- SolarWinds continues to update a SUNBURST / Orion Security Advisory here;
- a related SolarWinds SUNBURST FAQ about the incident is here; and
- a SolarWinds MSP statement is here.
Read through all of the reports, all of the documentation and all of the investigation findings and that same conclusion emerges: SolarWinds MSP's software was not hit in this attack. (If new information ever surfaces suggesting otherwise, we'll report it.)
KPMG and CrowdStrike: Forensics and Threat Hunt Findings
Meanwhile, SolarWinds MSP -- soon to be known as N-able -- isn't resting on its laurels.
In addition to the cyber investigation (which involved third parties such as KPMG and CrowdStrike), SolarWinds corporate and the SolarWinds MSP business unit took a hard look at their software development practices, Pagliuca and VP of Security Tim Brown told ChannelE2E earlier this month.
Among the takeaways from our conversation:
- Threat Hunt Findings: A CrowdStrike threat hunt -- involving CrowdStrike's software and threat hunting team -- took a look at the cyberattack against SolarWinds. The threat hunt saw no evidence of attackers making a lateral move from SolarWinds corporate into the SolarWinds MSP business and associated software, Brown says.
- Forensics Findings: KPMG performed a forensics deep dive on the SolarWinds and SolarWinds MSP build environments. Again, KPMG found no evidence of hacker movement from SolarWinds corporate into SolarWinds MSP's software.
Beyond those findings, the company is making security-related changes of its own. Among them:
- Shifting to a triple-build software development model that spans lab, development and clean room silos. No one person has access to all three silos, among other security steps here.
- Staffing up a complete, fully functional cyber team for the expected spin-out of SolarWinds MSP (i.e., N-able). The idea is to ensure both SolarWinds corporate and the N-able spin-out have all the dedicated security resources they need before N-able is a standalone company. That includes the search for a CISO (chief information security officer) to join N-able.
SolarWinds MSP Briefs Partners On Security Investigation, Further Risk Mitigation
SolarWinds MSP earlier this month also briefed partners on many of the updates mentioned above. Moreover, the company recapped SolarWinds MSP's initial six-step response to the Sunburst attack. The six steps, mentioned during a partner briefing, spanned:
- Scanning all code to ensure SolarWinds MSP products did not include the SUNBURST or SUPERNOVA vulnerabilities.
- Obtaining a new Digital Certificate with a unique thumbprint for SolarWinds MSP products -- which is different from that of the SolarWinds Orion platform.
- Regenerating and deploying signed binaries with the new Digital Certificate for MSP products that previously used the SolarWinds Digital Certificate.
- Communicating immediately with MSP partners about the new Digital Certificate.
- Tracking adoption of automated and manual deployments.
- Scanning binaries to detect unexpected executables.
SolarWinds MSP apologized for the challenge MSPs faced amid the forced Digital Certificate update, but the company reinforced the need for such a step in order to further mitigate potential business risk.
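For MSPs that want to confirm on their own endpoints that the certificate change has landed and that no unexpected executables sit alongside the agent, an Authenticode audit covers both checks. The PowerShell below is an added example, not SolarWinds MSP's or N-able's tooling; the install path and both thumbprint values are placeholders to be filled in from the vendor's own certificate notice.

```powershell
# Added example: audit Authenticode signers under an agent install directory.
# $AgentRoot is a hypothetical path; both thumbprints are placeholders.
param(
    [string]$AgentRoot     = 'C:\Program Files\ExampleAgent',
    [string]$NewThumbprint = '<NEW-CERT-THUMBPRINT>',
    [string]$OldThumbprint = '<OLD-CERT-THUMBPRINT>'
)

$results = Get-ChildItem -Path $AgentRoot -Recurse -File -Include *.exe, *.dll |
    ForEach-Object {
        $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert  = $sig.SignerCertificate
        $thumb = if ($cert) { $cert.Thumbprint } else { $null }

        # Check the old certificate before signature validity, so a binary
        # still carrying it is always reported as stale.
        $verdict = if ($sig.Status -eq 'NotSigned') { 'UNSIGNED' }
            elseif ($thumb -eq $OldThumbprint)      { 'STALE-OLD-CERT' }
            elseif ($sig.Status -ne 'Valid')        { "INVALID ($($sig.Status))" }
            elseif ($thumb -eq $NewThumbprint)      { 'OK-NEW-CERT' }
            else                                    { 'UNEXPECTED-SIGNER' }

        [pscustomobject]@{
            Verdict    = $verdict
            File       = $_.FullName
            Thumbprint = $thumb
            Signer     = if ($cert) { $cert.Subject } else { $null }
            SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

# Adoption summary: how many binaries fall into each verdict.
$results | Group-Object Verdict | Sort-Object Name |
    Select-Object Name, Count | Format-Table -AutoSize

# Everything that needs follow-up, with hashes for later comparison.
$results | Where-Object Verdict -ne 'OK-NEW-CERT' |
    Sort-Object Verdict, File | Format-List
```

Third-party libraries bundled with an agent will appear as UNEXPECTED-SIGNER; compare them against the vendor's documentation before treating them as suspicious.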
Present and future SolarWinds MSP security activities, according to the MSP partner briefing, involve:
- Further securing the internal environment via global password resets, threat detection deployment and enhanced MFA (multi-factor authentication);
- Enhancing the development environment, including separation of duties, clean rooms and a review of code changes over the past 18+ months;
- Further ensuring the security and integrity of products through expanded vulnerability management, threat modeling and a reassessment of the security backlog; and
- Achieving a secure-by-design mandate that involves new, state-of-the-art processes and deep transparency.
What's Next for N-able (the Former SolarWinds MSP)
Amid those cybersecurity initiatives, SolarWinds continues to "explore" the potential spin-out of SolarWinds MSP. Take a closer look at that process, and it's a safe bet SolarWinds MSP will switch to the N-able brand even before the proposed spin-out is officially completed.
Yes indeed, SolarWinds MSP will essentially operate as N-able by the end of March 2021 or so, current timelines estimate. Parent SolarWinds is targeting Q2 or so for the official spin-out of the N-able business, assuming it happens.
Still, there are some challenges on the near-term horizon. They involve:
- Hearings In Washington, D.C.: SolarWinds CEO Sudhakar Ramakrishna is expected to testify in Washington, D.C., this week, as part of an investigation into who attacked the software company, how the attack happened, and what the fallout has been.
- Quarterly Earnings Results: SolarWinds is expected to announce quarterly results on Thursday, February 25.
During the earnings call, ChannelE2E suspects SolarWinds will:
- Offer an update on the SolarWinds MSP (i.e., N-able) spin-out.
- Potentially describe some of the costs associated with the SolarWinds Orion hacker attack.
In addition to the breach investigation and cleanup costs, ChannelE2E is curious to see if or how news of the hack impacted SolarWinds' overall quarterly revenues. The key wildcard: Did the hack pressure only the Orion software business, or did the security event pressure other portions of the software business while customers pursued more information about the attack? We'll be listening closely to see if any specifics emerge on the earnings call.
Bottom Line: What SolarWinds Earnings, Hearings Mean for MSPs
No doubt, MSPs should expect a flood of media headlines about the SolarWinds earnings plus the hearings in Washington, D.C., this week. If customers read those headlines and raise questions, what exactly should MSPs say?
MSPs should start (and stick) with the truth. Such as:
- A forensic investigation by KPMG and CrowdStrike says the hack did not involve SolarWinds MSP's software.
- Nevertheless, SolarWinds MSP is taking more steps to safeguard its software development and business from attacks.
- SolarWinds MSP is nearing the completion of a rebrand and will soon be known as N-able.
- A spin-out of N-able as an independent company in Q2 is likely (ChannelE2E believes -- so technically, this bullet is a strong opinion rather than fact).
- No software company is fully immune to cyberattacks.
- Every business in the MSP supply chain -- from software company to MSP to end-customer -- should regularly perform a risk analysis using the NIST cybersecurity framework.
- When's the last time your business underwent such a risk analysis?