Introduction (00:38)
You are listening to KBKast, the Cyber security podcast for all executives cutting through the jargon and height to understand the landscape where risk and technology meet. Now, here's your host. Karissa Breen.
Karissa (00:53)
Joining me today is Chrystal Taylor, Head Geek from SolarWinds. Chrystal, thanks for joining.
Chrystal Taylor (00:58)
Thanks for having me.
Karissa (01:00)
Now, I want to start with an interesting question. With the SolarWinds breach, which occurred like back in 2020, it actually that feels so long ago now, but at the same time it doesn't. So maybe if you can just remind our listeners what happened with that breach at a high level, I think it'd be really into here from your perspective.
Chrystal Taylor (01:19)
Sure, absolutely. The Sunburst Attacks is what the actual name of it is. I think we definitely got associated with solar winds. It became known as the Solar Winds Breach, for better or worse. But the Sunburst attack was a highly sophisticated supply chain attack by a foreign government entity that targeted software companies. And to us specifically, what that meant was that the attackers entered our build environment, monitored the software build postros, and inserted malicious code that provided a backdoor which they then could activate in customer environments that had downloaded that code sample. That's effectively what happened in the very specific and also very general sense of what happened back then. So some entities were compromised by using that back door, unfortunately, and that happened. You said 2020 and I've had the same thought. It feels so long ago, and yet not very long ago at all.
Karissa (02:10)
Now, you guys were coming up a lot, obviously, in the media, as you know. So talk to me a little bit more about how do you handle that then as an employee, because there's been a recent breach you probably heard of here in Australia. It's a tough conversation. And how do you handle that mentally as well? Because I'm really curious, because some things I think we do maybe wrong in this space is we really go to town on people. And again, you're not totally and solely responsible for everything that happens in SolarWinds. And I guess I don't know what it is. Maybe people want someone to blame. Sometimes it's easier to be like, oh, you're the scapegoat, Chrystal, because you work there. So I'm really curious to just understand and get in the mindset of what that was like for you?
Chrystal Taylor (02:51)
Oh yeah, absolutely. So I think you're right, we are quite harsh when it happens and I think realistically it's a matter of when and not if a company is going to be breached. I mean, things are getting changed and adapted and transformed constantly all the time and there's less and less patience as a whole that I think we as a general global society have. So we expect things to happen now, we expect changes to happen now. What that means is sometimes things get missed or sometimes updates can't happen because there's all this red tape to go through or you only patch every so often. I mean, there's been so many breaches in the past several years especially I feel like it's gotten a lot more high profile than it maybe used to be five years ago or whatever. It's definitely being talked about a lot more because even the general public is more aware of them, whereas in the past it would have been relegated to infosec and like C suites, maybe knowing them. And now it's definitely become highly publicised. And I think what happens a lot of times is that they are looking for a scapegoat.
Chrystal Taylor (03:53)
And as an employee going through the process, I found it quite fascinating, actually, which I don't know what that says about me, but I found it quite fascinating to kind of see not only on the Internet, I didn't have anybody come after me personally, which I was quite glad of, obviously, because I don't want to deal with that. But I didn't have anyone try to come after me personally. I definitely saw a lot of things coming after the company. A lot of questions came out about it and I think as best as we could, we tried to answer questions we were allowed to answer in the time we were allowed to answer them because obviously there was federal investigations and that kind of stuff. So there was a lot of questions we weren't allowed to answer or where we didn't have answers for because the investigation wasn't completed and all of that stuff. So you have to reach a consensus of where you're going to have to say, I'm sorry, I don't have the answer, and then direct them to somebody who can answer in a different way or direct them to any of the things that we've published about it.
Chrystal Taylor (04:45)
Because I think one of the things that I personally appreciated was how transparent our CEO was during the event, right? He was talking about things all the time, making sure to inform the wider tech industry so that we can all get better, right? We can all understand what's going on, we can try to improve because I think the stigma that's attached to it, it means that people don't want to talk about it, right? It's a crime in many countries to not disclose an attack, sure. But they don't generally talk about it as it impacts the industry. And I think that was one of the things I really enjoyed seeing, was how our CEO kind of came up and started talking about how it affects the industry and how we can get better, and worked on collaborating with our governmental agencies and also with other tech industry enterprises trying to improve. And I think we see breaches all the time, right. The log four J, one that's another recent, semi recent one that was really big deal. And I think if we constantly stigmatise and go on the attack, that we're not going to learn as we should.
Chrystal Taylor (05:46)
And I think the more high profile it gets, I think the less that people are trying to blame an individual and the more they're realising that it can happen to anybody. And I like to think that we're all learning that it can happen to anybody, especially in our case where it was a nation state attack. What are you going to do about that? If a nation state decides to attack an individual company, there's only so much that you can do about it. We don't have 10,000 people looking through all the lines of code all the time. Right. So get to a point where you have to accept that there is a possibility and even a probability that a breach is going to happen at some point and you have to just prepare for that. And I hope that that's what I've learned out of this as well. As an individual being part of the company and just kind of I think the important thing was keeping an eye on how we as a company were responding to that. How we helped our customers afterwards was really important to me. And I did my level best to interface with our customers and help them update and understand what was going on.
Chrystal Taylor (06:44)
And that's all I can hope for.
Karissa (06:46)
Yeah, that is really interesting. I love to hear definitely the employee side of it. Okay, so there's a couple of questions coming up in my mind now. I did see CEO. He was quite open, vocal. I've read a lot of things online about, this is the mistake we made, this is what we're doing to fix it. Do you think that because the Solo and CEO did that, it disarms a lot of people? They're not like, looking for answers because, as you mentioned, a lot of people don't want to talk about it, but then when they don't want to talk about it more, people are really drilling for answers.
Chrystal Taylor (07:15)
Yeah, I definitely think that it helped sway things a little bit. Right. Him being transparent and sharing what we could share and sharing, that was all we could share, helped answer people's questions right out of the gate so that there weren't so many people that were just you make assumptions in your mind, right. Even as an individual watching the news or whatever, you see a headline or you see the way something is presented and you hear it from someone else, and you start to make assumptions in your own mind. And I think that kind of cut that off before it could really take off and gain a lot of steam. So him answering things and sharing what we knew and what we could share cut all of that off before it could get too out of control. Because we're in the age of the Internet, of course. Everything can and will get out of control, most definitely.
Karissa (07:57)
Each with a trial start. And then all of a sudden it's prolific out there. So you said that you were on the front line at the coal face of all your customers, which is excellent. How do you handle these conversations? Were people very open to what you had to say? Were people a little bit disgruntled or talk to me a little bit more about the dynamic?
Chrystal Taylor (08:13)
Yeah. And I talked to during the time and even since then, for the most part, has been really understanding and just wanting to get it to a point they're not looking for the individual to blame. We did have customers that left that's understandable. We did have customers that stuck around. And I think that the conversations that have happened in the two years since or almost two years since that happened have been really interesting for me. It's been a lot of them were loyal customers for years and years, and they're not about to walk away just because something like this happened. It was really an answer of, how quickly can we fix it? What is happening to be fixed? And sharing the information that we're doing to prevent a similar attack in the future really secured in their minds that we weren't taking it lightly. We weren't just saying, oh, there's been a breach. Here you go. Change your passwords. Move on with your life. We're taking drastic steps and changing the entire way we build software. That was what we were doing. So sharing that information and being able to be transparent with what was going on, or as transparent as possible, I think really helped undercut a lot of the hostility that maybe could have happened.
Chrystal Taylor (09:16)
And people were really just interested in getting to a position where they weren't vulnerable as quickly as possible and then starting to ask questions after that. That was generally how it went, and for some of them, it was just disconnect everything from the Internet or turn it all off. And not that long ago in June, I was at Cisco Live in Las Vegas, and I had several people who were very excited to hear where we'd come since then because their service had just breen off since the breach. They didn't get rid of the software. They had just been off. They had to take it offline and till it could be dealt with, until they felt comfortable. So the more information that we've been able to share and all of these individuals were lovely and open to having conversations. Some of them are quite critical because something happened and they were vulnerable and now they have to answer to all of their customers and all of that. Right. So the criticality is going to happen, but as long as you can maintain a professional conversation about it, I think that we've been in a really good space.
Chrystal Taylor (10:08)
It's been really positive for the most part.
Karissa (10:12)
Yeah, that is really fascinating to hear because this is the stuff that I'm really interested in. Because again, like how how did you guys manage to rebuild trust and repair trust in the market? And do you think as well, additional to that point, after a while the dust settles because now 2020 was relatively a fairly long time ago because look at all the other breaches that have happened. Do you think not necessarily people forget, but then the next breach will come up and then that company is on the radar.
Chrystal Taylor (10:42)
Yeah, I definitely don't think they've forgotten. I see it mentioned all the time or comparisons and that group is often referred to as the solar winds hackers. It's definitely not gone away. I think part of that is because we took responsibility at such a vocal and kind of visible level and we were talking about all the things all the time, which I see only as good things. But it does mean that we're associated now with that whole thing very visibly, people remember it. Even individual people who have nothing to do with tech remember it. Right. Because government agencies were vulnerable at the time and so it was a big deal. I don't think that they're going to forget about it anytime soon. I think that we would like to take it as a learning lesson and we have done a lot of learning from that. And hopefully the wider three also has taken that as a learning lesson. I think that people do sometimes forget after a while and eventually something brazier will happen that they'll forget about us for a while. But I think for the near future people are still there for them.
Chrystal Taylor (11:42)
Because like I said in articles and news articles and anything that group are involved in, you see the reference as right back to. So even if people were to forget, I think it still keeps getting reminded us, remember when this happened, it was bad and these are the same people and now they're doing something else. So I think we've become matched up with them in an unfortunate way, but I don't necessarily think it would be a good thing to forget. I think that we have to maintain those lessons, we have to maintain that learning and say this thing happened, but we don't want it to happen again. So what did they do about it? How did they handle it? How are they making it to where that type of attack can't happen again and what are they doing about it. And that helped us rebuild trust. All of our collaboration with the governmental agencies, with other industry, other industry tech companies and all that, where we're trying to share what we've learned and improve that. And we built a whole new build process, first of its kind, in the industry, in order to combat this type of a threat and hopefully other threats as well, because it is much more secure.
Chrystal Taylor (12:47)
And that's what we've done. And we've shared not the individual details, but as much as we can share without you making ourselves vulnerable about how we have combat that and how we're continuing to evolve as we go. And I think that's really interesting. We haven't stopped updating people, right? We continually update our customers on what changes we're making for security, why we're making those changes. And I think that that's where we should be going as an industry. I think that oftentimes can get on the back foot, right? Individuals that work at companies and that they see it as an obstacle almost, right? Like they don't want to do multi factor authentication for everything. I have to do it even whenever I try to put PTO in, right? I have to do multi factor authentication for everything. But people see it as like an inconvenience. And we've reached the point where we've taken a learning from that. We've rebuilt everything, we've made a new build process, we've implemented red teams, we've done a whole lot of other things that are designed to make us more secure. And not just us, but our customers by comparison, right?
Chrystal Taylor (13:48)
Because it involves our software. So all of that stuff, everything we've built since then, everything that we've focused on, has been on improving all of that so that our customers don't have to worry about it. And I think the transparency and the sharing of as much information as we have been able to share has been helpful in rebuilding trust. And that's what I've seen personally talking to customers as well.
Karissa (14:08)
So, Chrystal, in the Australian market, there was a large telco breach. Now people online have been claiming the company didn't respond well. So I'm curious to hear from your thoughts and with your experience that you've gone through, what does responding well look like and then what does not responding well look like from your perspective?
Chrystal Taylor (14:28)
I think that I've seen some examples of not responding well and some of them not responding well to me looks like shifting blame. And it looks like when you see an email and it's too late. Right. Sometimes they delay a long time, they don't want to address it right away. But the problem with that is that unfortunately, people find out these things and then they spread that news around and then you're starting off on the back foot with them. So I think that one of the things that, like I said earlier, I think what we've done really is that our CEO came out at the forefront, talking about all the things that we're doing, very transparent, sharing everything that we can share and not trying to blame anyone, right? Maybe that's a product of it being a nation state attack. Is that what are we going to do about that? That's a lot of people that would be part of that, theoretically, but I don't know that it helps anyone to blame people. And I think that when you start to see that, you start to make jokes, right? You'll see jokes online, you'll see the memes, you'll see the trolls, and when you give them fodder, it doesn't help your cause.
Chrystal Taylor (15:34)
And it looks like bad response. And another bad response is just that I've seen is sweeping it under the rug almost where you are forced to say that there was something that happened, but you're not explaining what you're doing to prevent that thing from happening again. It's just so we fixed it, it's over and it's done. And they don't give any details. And I think that's a mistake. I think that we have reached a point of technological understanding where even if you're not part of an infosec group, even if you're not part of a security team, you have some amount of understanding where you then say, I don't know that this isn't going to happen again. They haven't given me any information that says they're doing anything about it, so I don't want to work with them anymore. And I think that's poor response, I think a good response is like meeting them at the forefront, answering the questions before they're asked as much as you possibly can. Like I said, I know some things are delayed because of investigation, but even if the answer is we're currently investigating that, that's more than I've seen in some screenshots of emails received from companies.
Chrystal Taylor (16:35)
It's just interesting to see how people respond. I think being responsible and being transparent as much as possible is the way forward. I think honesty is appreciated by everyone. Even if there is something that happened that was an individual's fault, for instance, you're not going to solve anything by shifting the blame or by saying it's this thing or that thing. Maybe you'll answer some questions and I think people end up using it as like a scapegoat. Like I don't have to answer any other questions if I tell you whose fault it was and that's, I think.
Karissa (17:11)
A mistake, yeah, no, that's excellent. I love your answers. I think that's a really great way of looking at it as well. Do you think if I look at it a different way, I mean, it was an awful thing that happened, but do you think there was maybe the silver lining that as you mentioned before, Chrystal, that it's enabled SolarWinds to change the way you guys build software now? Like it was the sort of the catalyst or there was an impetus there to change because you were forced to. So do you think that maybe that's like a nice silver lining with the awful thing that did happen? Of course, but there's good things to come from this.
Chrystal Taylor (17:44)
Yeah, I definitely wouldn't wish it on anyone. But I do think that the learning that we took from that and the sharing that this whole new mindset of the Secure By Design platform and sharing what we can to help everyone improve and working and collaborating with others in order to improve Cyber security stances in the software build process and even just in our company. I mean, there were a massive amount of changes not just to our software build process, but to every aspect of security in our company. So I definitely think that was a good thing. I think one of the problems that generally comes about is that like I said, security is an inconvenience. So a lot of companies and companies I've worked at before, you can work your way around things, right? You can say I don't want to do this or I don't want to do that. And so you find ways around things. And I think that this has sharpened our senses in a way, right? Like everyone is more aware, everyone at the company. And one of those things that is the most difficult to raise awareness is in the non It people, right?
Chrystal Taylor (18:46)
We've got people in sales and marketing and operations and wherever else, like HR, whatever those are. People that don't generally have unnecessarily a good awareness of good cybersecurity Practises as an individual user. And I think one of the things that came out of this is that you everyone has a heightened awareness and I think that can only be a good thing right there. It improved everything about our security posture or it caused us to improve. It didn't improve it. It caused us to take a step back and really sit there and ask questions about how we can prevent things and how we can improve things in any way. And I think that's been wonderful. I love to see new things come about right, that are explained and why we're doing those things. And I think that's really important to our company culture as well because it shows that we didn't take it lightly. And even internally, as an employee, I think it's really important to see that stuff, see the changes that they're requiring of us and why we're making those changes. What's important about it for me to see that because I constantly am talking to non technical people about improving their personal security posture.
Chrystal Taylor (19:54)
I think that it is lovely to see and to know that those things are things that are raising awareness among non It people.
Karissa (20:03)
So I'd like to switch gears now and talk about 2020. Started a large conversation around supply chain attacks and then I guess additional to that, COVID created more strain on supply chains in general, we couldn't get things in the country, especially where we are here in Australia, because we're so far away from like, other parts of the world. Talk to me a little bit more about this from your perspective.
Chrystal Taylor (20:25)
Yeah, the pandemic really screeched a lot of things to a halt in the beginning and it really was hard for everyone to recover. I think just in general, right, there were labour shortages, there were product shortages, factory shutdowns, there's all this geopolitical things going on and all of that is causing problems in the general supply chain. And then you also have on top of that, the accelerated digital transformation that was caused by having to send everyone home. Right. You didn't want to stop your business, so you had to find a way to get everyone to work from their house. And that's been really fascinating to me to watch the people, because now you're starting to see where everyone's starting to look back and say, oh, maybe that wasn't the right fit for us. We had to make a decision. You had to make a decision at the time. You had to adapt. That's what we do in the tech industry, you adapt. And it's very interesting to watch how quickly everyone was able to adapt. But that also means that there are increasing vulnerabilities, right? So adding all of those factors in and also in turn the CICD has become more and more popular.
Chrystal Taylor (21:33)
Right. As I said earlier, people have expectations that things are going to happen more and more quickly. Not only your response to things needs to be faster, but your changes, your release schedules needs to be faster. The expectations are so high and they continue to get shorter time frames. Right? The expectations are high for that stuff. Even with the supply chain things, right? Even with all the things that they've seen in the regular supply chain, like, I'm not getting my packages and as quickly as I used to, we still have the expectation that we're going to get those and then we get so irritated when things take longer. And even though it's obvious that those things are happening, it still doesn't stop us from trying to make things faster. But the problem with becoming more quick, right, we have faster pace of business, we've got more rapid software release cycles, you have to continuously update and improve and all of that to remain competitive. That means that security vulnerabilities can make their way in and a little bit more easier. They don't have the same amount of time to look through everything and find all the problems and all that.
Chrystal Taylor (22:42)
And even still, even five years ago, the likelihood of them being able to find all of those things, bugs or bugs, they're going to happen, vulnerabilities are going to happen and really it should be more about what you're going to do to prevent that. And also how are you responding to those things. So I think that it's been really interesting to see how all of that has happened. But I think the biggest thing that happened for tech specifically that added vulnerability was the rapid acceleration of digital transformation. So even companies that normally would have had two or three year plans where all of a sudden having to make decisions and implement things instantly and a lot of that is still in place, right? They maybe haven't done assessments to decide if that's really the right fit for them or if it cheques all the boxes or if their security is in the right place or if everyone has the right mindset to make sure that there's no negligence and that's a struggle. User negligence, human error is a thing. It's going to always be there and we are able to address these things a little bit better now with Observability and with AI and machine learning.
Chrystal Taylor (23:48)
That helps augment us a little bit because we need it, we need something else to help us out when we're trying to be faster and faster and faster.
Karissa (23:57)
Yeah, that's interesting because you are right, people do get irritated now when things are like 1 second late. There's this expectation now. So do you think that when people get this expectation of the velocity of how things are being deployed, it then puts additional strain on security then? Because we just got to rush this out, we've got to push this release, we've just got to do the next thing. Our sprints are getting shorter and shorter because we need to get these things quicker to market but then with that can sometimes create oversight from a security perspective. Are you seeing a little bit of that as well?
Chrystal Taylor (24:27)
Yeah, absolutely. I think that's the case. I think that as with things like accessibility, the more you involve it, the less time it wants take. I think the problem that generally we have is we don't want to deal with it and so you put it off and you put it off until the last minute and then all of a sudden it adds like X amount of time and so you don't have time maybe to go through all of that. But if you're continuously checking and updating and going through your cheques with your security cheques and making sure everything is going through, if you set up your processes to where you're doing it continuously instead of waiting to do it at a certain time, or waiting until the end or any of that stuff, it will actually take less time overall. So hopefully businesses are making better decisions on including their security posture, right? Including that as part of whatever they're doing, if they're building software, if you're performing services, whatever they're doing, if they make security a part of it from the beginning and have that kind of conversation channel be an open thing instead of it feeling like a burden, if we can see them more as.
Chrystal Taylor (25:27)
A partner, then I think that our security posture as a whole will all improve. But it will also take a lot less time because then we'll know expectations. One of the things that I think happens a lot is you don't really know what the security team expectation is for you. You don't know all the things that you need to do. You're just in a mindset of someone told you to build this thing or do this task or whatever and you're head down doing that thing. So you maybe don't take into consideration until later when someone says well what about this or what about that? And why haven't you done this to this specification or whatever? And I think that if you can have that kind of open door conversations and see them as a partner because I think that your security should be your biggest partner, if you see them as a partner and you keep that kind of continuous conversation going, then we'll be all in a better place and you won't have as many vulnerabilities. May still happen. Obviously I do think it's when, not if, but you can prevent a lot of the more common ones and you can make sure that you're doing your upgrades and your updates and keeping up with things that need to be happening.
Chrystal Taylor (26:30)
Because I think that's also a problem, especially with the things that are enclosed environments in that they don't do updates as often and that also creates vulnerabilities. Right? Yeah, they won't do it until it's like a critical thing, until someone has already discovered a breach. By then it might be too late. I just find that all very interesting and I wish we saw we as a whole in the tech industry saw security as our partner in everything so that we can all kind of improve.
Karissa (26:55)
So I'd like to talk about secure bot design. SolarWinds CEO has publicly spoken about what SolarWinds will do to further ensure security for their customers. I've read a whole bunch of literature online. I've seen some videos that your CEOs come forward to talk about in quite extensive detail as well. So maybe talk to me a little bit more about this. And is this adjacent to what happened with the breach in 2020?
Chrystal Taylor (27:18)
Yeah, absolutely. I definitely think Secure by Design came about as maybe the breach was a catalyst, as you said earlier. The silver lining is we learned a lot from it. And the new build process, I do believe that part of Secure By Design was in direct response to that because it involves the way we changed the way we build software. The way we built software before, which was like an industry standard, is how we got compromised. And in that we have taken and learned and created a whole new build process which is all about building in parallel environments in containers that self destruct effectively. So you have a developer working on this part of the application and then they completely document all of it. And they pass the documentation to another developer, who then builds it in a different container just on the documentation. Neither has access to the other environment. And then throughout the whole thing, you have a whole different validation pipeline. That's a highly secure environment that's checking the security on both sides the whole time, making sure that everything is matching up, that we're seeing the expected information at both. They need to be signed and sealed and delivered exactly the same and that's definitely different than the way we used to do it, for sure.
Chrystal Taylor (28:33)
So that is a direct result of the attack because our supply chain, our build process was compromised and so we took a look and said well, how can we prevent this same type of thing from happening? And this is what we developed as the new build process. Additionally to that, because we weren't able to determine the exact point of the point of ingress where the person was able to compromise. So it could have been a third party application, it could have been a phishing attack, but we still don't know. Even after the investigation, we still don't know exactly what the point was. So basically we just started to protect against all of those things, which is all to the better I think. Now we have implemented processes for enforced policies based on CISOs scoring. We are validating third party dependencies, haven't changed underlying the code the whole time, we have ramped up access control, we are in a zero trust and lease privileged environment now. Everything is that. I think that those are all wonderful things and that's not even to mention that's all the software side of things, just employee side of things. We also as I mentioned, we ramped up a lot of things.
Chrystal Taylor (29:37)
Multi factor authentication for everything. We have increased training for employees across the board and it's just been increasing our endpoint protections and data loss prevention solutions. And we have just done so much over the past two years and continuing to make improvements right as we go, as we've seen new things that were like, oh, that might be a problem future, let's take care of it right now. So I definitely think that's really important and has created a more secure environment both for us as employees and for our customers. The way we build software has fundamentally changed in a way that we can ensure that it is more secure and that the type of event that happened to us is not going to happen again.
Karissa (30:21)
So how do you sort of start that conversation from a leadership perspective? Because all these things that you just mentioned, there's a lot of things going on there and it's not just super easy, just like flick on a light, okay, we're done, we've implemented secure by design. I mean there's a lot of factors that need to be considered as well as taking different teams on the journey to make sure that, hey, we've got all these 500 things to do, team by team. So how do you sort of navigate that and manage that? Because you take a step back, it can be quite overwhelming because there's a lot of things going on here, a lot of complexity to it as well.
Chrystal Taylor (30:53)
Yeah, there certainly is for us. We had a catalyst, right? But I think for others, if you need to use other events as a catalyst to help make your argument, I don't think there's anything wrong with that. You definitely don't want to be in that position to be vulnerable to a nation state attack or the lock for Jwin, which was really big deal, or any of the other attacks, right. You don't want to be vulnerable to that. Not only because you don't want to be in the spotlight in that negative way, but also because theoretically you care about your customers, whoever they are, whoever your customers are, if they're internal customers, external customers, whatever you're doing as a business. And whenever that happens, right, everyone has customers and hopefully you care about that enough to care about these things. And I think to start having the conversation, you just have to look at the threat landscape right now. In the last two years, there has been more high profile breaches than I can remember in the last ten years. And not only that, but the same supply chain attacks have become more common, right? They're happening more often than they have in the past.
Chrystal Taylor (31:58)
And not only supply chain attacks, but other types of attacks, you can go out and basically pay a service to do it for you. Now, I've definitely seen conversations around that and it's wild to me that at this point, after the last several years of high profile things, that you're not going to take security seriously. So I think you just have to start somewhere. We, for instance, are crafting software, so it made sense and we had our build process compromised, so it made sense to start there. But it was a simultaneous effort, right? It was a simultaneous effort. Immediately we went to multifactor authentication everywhere, not just in the places we already had it, but everything got updated and it takes time, but you have to be committed to improving those things so you can move forward. And like I said earlier, it all builds trust as well. I mean, if your customers are feeling more confident in their security and their data security with you, then they're going to be more willing to spend more money with you. So I think that is a good argument to go to leadership with if they're having some struggles making conversation about it.
Chrystal Taylor (33:02)
Build trust. Building trust and ensuring that everything is more secure so that your end users, your customers, whoever feels your stakeholders feel more secure and that you're less vulnerable, I think that you'll find that they're more willing to have conversations with you, more willing to expand. Maybe whatever they're spending with you now, maybe they're more willing to expand it because they can see that you're taking steps to keep them secure.
Karissa (33:29)
So I'd like to look on the horizon now in terms of the roadmap for secure by design within SolarWinds. What can customers expect moving forward from you guys?
Chrystal Taylor (33:39)
Yeah, we recently released a hybrid cloud observability product, and I think observability is a good place to start on how we're improving security posture. And that's not just our own security posture, but helping customers improve their security posture. Right. Being able to look at all of their data together, use AI and machine learning to determine when things are anomalous, for instance. That is all where we're going. That's what we're working on. That's what we're improving upon our existing 20 plus years of software experience and monitoring experience and taking all of that lovely data and learning from that and being able to be more proactive and not just reactive, because that's, I think, where we all want to be. We want to be more proactive. We don't want to have to deal with them after the fact because then you have the questions of how do I respond to these things? You don't ever have to respond to them. You don't have to think about those things to think about it that way. But yeah, digital transformation has been happening and so everyone's kind of in. There are some distributed, some hybrid, some people are still fully on premises.
Chrystal Taylor (34:41)
And wherever you are in that place, you need to have visibility and observability in there. You need to be able to see what's going on. You need to be able to make informed decisions about what you can improve to prevent problems on your side. And that's not just for vulnerabilities, but that's where we're at and where we're going. And as far as secure by design goes, our software is now built in this new software built environment. And I think we're only going to continue to improve and make adaptations as we see necessary based on the threat landscape. And we definitely want to be more preventative than anything else. We don't want to go through another situation like that. Although, as I said, sometimes it's a matter of when and not if. I think that those actors are going to find if they find a way in or there's phishing attacks and phishing attacks and all of that. There's so many different vectors for threat actors these days that you need to be able to be as proactive as you can and make sure you're using good endpoint protection and to make sure you're doing training and visiting Zero.
Chrystal Taylor (35:38)
Trust and least privilege and all of these things are ways that we can limit and do our level best to prevent those things and hopefully prevent problems from, like, employee negligence and those kinds of things. We definitely want to do what we can to be as secure as we can, and we're continuing forward in that vein.
Karissa (35:56)
So, Chrystal, in terms of closing comments or any final thoughts, would you like to or what would you like to leave with our audience today?
Chrystal Taylor (36:04)
As I mentioned earlier, I do like to talk to people about security, and I would like to encourage everyone to talk to people who are not in it about improving their personal security. It's a real problem that they don't understand, right? Everyone downloads a bunch of apps to their phone and all that, and they don't necessarily cheque permissions. They're not understanding lease privilege and all of that. And aside from the person, I think that's important to talk to them about it and to make sure that they know what's going on, reduce their risk. And aside from the personal factor, I think that we do access controls as well. And I didn't bring it up, but I want to bring it up now. Access control is a real problem. People move teams, and their access are not changed. You need to do regular assessments, you need to do regular changes and visit least privileged access because those things are where vulnerabilities sit just due to negligence. And I think that if we can prevent the negligence based things, we'll all be in a better state.
Karissa (36:59)
Excellent. Wonderful thing to leave our audience on today. Chrystal, so thanks very much for sharing your thoughts, being very open as well about the SolarWinds breach that happened. And I really wanted to get inside your mind to understand from your perspective as an employee, how did that look for you to give perhaps our audience something different to consider? So I really do appreciate your time for sharing your thoughts and your insights today.
Chrystal Taylor (37:22)
Yeah, absolutely. Thank you for having me.
Karissa (37:24)
Thanks for tuning in. We hope that you found today's episode useful and you took away a few key points. Don't forget to subscribe to our podcast to get our latest episodes. This podcast is brought to you by Mercsec, the specialists in security search and recruitment solutions. Visit mercsec.com to connect today. If you'd like to find out how KBI can help grow your cyber business, then please head over to KBI. Digital. Podcast was brought to you by KBI Media, the voice of cyber.