SolarWinds security chief on the risks and rewards of being a CISO

As the chief information security officer of SolarWinds, Tim Brown had a front-row view of the company’s 2020 Sunburst incident — where the Russian Foreign Intelligence Service inserted malware into a version of SolarWinds’ Orion IT monitoring application.

The hack gave Russian operatives a foothold into high-value targets including several large companies as well as the Defense Department, Justice Department, Commerce Department, Treasury Department, the Department of Homeland Security, the State Department, the Department of Energy and more.

In the aftermath of the incident, Brown found himself at the center of a landmark decision by the Securities and Exchange Commission (SEC) to charge him and the company with fraud for their role in allegedly lying to investors by “overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks” from 2017 to 2021.

The case became a rallying cry for CISOs, and last year a judge threw out most of the case, arguing that the SEC’s charges against SolarWinds “impermissibly rely on hindsight and speculation.”

At the RSA Conference in San Francisco this year, Brown spoke to Recorded Future News about the protection CISOs need, Russia’s continued attempts to launch attacks and how companies can navigate the treacherous waters of cyber incidents.

The conversation below has been edited for length and clarity.

Recorded Future News: What advice would you give to organizations going through a breach or cyberattack?

Tim Brown: One of the things I think that we could have done better, from a news perspective, is to have some really trusted news partners from day one that we could call and be very transparent to them and say, ‘Here's what's happening. Do your own research. But here's what the truth is.’

A number of things that were written, since we weren't talking to the press, were from people who had left the company six years ago. It was explosive, and they wanted it to be explosive. They wanted to say everything was terrible.

During an incident, you're just so overwhelmed. Every news outlet in the world was looking at us.

But the transparent communication that came out of this was something that I think we took forward. And the fact that we still have 97% renewal rates because of our transparency during that has helped us maintain that trust. 

We also brought in great help. We were lucky in many ways. I know this is strange, but we were lucky because the incident was so large and so public that we got the best of the best help. Sometimes real bad ends up being good for you.

[The Sunburst incident] had been leaked to the press and it was going to come out on a Sunday, so we had a day to prepare. Time is not always on your side. Did we have a choice to go public? No. But the approach was very important. 

Our primary focus was that our customers were potentially in very much danger, so how do we get them out of danger? We're going to make sure that the customers get healthy. We didn't know how many [victims the Russians] went to the second stages with. We just knew 18,000 customers, so we had to take care of all these folks.

One of the things that we also proved is that you can get through a major incident and still come out healthy. It's not an extinction event if you do it right.

RFN: What do you tell CISOs who look at what you went through and say ‘Why would I want to deal with that?’

TB: The job is still great. You're making a difference and working through things. It could be one of the most rewarding things to do. We expect change. We like change. We like to redesign. We like to modify things. We like to have things moving around. We'd be very bored if we just did the same job every day. So as new technology comes in, AI, how are we going to fix it? What are we going to do? 

The job itself is still one of the best jobs in the world. The position is very young. We're 30 years old, that's it. The first CISO was maybe 32 years ago, so the industry is just maturing. I tell people to be patient. 

I tell people to make sure that they have the conversation about liability with their company. I tell them to use me as an example and say, ‘Here's what happened to Tim. The company stood by him, but he had very large legal bills and had to have a personal attorney. What are we going to do in that situation?’ Just ask, ‘How are you going to have my back if this happens?’ 

RFN: The CISO community is very close-knit and largely backed you through your SEC trial. What was it like to go through that and have the support of other chief security officers?

TB: The community was very understanding from day one of the incident. If you're in the field, you realize that it can happen and it's not under your control, and you don't ever want to see it.

You can't expect a town to combat the Russian army. A well-run mission can get through and bad stuff can happen. Most CISOs realize that. I remember conversations with one of the guys who said, ‘Boy, Tim, you look terrible.’ And the next day he said, ‘I'm glad it happened to you and not me.’

I think we all share a mission. Our mission is to protect our company. Our mission is to do the best we can. Our mission is to try to combat the adversary. We're not each other's adversary. I've got a couple of initiatives going on with CISO groups to make it so that we can share more non-proprietary things that we do because we're always starting at zero.

RFN: There has been significant debate about the U.S. Securities and Exchange Commission’s role in cybersecurity and measures it has taken to penalize companies for various failures. Looking back on what you went through, what role, if any, do you think the SEC should have in regulating cybersecurity? What do you think about larger efforts by other federal agencies to govern cybersecurity?

TB: From an agency perspective, CISA is extremely helpful for us. They were an incredible partner for us. They were there the morning of the [SolarWinds Sunburst] incident. They were with us for weeks after at 2 a.m. and at 6 a.m. One of the biggest roles that they played was in amplifying the truth. 

There was a lot of noise going around everywhere. We were trying to explain what versions were safe, what versions needed to be updated, what you would need to do for each version, what you would need to do if you saw activity from Russia. They put together with us documentation that outlined that.

Their documentation referred to ours and our documentation referred to theirs, so it wasn't SolarWinds and Tim Brown saying, ‘Do this.’ It was CISA. It was ‘Here's proof that this version is safe. Here's proof of these things. Here's our internal threat hunt team or external CrowdStrike validating that what we said was true.’ 

With that independence and power and kind of authority behind what we were saying, it really helped give people comfort to upgrade or to investigate or to tear down a system and bring it back up. They were an incredible partner through this. The FBI was also a good partner. They were collecting information. I'm sure they had a part in the attribution to Russia as well. So a lot of folks helped in this whole thing. 

RFN: Throughout the conference, in both off-the-record and on-the-record conversations, there is a tacit effort among some government officials to downplay Russia as a nation-state cyber threat. As someone who dealt with a Russian attack, do you still think Russia is a significant threat to U.S. businesses and government agencies?

TB: The way that I described the activity that Russia did was a very thoughtful, extremely well-run mission. They were stealthy. They were quiet. They did what they needed to do. They didn't make noise around the outside. For example, they did a test run in October with 10 lines of code, and then they came back in February with the 3,000 lines that were Sunburst and they kept that in play for four months — February, March, April, May, June. 

In June, they left, pulled everything out, and they shut down their command-and-control server in October. But their idea was to taint certain versions and then not get discovered. So for them, the thing about leaving was just brilliant, because we're on to our next version. How often do you go back and look at the old [version of software]?

They blocked it from running inside of our domains and blocked it from running in about 100 different domains so our testing would never find it. A lot of thought went into the attack and then the aftermath of the attack. 

It lasted a couple years, so that's also patience to be able to do that. Do I think some of those have happened in other places? I'd be naive to think that they didn't. 

Do I think they are continuing? I think they have maybe slowed down because of the situation in Ukraine right now, but to think that they're not still doing things [is wrong].

But what I've heard here and in other places is that China is increasing their ability to do very mission-centric attacks and very thoughtful attacks and patient attacks. So it's the level of their maturity. People have said that it's increasing as well. So you've got Salt Typhoon — very scary, right? 

I think we have a lot of focus on China, but let's not forget Russia. They're still important. Their motivation was information stealing. But one of the very important inflection points of the [Sunburst] incident was the payload. It could have been anything that they put in. 

RFN: We were talking about how long you’ve been a part of this industry. When you look ahead, what are some things that give you hope and some things that terrify you?

TB: When you’re in it for a long time, you see things others don't. People think zero trust is new but we were talking about it 15 years ago with deperimeterization.

We have always made changes, we have always adapted well to change. It takes time to adapt, to change, but we adapt, we utilize. We get better, we get better. We get better. We really perform our mission of protecting our companies, protecting people, protecting the nation, and we keep that in mind. We just have to be a little patient with the amount of time some things take. Just like the CISO role, we're just going through a maturity curve. 

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.