When a cybersecurity breach happens, expect things to go crazy. You will have to deal with legal teams and an all-out investigation with the authorities. You will have to find out who did it as soon as possible. Is it an attack from the outside or due to neglect from someone on the inside? How are your customers doing? How can you prevent future attacks? There are a lot of things that you can learn from a cyberattack, and the guest today has been through a massive one himself.
Join Matthew Stephenson as he talks to the Vice President of Security and CISO at SolarWinds, Tim Brown. Discover what he has learned from the Russian attack on their company in 2020. Find out the lessons he learned from addressing, mitigating, and resolving such a serious incident. Tune in and learn what to do when a crisis strikes your precious data.
Tim Brown: Lessons Learned When Crisis Strikes
We are excited to welcome Tim Brown to the show. He is the Vice President of Security and CISO at SolarWinds, where he oversees internal IT security, product security and security strategy. Previous lives, many years in security and technology. He has had executive leadership positions in security and product at some companies you have probably heard of, including NopSec, Dell, Computer Associates and Symantec. Tim, welcome to the show.
Thanks, Matt. It is great to be here.
We should get the elephant out of the room up front. Given the list of companies on your CV and what you do, you went from Symantec to CA at the peak of their rivalry. That feels like going from the Lakers to the Celtics or the Packers to the Bears. What is it like making that cultural change as a part of senior leadership?
It is a shift, no question. At Symantec, we decided early on that we were the world leader in security. That was not a tagline. We decided that was what we were. We built up a good solid security portfolio and a reputation around security. I remember at Symantec, IDC did a study and it said, “Who are the leaders in encryption?” We got to number three. We didn’t have any encryption solutions. How do you like that?
Our marketing worked extremely well. People believed that since we were the world leader in security, we had encryption solutions. The jump to CA was an interesting one. Symantec had gone through its transition. We bought Veritas. We had edged a little way away from our security monitoring to some other places.
I ran a CTO for the security unit for CA, and we had a lot of good identity solutions. Identity was where I was prior to Symantec. I built identity products and ran those businesses. We decided to divest them. When I got to Symantec, I was going back to my roots of identity. It was a good move over to there. I was there for several years, and we built out a good security program there.
I promise we are going to get to the questions everybody’s dying to know the answers you are tired of talking about. I do find that shift between those two companies in that era interesting because, as you said, Symantec was in acquisition mode. They went from being pure security play to data protection.
CA is reading and reacting. To make the sports analogies, it is like when the Yankees and the Red Sox are both signing big-time free agents to add to the portfolio. As you are building that thing and the reputation of a company with acquisitions, what pressure does it put on you? Let’s say you are one and be one. We are the leader in security because we said so. How hard is it to execute on that, deliver and not come out on the other side the following year?
Delivering is the hard part. I did, for both companies, a lot of thought leadership, driving direction, patents, innovation, and those types of things. Both companies didn’t have a lack of vision of where they would be going, but execution was the issue. Execution from a number of different stuff. I feel bad that Symantec lost its cachet and allowed it to happen. Its technology was as good as many. They didn’t talk about it. They didn’t move forward. The ideas that were in place were not executed as well as they could have. Sometimes that is the result of size, complexity, and a number of different things, where you get small companies that have come in and eat your clock in the end.
The CA focused on the top 60 customers of the world, the Fortune 60 and Fortune 100. They did well with those sets of customers, but they let the rest of the world go away. That is where they fit. It is important to understand what markets you are going after, where you are trying to head, and what you are willing to give up to get there and try not to sacrifice the innovation as you move forward. That gets harder the bigger that you get.
Full disclosure, I spent time at Symantec and as a reseller for CA. I have a little bit of the ink from both of those companies on my finger. In your tenure, is there anything interesting happening since you have been at SolarWinds?
I spent a lot of time building engineering teams, doing a lot of things, working on security products and working on security solutions. It helped a lot of CISOs through their journey. I said, “On my next gig, I wanted to go off and do one and get into the weeds of the operation.” I joined this smallish software company. It is a $1 billion software company called SolarWinds several years ago. I was doing some great things and moving towards zero trust, building up the security program, making it stronger, and doing a lot of good things.
I had a little disruption a few years ago. That changed everything. That changes the role that you need to play. That changes what went on. We had a good program, and the program wasn’t good enough to combat the Russians. It wasn’t good enough for that level of the threat actor. We are spending about 110% of what the industry spends on an average for security. It wasn’t like we didn’t have a program in place and that it was easy. Russians run a tight and solid mission. You could see that in their attack against us. You could see that in the secondary attacks against our customers.
The code they designed is thoughtful in what it did. It is mission-centric in what they were trying to do. That is a type of adversary we face now, and good can come out of this. It is us realizing that these actors exist, are out there, and after larger control or bigger payday. They are willing to be patient, take their time, and run a solid mission to get where they need to get. The good part of it is, hopefully, we use this as an inflection point to change the world in some ways.
How difficult is it when an event happens that you had to deal with at SolarWinds? I’m going to try not to always make it about sports. We could talk about it as chess, poker, or bridge, where you have played a brilliant game match, whatever chess is called. Sometimes you get beat. That is the tough thing. You are spending 110% of the industry standard. Sometimes, somebody outspends you, outbound you, or out-verb you. You have to answer these questions. What does that do to your position, both internally and externally?
It is always a tough situation. As a defender, you need to be right 100% of the time. The attacker only needs to be right, 1%.
Not even 1%, once.
You shut all the windows and doors, and they find a crack. Is anything perfect? Perfection does not exist. Smart defenders realize that perfection doesn’t exist. We do the best we can during times. We do what we can to protect the environment. We do all of those things. Sometimes, depending on the adversary, it is not enough.
How do you deal with that? First off, you own up to it. That is step one. We did not deny it happened. We came out and said that it had happened. We try to make it a learning event for others. You tried to make sure that people realize that here is what the effect of that was. Take customers first. Make sure that you can give them help. You can get them into the right place. You can make sure that they are as affected as little as possible.
Sometimes, depending on your adversary, doing your best is not enough. Therefore, you just have to own up to it and learn from it.
We did things like the Orion Assistance Program. We paid for upgrades for customers. We tried to work with them. CISCO was a great partner in amplifying the truth and saying, “None of this BS. Here is what the truth is. These versions are safe. These versions get off of them. Here is what you should do if you saw the initial when you were running it. You didn’t see any effect. Therefore, you are okay. You were running it. You saw communications back and forth to a command and control server. You have to be able to rebuild. Here is what you need to do.” Get partners early in the process so you can tell people what to do, give them the right information, and get themselves safe. You take on the secondary activities of how you reinstall confidence in the world.
You got a little bit into the next question that I wanted to ask, and you tell me if this is repetitive, but how do you balance the reaction? You have to deal with remediation and handle the security aspect of it. Reputation repair is also something that you are going to be part of, whether you are front-facing for all of it, for any of it, the strategy, but both internally and externally. How big was your plate? People say, “I got a lot on my plate.” How big was the plate that you suddenly had to deal with?
The plate gets you full quickly. I remember on a call with a few hundred folks from a large corporate entity. We are talking about the incident. I got my general counsel on the other side. He was like, “Tim, I need you right now.” That is what the first few weeks were. They were all like that. There are constant pressures from many different areas.
I was a translator. Think about translating the technical aspects of what happened to something that a legal team, the FBI, a company, or a national defender could understand. The translation is extremely important. One of the things that I was able to provide is the translation and what this means. The answer or question, especially at the beginning when you don’t have a script defined, and you don’t have as much information, you have to leave it to somebody to be able to talk about what you knew, what you didn’t know, what you should do, and what it should look like.
You need to know when to start and when to stop. You don’t want to necessarily go beyond what you know as fact and go into what you believe at certain points. You want to be able to measure that and measure how much you talk and what you need to talk about. That is the type of person they needed at that point in time. Luckily, I had skills from all of those prior jobs that allowed me to put those skills to use in this type of event.
If I were a backroom CISO and didn’t have those skills, I would have replaced myself because that is what you needed at that point in time. What I tell a lot of CISOs is you have to develop those other skills to be able to talk, explain, take that ownership, have the technical expertise to be that translator, and take people yelling at you. I have been yelled at by the best throughout several years. It doesn’t bother me to get yelled at.
You get people asking all sorts of stuff and being mad because you disrupted and killed their Christmas. Never forget that you may be going through hard times, but your customers are also going through some serious times. Whether they were affected or not, if we ruined Christmas, they were looking at, “Am I affected?” That is what everybody is asking.
Many didn’t know what versions they were running. They didn’t know where they were running our software. They didn’t know what we were running. Keep that in mind when you are going through stuff. Customers are going through something as bad. There are a lot of things there. I don’t know if I answered your question.
You said a couple of things. I’m trying to remember them in order. They were getting stuck in my brain. I love what you said about facts versus assumptions. I want to tie that into the idea where you mentioned the FBI because this was a nation-state attack. There are governmental but military organizations getting involved. When you start doing forensics, how soon do you consider the notion of insider risk, whether it is unwitting, someone is messing up, not being good enough, or malicious as opposed to an attacker being better than that particular chink in the armor that we saw?
The first we did was we got our legal partner. We have a global legal firm, DLA Piper. They are the largest legal firm in the world, but they have a great cyber team. They were our first folks to get involved. We ended up putting a lot on their paper to get others involved quickly. DLA ended up acting as our quarterback for a lot of things. There is a fantastic team there.
We brought CrowdStrike in. We got the B team on Saturday. We got the A team on Sunday. We found that we needed another investigative partner. In that, we needed to have somebody that understood development. Where CrowdStrike was focused on investigations around the outside, we needed somebody that knew how we developed software. We knew this was the code that was dropped was not in our source control system, but it ended up in the product. That is why we call this the supply chain attack on day two.
We needed somebody that understood TeamCity, how builds are done, and the development process. We brought KPMG’s cyber team in as that secondary partner to help with the number of those investigations. All that leads back to the insider. We investigated everyone and everything that was an anomaly. We looked back for every check-in into code, check-ins for several years, and activity that occurred. We tried to trace it back. Was this person working for us? We didn’t find any signs of an insider but it was apparent that it could have been.
When we looked at those who potentially took action in a chain that we discovered, they would get an investigation, and we would dig deep into what they were doing for several years. Do we see any anomalistic behavior in them? After something would trigger, “Go look at Tim Brown. Look at this.” Threat actors compromised email. They compromised 365 using what is now known as an illicit consent grant.
Microsoft said we were one of 60. When they testified to Congress, they said, “240 had been affected by this model.” They got privilege, somehow. They inserted that illicit consent grant model into our 365 tenant. We are able to watch emails. By watching emails, we were able to get a profile of what we looked like, how builds are done, and who does what. They launch their attack. The insider was on top of our minds. It was like, “Was this an insider?” We didn’t end up seeing an insider component to it, but it could be next time. We put safeguards in place to cover the insider.
I almost think of this because I’m a big movie guy, but this Scorsese classic Casino with Sharon Stone, Robert De Niro, and Joe Pesci. In the beginning, when the two guys are working on their thing, De Niro is looking around. He says, “I could see the dealer wasn’t in on it, but he was weak.” That is what I wonder. As you do the investigation, you have to keep the faith of your organization, so they don’t think everybody is suspicious. As you are doing the investigation into the notion of an insider threat, is there a line between somebody that is weak on this particular thing and the idea that they are acting maliciously? Is there a point of demarcation where you look at it like, “He or she had to be on it?”
That is the stuff we were looking for. Is there a place where somebody made a mistake? Did they make multiple mistakes? Did they do things that showed intent? Was it a mistake that was simply done? Were they coerced?
When you are doing this research and looking at their behavior and their actions, what are the signifiers of intent? That seems huge. Is it a judgment call, or is there statistical data you can look at and say, “This has to be intentional?”
When we look back, we have tickets for everything. We have actions that result in tickets. Were there places where somebody was taking actions that didn’t have tickets for them, where they were misses and blocks of what they were? As a public company, it does not have people that have cleared or have background checks and all. We have regular background checks but not a top-secret clearance background check. There are limits to what we can look at, but we can look at behavior. We can look at what it was and does it look correct. All of those things come to play.
We were limited by what we had from computer logs. You are limited in what scope you have, but you can investigate the actions of an individual for what you have logged. Would I say that we were complete with all the data that we needed or had? No. Did we collect the obs and gobs of data? Yes. Did we get data from Microsoft and others? Yes.
What intended activity and appropriate activity for projects? We would check back in and say, “Was somebody working on this to do this?” We would do manual checks for people to say, “That was part of this project that was going on for them to go through and log into those systems.” Some of it had to be manual and had to be people. Was there a project going on that meant somebody would attend to access or update this server? A lot of it was manual checking. When I saw KPMG’s forensic team, they helped with a lot of those investigations.
DLA acted as the quarterback, and they spun up multiple streams. We had an IT stream, communication stream, legal stream, marketing stream, and engineering stream. All those different streams were run by our exec teams. The head of engineering ran the engineering stream. CIO manages the key stream. Each one of them helped coordinate them. It wasn’t that I needed to be incident commander here, which would have been impossible. I wouldn’t have done a good job at it. I had to be part of all of these streams.
Making sure that you have somebody running those types of things is incredibly important because there are many little pieces that need to get done and things that you need to highlight. We didn’t focus on attribution. I didn’t spend one minute on attribution, and most of the team didn’t spend any time on attribution. We left that up to the US government. We never publicly said to anybody that it was the Russians. It was the US government that attributed it to the Russian SVR.
We provided data and information, but the attribution was something that was great. We got somebody else that is focused there. We won’t focus on that at all.
This is where I’m acting as one of the students in the lecture hall while you are giving this lecture on what happens. As far as attribution goes, was there pressure on SolarWinds on your team specifically to find out who or did you say, “You guys find that, we are going to fix things, handle the why and make sure it doesn’t happen again?” Who does not matter right now for what we need to do?
We didn’t know this was happening, but we assumed it was going to happen. We are going to focus on attribution. We were clear that we are a smaller software company. We don’t have the capabilities to figure out who does that. We are happy to share information and give you whatever we need to do, but we were not the ones that were going to do attribution, and it wasn’t our place to do that. We need somebody larger to be able to go off and accuse another nation of cybercrime.
As a small software company, attribution is not your job. You just need to provide the data and the information.
We talked about this on our first call getting ready for this, and the term that I like is, “It is not where the rock hits the water. It is where the ripples hit the shore.” For what you and your team had to deal with and the ripples coming out of there, does who even matter? We all want revenge and punishment, but does it matter what you have to do?
This could have been anybody. The resulting actions that our customers and we needed to take, we had to get the world into a better place. We had to get our customers comfortable. We had to keep the company going and do all of those things. The ‘who’ didn’t matter that much. The fact that it was a sophisticated nation-state was an attribution that came to them. It didn’t matter much about the actions that we were going to take.
Here is a dumb question. Was there a little bit of relief to be able to think it was Russia? It wasn’t two twenty-year-olds on a lark in Northern Utah who said, “Let’s see if we can do this.”
If the program fell to an unsophisticated actor, that would have been much worse on the other side. It would’ve been less understandable. It was like, “You fell because of this.” Having been falling to a sophisticated adversary, patient adversary, sophisticated attack, and those types of things makes it much more understandable or forgivable in some ways. That is what happened. It would have been much harder to fight if it turned out it was two guys in a garage.
Hopefully, if it is at least two guys in a garage, eventually, they form the next Apple, but we won’t get there.
It could have been two guys in a garage. They were good.
You also mentioned before that this is not the first time you have been at a company dealing with a heavy-duty breach, but I loved the question that you asked. Let me cue you up with that batting practice fastball. How do you make $1 billion off of a global security company?
Usually, I ask that question to those folks, “Are they in tune with their own internal models? Do they realize what their threat vectors are?” It is a question you should always ask when you are talking to a company. Not what threats do you face and what is important, but from a ransomware perspective, what would you pay $1 million for from a software company?
From a ransomware perspective, always ask not what threats you face. Ask what you would pay a million dollars for.
This was a question that I used when I was at Symantec. I was like, “How would I make $1 billion off of Symantec?” People gave reasonable answers that didn’t matter. They were like, “I would steal the source code.” I have seen the source code. It is not worth $1 billion. I would grab the sales list and those types of things. In reality, way back then, you compromised the person that was responsible for live updates because they could drop a change for anything onto 60 million desktops. If you control 60 million desktops, you can make $1 billion.
You look at it from other things. Take that same concept, move it to ransomware and say, “What would you pay for $1 million for ransom? If you are a hospital, what would you pay for?” You are going to kill all my patients. You have been affected. I don’t have access to my patient data any longer. Therefore, I don’t know what drugs to use. I don’t know what to give them. I don’t know how to continue my care of my patient. You know what you will pay for. How do you protect it? What safeguards do you put in place? What do you do?
Many hospitals put offline systems in place. You get synced every hour or every few minutes that are not connected to the internet and not connected to everything but a terminal you can walk up to and say, “What drugs did Tim Brown get fifteen minutes ago?” You can get that data. You don’t sacrifice the health of your patients in case of not being able to access your online data or your online data is corrupted.
Asking the question of what you are willing to pay for makes you focus on what is most important within the environment and have safeguards put into place for those types of things. Those are the models that you need to put into place. Those are some of the questions we asked ourselves after the event of what we would change and how we could put safeguards for those things.
Unfortunately, we had to deal with two major issues like this. You talk about what safeguards we put in place after the event. What safeguards do you put in place in a way that doesn’t become intrusive for your staff and doesn’t imply that you don’t trust and believe in them? There is an emotional component to this. Everybody is horrified by what happened. Hopefully, everybody recognizes they have to take a look at me. I didn’t do it, but here we go. It is justifiable for them to look at me as much as they are looking at everybody else.
I will talk about exactly what we have done and give you a sense of that. It gives that general model. I start with development processes. This happened in our development process and pipeline. Source code has a lot of manual checks in place. You have peer reviews for things. You have other manual checks to make sure the right code gets into place.
If the threat actor had gone after GitHub, we would have caught them because we would have found changes that didn’t get peer-reviewed and didn’t get in place in the right way. They were smart. They went not after GitHub but virtual machines that provided functions during our build. They check code out, compile, and build things and end up with a product at the end. That is TeamCity orchestration. They went after one of those and inserted something into that process. The build supply chain was compromised. What do we do now?
One of the things that we did was build multiple times with multiple pipelines. What we did was take a couple of steps. The first step was to make everything ephemeral, so it didn’t have anything to attack. Our build systems are now built every time it is run. There is nothing static. We picked up the build system and moved it into AWS. We didn’t move it. We recreated it.
In case any artifacts were left over from the incident, we said, “If there is any chance it is dirty, we are not going to take it.” We recreate something new in AWS. We then put the build system all in code. There is nothing to attack. There is nothing that is static there. There is nothing I can get into an environment in check.
The third part was to do multiple build pipelines, a developer pipeline, a test pipeline and a production pipeline. It is a staging validation pipeline and a production pipeline. A limited number of people have access to each pipeline. Two people have access to production, about 30 have access to staging, and about 100 have access to the developer. No one person has access to all three. Before we ship, we build multiple times, compare the pipelines, and if the pipelines don’t match, we don’t ship. I need collusion amongst my pipeline owners to be able to affect my build. You need to collude between 1 of the 2 and 1 of the 30 before you can ship a build that is tainted.
I’m assuming that somebody in my cycle is an insider. I’m assuming that somebody has been tainted. I have safeguards in place to make sure that doesn’t occur when you ship. That is from the build perspective. It is tightening that build, saying, “What are my single points of failure? I don’t have anything similar to the guy that did the live update. It was a single point of failure.”
What is my single point of failure? I don’t have one. I’m making sure that the production build matches the validation build. If it doesn’t, I don’t ship. I would need collusion amongst multiple. I have everything checked into code. I need collusion in the idea of code check-in. A lot of those things end up putting safeguards in place, multiple works, it is much more work from a processing perspective. What is in place? It gives us a lot of safeguards that are there. That is what we did on the engineering side. There’s a lot of stuff on the security side as well.
Given the scope of the organizations that you have been a part of, the global reach of the products and the impact, you have had access to an enormous amount of good guys and a few bad guys. As you look several years on from the latest major issue you have to deal with, how are we doing? By that, I mean the good guys.
Company-wise, we are doing good. Prior to the incident, we had about 93% renewal rates. In the last quarter, we were at 91%. The work that we have done has helped us gain confidence in SolarWinds. Being out there and talking about it has helped with that confidence. It has helped people feel comfortable saying, “I’m going to continue and move forward.” Since this happened to you, you are stronger than most because it happened.
How are the good guys doing against the bad guys? Bad guys have some advantages. They cooperate well together. They share more data together than what the good guys necessarily share. We share a lot of TTPs, details, and ways to block activity. We don’t share enough in the models. We don’t do enough sharing of what is good, what something should look like, and what it should act like.
CISO is doing a lot of work on what a normal profile for product X looks like. Some of that can help us with sharing. Public-private partnerships, in the beginning, we are trying to help open up conversations about you getting into problems with sharing. You get into problems with who you trust when you are sharing information and data about certain things. A number of customers or entities I talked to throughout this said, “We had these guys attack us. They used this.” We didn’t have to talk about it. They didn’t have to disclose it publicly. The knowledge that they exist has been there for a long time. We made it public.
We are developing good technology and making it a little bit harder. We can still do a better job of making it truly harder for them. From a legal perspective, the penalties are not as great as they could be. We don’t have big sticks to stop folks with. From a nation-state perspective, we all operate offensive nation-state cyber teams. What are the US, Israel, and Russia doing? You name it. What they are doing to each other is known. They’re trying to get advantages using cyber. Get that on the one hand. It is not necessarily the bad guys trying to make money. Sometimes, the bad guys are good guys trying to get control.
The penalties for committing cyber crimes are not so great that they would not stop people from doing them.
It is not an easy question of whether we’re winning or losing. We have to continue to up our game. Technology is improving. With the right level of effort, you become more difficult to be able to circumvent their security. You continue to become difficult, so you are not as much of a target, but there is no panacea. I don’t see that it is the same game we have been fighting for the last several years. It is a little bit different from tools and technology.
The bad guys always have an advantage because they don’t have to be right once. The good guys always have to be right all the time. Anticipating that once is difficult. We are still in a fight. We will be in a fight 20 and 30 years from now. We have to keep being diligent and make it harder, get better visibility, and continue to move the needle so that we become harder to attack.
You say it is the same fight we have been having for the last several years. It is fair to say the argument could be made since the first time, one dude picked up a rock, and the other dude picked up a stick. That is the beginning of technology at that point, and it is moved from one to the next.
We have to keep fighting that fight, looking out for what we have, and making sure that we are focused in the right places that matter because there are many places, gaps, and things that need to be addressed. You can’t do everything. The other piece of advice is that you focus on what matters the most and try to make sure that those are as resilient as possible to the types of attacks that can occur.
This is usually a ham-fisted segue to my favorite allegory, but it works perfectly with what I said and what you said talking about focus. Is there anything that you got your eye on now, whether it is technology, process, training, or even legal? You said about not having a big enough stick that maybe we should be paying more attention to, something that’s in your peripheral vision or do you feel like it is in peripheral vision that maybe should be a little more in focus.
As a technologist, I always wanted to be able to look at deviations from normal for people’s processes and systems. We are getting close to being able to truly do behavioral analytics from many different things and see when we go sideways little ways. We got some hope there. Some of the technology has gotten better in those ways. It’s about being able to model environments a little bit better and have more automation.
Humans in the middle are always one of our problems. More automation on the outside can help us. They can help us both predict when we have potential issues and hopefully self-heal something in the middle. Some of those hold some weight. You like to see more penalties. From the penalty perspective, are we seeing enough? Are we looking at it as a global problem? Are we banding together to enforce and make the penalties greater?
We are seeing some signs of a little bit of claw backing of some crypto. Those things may end up helping. If the bad guys are smart and thoughtful in their models, they can implement their models, not get caught and get paid. If you can flip that and make it so that it is more costly and likely, they are going to get caught and be punished, that can also help for some of these rampant models that we see.
We better call back that crypto pretty quick because it will be much of a too-much look.
Maybe that is the answer. The crypto is now worth nothing. They have lost all their funding.
They steal all the bags of money out of the bank. They get home, and the bags are empty.
I thought I was going to get $5 million. I got $0.05.
Let’s bounce over to the leadership corner. You got so much going on. What do you do when you are not doing this? What is on your playlist? When you turn the radio on, is there music playing, or are you a podcast or audiobook guy?
I do some podcasts. I do a number of those types of things. One of the things people ask me is how you keep your sanity doing these types of jobs. The other half of my life is completely different. I have a ranch. They call it a ranch in Texas. I call it a farm in Upstate New York. I have horses and donkeys.
Is it actually warm-blooded living things?
Warm-blooded living things that don’t talk back to you, and you can put them in a barn when you are unhappy with them. The great therapy is to go dig a ditch, stall or take care of non-technical stuff. I talk to a lot of people all the time. My wife says I don’t talk to her enough when I come home because I’m talking all day. Having alternatives is an important part. It’s about getting different people to use different things to remove stress from their life. It is critical as a CISO to be able to have things that destress you. Some do yoga. Some do all sorts of different things. Some do physical stuff and sports. It is important to have that balance. Without the balance, you will burn out from this career because it is constant.
When young Tim was interning, and he was all mad at the end, he was like, “I can’t believe they got me shoveling crap all day.” Now, you have reached this level of achievement and accomplishment in your career. You were like, “The one thing I want to do is get back in and muck out a stall.” It is the definition of a full circle.
Nobody yells at you. They are sitting there.
The horses were like, “Get this out of here. It used to be nice.”
The balance is important, and however you find that balance, it is critical because CISOs around the world are under a lot of pressure. They are under pressure from legal teams, their own corporation, and the bad guys. To have those outlets, you need to find where that outlet is for you. Don’t give up on it. This is all you do 24/7, 365. You won’t last that long.
What is the step? Eighteen months is the average lifespan.
It is a marathon. You have to pace yourself, have the right support staff, have the right people around you and outlets set and stop you from thinking about this stuff for a little bit.
Let’s get over to shameless plugs. I know that you have gotten back from a pretty primetime speaking engagement with Black Hat. What do you get going on? Are you writing, more events coming up, social media websites, and all the good things?
We got some new material coming out on Secure By Design. It is the next stage. Secure By Design was our umbrella for everything we have done associated with the incident. Expect that coming up in February 2023. That will be on SolarWinds.com as well as some other places. It has been going through the last couple of years, and what other people can learn from it. A lot that we talked about here, but you know a lot more details.
That is going to be coming up in February 2023. We should be doing quite a few different things there. I’m always out at events. I’m always talking to different folks about how we can help and how we use this event to help the world get better. Don’t let any good event go wasted. That is the good side of having an event like this.
We did help people get a budget. We had people make security a board-level conversation for many. We had people on board saying, “Could this happen to us?” Smart CISOs said, “Yes.” They said, “What do you need?” Increase the budget, focus, and time. Let’s make sure we continue forward and make it harder for the bad guys every day because that is what we need to do.
Given everything that you have had to deal with over the last couple of years, you still have a shockingly thick, full head of dark hair. As far as being cool, collected and all of this stuff, speaking as a man who has been bald for many years, well played. You like to close things out on a serious note. Anything for you on social media? Are you doing anything on LinkedIn or Mastodon?
I’m on LinkedIn. I post a little bit out there, but it is a tough place to be. I should navigate, post and blog more. Right now, no. I keep thinking about it, but I get tied up in my day jobs. A lot of stuff on SolarWinds, a lot of stuff I will put out in different places. On LinkedIn and other places, but maybe more in the future, we will see.
I guarantee you, dear readers, if you want to get Tim’s attention, if you reach out and ask if you can volunteer to help him muck out a stall, that might be the way to go. Tim, we got a lot more to talk about. It is hard to believe that we are already starting to consider coming up on RSA. Where did 2022 go? Consider this the official invitation to come back because you are doing a lot of cool stuff, and we got a lot more questions for you. We are up against the wall now.
It sounds good. It is a good conversation.
We are going to have more fun. As for everybody else, that is it for now. Thank you for joining us on the show. Friendly reminder, all comments reflect the personal opinions of the participants and not necessarily those of their employers or organizations. For more information on all that is good in the world of cybersecurity, make sure you check us out. You can find us on LinkedIn and Facebook, as well as the mothership, ElevateSecurity.com. You can find me @PackMatt73 across all the socials.
As far as the pod goes, if you are reading, you already found us, but you can find us pretty much anywhere. All we ask is you subscribe, rate, and review. You will never miss out on amazing people like Tim who are willing to do something that may not have been the most fun part of his career. We are going to get down and talk about it, so it doesn’t happen again. Until then, we will see you next time.
Important Links
- LinkedIn – Elevate Security
- Facebook – Elevate Security
- LinkedIn – Tim Brown
- SolarWinds
- DLA Piper
- CrowdStrike
- TeamCity
- KPMG
- GitHub
- Black Hat
- Secure By Design
About Tim Brown
Tim Brown joined SolarWinds in 2017 as vice president of security and is now the CISO for SolarWinds, overseeing internal IT security, product security, and security strategy. After the SUNBURST attack in December 2020, Tim Brown led the response and remediation efforts. Tim has spoken to thousands of customers and has been instrumental in all customer remediation support and services. He has worked closely with the SolarWinds® CEO in designing the future state of security and their “Secure by Design” philosophy. This new philosophy on software design will not only benefit SolarWinds but the industry as a whole, and it sets a precedent for responses to future cyberattacks. As a former Dell Fellow and CTO, Tim deeply understands the challenges and aspirations of the person responsible for driving digital innovation and change. Tim has over 25 years of experience, and his trusted advisor status has taken him from meeting with members of Congress and the Senate to the Situation Room in the White House. He’s also an avid inventor and holds 18 issued patents on security-related topics.