Interview – Tim Brown – SolarWinds
ANDREW MCLEAN [00:00:00] OK. So we’re coming to the last couple of interviews before we start our panel. But I’m not going to go to break today because I have SolarWinds on next. So I have Mr. Tim Brown from SolarWinds here to speak to me. I think you do anyway. Yes, I do. How’s it going?
TIM BROWN [00:00:19] Excellent. How are you?
ANDREW MCLEAN [00:00:21] I’m good, thank you. I think everybody knows SolarWinds. But let’s just do the pitch anyway. Go on tell me what is SolarWinds is and what you do?
TIM BROWN [00:00:30] Yeah, absolutely. So we provide I.T. software and services for MSP’s and for I.T. pros. About 20 years in business, almost a billion dollar company. I run security for SolarWinds. So I’m responsible for the security of our products but as well as security for our infrastructure. And, you know, 4000 people around the world. So kind of a dual role that I play.
ANDREW MCLEAN [00:00:54] Yeah, well, I mean, I’ve heard so much about you guys and around cybersecurity which is kinda handy because it’s a security show. I keep hearing this thing, cyber hygiene in relation to SolarWinds but I must say, I’m not entirely sure what that means. Can you tell me what cyber hygiene is?
TIM BROWN [00:01:17] Yeah, absolutely. If you look at a lot of the breaches, if you look at everybody in the news, you know, 90% of the folks that have had issues have had issues not because they weren’t running the latest greatest tool, but had issues because they were not really practising good cyber hygiene. You know, what is cyber hygiene? That means you’re going to patch systems. That means you’re going to make sure that somebody does a scan of your network, which they’re doing all the time, that they’re not going to find vulnerabilities in your network that make sure that your people only have access to what they need and not have access to something more. That means you’re running, you know, at least antivirus on all your boxes, all the basics. Right, that make you more secure that you’re doing them well. That’s not easy to do that well. Right. So we’re not saying that it’s easy to do them well. But it’s very, very important that you start with that before you take on the next project, before you go in the next stage. You know, people often ask him secure, it’s a terrible question to ask, right? The real question is, what risk do I face? Is that an acceptable level of risk for my organisation, for myself, for my company or my customers? right. So think about from a risk perspective as opposed to a secure being, a binary on or off?
ANDREW MCLEAN [00:02:35] Well, I actually on the topic of risk, I’m gonna ask you this question because I’ve asked a few people this, but I’m curious when, you know, we speak about security and people say, yes, we have got this cyber security thing, we’ve got all locked up, et cetera, then this whole pandemic came around. Everybody rushed home. We all had to work from home. Did all the best practises and hygiene just go out the window.
TIM BROWN [00:03:00] Yeah. So we got everybody moving to home, right? We shifted about 3000 people to home in a matter of days, right? all across the world, all different geos, all different rules. And when we think about that, what did we have set up? We actually had set up a lot of hybrid models or a lot of hybrid services. So not everybody needed the VPN home to do their work, right? We had a good percentage over 50% of our population was able to go direct from the Internet to their services. So services like Office 365, services like Salesforce, services like ServiceNow. Those types of services enable us to work from anywhere. So we were fairly well set up to work from anywhere but then we look at, okay so am I as protected as I was yesterday? Well, not really. I’ve got a home router, a home network, as opposed to my corporate network. So we’ve had to do more monitoring that to do more looking for indicators or compromised. We’ve had to be very watchful on our environment, but also really start looking at how do we kind of embrace that now, another buzzword zero trust, right? How do we really understand, your last speaker talked about crown jewels. Perfect topic, right? Who are the most important things? People in my organisation and the most important resources in my organisation? Can I attest to my board that those are locked down and those are truly secure? When you get to that point. Then you can have real conversation. Now, that’s not 100% of my organisation. I know I have machines at risk in different parts of the country but are those machines and those systems those belonging to my administrators? No. Are those machines that belong to my finance team and my M&A team? No, right? Are those people store my personal data and the data on my customers? No. Are those people doing general email. Yes. So when you start thinking about tiering your security, it ends up being much more practical in what you can do, because nobody can do anything, no matter how big their budget is. Right. They can’t do everything.
ANDREW MCLEAN [00:05:11] So. Well, what can I mean to me this cyber hygiene sounds a little bit like a maintenance of a car. You got make sure you your thing and you have to keep on it but you also don’t want to have to go, You know, you dont want to go everyday and make sure your brakes aren’t going to fail. So I think there is a nice balance there somewhere. What should they look out for?
TIM BROWN [00:05:34] When you look at, you know, one of the biggest things is how you do patch management, right? How do you do patch management? You know, patch management is not just yeah I run patches, right? It’s really a programme. You know, you’ll never be able to have patches, everything completely patched all the time, right? With the latest passage, it’s just not effective to do that. So you put a programme in place, you measure how you’re doing on patches, you measure what your most important systems are. Make sure that those most important systems are patched to appropriate level. You make sure that, you know, you have a good sense of what your crown jewels are and that you’re protecting them. You make sure that you have basic backup in place. You make sure that you had basic antivirus in place on end point. You make sure you’re watching and monitoring what’s going on. You’re always trying in a good cyber hygiene model. You’re trying to reduce that attack aperture from people. From the outside you look like this big, right? And you really want to look like this big. You want to look small. You want to say yep, if you’re going to come after me, you’re going to come after me in this little spot, because this is where I am not as secure as other places. So be aware that you’re under attack 24/7 right? Now is one of the most active time on the adversary front that we’ve seen a long time. If you look at the level of denial of service attacks that we’ve been getting lately, if you look at the level of attacks that are coming from many different sources, it is just pretty scary out there right now. So if you think that you just don’t have anything that somebody would want. So you’re not under attack. You’re under attack simply because you’re a participant on the Internet. So take care of yourself in that model.
ANDREW MCLEAN [00:07:25] Okay, so we barely out of time, Tim but I’m gonna ask you one other question, because you are a very wise man. If I were, let’s say I was an I.T. person, let’s say I was a cybersecurity person. So let’s say we were getting into cybersecurity and I had to have a kind of a checklist of things that just looked so suspicious. This is what I should really be looking out for. What would you say are the biggest, most suspicious things that you should look out for on a day to day basis?
TIM BROWN [00:07:54] Yeah, first thing always, you know, understand your companies, your crown jewels, understand what’s most important, what can cause a material event for you. So I’m not saying technology first. It’s really understanding what’s most important. If that was compromised, it will put you out of business. Take care of that first and start putting security around that first and understand what level of security you’re going to put around that is just to meet the need of that risk, then expand out from beyond that. Everybody in the organisation, you should try to have the basics on right? You should protect their endpoint. You should backup their systems. You should make sure appropriate firewalls are in place and do all of the basics and patch on the outside and then tier your security so that you’re taking care of the things that can do the most harm first and those things that are exposed outside first. And then watch, monitor be proactive in what you’re doing. Plan. Big part of right now is that, you know, you should be planning to be what’s next? As you said, what happens when people start coming home? It’s going to be different. It’s going to be a new different. It’s not going to go back to what it was. So you have to assume that you’re going to live in this hybrid world for a while. So how are you going to manage that? How are you going to appropriately manage risk in those environments? So that’s the big thing. Plan. Understand, be ready.
ANDREW MCLEAN [00:09:18] I love it. I absolutely love it. Well, Tim, thank you so much for your input on this and I know SolawWinds do some amazing things. And I will say for even when I was a little junior techie, it was it was insightful. So all parts of security. So, thank you but Tim Brown, thank you so much.
TIM BROWN [00:09:42] You’re welcome.
ANDREW MCLEAN [00:09:42] Thank you.
ANDREW MCLEAN [00:09:43] That was Tim Brown from SolarWinds telling us about cyber hygiene.