
B
Welcome to Risk Never Sleeps, where we meet and get to know the people delivering patient care and protecting patient safety. I'm your host, Ed Gaudet. Welcome to the Risk Never Sleeps podcast in which we learn about the people that are on the front lines protecting patient safety and delivering patient care. Today we have a special guest. I am pleased to be joined by Tim Brown. Tim, welcome.
A
Oh, thank you. Great to be here. Yeah.
B
Let's start off with telling our listeners a little bit about your current role and your organization.
A
Yeah, absolutely. So I've been with SolarWinds for eight years and came from a long line of different companies, different things, mostly engineering focused. So I built a lot of security products and helped implement a lot of things, and then I decided to go be a CISO myself. And so I've been with Solar for eight years, went through a little incident a few years ago, and we'll talk a little bit more about that.
B
Oh, good.
A
Okay, great.
B
So what's your background? How did you get into security?
A
Basically engineering. You know, I've been around for a little bit too long. Right. So gone all sorts of. I know all sorts of evolution. I started way back at Wang Labs.
B
Oh, Wang. All right.
A
Right. In your neighborhood, in Lowell.
B
Were you in Lowell?
A
Exactly. Me and my wife were the last recent college grads ever hired. Oh, really?
B
It's crazy. Wang OS, right?
A
Was that the. Yeah, yeah, yeah. That's what I worked on, actually.
B
Oh, wow. I'm a child of the VAX, the DEC VAX, VMS and DCL and all that fun stuff.
A
Yeah. So a lot of my career has been, you know, I started as a programmatic tester, as they called it. Tested a lot of things, built a lot of code, and then started building products, started running teams. So built lots of security tools then. Really where I cut my teeth in security was way back when AXENT Technologies was acquired by Symantec and stayed with Symantec for about 12 years. Got rid of my products and joined the CTO office and helped run architecture and strategy for the company. Then CTO for CA security unit, CTO for Dell software security unit, and then, you know, decided to go over to the other side. And, you know, we really always wanted to do operations as well as do strategy and help the development team. So SolarWinds was a perfect fit and a perfect mix of those two things.
B
You mentioned Access was that axis 360.
A
Yeah, absolutely. How do you like that? I remember.
B
Were they in Framingham, I think, or. Yeah, yeah, that's.
A
Yeah, yeah.
B
I worked briefly at Prime.
A
Okay.
B
On Old Connecticut Path, if you remember then.
A
Yeah. So that whole area. So, yeah, we hung around there until about 10 years ago. And then. Or that general area, upstate New York and then headed to Texas.
B
Yeah. So for folks that don't know what you alluded to earlier about SolarWinds, really just lessons learned. Like what advice do you have for CISOs on the front line dealing with. And it's a different world, isn't it?
A
It is. It is a different world. And, you know, my first four years were going great. All my crazy ideas that I had while I was developing software, building products, you know, I was really able to implement and really get us ready for a lot of things. So it was an interesting model, being able to actually not just build stuff, but get it all done for people. So that was kind of the first four years. And December 12, 2020 happened. Right. And that was when we found out that the back end of our systems was compromised by the Russian SVR. That they had got into our compromised email first and compromised our build system. They didn't touch our source code. Compromised build system. And that build system compromise enabled us to ship tainted code to a number of our customers. 18,000 got copies of that tainted code and fast forward. What we found out later was under a hundred. We really went to a negatively affected stage. But at that time, it was a number of interesting things that people found that were really interesting and they got lessons from. First off, nation states were real, they weren't theoretical. So people often were just, oh, yeah, it's a nation state. Why would a nation state come after me? And to be able to explain what they did, to explain the mission that they had to be public about, what the mission they had was and the models that they used to be able to infiltrate a company and then not wanting to get caught. So they weren't a noisy adversary, they were quiet. And we were just a route to, you know, the four government agencies they were trying to access and some commercial customers. Yeah. So a lot of lessons in that first stage. Right. Yeah.
B
And I think you were one of the first supply chain incidents. Right. That we all had to sort of. We talked about it, like you said, theoretically, but now it's in practice and we're all dealing with it. Every industry was absolutely affected in some way. What were some of the response lessons? What did you learn about incident response and recovery that you maybe, you know, in theory it sounded good, but in practice, like, whoa.
A
Yes. Just that the scope and the scale was different than what we had ever imagined. Right. Or we had a pretty good plan. Right. We had run our plan and tested our plan often. So we ran things that were just events as incident. Right. So you got a vulnerability in a product, okay, that's an incident, we have to go through it. We work with engineering, we get a fix out, we communicate with the reporter, we communicate with communications, make sure release notes are up 90% of the time. My team does that on its own. I guess level zero incidents is what.
B
We say, muscle memory.
A
It's just muscle memory. Level one incident. So say we had a vulnerability that showed some sign of exploitation, that becomes a level one. At that point we do all the same stuff we did with level 0 and then added on legal, added on marketing, added on or more communications things. So we add people to that normal team and those happen, you know. So SolarWinds, 300,000 or so customers, 50 or so products went global. So those types of things happen a few times a year. Right. Well, you know, another good one from a level one would be inappropriate data sharing. Somewhere along the process, somebody sees data that they weren't supposed to see. Doesn't happen often, but every once in a while that would automatically become a level one incident. So muscle memory really is very important. So first lesson is making sure that you practice and don't just practice the big stuff you have. Use tabletops, use little tabletops, use other methods to practice. And if you can insert an incident process into your normal day to day business, even better. So important to have relationships between your people so that it's not the first time you're seeing your legal partner, not the first time you're seeing your HR partner or your engineering partner or your IT partner or. So by getting those relationships going, you end up having being prepared for something that's both could be smaller or could be like Sunburst. Sunburst was level four, our highest level. Yeah, of course. Right. So the muscle memory helps you get ready for some of the structure. But when something this big happens, you really need to get some help from folks that have done it many times. Right. There are thankfully not that many people have gone through being on the cover of CNN and Wall Street Journal and you name it the next day. Right, right, right. Yeah, we found out on Saturday. We also found out that email had been compromised. 
We also found out that it was going to go public on Sunday, but we didn't have a long time to be able to be prepared.
B
A lot of Red Bull drank during those 24 hours.
A
Yeah, so I lost 25 pounds in about three weeks. So you're so busy. So just be prepared to be so busy. You're in the middle of things, you're getting things done. You're probably the most efficient you've ever been to get things done. Believe it or not, organization of the team matters really. Splitting people up to do their jobs that they need to do for the incident. So it needed to figure out how they got in. Right. They needed to instrument every endpoint, every server. You know, we brought CrowdStrike in from a threat hunt partner, helped them get things across the entire environment. R and D, they got into our build system, they didn't touch source control. So how did they do that? What did they do? Yeah, we knew it happened, we didn't know how. Right. On Saturday, we knew we had shipped. We figured out which versions were tainted, but we didn't know how to. So R and D. Great. Head of engineering, start looking at that focus marketing. We're getting everybody in the world calling us. So how do we deal with that? Legal, we got have escalations and other things coming in. So how do we deal with that? We have countries calling us, asking us for what's going on with special projects. All of those things are happening. So you have to have different ones to be able to organize us, get us together, get us in the right places. No one, unless assigned to that job would do very well if they didn't understand how to do it.
B
Sounds like you have a book in your future.
A
DLA Piper really came in and helped there. I have started writing.
B
Yeah, that's good. I think you have a really interesting story. I have so many questions about it. Did you do anything different post event, like from a red team? Did you scale your red team process? Did you increase the frequency of your tabletops with.
A
Yeah. So when you go through one of these that SolarWinds has. Customers really love our products. They really do. So prior to the incident, we were at like 92% renewal rates. Post incident went down to the 80s. Just last year our public order, we were at 98, 99% renewal rates. So the question is, how did we do that? Right. Trust gets shaken through one of these. Right. You know, we ship tainted code to customers. So how can we help them? And most of our customers really wanted to stay with us. What they needed to do is convince their executive teams and their boards that we were safer than others. So how do you do that? You become exemplary and you really give exemplary fashion. Exemplary in all cases. So things like as you said it area YubiKey everywhere, no exceptions. Micro segmentation everywhere. Harden the entire environment. Have the environment looked at by, you know, multiple third parties. The engineering side, our build processes and build systems and invent new ones. Now today we do triple build for Orion Bay. So I do three different builds, pipelines, no one having access to all three of them if and comparing the results before we ship them. So you'd have to have collusion among people in order to affect our build systems. Today we also did things like, you know, enhanced bug bounty programs. We one important thing is we didn't have the right contacts for people. We found out we had sales contacts, not security contacts in customers. So we added a security contact to every customer. So we now can communicate that way. My teams, we had three SOCs running. So I kept my SOC. I had CrowdStrike's and I had Secureworks' SOC. I had full time red team as opposed to part time red team. We had bug bounty programs. I hired an internal security auditor. So things that are sensitive in our environment, we'll red team six months and the next six months we'll audit, then we'll red team, then we'll audit, then we'll red team, then we'll audit. 
So a lot of structure in those. Yeah. Wow. So a lot of things to allow us to be truly exemplary. So when somebody asks, they knew we took it seriously, knew we were working, doing everything we can to have it not happen again ever. But we never said it's not impossible. Right. Because that would be there always unusable.
B
If it was right. 100% security is unusable.
A
Yeah. So we hardened everything, essentially, and really were able to explain that to many folks. Yeah.
B
That level of transparency too, must have gone a long way to healing the trust that may have been lost over time.
A
Yeah. So one of the lessons from a CISO perspective is everybody wants verbal communication. Okay. So we wrote everything down, we had things published on our website, we told people what we knew on our website, and it was there for everybody to read. But people want to talk. They want to talk, they want to hear from people, they want to be able to understand, ask questions. And the person that's presented needs to be able to stay within the lines of the written word. Give color around the outside that's not material. Yeah.
B
Color and comfort.
A
Right. Color and comfort. So that's a skill that I have had a lot of experience through my history of speaking and speaking to large audiences and, you know, in many ways getting yelled at by the best. Right.
B
That helps build character.
A
It does. Right. And we laugh about it, but you know, people, some often need to vent.
B
Yeah.
A
You know, I didn't just ruin our Christmas. I ruined, you know, 18,000 customers' Christmases. So they should be mad.
B
Yeah.
A
And I expect them to be mad. And they tried. They had to learn. Most of them weren't affected, which was great. Yeah. But still they had to invest that inventory.
B
They had to figure it out whether or not they even had it or what the impact was or. Yeah, that was incredible.
A
So, you know, let them yell. Right. And it's appropriate. Right. And so transparency is hard in some ways. And from a legal perspective, you know, the best thing you can do is be quiet, not talk to anybody. Company surviving perspective and thriving perspective. You know, transparency is critical. Yes. So that's where you have to have the balance. And we got a lot of credit for transparency. We got a lot of good credit. For the first few months. Nobody said anything nice. That's kind of normal. Grow a hard shell. Yeah. And don't pay too much attention to it. Yeah. And then you go on. But yeah, we got a lot of. I really appreciate a number of folks that really stood up for what we were doing and the approach we were taking. You know, just saying, you know, this is what all vendors should do and this is what you should be doing and thank you for doing this. So that's kind of phase one of the whole kind of saga that we went through. So personally, was I going to get fired? Maybe. Right. And I had to deal with that. Right. Because before five years ago, very common to fire the CISO and I was too busy to worry about it. That's what essentially I tell people. It's like, yeah, I gave myself 50, 50 chance and I was doing too much work to be able to worry about it. They would take care of me, it would be ok. We would have been fine. But if that's what had to happen for the company to survive, that's what had to happen for the company to survive. It didn't. Right. They have been incredibly supportive and wonderful company to work for in the last five years.
B
Yeah. No, I never understood that. Like if it's its own malicious intent, why fire the person that now is going through the learning and is going to be so much better.
A
Right.
B
And so much better prepared to serve you in the future. I just never understood the listen, there's no such thing as 100% security that can happen. It's more of what did you do afterwards? What how did you react in my book is really what matters.
A
And I think some of it got misreported in some way. Right. Because shocking skills that I needed post incident. Yeah. Were very different than the skills I needed pre incident. Yeah. So if I wasn't me, I probably would have had to fire me. Right. Yeah. What we needed is we needed appropriate communications. We needed people to be out there. We needed people capable of being transparent. We needed people capable of working post incident. And nothing wrong with the CISO that's not capable. But now if you're not capable for that thing, you have to be, you know, consider being augmented or potentially replaced because the skills are just very different. You could be a fantastic pre incident CISO and then, you know, but when incident comes up, you're not the right one to help through the process.
B
At least CISO is a pre incident CISO until they're not.
A
Right? Yeah, yeah. But it's really the skills that are necessary. And you see that with other organizations and other things. Right. Sometimes it's the CIO and CTO that just melt down during the incident. Yeah. And it happens. Right. It's a lot of press, it's a lot of stress. So I don't, you know, begrudge them at all. Right. It is uncomfortable, it is hard, it is difficult. And I fully understand that some folks shut down. We got lucky. Right. We got lucky with our team, we got lucky with the people that were there. We all had little lapses here and there, but we gave each other kind of grace throughout the process. Yeah. Got what we needed. I love that.
B
Grace throughout the process. Yeah, that's. Yeah, that's gonna go in the book.
A
Okay, I like that. I'll remember.
B
Well, we'll have the recording up, so if you ever want to go back. All right, so let's shift a little. We talked about your background, we talked about how you got involved. Let me ask some personal questions. If you were to go back and meet your 20 year old self, what would you tell 20 year old Tim?
A
Yeah, I think 20 year old Tim has had a good run. Right. I've been pretty happy. So, you know, 20 year old I just say, be patient, learn as much as you can. Enjoy the ride. Everything is a really great learning experience. So even those hard things that happened were worthwhile throughout the time. So I don't think I would change what I've done along the path, but I think I would just, you know, give myself confidence that it was going to work out.
B
Something about you that most people don't know.
A
So some people know this. I operate kind of two different lives. Right. Home is different than work. So I have and have the last probably what, 30, 40 years had farms or had ranches. So I had. Oh, wow. I have horses. I have mini donkeys, pictures of me hugging donkeys. That's why I tell people. How do you relieve your stress? Right. Yeah. And that has always helped my. You know, sometimes I get home, my wife says, I know you've been talking all day. You don't want to talk to me or do some work around the farm and do other things. But I do appreciate that separation. I can be very focused at work and very intense a little bit. Then I pop home and I can relax a little bit and have that separation. Yeah, I love that.
B
Do you know John Halamka? He's got a. Dr. John Halamka from. He's a president of Mayo and he was a CIO over at Beth Israel. He's a good friend.
A
But he.
B
He's got a farm Unity Farm, which actually you can check it out on the website. But he has webcams on his farm so you can actually see real time what's happening. His llamas, you know, he's just incredible. It's good nature especially.
A
Get back to kind of non technical stuff.
B
Well, it's very therapeutic as well.
A
Yeah, yeah. Absolutely. Might not help. Yeah.
B
My farm is writing, so I write when I'm not. I'm a. I write poetry. So that's my. That's my version of your farm, right?
A
Yes. But I think it's important that everybody finds those.
B
Absolutely. Yeah.
A
And you know, they help you get through a lot of things.
B
What job did you have when you were younger that really influenced you?
A
Yeah, yeah. So I started working at like 15 and a half. So you. You'll actually know this. I worked at the DeMoulas. Oh, Market Basket. See right by you. Great. What did you do? So I first started up front so as a bagger because that's where the girls were. Right. But we had a good time. We really. Yeah. It was a fun time to be there with a great group of people and you know, so I worked there through high school. So 15, 18, worked in the deli for a while. So talk about having, you know, long lines of people just. You just got used to. Yeah. Like you will get down mad. Right. And people got mad.
B
You didn't call my number.
A
Yeah, exactly. All of those things.
B
She's ordering way too much. What's going on.
A
Yeah. So that would be crazy. That kind of set me up from just people perspective and working with a public perspective and. Yeah. A little bit of getting yelled at here and there. So that was influential. Then, you know, out of college I started writing programs. I wrote, worked for a small insurance company, wrote their flexible benefits program. That gave me a lot of experience before I went to Wang and did things.
B
Yeah.
A
So. Yeah. Then just working through different things along the way and figuring out where'd you go to school? Bad. I went to school out in North Adams. So I went to North Adams State and then. Oh yeah, yeah. Did a few things at the Wharton School a little bit later on.
B
Nice.
A
But this was. I'll date myself again. This was like first years of computer science degrees. Right. You know, our classes were. Oh, we got these gifted little Unix boxes from AT&T. Let's.
B
Oh yeah.
A
Let's network them together. Right.
B
Yeah.
A
Oh yeah.
B
Running BSD Berkeley 4.2 and.
A
Yeah. Yeah.
B
Oh, so we probably the same age.
A
Yeah. And. But it was great. Oh, you know, let's go learn C together. Oh yeah. We have regular classes and compiler construction and all those other things, but let's go learn a new language. And that was a course we did with. With the professors. So small school, small classes, lots of self learning, internship, those types of things just really set me up. So, you know, when I went to my interview for a number of different. I interviewed at Prime way back in the day. But you know, it set me up from an experience perspective to be able to say, oh, I built something. Yeah. They're running all their flexible benefits through what I built. And it was on DB2 and on a little PC. Right. So those types of things were really just changing really fast. It was cool. Right. That's why I said we got the.
B
Luxury of tech was cool back then.
A
Starting the Internet. Right. Then we got the luxury of going through cloud. Now we're getting the luxury of going through AI. So it's a great AI is going to be another great time.
B
Yeah. And we get the benefit of the music. The great music.
A
Right? Absolutely. No question.
B
All right, so I'm going to ask you the music question. You're on an island. You can bring five records with you albums. What would you bring?
A
It'll be hard.
B
What would be hard?
A
To pick the ones that you would bring. What would you get sick of? So I grew up with like the Journey and the Rush and.
B
Yeah.
A
Van Halen. Yeah. But you have to have some Led Zeppelin in there too.
B
Gotta have Zeppelin. Which Zeppelin album would you bring?
A
Do you know?
B
What album do you bring from Zeppelin?
A
Oh, I don't even know.
B
Four, maybe that one.
A
Yeah. That was a great one. Yeah, but cool. Yeah.
B
Well, you know, Rush is coming back. They found a new drummer.
A
Okay, cool.
B
And, yeah, so they're going to start touring again.
A
So I did see them in concert down in Worcester. Yeah.
B
Oh, the Worcester Centrum.
A
Yeah, yeah, whatever that. I can't remember what it was. Yeah, yeah, yeah, yeah, yeah. Back then, and concerts weren't bad at all. They weren't expensive. No. We were working at grocery store and.
B
We could go, yeah, like 12, 24 bucks. Like, whatever.
A
Like.
B
Yeah, like today could change. Oh, my gosh. Yeah.
A
Yeah.
B
I did six Dead shows at the Sphere, and I think I had a mortgage in my home.
A
It was incredible. The Eagles are on my list at the Sphere. I'm gonna try to get there.
B
Have you been to the Sphere yet? No, no. Tim, you gotta go. It's. It's incredible. I looked at all the videos and it just doesn't give it. You gotta experience it yourself. It's an incredible experience, but I've done nine shows there and hopefully I'll do more.
A
Hopefully.
B
The dead. You know, Bobby Weir just passed away, so, yeah, after we all mourn his loss, hopefully the music continues.
A
But we'll see.
B
All right, so if you weren't doing this job, what would you be doing? What's your passion? We talked about farm, but is there anything else that you'd be doing if you weren't?
A
I like cars, too. I never wanted to do a job, but I play a lot with cars. Right. So I have a collection of different ones. I'm always, you know, you got the farm work, but then I've got a Corvette. I've got an old BMW. I've got an old Jeep truck. Okay. Yeah.
B
Mustang. Get a Mustang.
A
I do. Well, what's my son short of a 67 Mustang? And I built Windsor. Yeah, yeah. Hard top. Yeah.
B
Nice, nice.
A
So I was just visiting my son and we got his '57 Willys wagon going this weekend.
B
What?
A
Yeah. So I enjoy cars. It's a fun thing to do. I don't know if I'd make a career of it, but. Yeah, that's a hard career, but it's still fun. It's fun to tinker, fun to build. Very cool. Fun to design, fix, figure out what's going wrong. All of those things.
B
Yeah, yeah. Cars were simple 30 years ago.
A
So that's why a lot of ours are 30 years old.
B
Yeah, exactly. Any predictions for AI over the next couple of years?
A
Yeah, absolutely. So I'm a big fan. So we're gonna hit Bumps. Right. Historically we always hit bumps during our evolutions and I really do see this one as one that's going to be broader than what we saw for. Yeah. For Internet and cloud. Maybe not Internet. Internet was very broad, affected everyone. Yeah. So, but cloud, cloud only affected some. Right. This one will be equivalent. So it won't be an easy transition in many ways I'm truthfully very worried about both India, Manila, simply the help desk areas and where we've outsourced roles. I think we're going to see huge unemployment in those spaces and how we're going to handle that. It's going to need to be, it will be interesting. Right. It's going to be, you know, going to steam power. Right. And it's. Yeah. So that's one side of the AI world. From a, from a security perspective, at a tactical level of AI today we're going to look to how we can make ourselves more efficient doing what we're doing. We're starting to see folks start thinking more strategic. Right. And saying, well, how can I use this to give me a leg up over the adversaries? How can I do things completely different than what I've done? And in the 30, 40 years, whatever we've been around, we've always been taking complexity out of the system and making it so humans can understand. What does the network look like? Oh, it looks like this. I can understand it, but what does this look like? Oh, let's make one identity provider across thing. Let's make things so that we can be as efficient as possible. I think AI is going to actually allow us to remove that, some of that efficiency for security. I think why don't we have all military grade network because it was too expensive for us to do. Right. So with AI, maybe not. Right. So I look at it like humans don't fly the B1 bomber, right. You can't fly. It's an impossible thing to fly without the computer. 
So when we look at what AI could do for us, it can make us do some of the impossible things, make us do things that are less expensive and still work. So not still are better than what they were. So I think we're going to see evolution in a lot of different areas and then evolution inside of just simply the things that we couldn't process with data and look at data in a different way, be able to really look at data sets and be able to come up with things that humans just were not set up to do. So we're going to hit some bumps. Right. And there'll be bumps in the road. But I think, you know, I really am a proponent. I think we're going to use this evolution for good and we're just gonna have to work through some of the bumps that are gonna come up in the next few years.
B
No, I love that. And the focus on the human transition is so critical to really ensuring, you know, we smooth out those bumps as much as we possibly can.
A
Yeah, as much as we possibly can. Because it's just a fact. Right. Just look around and what we see from today's who are. What humans are getting displaced. Right. You see. Yeah. We've dropped 4,000 jobs from our support staff or our help desk staff or our call centers. And it's doing a good job. Right. Probably doing a better job at the function.
B
Yeah.
A
So then how do we help transition people out? The other human side of it is how do we embrace and then still employ the lower levels that are going to then get to the higher levels? Right, yeah. So there's a skip generation as well in the middle that's going to be. Have difficulty. The kids that are getting out of school today are becoming very AI literate. And that's a good thing. Right. So going into the workforce, they're extremely AI thinking and AI prepared. But you had that group that's, you know, has graduated in the last little while, in the last five years or so that are not in that same state. So.
B
Yeah, interesting.
A
That's really things we've got to work on from a human perspective. Right?
B
Yeah. I'm glad you pointed out India and Malaysia too, because I think when people think about the impact of jobs, they're always thinking about the US Only, but. Right, yeah, it's a global. It's going to be a global effect and it's really, really good to think about that in that way. All right, we're coming up at the end. Any last advice for folks coming out of school right now?
A
So especially in the security field. Right. Be a lifetime learner. Right. That's number one. Right. Our world has changed so many times over and over again, and you have to embrace that change and be willing to learn again and be able to learning to learn again. Be excited about learning. The AI world can either be a great opportunity or it could be a detriment. And think about the opportunities that it presents itself, the opportunities to do things differently. So always continue to think that's a big, big advice. And then embrace the new models. Embrace the new models of work. Work models change, sometimes very drastically, sometimes takes a while. But yeah. If you're embracing change, embracing learning, if you're going to be that person that come in and say, yeah, great, well, I don't know this today, but I can go learn it right then you're going to be much more prepared to succeed in the future. Yeah.
B
Tim, thank you so much for joining the program. Really appreciate you and all your experience and learnings. You've been great today. Thank you very much, sir.
A
Absolutely. Thank you for the opportunity.
B
All right, this is Ed Gaudet from the Risk Never Sleeps podcast. And if you're on the front lines protecting patient safety and delivering patient care, remember to stay vigilant because risk never sleeps. Thanks for listening to Risk Never Sleeps. For the show notes, resources and more information on how to transform the protection of patient safety, visit us at censinet.com, that's C-E-N-S-I-N-E-T dot com. I'm your host, Ed Gaudet. And until next time, stay vigilant because risk never sleeps.
No Simulation Mode: What Happens When the Worst-Case Scenario Is Real
Guest: Tim Brown, CISO & VP of Security, SolarWinds
Host: Ed Gaudet, CEO & Founder, Censinet
Date: February 5, 2026
In this episode, Ed Gaudet sits down with Tim Brown, Chief Information Security Officer and VP of Security at SolarWinds, to explore what it’s like when the theoretical “worst-case scenario” becomes reality. The conversation centers on the aftermath of the landmark SolarWinds supply chain attack, lessons on incident response, regaining customer trust, and personal reflections on navigating crises and careers in security. Listeners gain first-person insights, practical advice, and a glimpse into the personality and resilience required to lead through unprecedented cybersecurity incidents.
On Muscle Memory:
“So, muscle memory really is very important. So first lesson is making sure that you practice and don't just practice the big stuff…use tabletops, use little tabletops.”
(Tim Brown, 06:12)
On Transparency vs. Legal Silence:
“Transparency is critical. Yes. So that's where you have to have the balance. And we got a lot of credit for transparency... The best thing you can do is be quiet, not talk to anybody. [But] company surviving perspective and thriving perspective, you know, transparency is critical.”
(Tim Brown, 14:58)
On Leading Through Crisis:
“I didn't just ruin our Christmas. I ruined, you know, 18,000 customers’ Christmases. So they should be mad.”
(Tim Brown, 14:35)
On Security Leadership After a Breach:
“Shocking skills that I needed post incident were very different than the skills I needed pre incident…if you're not capable for that thing, you have to be, you know, consider being augmented or potentially replaced because the skills are just very different.”
(Tim Brown, 16:59)
On the AI Transition:
“I think we're going to see huge unemployment in those [outsourced help desk] spaces and how we're going to handle that…It's going to be, you know, going to steam power, right. And it's, yeah.”
(Tim Brown, 27:38)
On Lifelong Learning and Adaptation:
“Be excited about learning. The AI world can either be a great opportunity or it could be a detriment. And think about the opportunities that it presents itself, the opportunities to do things differently. So always continue to think.”
(Tim Brown, 32:35)
On Team Culture During Crisis:
“We all had little lapses here and there, but we gave each other kind of grace throughout the process.”
(Tim Brown, 18:36)
For more resources and ways to boost your risk awareness and safety, visit www.censinet.com.