WEBVTT 1 00:00:00.300 --> 00:00:02.010 Michael Novinson: Hello, this is Michael Novinson with 2 00:00:02.040 --> 00:00:05.070 Information Security Media Group. I'm joined today by 3 00:00:05.070 --> 00:00:09.060 Sudhakar Ramakrishna. He is president and CEO of SolarWinds. 4 00:00:09.300 --> 00:00:10.620 Good morning, Sudhakar. Doctor, how are you? 5 00:00:11.159 --> 00:00:12.329 Sudhakar Ramakrishna: Good morning, Michael. Thanks for 6 00:00:12.329 --> 00:00:15.089 having me. I'm doing great. Hope you're doing well as well. 7 00:00:15.450 --> 00:00:17.550 Michael Novinson: I'm doing very well. Thank you for making the 8 00:00:17.550 --> 00:00:21.750 time. Wanted to jump into things here to talk about the recent 9 00:00:21.750 --> 00:00:25.080 launch of SolarWinds Observability. Specifically I 10 00:00:25.080 --> 00:00:28.920 wanted to get a sense of what the implications are of this new 11 00:00:28.920 --> 00:00:31.050 offering from a cybersecurity standpoint. 12 00:00:31.600 --> 00:00:33.940 Sudhakar Ramakrishna: Absolutely. Michael, as you know, SolarWinds 13 00:00:33.940 --> 00:00:38.320 is a leader in monitoring solutions. And we have over the 14 00:00:38.320 --> 00:00:42.520 last 20 years, provided customers with great solutions 15 00:00:42.520 --> 00:00:47.080 for networks, applications, database, infrastructure and 16 00:00:47.080 --> 00:00:52.030 Cloud Monitoring. Over the last 18 months, we have been evolving 17 00:00:52.030 --> 00:00:57.100 into what we call full stack observability, except that we 18 00:00:57.100 --> 00:01:00.010 are taking customers on a cloud journey. So in other words, we 19 00:01:00.010 --> 00:01:03.940 are not imposing on them that they only have to consume it in 20 00:01:03.940 --> 00:01:07.690 SaaS, or they only have on-premises solutions, what we 21 00:01:07.690 --> 00:01:10.780 are doing is evolving our monitoring into observability. 22 00:01:10.780 --> 00:01:13.780 So there are two important elements of the announcement 23 00:01:13.780 --> 00:01:17.200 that we made. One is extension of our hybrid cloud 24 00:01:17.200 --> 00:01:20.860 observability solutions, which are largely on-premises but can 25 00:01:20.860 --> 00:01:25.270 be deployed in a hybrid world, and the introduction of our SaaS 26 00:01:25.300 --> 00:01:29.500 observability solutions, which can actually co-mingle and 27 00:01:29.530 --> 00:01:31.990 co-reside in customer environments to provide them a 28 00:01:31.990 --> 00:01:36.100 continuum, let's say from premises to hybrid to complete 29 00:01:36.100 --> 00:01:41.050 SaaS, depending on the pace of their cloud journey. Both of 30 00:01:41.050 --> 00:01:45.520 these solutions are built on our secure-by-design foundation. So 31 00:01:45.520 --> 00:01:49.960 all the work that we have done over the last two years almost 32 00:01:49.960 --> 00:01:55.090 in terms of implementing security elements to the build 33 00:01:55.090 --> 00:01:59.470 systems, the software supply chain, and the enhancements that 34 00:01:59.470 --> 00:02:04.270 we've made, will essentially result in a more robust and more 35 00:02:04.270 --> 00:02:06.730 secure solution for our customers. 36 00:02:08.400 --> 00:02:09.870 Michael Novinson: From the standpoint of the customer 37 00:02:09.870 --> 00:02:12.960 themselves, how can adopting implementing SolarWinds 38 00:02:12.960 --> 00:02:15.150 Observability help them with their own security? 39 00:02:15.780 --> 00:02:19.320 Sudhakar Ramakrishna: So first things first, Michael, is that 40 00:02:19.590 --> 00:02:25.560 the hybrid cloud observability helps customers consolidate 41 00:02:25.830 --> 00:02:28.980 tools, or in other words, eliminate tool sprawl. That's 42 00:02:28.980 --> 00:02:32.880 step one. As a result of doing that, we have also enhanced 43 00:02:32.880 --> 00:02:37.530 through AI and ML techniques, better call it alert stacking, 44 00:02:37.560 --> 00:02:42.420 as you know, alert fatigue is a real thing. And we are trying to 45 00:02:42.450 --> 00:02:48.000 work with customers to help them get to the right alerts faster. 46 00:02:48.270 --> 00:02:51.150 So in essence, when they have security incidents, they are 47 00:02:51.150 --> 00:02:54.000 able to address the right incidents faster through our 48 00:02:54.000 --> 00:02:58.110 technology as well. In doing both those things, we are 49 00:02:58.110 --> 00:03:01.590 improving their productivity and reducing their costs. So there's 50 00:03:01.590 --> 00:03:05.460 a lot of compelling value from a security standpoint. But there's 51 00:03:05.460 --> 00:03:08.100 an economic value associated with that as well. 52 00:03:09.860 --> 00:03:11.840 Michael Novinson: In terms of cloud adoption, and I know you 53 00:03:11.840 --> 00:03:14.780 offer this in some a couple different form factors. What 54 00:03:14.780 --> 00:03:17.450 have you seen in terms of cloud adoption and shifts and usage 55 00:03:17.450 --> 00:03:19.940 patterns, since the onset of the COVID 19 pandemic? 56 00:03:21.010 --> 00:03:22.900 Sudhakar Ramakrishna: Remote work, I would say has been 57 00:03:22.900 --> 00:03:26.320 driving a lot of the acceleration in in cloud 58 00:03:26.320 --> 00:03:30.610 adoption as well. So they are in many ways intertwined. What we 59 00:03:30.610 --> 00:03:34.690 noticed is that while there was a lot of cloud adoption, as a 60 00:03:34.690 --> 00:03:38.950 result of COVID, customers are also realizing for my 61 00:03:38.980 --> 00:03:44.200 environment, for my economics, is going all into the cloud is 62 00:03:44.200 --> 00:03:48.220 the right answer, or is there a way I can have a hybrid model 63 00:03:48.460 --> 00:03:52.060 where policies, user experiences, deployments can be 64 00:03:52.060 --> 00:03:57.910 viewed as one large and one single and unified view, while I 65 00:03:57.910 --> 00:04:02.140 still sweat my on-premises assets, so to speak. So I'm 66 00:04:02.140 --> 00:04:06.010 increasingly seeing, especially in this environment, where high 67 00:04:06.010 --> 00:04:09.340 inflation, compress budgets, which I won't go into, because 68 00:04:09.340 --> 00:04:13.420 everybody knows about these, value and the element of 69 00:04:13.450 --> 00:04:16.750 deriving value becomes even more important. So I would say they 70 00:04:16.750 --> 00:04:22.270 are still focused on the cloud journey, but maybe not as 71 00:04:22.270 --> 00:04:26.680 accelerated the pace as they used to at the advent of the 72 00:04:26.680 --> 00:04:27.370 pandemic. 73 00:04:28.810 --> 00:04:31.750 Michael Novinson: Interesting, wanted to talk a little about 74 00:04:31.750 --> 00:04:34.900 the market landscape. So if SolarWinds were to find 75 00:04:34.900 --> 00:04:38.020 themselves in a competitive bid scenario around observability or 76 00:04:38.020 --> 00:04:40.420 some of the other products, which companies are you most 77 00:04:40.420 --> 00:04:42.520 frequently encountering, and what do you consider to be your 78 00:04:42.520 --> 00:04:43.780 biggest differentiators? 79 00:04:44.740 --> 00:04:46.450 Sudhakar Ramakrishna: So I'll start with the differentiators 80 00:04:46.450 --> 00:04:49.060 at a company level first, Michael, and then talk about 81 00:04:49.090 --> 00:04:54.790 each of the segments the way we are projecting our value to 82 00:04:54.790 --> 00:04:57.340 customers. Over the years we have said we will deliver 83 00:04:57.340 --> 00:05:01.180 simple, powerful and increasingly secure solutions - 84 00:05:01.210 --> 00:05:05.290 simple, powerful and secure. Through that process, what we 85 00:05:05.290 --> 00:05:08.860 intend doing is increase customers productivity and 86 00:05:08.860 --> 00:05:13.720 reduce their costs. And specific to our solutions, we focus on 87 00:05:13.720 --> 00:05:18.160 three value drivers. Best time to value in the market, you buy 88 00:05:18.160 --> 00:05:21.520 our products, you start getting value quickly. This is one 89 00:05:21.520 --> 00:05:24.700 dynamic that I'm seeing with customers where they don't want 90 00:05:24.700 --> 00:05:29.770 long value cycles, buying, implementing, testing, adopting, 91 00:05:29.770 --> 00:05:33.490 and then finally getting value. So compress time to value, 92 00:05:34.600 --> 00:05:38.710 fastest time to isolate and identify issues in their 93 00:05:38.740 --> 00:05:41.350 multi-cloud environments, not just in networks, but multi 94 00:05:41.350 --> 00:05:45.460 cloud environments. There, the fact that I spoke about the 95 00:05:45.550 --> 00:05:48.940 AI/ML capabilities, for instance, is a way of giving 96 00:05:48.940 --> 00:05:52.000 them the fastest time to identify. And last but not 97 00:05:52.000 --> 00:05:55.390 least, it's not good enough just to identify issues, but time to 98 00:05:55.390 --> 00:05:59.380 remediate. So time to value, time to identify, time to 99 00:05:59.380 --> 00:06:02.800 remediate are the three value drivers across the entire 100 00:06:02.800 --> 00:06:05.560 portfolio that we're building, whether it is database 101 00:06:05.560 --> 00:06:10.900 monitoring, service management, or full-stack observability. In 102 00:06:10.900 --> 00:06:15.340 terms of competitors, the way I would describe it is, depending 103 00:06:15.340 --> 00:06:19.330 on the segment that we are in, let's take call it the broader 104 00:06:19.360 --> 00:06:24.070 observability segment, we have the traditional monitoring 105 00:06:25.210 --> 00:06:29.470 providers as well, because it is a share of wallet, thing, 106 00:06:29.890 --> 00:06:34.600 traditional being more of the microfocuses and the computer 107 00:06:34.600 --> 00:06:38.590 associates of the worlds. But unfortunately, I don't believe 108 00:06:38.590 --> 00:06:41.920 that innovation cycles are rapid enough to give customers the 109 00:06:41.920 --> 00:06:46.510 confidence necessary to traverse in the multi-cloud world and 110 00:06:46.510 --> 00:06:53.110 more of the new age, but more focused on a particular segment 111 00:06:53.110 --> 00:06:56.680 of observability - be the new relics of the world that come 112 00:06:56.680 --> 00:07:01.120 largely from an app management and app monitoring type of world 113 00:07:01.150 --> 00:07:05.320 and spreading into the observability spectrum. Splunk, 114 00:07:05.320 --> 00:07:08.320 as you know, is getting more from a security dimension to the 115 00:07:08.320 --> 00:07:11.920 observability dimension. And then obviously Datadog is taking 116 00:07:12.370 --> 00:07:16.060 a different approach, starting from infrastructure and moving 117 00:07:16.180 --> 00:07:19.930 up into applications and others. So different vendors are coming 118 00:07:19.930 --> 00:07:25.120 at it from a different angle of incidence. But the fundamental 119 00:07:25.120 --> 00:07:29.650 differentiator, I would say is we are taking customers from 120 00:07:29.650 --> 00:07:32.770 where they are today and evolving them in the multi-cloud 121 00:07:32.860 --> 00:07:37.150 journey. So like I said at the beginning, not forcing a 122 00:07:37.150 --> 00:07:41.080 particular way of deploying, and also giving them the user 123 00:07:41.080 --> 00:07:45.010 experiences, the seamless migrations, and the economic 124 00:07:45.010 --> 00:07:49.540 value of the evolution from monitoring to observability, 125 00:07:49.600 --> 00:07:51.220 like nobody else is able to do. 126 00:07:53.020 --> 00:07:54.640 Michael Novinson: In December, it will have been two years 127 00:07:54.640 --> 00:07:57.580 since the world learned of the Sunburst attack. What do you 128 00:07:57.580 --> 00:07:59.560 consider to be the biggest lessons learned both for 129 00:07:59.560 --> 00:08:02.440 SolarWinds in particular, as well as the industry as a whole? 130 00:08:03.430 --> 00:08:06.370 Sudhakar Ramakrishna: That we continue to learn, is the way I 131 00:08:06.370 --> 00:08:10.780 would say it, Michael, we are a learning organization. And as 132 00:08:10.780 --> 00:08:17.200 you know, we came through the Sunburst set of issues with 133 00:08:17.230 --> 00:08:21.490 outlining our secure-by-design principles, which were at some 134 00:08:21.490 --> 00:08:24.670 level learnings at that point. But the learnings continue to 135 00:08:24.670 --> 00:08:30.340 refine. A few reinforcements I'd make is situations like Sunburst 136 00:08:30.340 --> 00:08:34.840 are unfortunate, but they require us to constantly focus 137 00:08:34.840 --> 00:08:37.690 on the learnings. And one of the key learnings is the need for 138 00:08:37.690 --> 00:08:41.890 public and private partnerships is probably never been greater 139 00:08:41.920 --> 00:08:45.730 than it is today. In fact, I've been most recently in many 140 00:08:45.730 --> 00:08:49.390 fireside chats and discussions where we are trying to amplify 141 00:08:49.390 --> 00:08:52.600 it because it is important to understand that no one single 142 00:08:52.600 --> 00:08:56.800 company - no matter how good is how many resources we have - is 143 00:08:56.800 --> 00:08:59.620 able to defend ourselves especially against let's say a 144 00:08:59.620 --> 00:09:05.710 nation-state attack. So it is my continuous appeal to both 145 00:09:05.740 --> 00:09:09.970 private and public to have a better partnership so we can 146 00:09:10.030 --> 00:09:17.020 protect assets better. The software supply chain issues are 147 00:09:17.020 --> 00:09:21.610 real, and we cannot lose sight of those. So we have done quite 148 00:09:21.610 --> 00:09:25.840 a bit of extensive work and built processes and implemented 149 00:09:25.840 --> 00:09:28.900 security or better yet, I like to call it left shifting 150 00:09:28.900 --> 00:09:32.470 security. So it doesn't start at pen testing. It is at the 151 00:09:32.470 --> 00:09:34.840 development and the design phase, which is why I'm very 152 00:09:34.840 --> 00:09:38.170 deliberate about calling it secure by design. It is a real 153 00:09:38.170 --> 00:09:42.190 thing that must be adopted by the entire industry. We have 154 00:09:42.190 --> 00:09:45.550 done some extensive work - published white papers as 155 00:09:45.610 --> 00:09:48.430 essentially open source for everyone to use, and that 156 00:09:48.430 --> 00:09:51.070 becomes an increasingly important conversation with my 157 00:09:51.100 --> 00:09:56.860 customers. Three is vendor validation by customers is a 158 00:09:56.860 --> 00:10:02.050 more and more relevant thing to do. Vendors need to educate 159 00:10:02.050 --> 00:10:05.080 themselves on what are the key things we should ask. I should 160 00:10:05.080 --> 00:10:08.320 say customers need to educate them on what should I ask 161 00:10:08.320 --> 00:10:12.610 vendors for in terms of the security posture, not just in 162 00:10:12.610 --> 00:10:16.330 investment, but in actually processes, tools and techniques 163 00:10:16.330 --> 00:10:19.660 that they use, because we are pocketing value chain in an 164 00:10:19.660 --> 00:10:24.010 ecosystem, and deficiencies in one will affect the other. So 165 00:10:24.010 --> 00:10:27.340 these are three areas that I would say need heightened focus. 166 00:10:28.750 --> 00:10:31.480 Michael Novinson: In terms of the embedding security into that 167 00:10:31.480 --> 00:10:34.570 build process - the design and the development process - what 168 00:10:34.570 --> 00:10:36.580 are some of the obstacles and challenges that you've had to 169 00:10:36.580 --> 00:10:38.800 navigate as you try to put that into practice? 170 00:10:39.970 --> 00:10:43.090 Sudhakar Ramakrishna: So I'll give you a very quick update on 171 00:10:43.090 --> 00:10:47.650 that. We run three build systems or build processes, Michael. The 172 00:10:47.650 --> 00:10:52.060 location of those builds, will change. Who has access to those 173 00:10:52.060 --> 00:10:56.080 changes? So first things first was changing the developers' 174 00:10:56.080 --> 00:10:58.780 behaviors themselves, because they're used to a certain way of 175 00:10:58.780 --> 00:11:01.600 doing things, which is true in every company, and we had to 176 00:11:01.630 --> 00:11:06.130 enforce or we had to influence - I should say not enforce - them 177 00:11:06.130 --> 00:11:09.670 to understand why we have to do these things. And then once they 178 00:11:09.670 --> 00:11:14.320 jumped on it, it was a matter of like, second nature now for us 179 00:11:14.320 --> 00:11:18.310 to be able to do that. So that is one. Two, it is a pragmatic 180 00:11:18.310 --> 00:11:22.030 issue that many companies will fail face, which is, it's an 181 00:11:22.030 --> 00:11:26.350 investment that you make, because you are investing in 182 00:11:26.350 --> 00:11:28.930 security, you're investing in your people, and you're 183 00:11:28.960 --> 00:11:33.970 investing in your processes. Oftentimes, you may discount the 184 00:11:33.970 --> 00:11:38.260 significance of it. But I can say that from prior experience, 185 00:11:38.290 --> 00:11:41.680 and hear that it will pay off a lot. And in terms of confidence 186 00:11:41.680 --> 00:11:46.030 you have with customers, and it has some very strong ROI, even 187 00:11:46.030 --> 00:11:49.450 if you think about it in ROI terms. So that's a second, I 188 00:11:49.450 --> 00:11:54.190 would say. It needs to be elevated from a prioritization 189 00:11:54.190 --> 00:12:00.430 standpoint. Third, I would say is the real effort in testing, 190 00:12:00.430 --> 00:12:04.270 validating, and qualifying, when you have multiple build systems, 191 00:12:04.450 --> 00:12:07.960 the integrity of the code itself. So that's more of the 192 00:12:07.960 --> 00:12:10.390 effort side of it. So those are the three elements. 193 00:12:11.030 --> 00:12:13.370 Michael Novinson: Surely after you started as CEO in January 194 00:12:13.400 --> 00:12:16.910 2021, you announced the secure-by-design initiative. And 195 00:12:17.390 --> 00:12:21.770 now looking back over the past 21 months, what are some of the 196 00:12:21.770 --> 00:12:24.380 bigger changes that you've made to secure by design? And what 197 00:12:24.380 --> 00:12:28.220 are some of the bigger areas of emphasis for secured by design 198 00:12:28.220 --> 00:12:30.860 that maybe were on top of mind when you first launched this? 199 00:12:32.310 --> 00:12:34.710 Sudhakar Ramakrishna: Michael, the principles of secure by 200 00:12:34.710 --> 00:12:38.190 design have stayed the same. But what I will say is that the 201 00:12:38.190 --> 00:12:42.540 details of secure by design have evolved a lot. I'll give you a 202 00:12:42.540 --> 00:12:48.360 couple of examples. One is, I would say that red team efforts 203 00:12:48.390 --> 00:12:53.280 and secure operating center efforts within SolarWinds are 204 00:12:53.430 --> 00:12:59.340 significantly more advanced than when we started. We do a bunch 205 00:12:59.340 --> 00:13:03.450 of activities, we attack ourselves, the tools, techniques 206 00:13:03.450 --> 00:13:08.460 and processes that my CISOs team uses is not known to a lot of 207 00:13:08.460 --> 00:13:11.970 people. So in essence, we try to do social engineering things, 208 00:13:12.180 --> 00:13:18.120 penetration testing, without users knowing about it. And we 209 00:13:18.120 --> 00:13:21.450 learn a lot from it. And let's say you click on a very 210 00:13:21.450 --> 00:13:25.890 sophisticated phishing attack, you're going to get a teaching 211 00:13:25.890 --> 00:13:29.190 lesson, so to speak from us. So these are all techniques that we 212 00:13:29.190 --> 00:13:32.790 have been continuously improving in the spirit of elevating our 213 00:13:32.820 --> 00:13:37.830 internal security postures, that is definitely number one that 214 00:13:37.830 --> 00:13:43.710 has improved. Two is the image of SolarWinds itself has 215 00:13:44.850 --> 00:13:47.790 evolved, I would say quite drastically and dramatically. 216 00:13:48.300 --> 00:13:52.170 Whereas people may have been skeptical about secure-by-design 217 00:13:52.200 --> 00:13:55.590 work. Whereas people may have been skeptical about our own 218 00:13:55.590 --> 00:14:00.360 competencies. Routinely, I see customers, partners, others 219 00:14:00.540 --> 00:14:03.420 wanting to implement the techniques that we are using in 220 00:14:03.420 --> 00:14:08.130 their environments. Again, going back to the need for us to all 221 00:14:08.130 --> 00:14:11.970 be part of the same ecosystem and a secure ecosystem. That's 222 00:14:11.970 --> 00:14:15.240 changed a lot. Three, in the build systems - in the build 223 00:14:15.240 --> 00:14:18.810 processes - we are using a number of techniques to improve 224 00:14:18.810 --> 00:14:22.650 the security posture. Not just like things like static code 225 00:14:22.650 --> 00:14:27.270 analysis and pen testing and such. But looking at open 226 00:14:27.270 --> 00:14:30.240 source, understanding open source vulnerabilities, 227 00:14:30.630 --> 00:14:35.400 checkpointing software, the multiple build systems, those 228 00:14:35.400 --> 00:14:37.980 are all evolutions that have happened in the last 10 to 12 229 00:14:37.980 --> 00:14:38.430 months. 230 00:14:40.140 --> 00:14:42.030 Michael Novinson: Interesting. Finally here, I wanted to turn 231 00:14:42.030 --> 00:14:45.210 back from internal security to helping customers secure 232 00:14:45.210 --> 00:14:48.270 themselves and talk a little bit about what's on the roadmap for 233 00:14:48.270 --> 00:14:51.900 2023 and what innovations customers can expect from 234 00:14:51.900 --> 00:14:55.200 SolarWinds in order for them to improve their own security. 235 00:14:55.860 --> 00:14:58.560 Sudhakar Ramakrishna: So the alert stacking pieces that I 236 00:14:58.560 --> 00:15:02.700 mentioned, the continuous focus on AI/ML from a security 237 00:15:02.700 --> 00:15:05.970 standpoint, but then broadly speaking, the observability 238 00:15:05.970 --> 00:15:12.690 camp, Michael, one of the areas in observability is the security 239 00:15:12.690 --> 00:15:16.950 observability itself. So the uniqueness of our platform is 240 00:15:16.950 --> 00:15:20.310 not only we are we looking at observability from an app, 241 00:15:20.520 --> 00:15:23.970 database, network, monitoring standpoint, but we also looking 242 00:15:23.970 --> 00:15:28.230 at security as an element of observability. And more 243 00:15:28.230 --> 00:15:31.350 critically tying the capabilities of, let's say, 244 00:15:31.350 --> 00:15:36.420 applications, networks, etc, to security and logs and providing 245 00:15:36.420 --> 00:15:40.110 customers with better insights. What it does is again, it goes 246 00:15:40.110 --> 00:15:44.580 back to fault isolation, incident isolation, and incident 247 00:15:44.580 --> 00:15:47.220 remediation. Those are the things customers can expect from 248 00:15:47.220 --> 00:15:47.670 us. 249 00:15:48.900 --> 00:15:50.940 Michael Novinson: Good to know. Sudhakar, thank you so much for 250 00:15:50.940 --> 00:15:51.330 the time. 251 00:15:51.960 --> 00:15:53.490 Sudhakar Ramakrishna: Thanks again, Michael. Pleasure meeting 252 00:15:53.490 --> 00:15:53.970 you again. 253 00:15:54.660 --> 00:15:56.730 Michael Novinson: Yourself as well. We've been speaking with 254 00:15:56.730 --> 00:16:00.420 Sudhakar Ramakrishna. He is president and CEO of SolarWinds. 255 00:16:00.630 --> 00:16:03.840 For Information Security Media Group, this is Michael Novinson. 256 00:16:04.140 --> 00:16:04.950 Have a nice day.