SecurityScorecard's response to the SolarWinds compromise FAQ
What services were added for our customers?
- Ratings, new Portfolios: We have created new Portfolios of the companies identified as having SolarWinds in their environment. Only companies you already follow will appear in a portfolio; if none of the companies you follow is impacted, the portfolio will not be visible.
- Ratings, new Finding: We have added a new informational finding that identifies companies where SolarWinds and SUNBURST were detected.
- Atlas SolarWinds Orion Questionnaire (Coming Soon): A new questionnaire template called “SolarWinds Orion Questions” is now available in Atlas for all users. You can fill out this questionnaire for your organization, proactively share it with your business partners, and send it to your third parties to assess the potential impact.
Why did we create two new Portfolios?
As you may be aware, on December 13, SolarWinds Corporation, a U.S. software company, disclosed that a targeted cyberattack inserted a vulnerability into certain versions of its Orion centralized IT monitoring and management software. To help customers assess the potential impact on their third parties, we have added two new Portfolios. To save everyone time in assessing potential impact, we have aggregated this information into Portfolio views: one for customers with SolarWinds in their own environment, and one for customers who are currently following companies identified as having potential exposure to SolarWinds.
Why have you provided information on SolarWinds products in general rather than only SolarWinds Orion?
SecurityScorecard has provided an indication of whether a company has a SolarWinds product in its environment, NOT whether it is running the affected Orion software. This is based on guidance and caution from CISA that the compromise could extend beyond the Orion products, given the sophistication of the APT adversary. Extending the finding to all SolarWinds products is a precaution in case other products are found to have been breached in the supply chain.
Will my company be identified to all customers on the platform?
Only customers that are following impacted companies at the time the portfolios are created (December 18th, 2020, 6 am EST) will see the information. We are NOT providing a cumulative list.
Are you making this information public?
No, we are not making the list of impacted companies public. Customers must already be following impacted companies at the time the Portfolios are created (December 18th, 2020, 6 am EST).
How do we refute or correct this information?
If you do not believe that this information is correct, please contact our Customer Reliability Team at [email protected].
How will this impact my score?
Those with SolarWinds solutions will not see an immediate impact to their score, as the data is informational and an Analyst Report will be noted under the Breach & Incidents tab. SecurityScorecard ingests signals from HackNotice to provide insight into who was breached. Unless we are notified through this medium to confirm an actual breach, we will only mark the incident as informational. Informational incidents do not impact a company’s score. If and when we confirm an actual breach, a company’s score will drop accordingly.
Will you provide an updated list of companies as more information is discovered?
While we do not have a confirmed update scheduled at this time, we do expect to make updates as we continue to gather information. We will continue to monitor the situation and update the list as we determine necessary.
How was this information gathered?
We identified impacted companies using banner grab data and a predefined list of customers that SolarWinds posted and then retracted. We combined that with scanned-port data and decoding of C2 traffic to reveal victims.
How can I quickly respond to SolarWinds related questionnaires?
If you are concerned about incoming vendor inquiries, Atlas can help. Atlas is our automated questionnaire exchange and validation solution for questionnaire senders and receivers. All Atlas users have access to over 20 template frameworks. This includes the coming-soon, 5-question “SolarWinds Orion Questionnaire” that we created for this incident, which users can fill out for their organization to build their Answer & Evidence Repository. Then, when they receive a new questionnaire, Atlas uses machine learning and natural language processing to automatically suggest responses, saving hours of time.
In order to help you get started, we’ve created these two short videos:
- Fill out and proactively share the “SolarWinds Orion Questionnaire” with Atlas
- Build your Answer & Evidence Repository and use the free Autocomplete to respond to questionnaires
Where can I find more information?
Please visit the new Breaches & Incidents channel in our Customer Community for additional resources such as detailed FAQs, videos, and a Discussion Board around the SolarWinds Orion SUNBURST breach.