Problem
The year 2020 held many societal challenges for us to navigate. And as if that wasn’t enough, the year closed out with the announcement of a significant cybersecurity exploit using a widely accepted security software, SolarWinds.

Practice
IP Services utilizes many widely adopted best in class enterprise tool sets as a part of our best practices approach delivering our Managed Services. These various tools deployed throughout our infrastructure for support and service purposes, includes SolarWinds. At IP Services, we are committed to our best practices approach of engaging ITIL and other cybersecurity processes to ensure ours and our client’s networks are secure and available. One of our core processes is designed to ensure clients’ networks and systems are safe and systems are not disrupted by any unnecessary or unplanned changes.

At IP Services we have developed and adhere to a very strict release management process. In fact, we literally “wrote the book”. (Series of Visible Ops Handbooks)

IP Services is vigilant in security awareness including communications and alert subscriptions with all of our critical vendors when security alerts such as this arise. We have been on high alert since the SolarWinds exploit was
initially reported and take all threats very seriously and investigate them as a matter of our security practice.

Impact
At IP Services, our practice has been to NOT deploy to latest versions as they are released. Rather, we take time to evaluate whether it’s necessary for operability or if it closes any known security gaps. As such, we have not moved to any of the versions that were affected by this exploit.

We have our Security Management Awareness Response Team (SMART) monitoring all releases and may opt to make a version move if it accomplishes our goal of securing, monitoring, and continuing to protect from malicious activities such as the SolarWinds exploit.

Note: This practice does NOT include Zero Day Vulnerability Exploit Patches to keep networks and systems we manage secure; those patches are applied upon ZERT (Zero Day Emergency Response Team) verification.

Summary
To reiterate, the reason we are highly confident we are not compromised is because without a fully justified reason such as security or operability; we do not commit to any version changes or upgrades. We not only apply these best practices approaches to our enterprise tools, but also in some cases system and network device operating systems as well. Our Change Management Practices and policies are an ultimate backstop to identify security threats and breaches.

There is no 100% failproof system or process.

Leave a Comment