Is Nexthink affected by SolarWinds breach?

Question

Is Nexthink affected by the recent SolarWinds breach?

Answer

No, it is not. Nexthink does not use SolarWinds Orion and has never used SolarWinds Orion. Therefore, we are not affected by this data breach. Even so, we took additional precautionary steps, including having an independent security company search for endpoint and network indicators of compromise (IoC) in our environment. This investigation confirmed that Nexthink is not affected.

Background

SolarWinds offers a product family called Orion Platform for IT monitoring. According to SolarWinds, versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 had a vulnerability inserted in them which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run. According to media reports, this vulnerability was allegedly inserted by a state-sponsored threat actor to further compromise high-value targets including multiple US federal government agencies.

How is Nexthink protecting their products against supply-chain attacks like this?

Secure software development is an integral part of our security program. As such, several security controls have been implemented to detect vulnerabilities from the early stages of the design to the release of products to customers. This includes, but is not limited to, design reviews, third-party library assessments, code reviews, continuous vulnerability scanning and penetration tests. In addition, we classify all components of our software supply chain as critical and apply additional security controls to them. Nexthink binaries are signed following a strict signature process that makes use of a Hardware Security Module (HSM) and ensures strong integrity and suitability requirements.

Nexthink has also achieved the ISO 27001, 27017 and 27018 certifications for our Nexthink Experience cloud platform.