The problems of brand association

I’ve been thinking about SolarWinds MSP partners recently and wondering what it was like for them when news of the huge breach at SolarWinds started to come through in December last year.

What must they have been thinking as the the list of prodigious names grew larger, encompassing the likes of the US departments of Defense, the Treasury, Homeland Security, Health, Energy and State, then Microsoft, Cisco, Intel, Nvidia, FireEye, VMware and Belkin?

I’m sure they would be quick to try to draw a distinction between SolarWinds and SolarWinds MSP to reassure anxious customers they would not be affected by the breach.

SolarWinds did something similar in its latest security advisory about the breach on its Orion platform, dated 31 December.“While our investigations are early and ongoing, based on our investigations to date, we are not aware that this Sunburst vulnerability affects other versions of Orion Platform products,” it said. “Also, while we are still investigating our non-Orion products, we have not seen any evidence that they are impacted by the Sunburst vulnerability.”

It’s not unequivocal though, is it? Not yet. And it may be a while before it is – remember, the investigations are “early and ongoing”. It may be assurance enough that the advisory contains a list of products not known to be affected, including a range of SolarWinds MSP N-Central products, PassPortal, MSP Manager and RMM. But that’s not quite the same as known not to be affected.

So if you’re a SolarWinds MSP customer and you see all this stuff about SolarWinds, what do you think? Are you comfortable that there’s no possible threat to you? Do you treat it in the same way as you would if you owned a Volvo V90 and there was a recall on Volvo V60s? Are you happy to make the distinction between the two?

Or do you think: “Hang on a second, SolarWinds has this huge vulnerability that has hit all these critical departments and huge companies and I’m supposed to be fine with that?” In other words, does SolarWinds MSP become a collateral victim of the reputational damage to SolarWinds?

Whatever else it may suffer from, SolarWinds MSP has definitely been a victim of bad timing. In August last year, it announced plans to potentially spin off from its parent, and those plans are still in process.

SolarWinds MSP president John Pagliuca revealed in a letter to partners on 30 December 2020 that it was continuing to explore the potential spin-off, adding: “We have some exciting news to share. We’ve chosen a new name, and I’m excited to tell you that we will be called N-able. This name may sound familiar, as N-able extends the roots of who we are as a company. It’s all about the performance, protection and partnership you need to power your clients – and your business – forward.”

Bearing in mind that news of the SolarWinds breach first emerged in public on 14 December, it is perhaps unfortunate that SolarWinds MSP hadn’t been just that little bit quicker to make the break. Pagliuca’s letter noted that it had “confidentially submitted a Form 10 with the SEC on 4 December, 2020, regarding the potential spin-off”.

Usually, a name change and spin-off can be a bit of a hassle for partners and their customers. I suspect that won’t be so much of an issue in this instance. SolarWinds MSP and its partners are probably hoping the spin-off means they won’t be connected to a company that helped enable such a widespread attack. If anything, it might enable them to make a clean break.