The Gately Report: Kaseya CISO on Improved Cybersecurity with Datto Acquisition, Microsoft Teams Security Vulnerability
Hitachi ID Systems has been acquired, rebranded as Bravura Security.
Channel Futures: How has your experience as an FBI special agent come into play and benefited you in your role with Kaseya?
Kaseya’s Jason Manar: It’s benefited me in multiple ways; first and foremost are the obvious ones. I had unprecedented information that was made available to me to understand the threat actors and what they were doing at any given moment. The other thing is, I ran a large cyber squad that was responsible for all the cyber events in the South Florida region. So I had a lot of the same problems that any CISO would have, including hiring the right people, creating training programs and budgeting analysis. I had specific people to hire a computer scientist. And going through that, not only the application process, but what we needed, the trial and error, the right fit, the right culture, the right people in order to get that right team that actually moves the needle forward, was tremendously invaluable when I came here and started building upon the team that already existed. So those are the things that come to mind right off the bat.
The other thing that a lot of people don’t think about is pressure and grace under fire. Unfortunately, with me being in the FBI, being battle tested and probably working over 1,000 different intrusions, you get to see the good, the bad and the ugly with everything under the sun, the way a Fortune 100 company responds, their policies, their procedures, the things that they did right, the things that they did [wrong]. And you see that from Fortune 100 companies all the way down to mom-and-pop shops. And what are we doing? We’re working very closely with our partners to always add security value back to them. It’s one of the things that I’m doing here. I’m meeting with people left and right. And it’s the partnership to where we’re discussing, what are those threat landscapes? And what are those things right now that they could be doing practically to help secure their environment? And really, I owe it all to the FBI.
CF: With ransomware obviously still rampant, how are you helping Kaseya and its MSPs stay safe?
JM: That’s what we’re doing on a consistent basis, right? We have a whole threat team that is constantly reviewing and looking at how we make sure that we are as anticipatory as we can be. While we can never predict the future, we can look at current trends and past trends to help see where that adversary may go. We also have very strong relationships with governments around the world that provide us with information. That gives us a better idea of what we can do to continue to fortify our efforts and continue to strengthen our security posture as we evolve and grow.
We’re specifically looking at not only the threat landscape, but we’re taking individual teams and we’re offensively targeting our own products to make them better. It’s called purple teaming. We have dedicated teams that are constantly going through, and doing static and dynamic code scanning to ensure that our code is up to date, current and secure. We have application security testers that are using cutting-edge frameworks, and outside independent third parties to come in and make sure that not only do we have the right processes in place, but we’re following those right processes in order to secure our software as we develop it. And then we have a very robust security operations team … ensuring that they man that wall and that they’re looking at any of the alerts coming in, that they’re reviewing all the threat intelligence and that they’re looking at all the log ingestion from all our security tools to determine if there is any out of the ordinary behavior on the network.
CF: Proactive security is really important because the impact of a potential attack could be devastating, right?
JM: Absolutely. We all know that the impact on even one of our customers could be devastating. So we want to understand. We want to make sure that we have as robust a process as humanly possible to protect our customers, to protect our organization and, quite frankly, to protect the world. We are a worldwide institution. I used to say that with the FBI. You’ve got to protect and defend the United States from all adversaries, foreign and domestic. Well, now I get to do that on a worldwide stage with Kaseya, because we’re truly a global company. We also understand that, and we say this all the time: It’s a matter of if, not when. So you want to have processes in place that are going to limit that exposure, identify that you have a plan and you rapidly execute on that plan, automate as much as possible to ensure that if that happens, that you’re able to immediately take action, quarantine off any server or any device that would potentially be compromised so it doesn’t lead to a wider compromise. We have individual engineers that are dedicated security architects that review to make sure that, God forbid if this happens again, that we make sure that we’re able to stop it immediately so there’s no east-west transversal.
CF: What do you find most dangerous about the current threat landscape?
JM: I think about year-over-year trends continually moving in an upward direction. And it doesn’t seem like they have a peak. And that constantly worries me because you just see a continual evolution of the adversary. And my biggest fear is that we’ve become numb to the fact when we hear about all these things. If you go and look at intrusions that have happened or you look at events that have happened, you’ll see some of the biggest companies in the world and some of the biggest governments in the world. But we should never become immune or complacent. And I want to make sure that we as a community, as a world, as individuals, don’t get in a state of mind of “Well, it’s a matter of if, not when, so there’s nothing I can do about it.”
That’s my biggest fear, is people are going to have an attitude one day of, “Well, there’s nothing I can do about it, so I’m not even going to address it.” That puts me in a very fearful place of how we would run our systems, run our businesses, run our organizations. I’m very happy that we are very far from anything like that. With Kaseya CEO Fred Voccola at the helm, you hear constant investment in security. You see constantly where he’s talking about it at the forefront of his message. So I don’t think there’s any fear there within our organization. But just worldwide, I want to make sure that we always take security for what it is, which is something that needs to be at the forefront of everyone’s mind.
CF: We have the war in Ukraine, so we’ve got geopolitical instability. And then you put on top of that talk of recession or potential economic instability. Is that having any kind of potential impact on the fight against cybercrime?
JM: Absolutely. In fact, I was getting daily updates on the war in Ukraine and they’ve switched to weekly updates. That is because we see predominantly a large number of the cyberattacks, at least here in the United States, are financially motivated. And economies across the world, if they begin to have a recession, believe it or not, criminals are impacted by that, too. And what are they going to do? They’re going to do what they know, so yes, it’s absolutely a concern. It’s something that we constantly want to stay focused on and ahead of. But that’s why we intentionally are proactive. That’s why we are intentionally investing more in cybersecurity, and that’s why we’re constantly taking steps to get better. I always say that just like Fred says, we’re never going to be perfect. But what we will promise to do is be better today than we were yesterday, and we’re going to be better tomorrow than we were today.
CF: Is it getting increasingly complicated to comply with security requirements?
JM: Every state, every country potentially has different requirements. We have a governance risk and compliance program, which specifically is an entire team that does nothing but reviews and constantly stays updated with the latest and greatest of all laws and regulations within every state and province, as well as country and municipality out there.
CF: After everything that’s happened, are there still companies out there with the mindset of “it won’t happen to me?”
JM: I hear stories like that every single day from our MSP partners. I’ve had several meetings with MSP partners even this week where some of their biggest challenges are getting people to understand the need for cybersecurity. One was a municipality and then another was actually a law enforcement organization within a small community. And their immediate response was, “we just don’t have the funding for that right now, and we haven’t been hit before, so I don’t think we’ll be hit.”
Interesting thing about this particular story is, unfortunately, within that community, not more than two weeks later, the MSP got a call back from that individual who said, “We’re ready to have that talk and we want you to be our provider.”
“What changed your mind? I gave you all the statistics. I told you all that.”
And they said, “Well, our local school system got hit and they were down for three days. And we realized now that that could happen to us.” That’s why I’m always on talk circuits and I’m a big advocate because, unfortunately, there are still a lot of people that just say, “Well, it hasn’t happened to me yet.” And unfortunately, sometimes then they become victims. And it does happen to them. And what we see when becoming a victim, especially of a ransomware attack, usually are very high multiples of what you would pay if you took proactive action beforehand. And it depends on the size, obviously, of your business or municipality as to what that multiplier is. But at the end of the day, my granddad always said an ounce of prevention is worth a pound of cure.
In other cybersecurity news this week …
Vectra has identified an attack path undermining Microsoft Teams security.
Last month, the Vectra Protect team identified an attack path that enables malicious actors with file system access to steal credentials for any Microsoft Teams user who is signed in. Attackers do not require elevated permissions to read these files, which exposes this concern to any attack that provides malicious actors with local or remote system access. Additionally, this vulnerability was determined to impact all commercial and GCC Desktop Teams clients for Windows, Mac and Linux.
The research discovered that the Microsoft Teams app stores authentication tokens in cleartext. With these tokens, attackers can assume the token holder’s identity for any actions possible through the Microsoft Teams client, including using that token for accessing Microsoft Graph API functions from an attacker’s system. Even worse, these stolen tokens allow attackers to conduct actions against multifactor authentication (MFA)-enabled accounts, creating an MFA bypass.
Connor Peoples is a SaaS security posture management (SSPM) architect at Vectra.
“Microsoft is aware of this issue and closed the case stating that it did not meet their bar for immediate servicing,” he said. “Until Microsoft moves to update the Teams desktop application, we believe customers should consider using the web-based Teams application exclusively. For customers who must use the installed desktop application, it is critical to watch key application files for access by any processes other than the official Teams application.”
John Bambenek is principal threat hunter at Netenrich.
“In essence, this is the still unsolved problem of stealing cookies and other web credentials by attackers with local access,” he said. “That isn’t to say it’s not significant. The fundamental problem is that attackers can steal a cookie and use it on any number of machines to replay an authenticated machine. I would like to see developers and tech companies send these credentials hashed with some local-machine specific information so cookie and credential relay attackers would disappear entirely.”
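The file-access monitoring Peoples recommends can be sketched as detection logic over audit records. This is an added example, not code from the article, Vectra or Microsoft; the record format, the sample log and every path are constructed placeholders, because the article names neither the token files nor the client's install location.

```python
"""Flag access to watched Teams data files by anything but the approved client."""
from dataclasses import dataclass

# Placeholders (assumptions): substitute the directories and client binary
# that apply in your environment.
WATCHED_DIRS = [r"C:\Users\alice\PLACEHOLDER_TEAMS_DATA"]
ALLOWED_IMAGES = {r"C:\PLACEHOLDER_TEAMS_INSTALL\Teams.exe"}


@dataclass(frozen=True)
class FileAccess:
    time: str
    host: str
    user: str
    image: str   # full path of the process that touched the file
    target: str  # full path of the file that was touched


def _norm(path: str) -> str:
    # Windows paths compare case-insensitively; audit records are assumed
    # to carry already-resolved paths (no ".." segments).
    return path.replace("/", "\\").rstrip("\\").lower()


def _under(path: str, directory: str) -> bool:
    p, d = _norm(path), _norm(directory)
    # Require a separator after the directory so "DATA_backup" is not
    # mistaken for a child of "DATA".
    return p == d or p.startswith(d + "\\")


def parse(line: str) -> FileAccess:
    # Constructed record format: time|host|user|image|target
    return FileAccess(*line.strip().split("|"))


def suspicious(events, watched=WATCHED_DIRS, allowed=ALLOWED_IMAGES):
    allowed_norm = {_norm(a) for a in allowed}
    hits = []
    for ev in events:
        if not any(_under(ev.target, d) for d in watched):
            continue
        # Compare the full image path, not just the file name: a binary
        # merely named Teams.exe in another directory must not pass.
        if _norm(ev.image) not in allowed_norm:
            hits.append(ev)
    return hits


def detect(log_text: str):
    return suspicious([parse(l) for l in log_text.strip().splitlines()])


# Constructed sample records, not real telemetry.
SAMPLE_LOG = r"""
2022-09-14T09:01:02Z|WS-017|alice|C:\PLACEHOLDER_TEAMS_INSTALL\Teams.exe|C:\Users\alice\PLACEHOLDER_TEAMS_DATA\store.db
2022-09-14T09:03:40Z|WS-017|alice|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Users\alice\PLACEHOLDER_TEAMS_DATA\store.db
2022-09-14T09:04:11Z|WS-017|alice|C:\Users\alice\AppData\Local\Temp\Teams.exe|c:\users\alice\placeholder_teams_data\Store.db
2022-09-14T09:05:00Z|WS-017|alice|C:\Windows\System32\notepad.exe|C:\Users\alice\Documents\notes.txt
2022-09-14T09:06:30Z|WS-017|alice|c:\placeholder_teams_install\teams.exe|C:\Users\alice\PLACEHOLDER_TEAMS_DATA\store.db
2022-09-14T09:07:15Z|WS-017|alice|C:\Windows\System32\robocopy.exe|C:\Users\alice\PLACEHOLDER_TEAMS_DATA_backup\store.db
"""

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"ALERT {hit.time} {hit.host} {hit.user}: {hit.image} -> {hit.target}")
```

Backup or endpoint-protection agents that legitimately read these files will also alert until their full image paths are added to the allowlist.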
LogRhythm has appointed Gary Abad as vice president of global channels. He has 25 years of experience in senior channel leadership positions with Trustwave, Ivanti, Meru Networks (acquired by Fortinet), Kaspersky Labs and F5 Networks.
At LogRhythm, Abad will be responsible for growing the company’s global channel partner program, increasing the channel’s LogRhythm market penetration, and providing LogRhythm’s partners with support as they address increasing customer demand for cybersecurity solutions.
“Having first started at LogRhythm back in 2015, I’m thrilled to be rejoining the company’s strong team of experts and impressive senior leadership team,” he said. “LogRhythm continues to gain more momentum every year. And I am looking forward to driving channel revenue, and expanding the reach and benefits of LogRhythm’s solutions to new channels and key partnerships.”
Abad has a successful track record of sales development and results, with the ability to build channel sales organizations and worldwide partner programs. He has also led large and complex teams in the technology industry selling hardware, software, cloud, and security solutions and professional services.
LogRhythm’s leadership is focused on providing a platform for end-to-end threat lifecycle management to make it easier for customers to detect, investigate and neutralize attacks.
David Kluzak is LogRhythm’s chief revenue officer.
“Abad brings significant experience to our executive team and shows a passion for the direction that LogRhythm is headed in building trust with customers through continuous innovation,” he said. “With his background, we have no doubt Abad will grow our world-class channel sales teams and drive valuable new partnerships.”
Volaris Group has acquired Hitachi ID Systems, which it has renamed Bravura Security. Bravura Security will continue to operate independently, delivering identity, privileged access, password and passwordless products.
Bravura Security software has helped Fortune 500 companies around the world protect against increasing cybersecurity threats.
Nick Brown is CEO of Bravura Security, formerly CEO of Hitachi ID Systems.
“Hitachi allowed us to build an impressive suite of solutions, but we weren’t part of its core business plan,” he said. “Volaris’ sole focus is software, which makes this a perfect fit for us. Volaris is committed to investing in its products, which will allow Bravura Security and its partners to scale and keep supporting current customers.”
Bravura Security will retain its existing business relationships with partners that resell Bravura Security software offerings, Brown said.
“Our existing contracts will also continue,” he said. “As we kick off the next calendar year, we will look to partners to also accelerate our growth and keep innovating identity management for our current and future customers.”
Hitachi ID Systems’ stable and loyal customer base dating back to 1992 is what attracted Volaris Group in the first place, Brown said.
“Now that we have the support of an organization that purely focuses on software and prioritizes the industries we’ve targeted, we can grow and innovate faster,” he said. “Forging new partnerships, as we just did with HYPR in developing Bravura OneAuth, will be even more organic under the leadership of Volaris Group.”
Bravura Security is focused on profitable revenue growth and adding new customers in industries where it has strong success like financial services, higher education, retail and manufacturing, Brown said.
Volaris Group has a long term buy-and-hold acquisition strategy and operates more than 150 independently managed software companies around the world.
“Bravura Security’s analyst-recognized market position combined with its more than 20 years of experience and global customer base made it an attractive investment for Volaris,” said Carl Bruce, group leader at Volaris Group. “This acquisition positions us to strategically build out a broader cybersecurity portfolio and provides us a footprint in the growing identity and privileged access management market.”
Keeper Security’s latest annual cybersecurity census shows most respondents expect the onslaught of cyberattacks to intensify over the next year. However, 32% lack a management platform for IT secrets, such as API keys, database passwords and privileged credentials, posing a significant risk to organizational security.
The report yielded results from over 500 IT leaders and decision makers in businesses across the United States. Though most report feeling prepared for attacks, leaders admit their tech stacks lack essential tools.
Among the findings:
More than 80% are concerned about the dangers of hard-coded credentials in source code, but 25% don’t have software to remove them.
More than one-quarter of respondents said they lack a remote connection management solution to secure remote access to IT infrastructure. With the rise in hybrid work and remote work, this is a significant security gap.
Nearly one-third suffered a disruption of partner or customer operations in the wake of a cyberattack, and the same percentage experienced theft of financial information.
Eighteen percent experienced theft of money, with the average amounting to more than $75,000, while 37% lost $100,000 or more.
Twenty-three percent experienced the inability to carry out business operations.
Less than half of respondents said they have plans to invest in password management, visibility tools for network-based threats or infrastructure secrets management.
Darren Guccione is Keeper Security’s CEO and co-founder.
“The volume and pace at which cyberattacks are hitting businesses is increasing and with that come severe financial, reputational and organizational penalties,” he said. “Leadership must prioritize cybersecurity, enabling their security teams to address rapid shifts in technology and distributed remote work. The impact these shifts have on cybersecurity are both pervasive and extreme. Building a culture of trust, accountability and responsiveness is critical.”
Cybersecurity was a big topic at this week’s DattoCon 2022 in Washington, D.C. Kaseya CISO Jason Manar says Datto and Kaseya coming together means even stronger cybersecurity.
Manar joined Kaseya last October and formerly was an FBI special agent overseeing all cyber, counterintelligence, intelligence and language service programs for its San Diego office.
At DattoCon, attendees got a preview of multiple innovations Datto is planning, including Datto Managed SOC, powered by RocketCyber; Datto EDR; and Datto Secure Edge, a SASE offering. These solutions allow users to securely connect from anywhere and access sensitive data in the cloud, the company said.
Expanded Role with Datto Acquisition
It’s now been 10 weeks since Kaseya completed its $6.2 billion acquisition of Datto. Manar said the acquisition has expanded his role as CISO of Kaseya.
“It’s expanded because we’re one security team, we’re not bifurcated in any way,” he said. “And we want to make sure, just as we’ve been talking about here, that we share that threat intelligence and that we work smarter, not harder. We use those resources that we have holistically. And the new resources that I think you probably heard [Kaseya CEO Fred Voccola] talk about, we’re investing in security and we’re doing it in a smart way. So, yes, we are one security family, while we still have specialties that we do. So each individual company has definite people within the security organization that are able to be product-specific. But we are sharing that knowledge across all of security so that we can all become more familiar and experts in that realm. And again, it becomes a force multiplier. So you take the data and our teams combined, we’re doing some really cool things.”
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.