The Gately Report: Acronis CISO Says MSPs Need to Focus Defense on Supply Chain Attacks
Mississippi hit with DDoS attack on Election Day.
![Supply Chain Attack](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/bltbd3d2cb0b132fe24/65241094d319c6b18240ac30/2-Supply-Chain-Attack.jpg?width=700&auto=webp&quality=80&disable=upscale)
Shutterstock
Channel Futures: Acronis announced a number of new and updated products this week. Did you play a role in the formulation of those?
Kevin Reed: I did. In my role as CISO, I am one of the first customers of Acronis products. My team also plays a role as people who are in the trenches. And very early in the product development, we actually can tell them what are the real problems that we have, and also our partners and customers have. So we can provide input to the product management team and to the R&D team about what features are the most requested, and what real security teams that are protecting their organizations need. That is one part of our engagement. But also Acronis runs a secure software development program and within my organization I have a dedicated team that is focused specifically on making Acronis software secure. So they do security design reviews and implementation review, and they actually try to hack into software. We also run a bug bounty program, for example, and that is the responsibility of that team as well. So I think I can tell that we take part in all stages of product development.
CF: How have you shaped Acronis’ cybersecurity strategy, and in your view what’s the most effective cybersecurity strategy?
KR: I can start with what is called layer of defense or defense in depth. It’s like water: cybercriminals are trying to find every little hole and then sneak in. So what is important is when you build your protections, you put actually not a single wall, but instead a few walls, one behind another. And this is the definition of this type of protection. But also, I think another thing that is important here is to be on top of the modern trends, and the attackers’ tactics and techniques. This is where the threat intelligence helps us a lot. We work very closely with our cyber protection operation team that takes the threats that they see in the wild … and they try to circle it back, to modify products and to actually adjust protections in real time so that we and our customers are always up to date with their protections.
CF: What aren’t MSPs doing that they should be doing to protect themselves from these attacks?
KR: I talk a lot to our partners and they ask me what can we do to protect ourselves? And I tell them usually even if you do the very basic security things that everyone is talking about, you will be better than 80% of organizations out there. So first, having two-factor authentication (2FA) on at least your administrative interfaces, but ideally on all your external access. And second, having email protection in place like anti-phishing protection. Also, if you are patching your software on time and you don’t delay it by years, maybe within a month or two. I usually talk about the golden 72 hours. So the golden 72 hours idea is that when there is a high-profile vulnerability, usually we see attackers starting to exploit them within 72 hours. So if you do those three things preferably everywhere you can, you will be well protected from non-determined attackers. And this is actually a very good, initial level of protection, and you will get better protection than, as I said, maybe 80% of organizations out there.
CF: I saw your recent column on Patch Tuesday. Tell us about Patch Tuesday, what it means to Acronis and why it should be important to every organization.
KR: Patch Tuesday, usually the second Tuesday of the month, is when Microsoft and a few other large companies release their patches for security vulnerabilities. The idea behind that is those companies wanted to have a predictable schedule to all defenders in the world so that they know that they need to clear their calendars for that day because this is the day when the information about the new vulnerabilities will be published and so they need to implement them. This is Tuesday, not Monday or Friday, because they want to give people enough time before the weekend, because the weekend is when the attacks start. So they give enough time to defenders to update their critical systems within those golden 72 hours.
For Acronis, that is a challenging day for multiple reasons. First, of course, Acronis itself could be targeted and a very prominent target given that we work with lots of MSPs, so we need to make sure that our systems are patched. That is important and we strive to patch within 72 hours, especially when it comes to critical vulnerabilities. We can drop everything and fix that. But also we are concerned about our customers. So this is the time when we and our cyber protection operations center team send notifications to our customers. We also push updates to Acronis software and agents that will help our partners to evaluate their systems and understand where those systems need to be patched, what is the severity of the vulnerabilities that we’ve disclosed and how immediate is the danger. And so this is what we do on top of the usual protections to help our customers and partners to be protected as well.
CF: Ransomware is everywhere. What are your thoughts on how organizations should protect themselves and respond if an attack is successful?
KR: When we talk about ransomware, I circle back to this idea of the defense in depth. And we do believe that every organization has a few stages, if you will, where they can interrupt the attack and stop the attack from happening. So if you look at the typical kill chain attack lifecycle, there is initial reconnaissance, then initial access, and then what is called lateral movement when the attacker compromises one workstation, and then they move from one workstation to another workstation until they find a way to elevate their privileges. And then they repeat this cycle multiple times until they get in a Windows environment. They would typically get a domain admin privilege or would be trying to get admin privileges. But sometimes they cannot and then they maybe stop at a lower privilege level and execution on their primary target, which is encrypting as many workstations and servers as they can. So what an organization can do is try to interrupt them at every step. And the earlier the organization does that, the less expensive it is going to be for that organization. So if they manage to stop that attack at an initial compromise level, then maybe one workstation is compromised or maybe one employee account is compromised and that’s it. And the financial cost and the time spent on the recovery is relatively small. And Acronis can help with that with our anti-malware and our email protection.
But let’s say that failed. We can try to interrupt the attack at the next stage or the lateral movement. So when attackers are trying to deploy reconnaissance and then move laterally between systems, or they may try to exploit internal vulnerabilities, this is where the patch management will come into play so we can interrupt them there. Also, we can try to interrupt them at that stage as well with the visibility that we have with Acronis Agent. And if they try to elevate privileges by exploiting a vulnerability, this is where patch management comes into play and our zero day protection comes into play for specific applications. And then if all those protections fail and they start to encrypt the data on the source and workstations, there is this last, but ultimate protection. You can always restore from the backup. And so this is going to be the most costly exercise, but you can still recover. And so our strategy and our vision here is that you try to interrupt ransomware multiple times at different stages, and it’s going to be more expensive every time. But at the end of the day, you should be able to recover.
CF: Are there still organizations that say it won’t happen to me, we’re too small?
KR: The worst thing about ransomware is that it’s not the big organizations that are victims. If an organization that we all know about and we hear about gets compromised, and then they maybe recover, those organizations usually have a dedicated security team and protocols in place to help them recover. Maybe there’s some data loss and maybe some financial loss, but they are able to do that. However, what is problematic is the majority of ransomware attacks are actually small and medium-size organizations you will never hear about and you will never hear news about them being compromised. We as a company that works in this industry, we see those organizations and we see news about them, and this is always heartbreaking because literally sometimes this is a 10-people company and losing all their files means for them loss of business. And these are real people who will not be able to bring food to the table at the end of the day.
Not that I don’t have empathy for large companies, I do. And I know that their security teams undergo very stressful moments of their life when ransomware strikes. But I’ve seen situations when a law firm that has like five full-time employees, their workstations have been encrypted and the hackers actually wanted $10,000. If you compare that with news about millions and millions in ransom, that is like not much. But for that particular company, that was a significant amount of money. It was very hard for them to find that sum. So small companies are the most important targets and no company is too small to get attacked.
CF: What can partners and customers expect from Acronis in the months ahead into 2023?
KR: Acronis is working on some very exciting products that will help our partners that are MSPs protecting small and medium companies to protect themselves against very advanced attackers with minimal effort from their side. We understand there is a talent shortage in many such organizations. Not everyone can afford a full-time security team. And so we are building products that will help those companies who may not have and may not be able to afford a full-time security team or a full-time incident response team on their side. We will help them to protect themselves from the current risks like ransomware, but also from very advanced threats that are still yet to come.
In other cybersecurity news …
A distributed denial of service (DDoS) attack knocked several Mississippi state websites offline during Tuesday’s midterm election in what was the most significant digital disruption of the day, according to Recorded Future.
Mississippi’s secretary of state’s office released the following statement Tuesday night:
“An abnormally large increase in traffic volume due to DDoS activity caused the public facing side of our websites to be periodically inaccessible this afternoon. We want to be extremely clear and reassure Mississippians our election system is secure and has not been compromised.”
A pro-Russian hacking group took credit for the attack, which did not interfere with voting or counting processes.
Daniel Selig is Swimlane’s security automation architect.
“Midterm election security has been on the minds of state governments for weeks, with at least 14 states activating the National Guard to combat cyberattacks on Election Day,” he said. “Following the massive amount of Russian interference during the 2016 election, there has been much unease around foreign influence in U.S. elections. Oftentimes, DDoS attacks are used during elections to result in large-scale disruptions or prevent people from voting. Since voting is the cornerstone of our democracy, it is essential that government organizations take the appropriate actions to ensure votes maintain their confidentiality and integrity, and voting infrastructure remains intact.”
Last week, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released a PSA about combating DDoS election attacks.
“To further reduce the risks of election insecurity, government organizations should implement an all-encompassing platform that centralizes detection, response and investigation protocols into a single effort and helps security teams automate certain tasks,” Selig said. “Low-code security automation allows organizations to utilize streamlined detection and implement proper and effective incident response. Implementing these security controls can ensure top-notch protection and keep essential services like voting up and running.”
On this Veterans Day, cybersecurity experts say cybersecurity is a great fit for veterans looking for a career after military service.
Timothy Morris is chief security advisor at Tanium. He said veterans almost always make great hires.
“They’re resolute, detail oriented, respectful and loyal,” he said. “Some of the best leaders I’ve worked for, and employees I’ve hired, are veterans. They definitely have what it takes in terms of needed cybersecurity skills. Many job requirements are very specific, almost too specific in my opinion. The diverse skill sets required to field cybersecurity teams are as varied as the talent that is available.”
Qualities such as commitment and teamwork are also common among the military, which is well-suited for the “high-pressure” environment of cybersecurity that calls for strategic thinking and the ability to respond on the fly, Morris said.
“This is a must in any situational awareness meeting and incident response ‘war rooms’,” he said. “It is no coincidence that many of the terms used in cybersecurity are based upon military terms.”
Darren Guccione is Keeper Security’s CEO and co-founder. He said military service members come from all walks of life, all different backgrounds and experiences, but they have one critical trait in common: sacrifice for the greater good.
“They dedicate their careers and lives to protecting the freedoms that are essential to us,” he said. “As battlefields shift and change in the digital age, cybersecurity has become an integral facet of national security. Those who work to prevent ransomware attacks, breaches and cybercrime are fighting a new type of battle, but one which requires the same sacrifice and dedication. Cybersecurity professionals face a growing attack surface, often with limited resources, yet they continuously work to protect the networks and systems that underpin nearly every aspect of our modern lives. There are four facets of cybersecurity – prevention, detection, remediation and response. Veterans have awareness, training and a mindset across various agencies, departments and corps that would help make them great cybersecurity candidates, students and professionals. To wage the war against cybercrime day in and day out requires a special person with special character, the same character our nation’s service members and veterans embody.”
Marty Martinez is senior systems administrator at Coalfire.
“Coming from a special forces group and within the more secretive side of the military, these veterans live in a world of operational security (OpSec) and know the value of both physical and cyber security for the mission and even their lives,” he said. “Veterans bring a heightened awareness and real-world experience, a set of values that civilians cannot learn in a school environment. The self-discipline and team values that veterans also bring are an invaluable asset for the civilian workforce that is forged in the military and post-combat operations. This is difficult to replicate in the civilian world. Most all veterans have already proven as top performers that have the passion, patience and the penchant for learning.”
Marketing giant Epsilon tops Proxyrack’s list of the 10 most expensive data breaches of all time. The cost of the 2011 breach totaled $4 billion.
Proxyrack examined data breaches since 2004 in which more than 30,000 records were stolen or compromised. The most common methods for data breaches include hacking, poor security and lost/stolen media.
With Epsilon, the names and addresses of 60 million people were stolen after the email system was breached.
Proxyrack’s list of the most expensive data breaches includes:
- Equifax in 2017, at $700 million.
- U.S. Office of Personnel Management in 2015, at $500 million.
- U.S. Department of Veterans Affairs in 2006, up to $500 million.
- Yahoo in 2013-2014, at $470 million.
- Target in 2013, at $300 million.
- TJ Maxx in 2007, at $256 million.
- Marriott in 2018, at $200 million.
- Sony Playstation in 2011, at $171 million.
- Uber in 2016, at $148 million.
The research also revealed the following:
- 2011 saw the most data breaches, with 34 being recorded. This was closely followed by 2020, which experienced 31, and 2019, where 30 data breaches occurred.
- The industry experiencing the most data breaches is the internet, with 53 hacks recorded since 2004. This is followed by the health care industry, which has experienced 47 breaches.
- Facebook is the company that has experienced the highest number of hacks, with a total of five, followed by AOL and Citigroup, which have both experienced three data breaches.
A new Vulcan Cyber survey shows more than 70% of IT security managers lack necessary threat intelligence skills.
The survey finds 75% of organizations have dedicated threat intelligence teams and two-thirds have dedicated threat intelligence budgets. Despite this, 73% of respondents indicated a “lack of skills” is their biggest threat intelligence challenge and is keeping organizations from fully leveraging investments in threat intelligence resources. Fifty-five percent of respondents identified threat intelligence as not being sufficiently predictive to keep cyber teams ahead of threat actors.
Other key findings from the Vulcan Cyber survey include:
- Threat intelligence adoption is on the rise, as more companies have dedicated teams (75%) and budgets (66%) in place.
- Organizations are using threat intelligence on an ongoing and frequent basis, with 75% of respondents using threat intelligence at least weekly.
- Threat intelligence is used in a variety of ways, but still primarily for “traditional cybersecurity” like blocking bad IPs.
According to the latest survey, threat intelligence is clearly a crucial source for ongoing vulnerability detection and prioritization. In fact, 87% of decision makers rely on threat intelligence “often or very often” for vulnerability prioritization. More than 90% of organizations rate their ability to respond based on threat intelligence as average or better.
Yaniv Bar-Dayan is Vulcan Cyber’s CEO and co-founder.
“It is good that we’re seeing such extensive adoption of threat intelligence feeds by so many different types of cyber teams,” he said. “It’s even more encouraging to see the share of organizations that have dedicated teams and budgets to act upon those findings. Nonetheless, a concerted effort to scale our ability to respond with precision will be correspondingly more crucial as cloud-native environments grow more complex. Teams don’t just need tools and people, they need skills and the ability to use the tools at their disposal to improve the security posture of their organizations.”
John Bambenek is principal threat hunter at Netenrich.
“The entire point of intelligence in the national security world is to figure out what is coming next, not what has already happened,” he said. “While cyber threat intelligence has borrowed techniques from the intelligence community, we have lagged behind in creating products that are forward looking. Unfortunately, much of the entire cybersecurity ecosystem is designed around giving information about a fire after the house has already burned down.”
Ivanti has launched a new partner portal and Campaign Central, a marketing platform that enhances partner marketing efforts by co-branding professionally packaged marketing campaigns at no cost.
The partner portal provides a one-stop shop for all Ivanti-related content, tools and resources across all roles. It also offers a marketing platform to support partner lead generation and demand efforts.
Campaign Central enables partners to create and personalize every campaign. Additionally, partners can track campaigns securely and stay informed at every customer touchpoint with built-in reporting.
The partner portal provides a personalized, role-based experience that will enable Ivanti partners to drive more leads and close more business.
Leigh Lebow is Ivanti’s senior director of product marketing.
“Business requirements for the partner portal were built two years ago, and at the time feedback was gathered through our strategic partnerships and partner advisory committee,” she said. “Campaign Central was a tool that was added to the build at the end of last year based on feedback and engagements with our partners across the world. Partners have been kept updated on progress, and through a soft launch, partners were able to kick the tires and provide us feedback, some of which was incorporated for go live. Other items will come into play during future phases.”
The partner portal and Campaign Central’s primary goal is to simplify processes for Ivanti partners, supporting their business operationally and most especially driving greater efficiencies, Lebow said.
Supply chain attacks pose the biggest threat to MSPs, but Acronis CISO Kevin Reed said MSPs can protect themselves by adopting a small number of security measures.
We spoke with Reed as part of this week’s Acronis CyberFit Summit 2022 in Miami. Acronis is working with over 20,000 partners and 750,000 businesses in over 150 countries and 26 languages.
During CyberFit, Acronis unveiled a new, simplified endpoint detection and response (EDR) solution for MSPs. It also unveiled strategic updates to its Acronis Cyber Protect Cloud platform with a new product, Advanced Automation, and developments including the addition of machine intelligence (MI) to its Advanced Management solution.
More and Worse
In a Q&A, Reed talks about Acronis’ cybersecurity strategy and what MSP partners can expect in the months ahead.
Channel Futures: What’s your take on the current threat landscape? What do you find most dangerous?
Kevin Reed: Journalists always ask me every year what is going to happen the next year. And I usually answer that it’s going to be the same, but more and worse. And what I mean is that at a very high level, the attack landscape did not change. Initial access technologies especially did not change significantly over the last few years. Business email compromise (BEC) existed five years ago. Phishing as an initial access did exist five years ago. Exploiting vulnerabilities that have not been patched in time, that problem did not change in 30-40 years. The only real, somewhat new trend was the attacks on the supply chain, which is especially important for MSPs because MSPs are really the primary target. They almost always have collateral damage or they are a gateway into customer systems. So we actually have seen situations when MSPs are hacked, not because they were particularly important, but because their customers were important to attackers. So I think this is a new trend somewhat, and I think it is a very dangerous one. But on a technology level, it is just more and worse.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.