The Gately Report: Blackpoint Cyber to Accelerate Innovation with Growth Investment
Plus, more victims of the recent MOVEit Transfer mass-attack are surfacing.
![Accelerate innovation](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt11b8ac9fcae2cef3/6523f220ba04f748ec51add8/Accelerate-innovation.jpg?width=700&auto=webp&quality=80&disable=upscale)
Jirsak/Shutterstock
Channel Futures: Last month, Blackpoint Cyber announced the launch of its newest product, Managed Application Control. What does this mean for partners?
Blackpoint Cyber’s Wil Santiago: Managed Application Control is a solution that Blackpoint determined is needed by our partners because it provides a set of curated threat intelligence that we’ve seen in the wild, and it will automatically orchestrate blocking of malicious or suspicious executables that we’ve observed being abused by adversaries. So Managed Application Control not only allows our partners to do custom zero trust with their policies and executions, but it also has the APG teams, the threat operations teams and threat intelligence behind it to say, hey, we’re actively seeing these executables, these software components, being abused by threat actors writ large, and they’re not expected to be running in your environment. Therefore, Managed Application Control offers them an automated way to block those tools from ever executing in their environments before we have to respond to an incident there.
CF: How is Blackpoint University, launched in April, helping MSPs better protect themselves and their customers?
Santiago: Blackpoint University is meant to be a learning space for our MSPs on various different tracks: leadership, SOC, sales enablement, marketing and insurance. There’s all these different components to Blackpoint University where we’re basically giving back to the community and giving them that insight of things they need to be aware of, not just in the threat operations side of things, but also running the business. So we’re really giving our partners the enablement that they need in order to be successful to scale their security companies.
Blackpoint Cyber’s David Rushmer: When you discuss any kind of security solution or any of those pieces with customers, the misconception is that there’s a silver bullet to solve every problem, like there’s one solution. And because there’s not, the inverse has happened, where providers and customers think they need every security product out there to enable them to be secure. And actually what they’re doing is poorly managing their funds in some respects by purchasing products that they don’t need and don’t require to address their security problems. And in doing so, customers at the very end of all of this are becoming more aware of the questions they should be asking their MSPs. So what we’re trying to do is give back to the MSPs and help them translate the security marketplace … so they can answer those difficult questions that customers are now asking their MSPs, questions that don’t necessarily fit well into their knowledge base. We’re trying to help educate them and also make them aware that they can come to us with any of those questions when they have them.
CF: How is participation in Blackpoint University going?
Santiago: With Blackpoint University, we’ve run a few different iterations. We’ve done some recordings, but we had our first session at IT Nation Secure just recently and it was very well received. Lots of MSPs are very interested in the topics that were covered. There are plans to basically have Blackpoint University in multiple iterations throughout the year, at trade shows, private events, things of that sort. But really it’s about giving our partners a place to come learn.
CF: What sort of growth has Blackpoint Cyber experienced in the past year, and what role are partners playing in this growth?
Rushmer: Internally from our own hiring perspective, we have almost doubled our entire team across the board just because of the success of both the product and the company as a whole. The customers are key to that success, not only because we feel that their trust in our product is an emphasis that what we’re doing is the right thing, but also the ability to then translate that to their customers means that they’re making a better profit margin on what they’re selling and we’re reaching more endpoints than before. So we’re growing year on year and we’re doing fantastic in that sense, to the point that Wil has had a continuous pipeline of new members to the SOC. It has been nothing but growth for his team and I don’t think that’s slowing down any time soon.
CF: How would you say Blackpoint Cyber’s Managed Detection and Response (MDR) is better than other MDR solutions out there for MSPs?
Santiago: Across the board without having to bash our competitors or anything like that, I think what differentiates Blackpoint to other services that exist is that we’ve created an ecosystem for our partners. So that ecosystem covers not only on-premises devices, endpoints and servers, it also covers cloud, logging and compliance. So our plans are really to expand that ecosystem, to make it more accessible to our partners, to be able to provide the security comfort that they need for their customers in one specific place. We see a lot of MSPs purchasing multiple tools, multiple different scenarios because that’s what they feel they need. Blackpoint has created an ecosystem where we can say with real data that these are the sort of components and tools that are going to make you secure and also provide you the ability to scale that security company.
Rushmer: One thing that’s really important is the delivery from Wil’s team is the same whether you’re a single endpoint customer all the way through to 1,000 endpoints. The quality of service, the level of expertise that’s applied is exactly the same, meaning that no matter who you are, you still get the same deliverable. And I think, without bashing competitors, in some cases you don’t necessarily get that same interaction on a human level. It’s largely delivered by automation. The only way some of the MDRs are able to actually scale their customer base is to introduce automation and remove people more from that process.
CF: Is Blackpoint Cyber being impacted by economic uncertainty? Also, how can Blackpoint Cyber help MSPs that are being impacted by economic uncertainty?
Rushmer: To answer your first question, no would be my honest answer. And the reason why I would say no is because if you look across the security space as a whole, there are a number of companies that have unfortunately had to lay off members of their staff, and we’re not in that position. I think our CEO and CFO have been very strategic with their spending to ensure that people are continuously employed, and that we have the ability and scalability for continued growth without wasting money. It’s not that we didn’t want to hire thousands of people, but we’ve been smart with the way it’s done.
MSPs have been impacted. And the way that we’re trying to solve that problem for them is helping them review their security stack and look at where we can use our integrations to better suit them. If you take a look at a lot of organizations, they do have things like Microsoft, they’re running Word, they’re running Excel, and what a lot of them don’t realize is they actually get Defender for Endpoint bundled into their Business Premium licenses. And so they’ll then buy an antivirus (AV) solution when they’ve already got a perfectly viable one. There are some nuanced problems with it. We all in the security community understand, but it’s not about the efficiency of the product, it’s more about the policy application. So what we’ve done is we’ll manage the policies for you. If someone turns around and says we’ve already got an AV solution, we integrate with it and we’ll handle that for them. So we look at assessing the security stack of the MSPs and of their customers, and offering areas where they could immediately benefit just from the fact that they’re utilizing one of our bundles.
CF: What’s the latest in terms of feedback from MSPs? Have their most-pressing needs evolved?
Santiago: We’ve received consistent feedback from our partners on a daily basis on things they want to see built and problems they’re facing. One of the things that I’ve seen a lot of feedback on is a product we’ve developed which we refer to as Cloud Response, which monitors Microsoft 365 and account takeovers. That’s something that’s been missing in the industry for some time: real-time response in a cloud environment. And honestly, this product is responsible for catching about three times as many intrusions as on-premises endpoint and server intrusions. The hackers have realized they can gain a lot of intelligence by targeting cloud environments that don’t have the same protections that we’ve been implementing for the past 10 years in an on-premises environment. The cloud is still this very large attack surface that companies are still trying to decide how to maneuver, because they’re putting sensitive data on there for the purposes of sharing it remotely, but they’re not understanding the implications of the security flaws with that cloud service. So Blackpoint developed Cloud Response for that specific purpose. And so a lot of that feedback is how do we make Cloud Response better … ultimately to protect our partners from these adversaries that have been kind of operating unhinged for some time.
CF: What do you find most dangerous about the current threat landscape?
Santiago: My personal opinion is that the push to the cloud, while it brings extremely beneficial cost savings, with patching automated by the actual providers, opened up a door of confusion for the MSP. There’s lots of policies. If you turn off the wrong policy, you lose all your protections on one thing that you might have set up. And so there’s a lot of confusion as it pertains to how do we secure our cloud and SaaS platforms. The adversary is learning that, wait a second, I can really gain a lot of intelligence and value by targeting SaaS platforms, because there’s not a lot of logging, usually people aren’t implementing multifactor authentication (MFA), and then they’re putting all this very sensitive data, which historically used to be stored on a server that was the keys to the kingdom, in files that are distributed across different tenants. You share sensitive information with a friend and that friend’s email account gets compromised, and now they have your data as well. And so there’s a large third-party risk component in the cloud where we are still understanding what that landscape looks like from the attack surface, and the MSP is catching up to that. The adversary is way ahead of where the MSP is in terms of their knowledge of the attacking versus the defense. So Blackpoint has come in and said OK, we know how the hackers are hacking, how do we build a product that can stop and answer this, and that’s where Cloud Response has come in and we’re making continuous enhancements to that.
Rushmer: The other one for me would probably be an overreliance on an AV solution to be the be all and end all security product for your endpoint. There is a misconception about what the AV is there to detect. So that’s probably the thing that keeps me up at night. We’re seeing a lot of attacks that come in from file formats not scanned by AV, and luckily behavioral analysis catches that and that’s where we fit really nicely in the MDR space. But that’s probably one of the big ones for me.
CF: What can partners expect from Blackpoint Cyber through the remainder of 2023?
Santiago: We’re heavily investing in technology and innovation, heavily investing in partner enablement via things like Blackpoint University, expanding on that, and then ultimately expanding our go-to-market engine for our MSPs … to allow our MSPs to use our existing ecosystem to go to market, go to battle, protect their customers and scale their businesses. It’s really where we’re going to be focusing the efforts for the next six months.
Rushmer: Innovation and continued improvement of our contextual information. That would be the big one, enabling MSPs to basically be the heroes that they are. We’re sitting in the background, we do what we do, but we know it’s the MSPs that directly link to that customer and it’s the MSPs we need to support, to show their value, and again be the heroes that save their customer base.
In other cybersecurity news …
Security researchers with Jumpsec, a UK-based cybersecurity provider, have discovered a simple way to deliver malware to an organization through Microsoft Teams, which has 280 million monthly active users.
According to a Jumpsec Labs advisory, two members of Jumpsec’s red team recently discovered a vulnerability in the latest version of Microsoft Teams that allows malware to be introduced into any organization that uses Teams in its default configuration. The technique bypasses client-side security controls that are meant to prevent users from external tenants from sending files (malware, in this case) to staff in the organization. Because the control is enforced only in the client, the effective defence is the tenant-side setting that decides which external tenants may reach your users at all.
“Organizations that use Microsoft Teams … inherit Microsoft’s default configuration, which allows users from outside of their organization to reach out to their staff members,” said Max Corbridge, senior security consultant with Jumpsec. “By allowing this, an entirely new avenue of social engineering (and now payload delivery) is created.”
The reason the vulnerability could be a lucrative avenue for threat actors to deliver payloads is the fact that this bypasses nearly all modern anti-phishing security controls, he said.
“Firstly, it is very straightforward to buy a domain similar to your target organization’s and register it with Microsoft 365,” Corbridge said. “Secondly, it avoids the now-rightfully-dangerous act of clicking on a link in an email, something that staff have been trained to avoid for years now, greatly reducing the likelihood of a typical staff member detecting this as a phishing attack. The payload will now be served by a trusted SharePoint domain, and will arrive in the form of a file in a target’s Teams inbox. As such, the payload inherits the trust reputation of SharePoint, not a malicious phishing website.”
Finally, when this vulnerability is combined with social engineering via Teams, it becomes very easy to start a back-and-forth conversation, jump on a call, share screens and more, he said.
“By comparison, it makes social engineering via email feel very stagnant, and stop-start,” Corbridge said. “When using this on a real engagement, the pretext of an IT technician was used to ask the target if they could jump on a call to update some critical software. Once on the call, this vulnerability was leveraged to deliver a payload and, when combined with a full social engineering attack, was implicitly trusted by the target.”
Dror Liwer, co-founder of Coro, said “while we normally hear about email as the most common entry point for attackers, we see Teams, Slack and other messaging platforms as a quickly developing vector.”
“Attackers will always look for a path of least resistance, and while email has been a very lucrative method, less people expect an attack through Teams, and as such are more easily targeted,” he said.
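The control that matters here is the Teams tenant federation configuration, not the client-side check Jumpsec bypassed. The following is an added example, not code from the article, from Jumpsec or from Microsoft, showing how an administrator audits that setting and replaces the default “any Microsoft 365 tenant may chat with us” posture with an explicit allow-list, using the MicrosoftTeams PowerShell module. The partner domains in `$trustedPartners` and the two function names are placeholders chosen for the example; the `Get-CsTenantFederationConfiguration` and `Set-CsTenantFederationConfiguration` cmdlets and their `AllowFederatedUsers`, `AllowedDomainsAsAList`, `AllowTeamsConsumer` and `AllowTeamsConsumerInbound` parameters are real, and the example assumes the module is installed and the caller holds the Teams Administrator role.

```powershell
# Added example, not part of the article or the Jumpsec advisory.
# Audits and tightens Teams external access (federation) with the MicrosoftTeams
# PowerShell module. Assumes the module is installed and the caller holds the
# Teams Administrator role. The partner domains below are placeholders.
#
#   Install-Module MicrosoftTeams
#   Connect-MicrosoftTeams

$trustedPartners = @("partner-one.example", "partner-two.example")   # assumed allow-list

function Get-TeamsExternalAccessPosture {
    # Summarises the tenant-wide federation settings that decide whether a
    # stranger's Microsoft 365 tenant (including a look-alike domain an attacker
    # registered) can open a chat with your users at all.
    $fed = Get-CsTenantFederationConfiguration

    # In a default tenant AllowedDomains is an AllowAllKnownDomains object; once an
    # allow-list is configured it becomes an AllowList with an AllowedDomain collection.
    $openToAnyTenant = $fed.AllowFederatedUsers -and
                       ($fed.AllowedDomains.GetType().Name -eq 'AllowAllKnownDomains')

    [pscustomobject]@{
        AllowFederatedUsers       = $fed.AllowFederatedUsers
        OpenToAnyTenant           = $openToAnyTenant
        AllowedDomains            = @($fed.AllowedDomains.AllowedDomain | ForEach-Object Domain)
        AllowTeamsConsumer        = $fed.AllowTeamsConsumer          # personal Teams accounts
        AllowTeamsConsumerInbound = $fed.AllowTeamsConsumerInbound
    }
}

function Set-TeamsExternalAccessAllowList {
    param([Parameter(Mandatory)][string[]] $Domains)

    # Replace "any known domain" with an explicit allow-list. Every tenant not on
    # the list is refused by the service, regardless of what the Teams client
    # enforces, so the client-side bypass described above has nothing to bypass.
    Set-CsTenantFederationConfiguration -AllowedDomainsAsAList $Domains

    # Personal (consumer) Teams accounts are governed separately from the tenant
    # allow-list, so block those too.
    Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false
}

# --- usage ---
$before = Get-TeamsExternalAccessPosture
$before | Format-List

if ($before.OpenToAnyTenant) {
    Write-Warning "Tenant accepts chats from any Microsoft 365 tenant; applying allow-list."
    Set-TeamsExternalAccessAllowList -Domains $trustedPartners
    Get-TeamsExternalAccessPosture | Format-List
}
```

Two caveats a practitioner should weigh before applying this. An allow-list silently refuses chat and call attempts from every tenant not on it, so legitimate one-off collaboration with new customers or suppliers will break until their domain is added; `Set-CsTenantFederationConfiguration -AllowFederatedUsers $false` goes further and disables external access entirely. And an allow-list only decides which tenants can reach you: a compromised account inside an allow-listed partner tenant can still deliver the same payload, so user awareness of unexpected file transfers over Teams remains necessary. Older versions of the module express the allow-list through `New-CsEdgeDomainPattern` and `New-CsEdgeAllowList` passed to the `-AllowedDomains` parameter instead of `-AllowedDomainsAsAList`.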
The U.S. Army’s Criminal Investigation Division is warning military personnel to be on the lookout for unsolicited, suspicious smartwatches in the mail, saying the devices could be rigged with malware.
“Service members across the military have reported receiving smartwatches unsolicited in the mail,” it said. “These smartwatches, when used, have auto-connected to Wi-Fi and begun connecting to cell phones unprompted, gaining access to a myriad of user data. These smartwatches may also contain malware that would grant the sender access to saved data, to include banking information, contacts and account information such as usernames and passwords. Malware may be present which accesses both voice and cameras, enabling actors access to conversations and accounts tied to the smartwatches.”
Melissa Bischoping, Tanium‘s director of endpoint security research, said most people have heard about techniques involving leaving random malicious USB devices around for curious victims to plug in.
“This surprise smartwatch tactic leverages the same human curiosity, and grants a threat actor access to some of your most sensitive personal information,” she said. “As the adage goes, if it’s too good to be true, it probably is, and if you’re not paying for the product, you are the product. In this economy, no one is sending out free gadgets for funsies, so the arrival of an unexpected package should raise suspicions and warrant investigation into the authenticity or identity of the sender. Best case? Someone sent you a birthday gift and forgot to include a card. Worst case? You’re compromising your personal and/or professional data with malware.”
Gareth Lindahl-Wise, Ontinue‘s CISO, said the ability of a smartwatch to deeply interact with a paired mobile device should be of great concern.
“The dangers of fitness trackers (such as Fitbit and Strava) disclosing the location of military personnel and installations was seen towards the end of the Afghan conflict,” he said. “A wealth of personal information, such as emails, chats, location and banking information, could be exposed, but also consider the exposure of authentication apps, many of which can be used on smartwatches – which could lead to personal and corporate account compromise. These unsolicited ‘goodies’ must be reported and dealt with appropriately.”
The California Public Employees’ Retirement System (CalPERS) and insurer Genworth Financial are two of the latest victims of the MOVEit Transfer mass-hack, which exploited a then-unpatched SQL injection vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer file transfer application. The Russia-based Clop ransomware gang is believed to be behind the attacks.
CalPERS is alerting its retired members and their families that some of their personal information was involved in a worldwide data security incident that impacted one of its contracted third-party vendors, PBI Research Services/Berwyn Group (PBI).
In all, the PBI security incident impacted the personal information of about 769,000 CalPERS members.
PBI has reported the matter to federal law enforcement and has told CalPERS it has resolved the vulnerability, while also adding additional security measures.
PBI also advised Genworth of a security event connected to the vulnerability in the MOVEit file transfer software that PBI uses. Specific Genworth files containing policyholder and agent information were compromised due to the security event.
The personal information of 2.5-2.7 million individuals who are either customers or insurance agents was accessed in the attack, Genworth said. For policyholders, the exposed information includes Social Security numbers, names, dates of birth, zip codes, states of residence and policy numbers. For agents, the exposed information includes the agent ID, name, date of birth and full address.
Genworth uses PBI to satisfy regulatory obligations to scan Social Security data to determine whether a customer may have died, which would trigger death benefits under a life insurance policy or annuity contract. It also partners with PBI to identify deaths across its other lines of insurance and among the insurance agents to whom it pays commissions.
Aviral Verma, lead security analyst at Securin, a provider of attack surface management (ASM) and vulnerability intelligence, said less prominent applications like MOVEit Transfer are often overlooked by organizations, despite being exposed to the internet.
“This oversight leaves organizations vulnerable to easy exploitation by attackers,” he said. “In this case, the perpetrator, Clop ransomware, specifically looked for exposed public-facing applications. By adopting proactive security strategies, organizations can uncover these vulnerabilities, patch them, and bolster their defenses to keep their data safe.”
With a recent $190 million growth investment, Blackpoint Cyber will focus on more innovation and partner enablement in the months ahead.
That’s according to Wil Santiago, Blackpoint Cyber’s vice president of threat operations. Bain Capital Tech Opportunities led the investment with participation from Accel. Bain and Accel joined existing investors including Adelphi Capital Partners, Telecom Ventures, Pelican Ventures and WP Global Partners.
In light of the growth investment, TEDCO, Maryland’s economic engine for technology companies, announced the successful exit of Blackpoint Cyber from its portfolio. In 2018, TEDCO invested $200,000 in Blackpoint Cyber to support its growth and development.
Blackpoint Cyber’s Top Priorities
“Blackpoint plans on using a lot of these investment funds for investing in tech and innovation, and partner enablement,” Santiago said. “That’s the priorities for Blackpoint, enabling our partners, getting them into our ecosystem and then allowing them to enjoy all the fruits of the ecosystem paired with my 24/7 security operations center (SOC) that’s monitoring all the customers for our partners.”
Innovation is “never cheap,” said David Rushmer, Blackpoint Cyber’s director of threat research.
“We want to excel our innovation,” he said. “We want to speed up what we’re trying to deliver in the time frame we’re trying to deliver. The threat landscape as a whole is ever evolving and one of the biggest challenges is to stay ahead of the curve, and unfortunately that does involve capital. The good news is that with the Bain investment and also their general interest in this whole space, they’ve not just thrown the money in with an intention of going hey, return our investment. They have a very keen interest in understanding themselves how the threat landscape is changing. So the deal in all honesty benefits both us and them. The great news for our customers is that innovation from our side of things will turn around a lot faster than we had originally intended.”
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.