The Gately Report: ConnectWise CISO Talks Strengthened Security Post-Attacks
Nearly 500,000 patients' information was stolen in a ransomware attack on ITx.
Channel Futures: Are you constantly dealing with cyber threats? Who is targeting ConnectWise?
ConnectWise’s Patrick Beggs: We’re scanned and probed, and phished on an hourly, daily and weekly basis just like any organization. And unfortunately attribution in that space is hard to come by. But we do have some really salient threat resources that we can refer to. In my opinion, it’s a criminal group, criminally focused organizations that are hitting us right now. A lot of it is not criminal at all.
On the dark web, you can buy a mail server that’s been compromised to use for your spamming. There’s nothing nefarious about these. A lot of times it’s mass marketing not from the most ethical sources. That’s easily defendable most of the time. To my knowledge in my tenure, there have been no nation-state attacks that have been coordinated per se. But to be honest, the attribution is so blurred sometimes. Criminal groups will take off their military hat at night and put their criminal hat on. But they’re using the same tactics and techniques, and protocols, so sometimes you don’t know the difference. It’s a blurry area and it’s active.
We have our relationship with the Cybersecurity and Infrastructure Security Agency (CISA), but also industry groups that we talk to and share information. So if something is brewing, we all know the warning lights and start sharing information. So that’s really great.
CF: Are threat actors looking to get to MSPs via ConnectWise? If so, how are you fending them off?
PB: I can’t say that they’re directly trying to get to MSPs through ConnectWise. They cast large nets. You could say maybe they sell us as a one-stop shop to them to get to that. I don’t have enough telemetry or intelligence — no one would — to know if that was their true intention. I do know that we see coordinated attacks against N-able and ConnectWise, and we actually talk to each other so we’ll share that information. I have not seen any really concerning campaigns yet, but that is their intention. But we get scammed a thousand times a day looking for vulnerabilities. Could one of those be that? Yes, absolutely. So I have to assume that is the case and that’s the visor I put on. I’ve got to protect these people because if they compromise a piece of our core infrastructure, that’s it, I’m out of a job and a lot of people are, too.
We help SMBs sometimes that use ConnectWise products, but the attack that they suffered has nothing to do with one of our products. But we just help them out. We don’t leave them alone. They come to us and say, “Hey, we have one of your products,” but they got hit with a business email compromise (BEC). I help them out as much as I can to an extent, and then they have to bring somebody into it.
CF: What aren’t MSPs/TSPs doing that they should be doing to protect themselves and their customers?
PB: There are things if they’re not doing it, they should be doing it, such as really good basic backup recovery and multifactor authentication (MFA). I advocate that all the time — turn on MFA. It’s just going to make your life a lot easier. It is a little cumbersome sometimes, but [it’s important]. So there’s some basic hygiene.
On the SMB side of the house, sometimes it’s a lack of knowledge of how to do things from an information security perspective. So it’s a talent gap and sometimes one of the things they’re not doing is bringing the right folks in to understand the space. And I would say that’s probably the biggest thing because it’s not a technology problem. It could be a process problem if they don’t have the right people in place. So people, process and technology. I would say it’s having the right folks with the right mindset in the right places.
CF: Are there organizations still saying they’re too small to be a target, and therefore don’t need any protection?
PB: Yes. I understand some of their points. They call it security by obscurity, being too small. I think in this day and age, that doesn’t exist, especially with personal devices. Folks are allowing personal devices into their corporate networks. It’s just inviting bad hygiene. So they’re not too small, unfortunately. I’m not trying to be doom and gloom, but it’s just the current state of the world.
CF: How would you describe ConnectWise’s cybersecurity strategy? Is it evolving?
PB: I’ll speak to my entry point a year-and-a-half ago. The maturity journey started with product security day one, and vulnerability management, ensuring that our hygiene was in a good enough place to start to get more proactive and moving toward our cyber fusion model. That’s something I created years ago with other organizations, large, Fortune 100 organizations. And I realized, “Hey, I could do this here. I may not have a $100 million cyber budget like Bank of America does, but I could still do it to scale here.” And so that’s our cyber fusion journey. It’s a proactive versus reactive approach. That is my road map and how we’re doing things. We are well on the way to that and it’s a never-ending journey. Automation is part of that as well. Part of our road map and journey is really automating a lot of the mundane tasks that a tier-one analyst can actually get alert fatigue and then can start missing things because they’re just doing the same repetitive things, filling in the same fields that could be automated through different alerts.
CF: What do you find most worrisome and dangerous about the current threat landscape?
PB: People, education and awareness. Something that was one of the biggest priorities at ConnectWise, and I’m very proud to say it’s come a long way, is vigilance. The lack of vigilance is what worries me as well. The ease of folks just sometimes trusting without validation. So we can put in technology and processes, and all the best stuff in the world, but if a product engineer building something isn’t following sound secure practices, that’s another example. It’s not just an employee clicking on a link. It’s someone building something that isn’t secure. That’s the human side of the house.
CF: Can you elaborate on the importance of communication and sharing among competitors regarding cybersecurity?
PB: I keep open lines of communication and sync semi-regularly with [N-able chief security officer] Dave McKinnon. Among our peers it happens all the time. We do quarterly calls at this point. But if something is happening, I just shoot him a text and say, “Hey, are you seeing this?” They’ll say yes or no, and vice versa. So we take our company hats off when it comes to that stuff. If they got hit first, who do you think they’re coming after next? So I learned a long time ago that you have to take those hats off and just work together.
CF: Is increasing cyber crime prompting that sharing? I can’t imagine it taking place in any other area of the business.
PB: I lived through what was called the distributed denial-of-service (DDoS) attacks of 2013 in the financial sector. And those banks took those hats off so fast because the first banks to get hit with these DDoS attacks, it was Iranian groups that were doing this; their customer portals went down. You couldn’t access online banking. The first week no one shared. But the government came in and helped, and then they would start dumping the IP addresses of those attackers and then the rest of the banks got protected from that week. But every week they chose a different target. Then they started closing the gap of response, and then we started taking that information and protecting each other. And everyone follows that now.
CF: What would be your advice for other CISOs in the channel? Is being a CISO particularly stressful?
PB: I’ve done cyber operations my whole life so this is the only life I know. I don’t know what I’d do without it. When I came in here, I was having anxiety because I hadn’t seen my phone in two hours. That’s the mindset. If you can’t be in that mindset, you have no business doing this job. Is it stressful? Yes. Is it rewarding? It’s much more rewarding than stressful.
But the best part of it is the human side, building those teams and watching folks progress. It’s creating the environment where you can trust in your team. And that’s my advice to a CISO: Build an organization where you can step back from it and say, “It’s OK, they’ve got it.” That’s where I get most of my job satisfaction from. The people that I work with support me right from the CISO all the way down to the lowest level analyst.
In other cybersecurity news …
Google has introduced the Secure Artificial Intelligence (AI) Framework (SAIF), a conceptual framework for secure AI systems.
“The potential of AI, especially generative AI, is immense,” said Royal Hansen, Google’s vice president of engineering for privacy, safety and security. “However, in the pursuit of progress within these new frontiers of innovation, there needs to be clear industry security standards for building and deploying this technology in a responsible manner.”
Google said a framework across the public and private sectors is essential for making sure that responsible actors safeguard the technology that supports AI advancements so that when AI models are implemented, they’re secure by default. Its new framework concept is an important step in that direction, the tech giant claimed.
SAIF is designed to help mitigate risks specific to AI systems like model theft, poisoning of training data, malicious inputs through prompt injection, and the extraction of confidential information in training data.
“As AI capabilities become increasingly integrated into products across the world, adhering to a bold and responsible framework will be even more critical,” Hansen said.
John Bambenek, principal threat hunter at Netenrich, said, “We are only just getting started thinking about this and we’re drawing analogies on existing cybersecurity disciplines.”
“For instance, having bug bounty programs makes sense if you’re talking about software applications, but in AI, we don’t even really know what penetration testing truly looks like,” he said. “The fact is, we are making it up on the fly, and we’re just going to have to revise and figure things out. In that sense, putting some of the stuff out there is a good first step because at least it gives us a starting point to figure out what works and what does not,” he added.
Patrick Harr, CEO at SlashNext, said as one of the leaders in AI advancements, Google is taking the necessary first steps to foster a culture of security for AI.
“As organizations try to take advantage of the benefits of AI, they are realizing the potential dangers,” he said. “The most important takeaway is the need for a thorough security protocol when using AI-generated programs. As we progress through these uncharted waters, we will undoubtedly see more security tools and recommendations to mitigate the risks.”
The latest victim of the Fortra GoAnywhere mass ransomware attack is Intellihartx (ITx), a U.S. company that handles patient payment balances and collections.
Nearly 500,000 patients had information stolen in the attack. This includes Social Security numbers, medical billing records and diagnoses data. ITx notified the Maine Attorney General’s office about the attack.
“On Feb. 2, ITx discovered that its secure file transfer protocol provider, Fortra, was subject to a data privacy event that potentially impacted ITx’s clients’ patient information,” it said. “We promptly launched an investigation to determine the nature and scope of the Fortra event. On March 24, we completed our initial review of the logs provided to us by Fortra. We completed a further review of the additional logs provided by Fortra, as well as correspondence with the unauthorized party, to determine the scope of impacted information on May 10. We then undertook a comprehensive review of the data to determine what information was affected and to whom that information related. This review was completed on May 19.”
Erich Kron, security awareness advocate at KnowBe4, said the Clop ransomware/extortion group has “certainly caused a stir” this year as they exploited the GoAnywhere software vulnerability with “nearly reckless abandon.”
“While files were generally not encrypted like in typical ransomware attacks, the theft of data and threat of leaking it publicly has been more than enough to cause issues for victims of these attacks,” he said. “Clop has certainly shown that disrupting operations by encrypting data isn’t necessarily required to force organizations to pay up. Because Clop generally works under a ransomware-as-a-service (RaaS) model, leveraging affiliates to carry out attacks in exchange for a majority percentage of earnings from attacks, the initial attack vectors can vary. However, email phishing generally tops the charts as a favorite approach due to its low cost and high success rate. Because this is the most common attack method, organizations should ensure that employees are educated and trained on how to spot and report phishing and other social engineering attacks. In addition, a robust patching process that allows for quick testing and patching of potentially vulnerable software can significantly reduce the damage bad actors can do in the event they do gain access to a network.”
Verizon Business recently released the results of its 16th annual Data Breach Investigations Report (2023 DBIR), which analyzed more than 16,000 security incidents and 5,200 breaches.
Chief among its findings is the soaring cost of ransomware. The median cost per ransomware incident more than doubled over the past two years to $26,000, with 95% of incidents that experienced a loss costing between $1 and $2.25 million.
This rise in cost coincides with a dramatic rise in frequency over the past couple of years when the number of ransomware attacks was greater than the previous five years combined. That prevalence held steady this year. Representing almost a quarter of all breaches (24%), ransomware remains one of the top cyberattack methods.
The human element still makes up the overwhelming majority of incidents, and is a factor in 74% of total breaches. One of the most common ways to exploit human nature is social engineering, which refers to manipulating an organization’s sensitive information through tactics like phishing.
In addition, the median amount stolen in business email compromise (BEC) attacks has increased over the last couple of years to $50,000, based on Internet Crime Complaint Center (IC3) data.
“Senior leadership represents a growing cybersecurity threat for many organizations,” said Chris Novak, managing director of cybersecurity consulting at Verizon Business. “Not only do they possess an organization’s most sensitive information, they are often among the least protected, as many organizations make security protocol exceptions for them. With the growth and increasing sophistication of social engineering, organizations must enhance the protection of their senior leadership now to avoid expensive system intrusions.”
Bhaven Panchal, senior director of service delivery at Cyware, said with the median costs of ransomware attacks doubling since last year and reaching the million-dollar range, the new Verizon report once again highlights the upward inflationary trend of the cost of data breaches.
“Another striking revelation is the prevalence of the human element as the contributing factor behind breaches, whether it be through errors, privilege misuse, use of stolen credentials or social engineering,” he said. “It is imperative for organizations to accelerate their security processes and plug visibility gaps in their environments. The operationalization of threat intelligence, threat response automation and security collaboration are going to help drive this change toward a more resilient cyberspace for all.”
Roy Akerman, Rezonate’s co-founder and CEO, said dependency on privileged identities and access in a cloud- and SaaS-dominated environment is a key indicator and enabler of the increase in BEC attacks.
“The attackers need to obtain access, making identity security more critical than ever,” he said. “This aligns with the fact that the root cause of 74% of breaches were identity-related or enabled, which aligns with Verizon DBIR findings over the last decade. Identity remains the leading reason for security breaches, yet tools and tactics remain the same, and organizations struggle to deploy and further mature their identity security programs. A shift in approach is required — a holistic, automatic approach to identity management and trusted identities is important now and will be for years to come.”
ConnectWise CISO Patrick Beggs said there’s a reason cybercriminals haven’t succeeded in their attacks on the company for at least the past year.
Beggs took the role of ConnectWise CISO in February of last year. Before that, he was Cognizant’s global head of security operations. And before rejoining the private sector, he held top cybersecurity leadership roles in the U.S. Department of Homeland Security.
We spoke with Beggs at last week’s IT Nation Secure in Orlando. ConnectWise unveiled new solutions, and offerings from strategic vendors, to help MSPs grow and better secure their customers.
In 2020, ConnectWise was hit with ransomware via vulnerabilities in ConnectWise Automate. And last year, ConnectWise Control was deployed by bad actors in cyberattacks.
ConnectWise CISO Has ‘Security First Mindset’
Beggs said one of the prerequisites when he joined ConnectWise was a “security first mindset,” not to say there wasn’t already a similar mindset in place.
“The last thing I’m going to do is jinx myself because there can always be something out there that no one knows about from a detection capability standpoint,” he said. “It’s not an if, it’s a when, and it’s how you handle the when. That’s how we’ve gotten so much better. And it’s just discipline. I brought in amazing talent that I’ve worked with in the past, new talent that I’ve discovered, the right technology in the right places. Again, you’re as good as your last scorecard. That’s the way we take it.”
ConnectWise’s vulnerability management program is “world class,” Beggs said.
“I have a board that holds us accountable,” he said. “I report to a board member in a committee. So that’s another dynamic that I think probably stands us out. It’s like re-upping your contract, and they know what they’re talking about. These are industry leaders, experts in cyber. I think that’s probably a differentiator as well, having that accountability at the board level. And if a CISO doesn’t have accountability to the board level, someone should ask why.”