The Gately Report: ConnectWise CISO Warns of AI Unknowns
Plus, most organizations are prioritizing investing in SaaS security.
Channel Futures: How does what you do impact technology service providers, MSPs, etc.?
Peter Beggs: I'm responsible for all product security. We have a lot of their livelihoods in our hands to ensure that the products that they're using are safe, secure, that the data is where it should be and it's only accessed where it should be. So that digital guardian role I take very seriously. That's where I put myself … lead by example and be transparent, and let folks know what we're up to. I won't necessarily call it industry-leading, but hopefully it's raising the bar. I think that as CISOs, we all have to do that in a good way to each other, just keep raising the bar.
CF: In your keynote, you said technology defenses have never been more challenged, and you can speak to that personally. Can you elaborate on what’s changed in the past several months?
PB: I think we have to be a lot more flexible in how we're viewing things. We're seeing adversaries deploying AI in attacks. For example, we're seeing a lot of brute-force password spray attacks. And when I say more, it's very frequent in the whole industry. They're literally leveraging AI in the bots. They scrape sites with credential harvesting sites. It's so seamless. We're seeing a lot of increase in that, where normally I would see one a month, maybe one every two months, and now I'm seeing it several times a month.
I'm talking to my industry peers and they say they're seeing the same ones, too. Our defenses are doing just fine on those. It should be table stakes to be able to defend against that stuff, obviously knowing what your external infrastructure looks like and to ensure that there's multifactor authentication (MFA) in place that you're using, that no one's reusing passwords and things like that. It's the flexibility. We can't be stuck in our comfort zone is what I'm telling my folks. So that's our theme right now.
CF: What sorts of threats is ConnectWise facing? Who’s targeting ConnectWise? Are they using AI?
PB: It's not changed. We're not getting any attribution to any well-known cybercriminal groups. The stuff I see is low- to mid-level, and not a lot of complexity to it. The phishing campaigns we see, it's nothing that sophisticated and our defenses are blocking those. We'll see the same campaigns on the phishing side that other companies see. We talk and get on intelligence Slack channels, and we say, "Hey, are you seeing these campaigns?" And they say they're seeing them as well.
We are seeing AI used on that vector as well. We're seeing the emails are much better crafted. It’s still a matter of your email defense staying up to date with the signatures, but also employee awareness and training. We test ourselves internally. We're actually using AI to write our own phish test emails because we have to train our employees. The emails are looking a lot more legitimate. But we're also using some defense analysis if a phishing email comes in and it's too perfect. We're trying to detect better-than-human scripts to be able to alert or triage those if they're a little too close.
CF: We've heard a lot about the evolving role of the CISO. Has your role changed?
PB: Yes, it has. And it’s not just at ConnectWise. I would have to assume it's always been ever evolving. You're learning and you're adapting, or you're probably going to be unemployed at some point. But it's also on the workforce side. The talent shortage is a challenge, and trying to be creative in finding folks that you really do see potential in that can contribute. I'm becoming increasingly more external-facing as well. I believe CISOs should be [more external-facing] once you get to a comfort level within your organization. You have to represent. It's not just internal-facing. You have to give them that assurance and be transparent. Transparency is really where the evolution is occurring more now because if you’re not communicating, if you're not being transparent, people will make up the narrative for you.
CF: A year ago, we talked about ConnectWise’s cybersecurity strategy. Any changes since then? What’s impacting that?
PB: It's been a really great year for us, refining a lot of the capabilities that I've talked about before. I'm a very proactive leader. We test our own infrastructure. We bang away on our own products all the time. We've been very fortunate. We've had a lot of good tabletop exercises, testing our incident response capabilities and continuously learning in those environments. Internally facing, we’re working toward a more mature zero-trust model for how we do identity and access management (IAM).
One of my big themes this year is IAM. This is something I am preaching to TSPs and MSPs, understanding the third-party apps, the SaaS apps that you're connecting to, what are the entitlements out of the box … once you're connected to them, who has access and what access did they have? Are they external-facing? Is there an MFA in front of them? So one of my bigger journeys is IAM. We reached a really good bar in 2023, and I let my team be excited for about a month and then I said, "OK, let's go back to work; we’ve got to get to the next level." We do that across all of my operational areas, but I'm just a little more hyper-focused on the identity side.
CF: What do you find most surprising and disturbing about the current threat landscape? Is it all about AI, the acceleration and the unknown?
PB: It comes back to folks putting vulnerable infrastructure externally facing without MFA in place, without proper authentication or the fact that it is external-facing and they don't know it. What still surprises me is the table stakes of folks not understanding their attack surface, not training their employees on phishing awareness, not doing phish testing on a regular basis because that will save you so much time and money, and really reduce your risk. It still blows me away that large, mature organizations that you see in the news just aren't doing the basics. I don't get it. No one's perfect; I get that. But we're still making it easy for the actors, so I'm doing my best to be very disruptive to that.
CF: The Cybersecurity and Infrastructure Security Agency (CISA) is asking software manufacturers to take its Secure by Design pledge. ConnectWise isn’t on the list of companies that have taken the pledge. Is this in the works?
PB: We're considering that right now, actually. We're taking a look at that. It's in legal review right now so stay tuned. We're excited that we recently got an email from them. They asked us if we would like to take it. It's one of the things where you have to get the lawyers involved.
CF: What can TSPs and MSPs expect from you in the months ahead?
PB: Just to continue doing what we're doing, being transparent and [showing] a security-first mentality. I'm really excited with what Ameer [Karim, ConnectWise’s executive vice president and general manager of cybersecurity and data protection] and the cybersecurity product team have launched, that single pane of glass, what I call the common operational picture. I've come close to finding that from vendors over the years and I'm actually very excited to use it internally. I've done a really good job of refining my dashboards and how I see things, but I'm excited for the MSPs. Who knows, it may save them money on their cyber insurance if they can really show that type of awareness of their posture. It's only going to strengthen them and it's going to go downstream for their customers. They're going to attract more customers because they're not using pencil and paper anymore, that analogy. They're really pushing the envelope, so that's good.
In other cybersecurity news …
Despite economic uncertainty and workforce reductions, 70% of organizations prioritize investment in SaaS security, according to a Cloud Security Alliance (CSA) survey of 478 IT security professionals.
The commitment is reflected in the establishment of dedicated SaaS security teams within many organizations.
Hillary Baron, lead author and senior technical director for research at the CSA, said the survey results “speak volumes to organizations’ realization that even the most secure systems are vulnerable to increasingly inventive threat actors.”
Many organizations already have established such dedicated SaaS security teams. The majority (57%) of respondents have a SaaS security team of at least two dedicated full-time employees, and an additional 13% said they are allocating a dedicated full-time employee to SaaS security.
Other key findings:
Seventy percent of organizations have moderate to full visibility into their SaaS applications.
Sixty-five percent struggle with tracking and monitoring risks from third-party integrated apps and rectifying SaaS misconfigurations.
SaaS security posture management (SSPM) users reported little difficulty with managing misconfigurations (56%), monitoring third-party applications (52%), and governing identity security (56%).
Chris Morales, Netenrich’s CISO, said the rise of SaaS solutions has increased the potential for cyberattacks.
“For example, third-party integrations in SaaS applications can introduce vulnerabilities that traditional IT controls can't handle,” he said. “Both organizations and SaaS vendors share security responsibilities. Protecting data with strong encryption, access controls and constant monitoring is crucial.”
Generative AI and chatbots in SaaS applications introduce new security risks that organizations must keep an eye on, Morales said. These AI systems handle large amounts of data, raising concerns about data usage, storage and sharing. The rules for managing these risks are often unclear, so organizations must stay alert.
Omri Weinberg, DoControl’s co-founder and chief revenue officer, said to prevent data breaches and unauthorized access incidents in their environments, SaaS security teams should implement MFA, enforce least privilege access, and limit as much as possible the amount of sensitive data residing in SaaS solutions.
“Regularly train your staff on security awareness and have a solid incident response plan,” he said. “This should include alerting your staff to any exposed data that could be used in social engineering phishing attacks. Continuous monitoring will help you catch issues early.”
Canalys’ Cybersecurity Titans revenue benchmark grew 14.3% in the first quarter of 2024, which was above the midpoint forecast of 13.6% set in the previous quarter.
Larger deals contributed the most to growth in the first quarter as the titans focused on cross-selling across their platforms to existing accounts. In addition, platform adoption will continue to drive growth for the titans in 2024, with the benchmark forecast to grow by 12.9%.
The transition to platforms will accelerate M&A activity, evolve go-to-market strategies, intensify the battle for GSI mindshare and increase the focus on operationalizing generative AI, according to Canalys.
The Cybersecurity Titans are: Akamai, Check Point Software Technologies, Cisco (including Splunk), Cloudflare, CrowdStrike, CyberArk, Fortinet, Juniper Networks, Okta, Palo Alto Networks, Qualys, Rapid7, SentinelOne, Tenable, Trend Micro and Zscaler. The combined revenue of the 16 vendors reached $10.1 billion, up $1.3 billion from last year.
These vendors have annual revenue of over $300 million, were publicly trading for at least four quarters and broke out their cybersecurity revenue numbers quarterly.
Akamai was added to the list to replace Splunk after its acquisition by Cisco.
While everyone in cybersecurity is talking about AI, what’s not being addressed are the AI unknowns, says ConnectWise CISO Patrick Beggs.
We spoke with him during last week’s IT Nation Secure. ConnectWise unveiled new tools, including Security360 and Sidekick for Security, to help MSPs better meet their customers’ cybersecurity needs.
AI Unknowns Worrisome
During his keynote, Beggs said AI is “sucking up the oxygen in the room and dominating our conversations.”
“There's still an unknown of how threat actors are going to truly utilize AI,” he said. “We're seeing a lot of low-level things that they’re using AI on, and it's fine, but I think it's yet to be seen some of the more mature [uses]. Some of the cybercriminal groups, the really larger ones that are successful, they don't have to use it yet. Why interrupt something that's already working? They're just doing business email compromise (BEC) right now. They're probably leveraging some AI to write, but what is unknown are some of the more behavioral advanced attacks that we haven't seen yet. I'm worried about those. What's going to come that my endpoint security vendor isn’t going to be able to detect? If you know the ‘pyramid of pain,’ as it's called in cyber, it’s the unknown that worries me.”
During IT Nation Secure, ConnectWise urged MSPs to create an AI action plan to leverage AI to improve their operations, while preparing for cybercrime accelerated by AI.
Beggs said a good place to start is understanding AI.
“Just peel back the first layer; start understanding it,” he said. “At the surface it's not that complex. Once you get into the behavioral model side of things, it gets pretty complicated, but they don't have to really necessarily understand that.”