The Gately Report: MSP, MSSP Partners Fueling Blueshift Cybersecurity Growth, CrowdStrike M&A
Meantime, partners will benefit from Devo Technology acquiring SOAR provider LogicHub.
Channel Futures: How are MSPs and MSSPs helping SMBs with cybersecurity?
Blueshift’s Steve Nicol: We’re trying to provide MSPs and MSSPs with a partner as they start trying to offer service solutions to their end customers. There are a number of drivers of this. But the bottom line is for compliance reasons, for insurance reasons, for liability reasons, etc., MSPs and MSSPs are being asked to extend their coverage to deliver security operations as a service. And probably the biggest driver of this is that it’s very difficult for SMBs to find or afford in-house analysts who can do that type of thing. So they want to outsource that and separate their IT operations from their security operations.
And then the second thing we’re trying to deliver is to provide our MSPs or MSSPs with a platform that extends detection, response and vulnerability detection beyond the endpoint in the server to what we call all the things. So we’re talking about IoT devices, networking equipment, cloud, work-from-home users, etc.
Cybersecurity has gotten far more complex because the attack vectors have exploded. You have zero-day attacks now where a preventive approach to cybersecurity really doesn’t work anymore. So you need to be watching all the things, you need to have automation detecting, and responding to what automation can catch. But you also need to have highly trained humans looking for indications of compromise so that you can detect and respond to threats early on in what we call a cyber kill chain. So those are basically the two unique things that we think we do, and we try to do it at a very affordable price. We use a lot of open source in our platform whenever feasible. And we try to make our platform really easy to put in so that you don’t have to have any training for your staff.
CF: Can Blueshift help when MSPs need to beef up their cybersecurity, and when MSPs want to become MSSPs?
Nicol: That’s what’s driving this, is that a lot of the MSPs are being told by their customers they need to become an MSSP. Now, what that entails is you have two options. At that point, you spin off your own SOC and hire a bunch of expensive, hard-to-find security analysts, or you partner. And so we’re partnering with the MSPs that don’t want to do that in house. They want to rely on us to be their SOC-as-a-service partner.
Blueshift’s Greg Scasny: That’s been kind of key to us. It’s one of those things that good MSPs understand. Running an MSSP business where you do services for a company is a very different discipline than running security operations for a customer. So the MSSP goal is to make sure that technology works for that business, and that business makes a profit. Our goal is to make sure that business doesn’t get hacked. Sometimes those are diametrically opposed and they don’t have to be all the time. We’re not the security company that says no to everything. But the skill set is just very different. So when I go and give presentations to IT guys, they [say], “I’ve never heard of half the things you’re talking about.” It’s just different skill sets. So the nice thing is when you put those things together, especially from an MSP-MSSP standpoint, they can sign on as a partner. Now instantly they have a SOC-as-a-service offering they can give to their customers and it’s priced accordingly where it’s both reasonable for them to buy and they can make decent margin when they sell it to their customers.
CF: What are you hearing from your MSP and MSSP partners in terms of their customers’ biggest pain points and biggest threats that they’re dealing with? And how is Blueshift addressing those?
Nicol: The biggest problem in the industry right now with respect to threats are zero-day attacks. So it’s vulnerabilities, [where] there’s no patch available for them. So things like firewalls and EDR are able to be bypassed by zero-day attacks. And so there’s no way to keep them out of your network or out of your infrastructure. That’s one of the reasons we’re growing so quickly, is that the MSPs and MSSPs are realizing that you need more of a defensive approach to cyber, which assumes there’s going to be some sort of compromise with these supply chain or zero-day attacks. And we put detection and response in place to detect them and kick them out of the network, frustrate them before they can do any real damage.
Scasny: A couple of things that are driving this is people are scared. The media tends to hyperinflate things that happen and … from a security perspective I think it’s finally warranted. It makes people wake up and understand that they all have risk and they need to be able to have ways to remediate that risk. No one wants to wake up the next day and [say], “Oh crap, I need to pay $1.5 million in ransom because my systems are down. I don’t know what to do.” And that’s any-size company. Big companies wake up and [say], “Not only do I not want to pay the ransom, but now I’m going to spend … $10 million in infrastructure to replace things.” No one wants to do that. So everybody’s kind of scared. They know they have to do something, but the problem is they don’t know what. You could do it yourself, but no one’s going to do that, so relying on a partner like us who has done it time and time again, and we have the body count to prove what we do and why it’s effective.
The second thing that drives it is compliance. Cybersecurity Maturity Model Certification (CMMC) is one of those things that you’re going to have to be audited against. So it doesn’t matter if you’re a food vendor or you’re supplying very technical printed circuit boards to missiles or weapons, defense systems or whatever the case may be, you will have to be audited by CMMC. They do not know how to even deal with that. So if we can say, “Here’s our solution, here are the things that show you all the controls we meet for that and all the really hard things you have to worry about, you just cut us a check and it’s very reasonable every month and you’re taking care of that,” that’s driven a ton of the adoption from what we see.
CF: Who do you consider your biggest competitors and what gives you an advantage over them?
Nicol: Our biggest competitors are companies like Arctic Wolf and AT&T, and there are other players in the space called Perch Security and Sinet. It’s a whole bunch of folks that do … SIEM and SOC as a service. What we do and what our partners really like about our platform are basically two things. One, we have a built-in security orchestration, automation and response (SOAR). What we mean by that is we do a lot of alert mitigation using automation wherever possible. So where we block threats using packet-level data sniffing really eliminates a lot of the millions of alerts that otherwise would get sent to the SOC. So we’re able to send highly curated alerts to the SOC, which makes our SOC really productive, which at the end of the day is what the game is all about. How productive can your SOC be and how easy it is for you to scale the SOC in a cost-effective way so you can keep the cost of this solution down? And two, what I would say is the real advantage we have over our competitors is that the solution is affordable. And the reason it’s affordable is we have so much automation built into the platform.
CF: After everything that’s happened in cybercrime, are there still organizations in denial, thinking it won’t happen to them?
Scasny: Yes. I do a lot of public speaking and that’s one of the things I talk about is people saying, “I have nothing of value; I’m too small.” And to me, the best thing I can tell people is I subscribe to what’s called the dream principle, so data rules everything around me. I just show them the raw data of how many data breaches happen to companies that are 50 employees or fewer to 25 employees and fewer. It doesn’t matter what you do or what you sell, or what you’re in business to do. You have something that’s going to be of interest to an attacker, period. And there are 100 different things, so everybody is at risk.
And people would say, “Oh, yeah, whatever.” But now when they start seeing companies go out of business, small companies going out of business because they can’t afford to pay the ransom. Small companies deal with a lot of data and they get not only ransomed, but now the second level of blackmail and extortion. So taking their customer list and calling them, and telling them they’ve been hacked, or doxing their websites and doing all the things that these groups do. It starts to get really serious, really fast, and they start to understand how the adversaries are playing for keeps. And that doesn’t matter the size of what you are. You will be a victim eventually.
CF: What can MSPs and MSSPs expect from Blueshift in the months ahead and into 2023?
Scasny: What they can expect from Blueshift is more. We know that this is an integration play for us as well, so we’re integrating with more platforms every day. So we’re going to be adding more tools to the belt. We’re always looking to do that. We’re always looking for different detection capabilities. That’s an ongoing, continuous improvement-type thing for us. We [don’t say], “Oh, this is the next big thing.” Cyber changes every day. And so we have to move with that ebb and flow of the adversary tides as they come and go. But that’s something we do on a daily basis anyway. So we’re just always trying to grow our knowledge and stay … at least one step ahead of the adversaries if we can. It’s a challenge, but that’s what we strive to do.
In other cybersecurity news …
CrowdStrike is acquiring Reposify, which provides an external attack surface management (EASM) platform that scans the internet for exposed assets of an organization to detect and eliminate risk from vulnerable and unknown assets before attackers can exploit them.
Michael Sentonas is CrowdStrike’s CTO.
“This acquisition will provide CrowdStrike partners the benefit of a fundamentally differentiated EASM experience,” he said. “As part of the Threat Intelligence product suite, CrowdStrike will now combine deep insights on endpoints and IT environments with internet scanning capabilities that provide an adversarial-view of organizational risk across internal and external attack surfaces. Partners will benefit from the holistic view of customers’ environments and reduced risk exposure of external assets.”
Attack surface management is a critical aspect of an organization’s security posture, Sentonas said.
“Through the acquisition of Reposify, partners will gain an unmatched outside-in perspective of entities’ global external risks, such as shadow IT, legacy systems and unknown infrastructure risks that expose their business,” he said. “Combined with CrowdStrike’s industry-leading intelligence and ITSecOps offerings, this acquisition allows partners to be more proactive in how they manage customers’ security posture, making them more resilient to attacks.”
Reposify was founded by Yaron Tal in 2017 to help organizations take control of their external attack surfaces by providing complete and continuous visibility and insight. Its core technology leverages one of the largest databases of internet-facing assets to give organizations the most complete view of their external attack surface.
Reposify’s partners will benefit from enhanced capabilities with CrowdStrike, Sentonas said.
A new phishing campaign impersonating Capital One attempts to steal personal identities rather than account credentials.
First detected by Vade in early July, the ongoing phishing campaign exploits Capital One’s recent partnership with Authentify, an online verification service that enables financial institutions to verify their customers’ identities to other institutions, such as lenders, when prompted by users.
The phishing email includes the subject line “REMINDER: Your attention is required!” The body text introduces the Authentify service and urges the user to provide a copy of their photo ID to enroll in the service. Neglecting to do so, the email says, will result in account restrictions.
The phishing link is a legitimate-looking URL that includes both Capital One and Authentify in the text. However, this is only display text and not the real URL, as the display URL returns a Capital One error page in a browser, according to Vade.
The real phishing link directs to a compromised WordPress website impersonating Capital One. The user is then taken through two webpages to upload the front and back of their state-issued ID.
The phishing campaign began on July 1 with email volumes reaching up to 6,000 in one day.
Adrien Gendre is Vade’s chief tech and product officer. He said stealing personal identifications can quickly escalate to a victim having their personal identity stolen. If a victim uploaded a driver’s license, for example, that could be used in any number of crimes.
“Emotion is a key component of social engineering, and so organizations need to train their employees to stop and think before clicking on these types of emails,” he said. “Consumers, unfortunately, may not receive any type of awareness training, so they are particularly vulnerable. Your bank would never ask for this information or any personal information over email. So people should always be suspicious when they are asked to divulge personal or financial information.”
Other Authentify collaborators include Bank of America, PNC Bank, Truist, U.S. Bank and Wells Fargo. Like other highly publicized partnerships, the Capital One/Authentify collaboration piqued interest from phishers, who are known to pay attention to the news cycle.
The collaboration created an opportunity for creative cybercriminals to exploit both brands. Vade has observed similar phishing campaigns coming on the heels of other brand partnerships.
“While Vade blocked these attacks, another platform may not have, so the campaign could certainly continue until the campaign runs its course or the threat actor is stopped,” Gendre said. “Whoever is behind this particular attack will likely make changes to the campaign and try new techniques to optimize the campaign. Eventually, they will move onto another campaign, learning from this one how to be more successful next time.”
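The campaign above relies on a mismatch between what the link displays and where it really goes. As an added detection example (not Vade’s code), here is a check that parses an HTML email and flags anchors whose visible text is a URL on one domain while the actual href points to another. The sample message and the `compromised-wordpress-site.example` host are constructed for the demonstration.

```python
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the campaign described above; not a real message.
SAMPLE_EMAIL = """
<p>REMINDER: Your attention is required!</p>
<p>Enroll in Authentify by uploading a copy of your photo ID:</p>
<a href="https://compromised-wordpress-site.example/wp-content/verify.php">
  https://www.capitalone.com/authentify/verify</a>
<p>Questions? <a href="https://www.capitalone.com/help">Visit our help center</a></p>
"""

# Visible text that reads like a URL: optional scheme, a dotted host, optional path.
URL_LIKE = re.compile(r"^(https?://)?(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the message."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so a wrapped display URL compares cleanly.
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_host(url: str) -> str:
    """Crude registrable domain: the last two host labels (no public-suffix list)."""
    if "://" not in url:
        url = "http://" + url          # display text often omits the scheme
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:]) if host else ""


def mismatched_links(html: str) -> list[tuple[str, str]]:
    """Anchors whose visible text is a URL on a different domain than the real href."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if URL_LIKE.match(text) and registrable_host(text) != registrable_host(href):
            findings.append((text, href))
    return findings
```

Plain-language anchor text such as “Visit our help center” is not flagged; only display text that itself looks like a URL is compared against the real destination.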
Devo Technology, the cloud-native logging and security analytics company, has acquired LogicHub, a SOAR innovator.
The acquisition extends what has already been a year of growth for Devo, with a $100 million funding round, surging revenue and the acquisition of Kognos, the provider of an autonomous threat hunting solution.
Bringing LogicHub’s technology to the Devo platform realizes the complete stack of capabilities needed to deliver the autonomous SOC, a vision Devo unveiled earlier this year. It aims to reinvent how security professionals work by providing complete visibility, automation, analytics, and access to the latest community expertise and content.
Marc van Zadelhoff is Devo’s CEO.
“Devo Drive partners are immediately able to sell LogicHub to deliver a next-generation solution that forms the foundation of the autonomous SOC to their clients,” he said. “LogicHub, like Devo, is a SaaS cloud-native solution, so partners can focus their expertise on helping their clients reduce manual tasks and drive automation and efficiency in the SOC, allowing them to act as the trusted advisor to their clients.”
Devo’s managed service partners can now deliver a solution that provides full visibility across the attack surface, real-time threat detections, and AI-driven automation and response capabilities to improve SOC efficiency “by as much as 10x,” van Zadelhoff said.
“Unlike other leading SOAR solutions, LogicHub’s patented decision automation technology has proven to exceed human accuracy, allowing analysts to fully trust the decisions and actions it makes during playbook execution, boosting SOC performance and improving the efficiency in their managed service that ultimately improves margins for them,” he said.
LogicHub’s partners will transition and integrate as part of the Devo Drive partner program, whether they are a technology alliance partner with an existing integration to LogicHub or a go-to-market (GTM) partner able to expand their offering for their clients, van Zadelhoff said.
This week, Trellix announced the establishment of the Trellix Advanced Research Center to advance global threat intelligence. Comprised of hundreds of security analysts and researchers, the center produces real-time intelligence and threat indicators to help customers detect, respond and remediate the latest cybersecurity threats.
The center also published its research into a vulnerability estimated to be present in over 350,000 open-source projects and prevalent in closed-source projects. It exists in the Python tarfile module, which is part of Python’s standard library and so available to any Python project, and is found extensively in frameworks created by Netflix, Amazon Web Services (AWS), Intel, Facebook, Google, and applications used for ML, automation and Docker containerization.
The vulnerability can be exploited by uploading a malicious file generated with two or three lines of simple code, and it gives attackers arbitrary code execution or control of a target device.
Christiaan Beek is head of adversarial and vulnerability research at Trellix.
“When we talk about supply chain threats, we typically refer to cyberattacks like the SolarWinds incident,” he said. “However, building on top of weak code-foundations can have an equally severe impact. This vulnerability’s pervasiveness is furthered by industry tutorials and online materials propagating its incorrect usage. It’s critical for developers to be educated on all layers of the technology stack to properly prevent the reintroduction of past attack surfaces.”
Open-source developer tools, like Python, are needed to advance computing and innovation, and protection from known vulnerabilities requires industry collaboration. Trellix is working to push code via GitHub pull request to protect open-source projects from the vulnerability.
Josh Kocher is adversarial engineer at Lares Consulting.
“Projects need to be vigilant and mindful of library dependencies, keep abreast of security vulnerabilities in these libraries, and apply appropriate mitigations or updates to resolve these issues,” he said. “Vulnerabilities found in libraries can often be far reaching in their impact due to the number of projects that may make use of them and, as seen with [this vulnerability], these vulnerabilities can exist in projects long after the vulnerability has been discovered. Supply chain issues such as these arise due to an implicit trust in libraries being secure and correctly implemented. However, developers should instead treat these libraries as untrusted, ensure input to them is sanitized and that all error conditions are handled appropriately.”
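The tarfile weakness described above is a path-traversal problem in archive extraction: a member name such as `../x` or an absolute path is written relative to the destination without validation, so it can land anywhere on the filesystem. Kocher’s advice to treat the library as untrusted and sanitize its input is illustrated by this added defensive example (not Trellix’s code or the Python project’s own), which inspects every member, including symlink and hard-link targets, and refuses the whole archive if anything would escape the destination directory. The `build_archive` fixture and member names are constructed for the test.

```python
from __future__ import annotations

import io
import os
import tarfile
import tempfile


def escapes(dest_real: str, candidate: str) -> bool:
    """True if candidate, once normalized, falls outside dest_real.

    dest_real must already be an absolute, realpath-resolved directory.
    os.path.join discards dest when a member name is absolute, and realpath
    collapses '..' components, so both traversal styles end up outside dest.
    """
    target = os.path.realpath(candidate)
    return os.path.commonpath([dest_real, target]) != dest_real


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Names of members whose extraction would touch paths outside dest."""
    dest_real = os.path.realpath(dest)
    bad = []
    for m in tar.getmembers():
        target = os.path.join(dest_real, m.name)
        if escapes(dest_real, target):
            bad.append(m.name)  # '../x' or '/x' style member name
        elif m.issym() and escapes(dest_real, os.path.join(os.path.dirname(target), m.linkname)):
            bad.append(m.name)  # symlink pointing outside dest
        elif m.islnk() and escapes(dest_real, os.path.join(dest_real, m.linkname)):
            bad.append(m.name)  # hard link to a file outside dest
    return bad


def check_archive(data: bytes, dest: str) -> list[str]:
    """Inspect archive bytes without extracting; returns offending member names."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        return unsafe_members(tar, dest)


def safe_extract(data: bytes, dest: str) -> list[str]:
    """Extract only if every member stays inside dest; otherwise refuse the whole archive."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        bad = unsafe_members(tar, dest)
        if bad:
            raise ValueError(f"refusing archive, {len(bad)} member(s) escape {dest}: {bad}")
        if hasattr(tarfile, "data_filter"):
            # Newer Python releases ship a built-in extraction filter; keep it as a second line.
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
        return [m.name for m in tar.getmembers()]


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Constructed test fixture: an in-memory tar mapping member name -> content."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def try_extract(data: bytes) -> tuple[bool, list[str]]:
    """Extract into a fresh temp dir; returns (accepted, relative paths written)."""
    dest = tempfile.mkdtemp(prefix="tar_demo_")
    try:
        safe_extract(data, dest)
    except ValueError:
        return False, []
    written = []
    for root, _dirs, files in os.walk(dest):
        for name in files:
            written.append(os.path.relpath(os.path.join(root, name), dest))
    return True, sorted(written)
```

The whole archive is rejected rather than the offending member skipped, so a partially extracted tree never reaches the code that consumes it.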
SentinelOne has launched S Ventures, a $100 million fund to invest in the next generation of category-defining security and data companies.
S Ventures will invest across all stages of the startup life cycle, with a focus on security and data companies that bring innovative use cases to the Singularity Marketplace. That’s SentinelOne’s open application ecosystem that allows security teams to extend Singularity XDR use cases.
New S Ventures investments include:
Armorblox, an API-based email security platform that leverages ML and natural language processing to detect and prevent sophisticated threats.
Noetic Cyber, a continuous cyber asset management and controls platform that provides teams with unified visibility and insights into the security posture of all assets across their cloud and on-premises systems.
These investments join S Ventures portfolio companies. Those include Torq, a no-code security automation platform accelerating complex threat response workflows, and Laminar, a platform providing full data observability across the entire public cloud to reduce the attack surface and detect real-time data leaks.
Tomer Weingarten is SentinelOne’s CEO.
“SentinelOne pioneered a data-driven approach to delivering autonomous cybersecurity,” he said. “Our early days were defined by the support of our investors, who saw the power and promise of our vision. Today, I’m proud to see SentinelOne invest in future disruptors, doing our part to continue a legacy of innovation. Our focus on cybersecurity and data innovation brings SentinelOne’s technology and engineering expertise, GTM and customer base to S Ventures portfolio companies. We’re committed to investing in innovation that solves mission-critical problems for the enterprise – and digital society at large.”
In addition to providing strategic capital, SentinelOne will help foster innovation for portfolio companies by accelerating route to market and engineering experience. Startups gain enhanced exposure in the Singularity Marketplace and SentinelOne technology ecosystem. They also benefit from joint marketing and SentinelOne Partner Network opportunities.
Blueshift Cybersecurity, which spun off from Cigent Technology nearly a year ago, is helping MSP and MSSP partners beef up their cybersecurity with its full-service extended detection and response (XDR).
Blueshift XDR is a security operations center (SOC)-as-a-service platform. It simplifies compliance initiatives and extends security visibility and management across an entire organization. It integrates with all existing devices, data and systems across the network. That includes cloud, IoT, endpoint, server, remote workers and more.
MSPs and MSSPs are using Blueshift XDR to keep data on-premises at all times. Blueshift mixes automated threat detection and response with hands-on cybersecurity expertise to increase efficiency and reduce cost.
In April, Blueshift announced a $6 million seed fund round from investors WestWave Capital and CyberJunction.
Blueshift Experiencing ‘Crazy Growth’
We spoke with Steve Nicol, Blueshift’s co-founder and senior vice president of sales and marketing, and Greg Scasny, co-founder and CTO, to learn more about how Blueshift helps MSP and MSSP partners.
Channel Futures: What sort of growth has Blueshift experienced since you formed, and what role are MSPs and MSSPs playing in that growth?
Steve Nicol: When we first launched this platform, the first thing we did was go out and get 10 or 15 customers that we could use as references. And we sold those directly. And then during the pandemic, things kind of ground to a halt for a while. So Greg went and added a lot of the additional functionality to the platform. We added a management console, the managed security information and event management (SIEM), and some of the other … layers to this thing.
When we relaunched with the new functionality, we’ve just seen exponential growth with both MSPs and MSSPs. And what surprised us the most is how interested MSSPs are in this platform. Our biggest customer is an MSSP. They like to sell highly curated, best-of-breed solutions to MSP partners worldwide. So they’ll sell a product called SentinelOne and a vulnerability management product called Cyber CNS and some other platforms, and they chose Blueshift as their designated XDR/managed SIEM platform. We’re literally booking two to three deals a week with this partner.
We’re replacing a lot of the existing SOC-as-a-service vendors that are in the space that haven’t been able to keep up with the changes in the threat landscape. So the growth has just been crazy for us. And I don’t see that abating in the near future. We’re transitioning to a 100% channel model. We rarely will sell this directly to an end customer. Our play is to be that SOC-as-a-service partner for the MSPs and the MSSPs.