The Gately Report: Zimperium Partners Get Formal Channel Program

Channel Futures: Zimperium has been named a leader in the Forrester Wave for Mobile Threat Defense Solutions for Q3 of 2024. What does that mean for Zimperium and its partners?

Chris White: First and foremost, this is one of the first times that Forrester has done this. Gartner has not created a Magic Quadrant in this area. I think it bodes well for a couple of different things, and I'll get to how it impacts our partners. But No. 1, the market just continues to grow and evolve, and with the different things that are happening in the world right now, it just creates increased awareness. There's just an increased awareness on mobile devices, mobile security, and it's an entryway that people are trying to backdoor into enterprises. So what means is No. 1, there's an increased awareness. No. 2, we're the leader in the space, which is outstanding. What's not in the Forrester Wave is our complementary products, not just about device protection, but also application protection. We give the partner ecosystem a product that’s No. 1 in the space, a recognized leader, and then we give them a portfolio to sell on top of mobile threat defense. So it's a land-and-expand strategy for our partners. I think this tool is a door opener for our partners as well.

CF: Zimperium recently announced it supports MITRE ATT&CK, a knowledge base of adversary tactics and techniques based on real-world observations to help organizations stay ahead of mobile attacks. What does that mean and will partners benefit from this?

CW: It's another checkbox that validates Zimperium. So as we think about the MITRE protection landscape … oftentimes when it's our partners and my field team working in conjunction as we go talk to industry experts with the customer, they are going to be measuring themselves against the MITRE standards. So we check the box and part of the reason we're in that upper right of the Forrester Wave is that we check the boxes more thoroughly from the standpoint of a MITRE measurement. That's a benefit to the partners and anybody that's utilizing Zimperium's platform.

CF: You joined Zimperium as its CRO in February. What have you been up to since then? How has your previous experience with Druva and more come into play in this role?

CW: When I joined Druva, we were a company that was slightly under $100 million in annual recurring revenue (ARR), and I helped grow that company to over $225 million in ARR. You probably saw my background, so I have a lot of history and experience. One of the things that I think is critically important, whether it's at Zimperium, my time at Proofpoint running strategic accounts, whatever it might be, is having that partner-first mindset. So I'm bringing that to bear at Zimperium.

We have four key areas around partners and alliances in our partner ecosystem that we focus on. A couple of those are emerging, but it's still the mindset of partner-first. I've got to do the same thing at Zimperium that I did at Druva. We're less than $100 million; how do I grow this to a $250 million-plus company? I'm not going to do that by hiring hundreds of sales reps. I'm going to do that [through] focus and execution, and that focus includes a very well-defined and tightly executed partner and alliances strategy. Admittedly we are in the early days of that, but we're going to leverage our partner ecosystem to scale, just like we did in my prior roles and positions. And in addition to that, focusing on what types of partners and prioritizing those partners. We're not trying to be all things to all people. We focus on $1 billion-plus accounts, so call it large enterprise and Global 2000. So how do we align our partner strategy to that? How do we drive focused execution because our account executives, our partner managers, everybody had so much dirt to cover. They were trying to be all things to all people.

So in a very short period of time, we're really focused. We have something that we call our field focus account list, so every account executive has their field focus account list. And we are mapping that to the partner ecosystem, both from a traditional VAR, as well as mapping that to our OEM partners.

CF: What types of partners make up Zimperium’s partner ecosystem? Is the ecosystem growing? If so, what’s fueling that growth?

CW: We focus on four key areas from an ecosystem standpoint. No. 1 are the VARs. We focus on some of the national players like SHI and CDW. We do a fair amount of volume with both of them, as well as the regional players like the Avotechs of the world, the Trace3s of the world, etc., and that's a very critical part because we are a Global 2000 focus. It's very much a line-in-the-field, meet-in-the-market strategy with those partners and saying, "Hey, how can we align on account A, B and C and drive that?" The second key pillar is around OEM. We have about seven to eight OEM partners, and we're doing two things with those partners. One is, how do we align with them to drive net-new [customers] together and give them a mobile threat defense platform that they don't have to candidly compete against CrowdStrike and Microsoft, and others? But in addition to that, we give them … additional protection from that mobile entry point that they can't do today. So those are our two biggest areas today.

Our emerging pillar is MSSP, and we're doing that through independent MSSPs, as well as MSSPs that are under the umbrella of our OEMs today. SentinelOne has a huge MSSP [ecosystem], so how do we add in to their portfolio for their MSSPs, as well as strategically work regionally across the globe with key MSSPs in markets like the United Kingdom, the Nordics, etc.? And then the one that's really going to be emerging … is we will continue to look at how we better align and engage with GSIs and federal SIs because they all have security practices, but they don't have mobile security practices. So how do we add an element to their portfolio to help their customers analyze where they're at risk and how they close those risks?

CF: Is Zimperium’s revenue increasing? If so, what role do partners play in that growth?

CW: We are definitely growing. I can't get into the specific details, but we are wrapping up our quarter here in the next seven days and I expect it to be the largest quarter in our history. And it's Q2, which is typically not the largest quarter in history. So we've got some positive trends. Our partners are playing a huge role in that, especially in our public sector space. So partners like Merlin Cyber are critical to that growth. We're seeing hyper growth in our public sector space. We're seeing very strong growth in North America, APJ and in EMEA. I've got roughly 25-30 reps across the globe, and we are penetrating new accounts and new markets by leveraging the partner ecosystem. So they're absolutely playing a role in our high growth and hyper growth markets.

CF: Was Zimperium and its customers impacted by the recent global IT outage caused by CrowdStrike? Did Zimperium have to take any action?

CW: Our customers and Zimperium were not directly impacted by it. We have a partnership with CrowdStrike from a standpoint of the data that we collect from a mobile threat defense standpoint, you can take that information and feed it into the platform that CrowdStrike and others are using to look at it. But from an operational standpoint, we had zero impact. We do have customers that were impacted, but not because of the Zimperium solution. We are not embedded in the kernel of anybody like that. CrowdStrike is embedded into the kernel with Microsoft, which obviously impacts that. And because we are not built and constructed that way, we are not going to see a similar kind of impact, even if our data is being fed into CrowdStrike or something similar. We've certainly gotten questions from our customers [such as] 'Hey, are we at risk of the same type of outage with Zimperium?" We basically are responding to those customers saying, "No, we are not embedded into the kernel." So even if we do an update, it's almost sandboxed and you can see what's happening before it goes live into the system. And that's because it's pulled in versus automatically built into the latest version within the kernel.

CF: AI is the hottest topic in cybersecurity. How is Zimperium incorporating AI in its mobile device and app security?

CW: It's fundamental to the baseline engineering of what we do. Before AI was a hot topic, whether you want to think about audit AI or computer-based learning, etc., all of those different elements we embedded into the DNA of the product that is built. So as we collect all of this data and threats, and information that's out there that we're picking up on millions and millions of devices, how do we take that and analyze that to then better protect and notify our install base? It's inherent to what we do. We don't market ourselves as an AI company, but within our product brains, that is a key element to how we do a better job of of identifying and notifying our customers of potential threats.

CF: What do you find most surprising and dangerous about the current threat landscape?

CW: The most surprising is the fact that most traditional folks in the market don't yet realize how exposed they are from a mobile standpoint. People feel relatively secure if they've got iOS. And Apple does a phenomenal job from an iOS perspective and device management, and siloing the different applications and things on there.

But what I think everybody knows around security and many security companies have been saying it for years is the biggest threat is the individual. And it's the mistakes that the user makes. Most people think iOS is more secure than Android, and if you assume that's true for a second, regardless of that, you've got this application world and the average person has approximately 90-110 applications sitting on their mobile device. And those are all different entry points. Over in Europe, the mobile app store is now being opened up. Apple used to have kind of a monopoly on that in EMEA, and they've opened that up. Third-party app stores are now available and you can go download from there. So that has created an additional threat. And I assume that's going to happen in the United States. I think folks think because I'm downloading an app from an app store that it's secure, it's safe. And the reality is there's tons of phishing and malware that comes through those. So I think that is the biggest factor that I'm seeing. It's not top of mind for more people in the market today.

CF: What can Zimperium partners expect for the remainder of 2024?

CW: You’ll see a continued commitment to the partner ecosystem, aligning on our field focus accounts and our priority accounts that we're trying to engage with. So where we align, we stay together. And then as we get toward the end of our fiscal year and the end of the calendar year, we will be formally announcing a partner program that allows more leverage and more predictability. Every single net-new logo that we bring to bear should be aligned to a partner, and that is going to continue. I also think our partners should expect the market to continue to expand, and they should get on this wave of mobile security, be more of a mid-adopter versus a late adopter. I think that will drive volumes of opportunity for them as we move forward.

The last thing I'd say is they can expect to see continued investments. When I got here, we had two people in North America focused on the partner ecosystem. Today we have six. That's just in the last four or five months. And we're continuing to make investments. I'm investing headcount there more than I am in the field because we're expecting to leverage our partner ecosystem to scale the business, not a bunch of account executives running around.

In other cybersecurity news …

With the 2024 Paris Olympics now under way in France, FortiGuard Labs observed a significant increase in resources being gathered leading up to the event, especially those targeting French-speaking users, French government agencies and businesses, and French infrastructure providers.

Notably, since the second half of 2023, FortiGuard Labs saw a surge in darknet activity targeting France. This 80% to 90% increase remained consistent across the second half of 2023 and the first half of 2024. The prevalence and sophistication of these threats are a testament to the planning and execution of cybercriminals, with the dark web serving as a hub for their activities.

Documented activities include the growing availability of advanced tools and services designed to accelerate data breaches and gather personally identifiable information (PII), such as full names, dates of birth, government identification numbers, email addresses, phone numbers, residential addresses and others. For example, FortiGuard Labs is seeing the sale of French databases that include sensitive personal information, including the sale of stolen credentials and compromised VPN connections to enable unauthorized access to private networks.

Researchers are also seeing a rise in advertisements for phishing kits and exploit tools customized specifically for the Olympics, as well as combo lists (a collection of compromised usernames and passwords used for automated brute-force attacks) comprised of French citizens.

FortiGuard Labs anticipates hacktivist groups will focus on entities associated with the Olympics to disrupt the event, targeting infrastructure, media channels and affiliated organizations to disrupt event proceedings, undermine credibility and amplify their messages on a global stage.

Other cyber experts agree the Olympics will be a good target for cybercriminals.

Patrick Tiquet, vice president of security and architecture at Keeper Security, said the Olympics are a particularly attractive target for cybercriminals due to the global attention and massive scale of the event.

Keeper Security's Patrick Tiquet

“The convergence of international visitors, extensive media coverage and the reliance on critical infrastructure make it an ideal environment for cyberattacks,” he said. “Threat actors can exploit the high volume of online transactions, communication and data exchange to steal sensitive information, disrupt operations or launch misinformation campaigns. The potential for widespread chaos and the high-profile nature of the Olympics amplify the impact of any successful attack, making it a lucrative target for cybercriminals.”

Cybercriminals are leveraging the global attention and massive scale of the Olympics to exploit vulnerabilities and achieve their malicious objectives, Tiquet said.

“Individuals should be particularly cautious with unsolicited communications related to the Olympics,” he said. “Be wary of emails, messages or social media posts offering deals, contests or requiring urgent actions. It is essential to verify the authenticity of sources before clicking on links or providing personal information. Avoiding suspicious links and attachments is crucial, as these can lead to phishing sites or malware infections. Additionally, using secure QR scanners with built-in security features to preview links before opening them can help prevent falling victim to QR code scams.”

Stephen Kowski, field CTO at SlashNext, said both individuals and organizations, including athletes, spectators and sponsors, are being targeted.

“For Paris 2024, we can expect to see new tactics, techniques and procedures (TTPs) emerge, such as more sophisticated phishing scams, ransomware attacks and disinformation campaigns,” he said. “We expect to see an increase in disinformation efforts, distributed denial of service (DDoS) attacks, and phishing attempts as well. Finally, we should also expect increased threats to IoT devices and critical infrastructure.”

Disinformation campaigns can be highly effective at rapidly spreading false narratives, sowing confusion and fear, and undermining public trust in institutions, Kowski said.

“DDoS attacks can disable essential resources for travelers and residents in France, leading to unwarranted safety concerns about attending the Olympics,” he said. “In a worst-case scenario, these attacks could provoke real-world violence or significantly disrupt the Olympic Games and democratic processes in France. Proactively combating disinformation with robust defenses and public awareness is critical.”

Last week, KnowBe4 revealed it was duped into hiring a fake IT worker from North Korea, resulting in attempted insider threat activity.

KnowBe4 CEO Stu Sjouwerman detailed the incident in a blog. He said no illegal access was gained, and no data was lost, compromised or exfiltrated on any KnowBe4 systems.

“If it can happen to us, it can happen to almost anyone,” he said. “Don't let it happen to you.”

KnowBe4 needed a software engineer for its internal IT AI team, Sjouwerman said.

“We posted the job, received resumes, conducted interviews, performed background checks, verified references and hired the person,” he said. “We sent them their Mac workstation, and the moment it was received, it immediately started to load malware. Our HR team conducted four video conference-based interviews on separate occasions, confirming the individual matched the photo provided on their application. Additionally, a background check and all other standard pre-hiring checks were performed, and came back clear due to the stolen identity being used. This was a real person using a valid, but stolen U.S.-based identity. The picture was AI ‘enhanced.’

The endpoint detection and response (EDR) software detected it and alerted Knowbe4’s infosec security operations center (SOC), Sjouwerman said.

KnowBe4's Stu Sjouwerman

“The SOC called the new hire and asked if they could help,” he said. “That's when it got dodgy fast. We shared the collected data with our friends at Mandiant, a leading global cybersecurity expert, and the FBI, to corroborate our initial findings. It turns out this was a fake IT worker from North Korea.”

The scam is they are actually doing the work, getting paid well and give a large amount to North Korea to fund their illegal programs, Sjouwerman said.

Callie Guenther, senior manager of cyber risk research at Critical Start, said North Korean operatives are increasingly infiltrating Western companies by posing as legitimate IT workers, using sophisticated methods to bypass hiring processes.

“They create fake identities, use proxies and exploit remote work trends to avoid detection,” she said. “Companies can identify potential threats by scrutinizing resumes, verifying identities and monitoring for unusual behavior. Federal agencies like the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), U.S. Department of Justice (DOJ) and the Treasury Department can assist businesses by providing guidance, intelligence and legal support. The geopolitical threat includes generating revenue for North Korea’s regime, facilitating cyber espionage and straining international relations, particularly with China’s implicit support. Businesses must adopt stringent security practices and collaborate with federal agencies to mitigate these risks.”

John Bambenek, president of Bambenek Consulting, said ensuring employees, and especially contractors, has been a weak spot in corporate security for as long as there have been businesses.

“Unfortunately, this problem has gotten significantly worse since the pandemic with many companies remaining fully remote,” he said. “However, the 100% in-office workplaces are far from immune. There just aren’t good answers except trying to find the obvious bad actors up front and maintaining vigilant behavioral monitoring of key employees in the workplace looking for problematic activities.”

Last week, KnowBe4 revealed it was duped into hiring a fake IT worker from North Korea, resulting in attempted insider threat activity.

KnowBe4 CEO Stu Sjouwerman detailed the incident in a blog. He said no illegal access was gained, and no data was lost, compromised or exfiltrated on any KnowBe4 systems.

“If it can happen to us, it can happen to almost anyone,” he said. “Don't let it happen to you.”

KnowBe4 needed a software engineer for its internal IT AI team, Sjouwerman said.

“We posted the job, received resumes, conducted interviews, performed background checks, verified references and hired the person,” he said. “We sent them their Mac workstation, and the moment it was received, it immediately started to load malware. Our HR team conducted four video conference-based interviews on separate occasions, confirming the individual matched the photo provided on their application. Additionally, a background check and all other standard pre-hiring checks were performed, and came back clear due to the stolen identity being used. This was a real person using a valid, but stolen U.S.-based identity. The picture was AI ‘enhanced.’

The endpoint detection and response (EDR) software detected it and alerted Knowbe4’s infosec security operations center (SOC), Sjouwerman said.

KnowBe4's Stu Sjouwerman

“The SOC called the new hire and asked if they could help,” he said. “That's when it got dodgy fast. We shared the collected data with our friends at Mandiant, a leading global cybersecurity expert, and the FBI, to corroborate our initial findings. It turns out this was a fake IT worker from North Korea.”

The scam is they are actually doing the work, getting paid well and give a large amount to North Korea to fund their illegal programs, Sjouwerman said.

Callie Guenther, senior manager of cyber risk research at Critical Start, said North Korean operatives are increasingly infiltrating Western companies by posing as legitimate IT workers, using sophisticated methods to bypass hiring processes.

“They create fake identities, use proxies and exploit remote work trends to avoid detection,” she said. “Companies can identify potential threats by scrutinizing resumes, verifying identities and monitoring for unusual behavior. Federal agencies like the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), U.S. Department of Justice (DOJ) and the Treasury Department can assist businesses by providing guidance, intelligence and legal support. The geopolitical threat includes generating revenue for North Korea’s regime, facilitating cyber espionage and straining international relations, particularly with China’s implicit support. Businesses must adopt stringent security practices and collaborate with federal agencies to mitigate these risks.”

John Bambenek, president of Bambenek Consulting, said ensuring employees, and especially contractors, has been a weak spot in corporate security for as long as there have been businesses.

“Unfortunately, this problem has gotten significantly worse since the pandemic with many companies remaining fully remote,” he said. “However, the 100% in-office workplaces are far from immune. There just aren’t good answers except trying to find the obvious bad actors up front and maintaining vigilant behavioral monitoring of key employees in the workplace looking for problematic activities.”