The Gately Report: N-able Says More Automation Can Help Safeguard Partners, Customers
N-able's CSO is ensuring the company doesn't become the next SolarWinds or Kaseya.
Channel Futures: What have you done and what are you doing to ensure N-able isn’t the next SolarWinds or Kaseya?
N-able’s Dave McKinnon: It’s building programs. When I look at security, for me it’s very important to realize security isn’t just [the security team]. Security is something that’s everybody’s responsibility across the organization, so having a comprehensive program that includes all of our employees [is important]. We do training for everybody. We make sure that from a software development perspective we’re investing in helping our engineers understand how to code securely.
You have to ensure that you’re building a program. There’s no magic switch that we can flip and say, “Hey, we’re secure.” We’ve invested tremendously in building our teams and investing in products to help us answer those things. And then having the proactive nature of doing things like penetration testing and doing bug bounty. We have an internal team that does penetration testing so that when something goes out — vulnerabilities are inherently going to go out in all code — we identified it as fast as possible. We have a process to address it and reduce the risk of the impact to our customers. That’s the only way that you can do it. Everybody’s going to have an incident, but we need to reduce the the blast radius of that incident as much as possible with having that program to support it.
CF: With the threat landscape as it is, is your job increasingly difficult?
DM: Well, my job is never easy. I don’t think it’s increasingly difficult. What you have to focus on is twofold. One, security is a team sport. Collaborating across the industry … is absolutely critical. CISOs at the other RMM providers and I do talk and we share information, whether it be threat information or anything like that. While we compete for for market share, we have to work together from a security perspective. So having that network … is hugely beneficial and we continue to mature it.
The other aspect is making sure that I’m staying current on what’s happening in general. Like every time you read the newspaper, there is a another breach that impacted this customer. And fortunately, companies are releasing more information about how that has happened, like how they got to that point. And we are able to pivot that and say, “OK, how do we ensure that we’re protecting ourselves from that same attack vector?” So I don’t think my job is more difficult, but you do have to remain current and relevant. And fortunately, I have a huge team that is really solid.
I think I’m also in a situation where I’m with a company that does take security seriously, and that helps a lot. Obviously I don’t have an unlimited budget. Nobody does. But I do have the ability to push through critical risks to John Pagliuca, N-able’s president and CEO. We also have a cyber committee that sits at the board level. So I have a pathway at the board to say, these are the risks. We review the risks every quarter. This is what we’re doing and this is where I need help. So that also helps me reduce the overall pressures that come with the ever-changing landscape.
CF: Are you seeing more industry collaboration when it comes to cybersecurity?
DM: It’s still small pockets. I wish it was more. When I first started, [Datto CISO] Ryan Weeks reached out to me on LinkedIn. … And I immediately responded back and said, “Hey, let’s talk.” And it really took off. CompTIA is definitely playing in the collaboration space now specifically with MSPs. And I think that’s an area where as vendors we need to continue to participate and help because ultimately this is something we have to tackle together. So it needs to improve, but I think the desire is there to continue to improve that collaboration.
CF: What do you find most worrisome or dangerous about the current threat landscape? Obviously ransomware dominates the headlines, but is there a lot more beyond that?
DM: Ransomware is ultimately the final action or the objective. So when I think about any attack, there are layers. They have to figure out if the door is unlocked. And if the door is unlocked, how are they going to get in? And then once they’re in, they look around to see what the house looks like. And then once they know what the house looks like, then they go steal the data and steal a house, or steal whatever is of value. And then ultimately they deploy the ransomware. So there are [about] eight steps. So for me, from a threat landscape perspective, it’s understanding the tactics that are being used, and again that goes back to remaining current and relevant, and making sure that we’re staying on top of it.
The real challenge is that historically, not everybody had access to the tooling that was used by nation-state actors and those types of folks, versus now, and the tools themselves are very much commodity. You can go rent them and you can buy them. The source code is out there for someone. There is a whole underground that supports it. So that actually increases the risk for everybody because there are just more weapons in the arsenal to attack you. So we need to make sure that we’re staying on top of the tactics they’re using. How do we find them earlier in that life cycle? I had this conversation at my last job with our team. We were trying to figure out how we address ransomware. And I said. “If you’re telling me that our security alerting is going off when the ransomware is actually encrypting the boxes, we’re already screwed.” What I need to know is when they are knocking on the front door. When are they jiggling the handle? And then once we know how they’re going to get in, how do we detect that? So the earlier we can do it in that attack life cycle, we’ll be better for it. Whatever they do next, whether it’s ransomware 2.0 or tactically, it doesn’t really matter. They still attack in the same manner they always will.
CF: What are MSPs’ biggest security pain points and how is N-able helping with those?
DM: So I think one of the benefits is people are waking up to the security risks. It impacts all businesses. A lot of the mindset has been, historically it won’t happen to be. And I think MSPs were very challenged in positioning the security value. And now, during the conference, we had people talking about, “This is how we do security and you’re either a customer or you’re not.” And it’s really empowering the MSPs to have consistency for their customers.
And on the N-able side, it’s making sure we bring the best products to market, whether it’s something we’re building or we’re partnering to give MSPs more security muscle for their arsenal to support those end customers. So that’s where we need to work together to help them drive that security. But it’s definitely heard loud and clear in the SMB market that everybody has a piece of that overall equation and they’re having success there.
CF: Cyber insurance obviously is a big deal. Everybody is probably trying to get it or needs it because of the threats, but it seems increasingly difficult to get. How to MSPs meet that criteria?
DM: It is challenging. We just went through it. We had our renewal back in July. It takes a few months. There are a tremendous amount of questions they are very much interested in. What the insurance providers want to understand is what level of risk are they taking on in underwriting these policies, because I think for a long time cyber insurance policies were a cash cow for them. They never really had to pay out. And now they are, so they don’t want to write them. They make them very expensive. They make them difficult to get.
The benefit for MSPs, especially because they have adopted RMM solutions and things like that, when you look at all the different requirements, more than half of the technical security requirements that we were asked, N-able has solutions that can help them meet those criteria. So RMM users and their customers really have a benefit in that they can come up with a stack and help support it. And they can show how they’re how they’ve implemented those different programs to support it for them to have success. It’s definitely top of mind. It’s going to continue to be increasingly difficult and it’s going to continue to be increasingly more expensive.
I think [premiums] doubled over the last 12 months. We’re hoping it kind of plateaus. But they’re going to get more stringent. And ultimately, why they’re asking all those questions is because they don’t want to pay out if you have an incident. If you say, “Yes, I do all these things” and you have an incident, they can prove that you weren’t doing that, and then you’re on your own. They’re not going to give you a penny. And that’s why they’re being so thorough.
CF: Have you been receiving feedback here from partners? What have they been telling you?
DM: I’ve had lots of feedback. I think … the one thing everybody has loved is the collaboration not just from us, but across the MSP base. It’s been awesome to just have the opportunity to talk about what we’re doing. And then a bunch of the MSPs I’ve spoken to were just really happy with … community sharing that’s happened at the conference. We haven’t been able to do this in a couple of years and that in-person experience is what worked. It’s been awesome to be able to sit in and observe, but it’s definitely the feedback I’ve heard of. We just really enjoyed being back in person and able to collaborate.
CF: During a keynote, David Weeks, N-able’s senior director of partner experience, talked about how MSPs are heavily into peer engagement. Could increased peer engagement improve security?
DM: Security historically has had that already. I’m part of a number of different groups in various industries, just people I’ve met in my career where we all keep in touch. We have a monthly call; we exchange information. I think it’s absolutely critical that extends in the MSP space like I do with my peers on the CISO side. Ultimately, where we need to get to is how we make sure that we’re also delivering that information, whether it be through more secure products or sharing that information, like this is just best practice, something to be aware of and communicating that out.
And that’s why we have the security center on our website so we can get that information out. We need to do a good job of that. We’re fortunate that we have a big team. We can support sharing that information and leveraging that expertise. And I love being able to get with partners and talk about that stuff.
CF: In terms of security, what can we expect from N-able in the months ahead looking toward 2023?
DM: The biggest thing right now is bringing out some of the security automation and being able to protect your businesses. And from a cloud perspective, because the cloud is very complicated and continuing to build upon that, we have the platform, we have the modules, and now it’s, how do we continue to take the pain points that introduce potential risk to a business and help MSPs more effectively protect themselves and their customers via automated deployments or even in some cases, automated removal of users? If you have somebody leaving the organization, how do you make sure you’re removing them from all of your customers’ accounts? So that is really the focus for N-able. How do we continue to drive security through automation? And that’s what you’re going to see as we go through the end of 2022 and well into 2023.
In other cybersecurity news …
This week, Uber’s former security chief, Joe Sullivan, was convicted of concealing a massive data breach in a case that prosecutors tied to the company’s troubled past under its original leadership.
Sullivan was found guilty in federal court by a jury, which rejected his claim that other executives at the ride-hailing giant were aware of the 2016 hack and were responsible for it not being disclosed to regulators for more than a year. Sullivan was convicted of both charges against him. That includes obstructing a government investigation and concealing the theft of personal data of 50 million customers and 7 million drivers.
Casey Ellis is Bugcrowd‘s founder and CTO. He said the conviction is a “significant precedent” that has already sent “shockwaves” through the CISO community.
“It highlights the personal liability involved in being a CISO in a dynamic policy, legal and attacker environment,” he said. “It begs for clearer policy at the federal level in the United States around privacy protections and the treatment of user data. And it emphasizes the fact that a proactive approach to handling vulnerability information, rather than the reactive approach taken here, is a key component of resilience for organizations, their security teams and their shareholders.”
Rick Holland is CISO and vice president of strategy at Digital Shadows. He said only the jury had access to the evidence in the case, so “pontificating” specific details of the matter is counterproductive.
“There are some general conclusions to draw,” he said. “I’m concerned with the unintended consequences of this case. CISOs already have a challenging job, and the case outcome raises the stakes for CISO scapegoating. How might this impact the number of leaders willing to take on the potential personal liability of the CISO role? Could we see more whistleblower cases as we saw with Twitter? I expect to see more CISOs negotiating directors and officers (D&O) insurance into their employment contracts. D&O insurance offers personal liability coverage for decisions and actions the CISO might take. In addition, in the same way that both the CEO and CFO became responsible for corruption on the heels of Sarbanes Oxley and the Enron scandal, CISOs shouldn’t be the only roles guilty in the event of wrongdoing around intrusions and breaches. CISOs must effectively communicate risks to the company’s leadership team but shouldn’t be solely responsible for cybersecurity risks.”
New Hornetsecurity research reveals Microsoft Teams security and backup flaws. More than half of Teams users are sharing business-critical information on the platform. Most backup and security vendors overlook this vital communication channel.
Among the findings:
Seventy percent of respondents exchange more direct messages with colleagues via user chats than group channel conversations. This has a security implication because the study also found that while many vendors provide products and services that can back up data shared via channel conversations in Teams, they tend to overlook user chats.
Forty-five percent send confidential and sensitive information frequently via Teams. This rises to 51% often sharing business-critical information.
Forty-eight percent have accidentally sent Teams messages that should not have been sent. Of this group, 88% had been trained in the use of collaboration solutions, highlighting the need for increased and improved training on how to use Teams and the risks of sending sensitive data.
The Teams Backup survey conducted by TechConsult for Hornetsecurity polled 540 participants from companies with at least 50 employees from all industries.
Daniel Hofmann is Hornetsecurity‘s CEO.
“It’s not so much a matter of stopping the use of user chats as that could severely dent productivity as well as hindering internal communication, which oils the wheels of any organization,” he said. “It’s about providing users with adequate security awareness training and having the right tools in place to protect and back up the data shared via user chats as well as via channel conversations.”
Researchers with the Synopsys Cybersecurity Research Center (SCRC) have discovered a vulnerability in the Ikea Tradfri smart lighting system. An attacker could use the malformed Zigbee frame to turn lights up to full brightness. Users can’t turn them back down via app or remote control.
Another vulnerability makes Tradfri unresponsive to controls.
To recover from these attacks, a user could add each bulb manually back to the network. However, an attacker could reproduce the attack at any time.
Bud Broomhead is CEO of Viakoo, an IoT security provider. He’s thankful this was just lightbulbs, not door locks, cameras or industrial control systems, which can have more devastating consequences from being breached and exploited.
“The impact of not remediating this specific vulnerability may be minor, but still should be a call to action for operators of IoT devices to have a plan for remediating vulnerabilities,” he said. “IoT devices, whether in the home or in the enterprise, have for many years been treated differently from a security standpoint than traditional IT systems such as what would be found in a data center. Operators of IoT devices need to be prepared to have ways to both mitigate breaches, and be able to remediate and repatriate them back to full network operations. By targeting low-cost, high-volume IoT devices, threat actors are betting on many such devices remaining unpatched, and therefore creating a lengthy window of opportunity for cybercriminals to exploit them.”
Zigbee is a network of connected IoT devices, Broomhead said. This form of IoT where devices work together in a tightly-coupled way is very attractive to threat actors. That’s because of the ability to exploit multiple devices through a single network breach, as opposed to loosely coupled individual devices that do not impact each other if one is compromised.
“In addition to users of IoT devices being prepared to quickly remediate vulnerabilities, more work is needed on improving and securing Zigbee as a standard,” he said. “It is too easy for threat actors to intercept encrypted data transmissions then use those captured packets to impact device operations by replaying and injecting them against the device (or with enough time, decrypting them and exposing more details on commands used within the device).”
Mike Parkin is senior technical engineer at Vulcan Cyber. He said IoT devices have become ubiquitous in both professional and home environments.
“Unfortunately, they brought a new set of security challenges with them as this smart-bulb vulnerability demonstrates,” he said. “The challenge with a vulnerability like this is there is little chance the devices can be patched to address it. Fortunately, this is little more than a nuisance. But it could have been worse. Security on IoT devices is sorely lacking, and with some devices the vulnerability could lead to a much more damaging compromise than just some blinking lights.”
Vipre Security Group is making significant changes to the company’s channel-first model to help ensure the success of its partners, sales teams and distributors.
The changes to its global business model include:
Doubling the company’s channel sales team and placing them regionally to better assist partners.
Aligning the end user sales teams to the channel organization for co-selling and collaboration.
Opening the company’s product portfolio to make it easier to sell the entire suite of Vipre’s services and solutions.
Expanding channel sales and support operations across EMEA including the DACH and Benelux regions.
In North America, Vipre is also planning a series of cross-country, partner roadshows to share additional information about the company’s channel program, product roadmap and to learn more about the needs of its partner community.
Marc Malafronte is Vipre‘s newly appointed North American channel chief.
“Channels have been the lifeblood of our business for years, but we felt like it was time to reinvest in them with the goal to be a better partner, going forward, now and into the long-term future,” he said. “So, while the channel has always been an important part of the Vipre Security Group business, this retooling of the program ensures our commitment to our partners, and our revitalized attention toward them proves they are central to our growth and development as an organization.”
Vipre is always talking and collaborating with its partners about how it can better support their businesses and product needs, Malafronte said.
“Additionally, I am blessed to have worked at a very large partner for an extended period of time during which I managed many vendor relationships and grew several significant partnerships into long-term growth and service opportunities,” he said. “Because of this experience, I was able to see every part of the partner relationships, inside and out, and the good, bad and ugly, and saw how best to work toward beneficial relationships for all parties. Needless to say, we are utilizing much of this experience to replicate the pieces and parts that we know work, and devising action steps to work alongside and with partners where there are opportunities for growth.”
The main goal of restructuring the Vipre channel program is so partners are able to “enjoy even more benefits of partnering with us and to ensure that they have a very comfortable and profitable experience with us,”Malafronte said.
Vipre Security Group is making significant changes to the company’s channel-first model to help ensure the success of its partners, sales teams and distributors.
The changes to its global business model include:
Doubling the company’s channel sales team and placing them regionally to better assist partners.
Aligning the end user sales teams to the channel organization for co-selling and collaboration.
Opening the company’s product portfolio to make it easier to sell the entire suite of Vipre’s services and solutions.
Expanding channel sales and support operations across EMEA including the DACH and Benelux regions.
In North America, Vipre is also planning a series of cross-country, partner roadshows to share additional information about the company’s channel program, product roadmap and to learn more about the needs of its partner community.
Marc Malafronte is Vipre‘s newly appointed North American channel chief.
“Channels have been the lifeblood of our business for years, but we felt like it was time to reinvest in them with the goal to be a better partner, going forward, now and into the long-term future,” he said. “So, while the channel has always been an important part of the Vipre Security Group business, this retooling of the program ensures our commitment to our partners, and our revitalized attention toward them proves they are central to our growth and development as an organization.”
Vipre is always talking and collaborating with its partners about how it can better support their businesses and product needs, Malafronte said.
“Additionally, I am blessed to have worked at a very large partner for an extended period of time during which I managed many vendor relationships and grew several significant partnerships into long-term growth and service opportunities,” he said. “Because of this experience, I was able to see every part of the partner relationships, inside and out, and the good, bad and ugly, and saw how best to work toward beneficial relationships for all parties. Needless to say, we are utilizing much of this experience to replicate the pieces and parts that we know work, and devising action steps to work alongside and with partners where there are opportunities for growth.”
The main goal of restructuring the Vipre channel program is so partners are able to “enjoy even more benefits of partnering with us and to ensure that they have a very comfortable and profitable experience with us,”Malafronte said.
Cybersecurity was a big topic at this week’s N-able Empower 2022. MSP partners who incorporate more automation can help keep them and their customers safer.
That’s according to Dave McKinnon. N-able‘s CSO. N-able spun off from SolarWinds in July 2021. It previously was SolarWinds’ MSP business.
McKinnon said the biggest message for MSPs during N-able Empower was building automation and consistency into their security practices.
N-able’s Dave McKinnon
“Historically, we’ve done a lot with IT and that’s why RMMs exist and why they’re successful, and continuing that journey forward into your security practices, largely because they’re very time consuming,” he said. “If you’re not consistent in how you do those deployments or how you’re doing this configuration, you may introduce risk into your environment inadvertently. So that’s really been my message. I think that’s been a lot of the message around how to effectively scale that business out for the MSPs.”
Automation to the Rescue for N-able Partners
The intent of N-able Cloud User Hub is to make it easier for MSPs partners to automate the management and security of all Microsoft tenants, users and licenses, McKinnon said.
“[Increasing automation adoption] is the intent of the new products that we’re releasing as an organization,” he said. “That’s to help them in that journey so it’s not as manual. Also, it reduces the complexity. When you buy different cloud solutions, it’s the easy button. But what you actually get is a very difficult puzzle with lots of different pieces. And it’s hard to figure out how it all goes together. That’s where we’re on in our journey from an N-able perspective, to help those customers be successful as they go through that journey with their customers.”
See our slideshow above for more from McKinnon at N-able Empower 2022 and the rest of this week’s cybersecurity news.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn. |
About the Author(s)
You May Also Like