Kaseya spent heavily on security before its VSA remote monitoring and management solution was breached last summer. It’s spending more heavily now.
“I think most of the experts that we brought in will attest Kaseya security wasn’t bad,” said CEO Fred Voccola in a conversation with ChannelPro at the company’s ConnectIT event in Las Vegas this week. “But it could always be better, and we got hit, and we need to get better, and we will.”
In particular, he explains, Kaseya is now spending “millions and millions” of incremental dollars on both additional internal penetration testers and respected outside testers like the Krebs Stamos Group. Their mission, which is inspired partly by the unprecedentedly creative techniques used to compromise VSA before, is to increase the speed with which Kaseya anticipates new exploits and evaluates its readiness to withstand them.
“The rate that the bad guys and gals are innovating and accelerating means [that for] companies like Kaseya having good security today means tomorrow it’s average and two days from now it’s below average,” Voccola says. “You’ve got to keep innovating.”
Both the new and existing experts, he continues, are working in independent groups tasked with thinking like would-be intruders. “The best way of doing that is to take five, six, seven, eight really smart groups, have them not coordinate, and attack us any way that they want,” Voccola says.
To further augment its in-house security know-how, Kaseya has appointed Jason Manar its chief information security officer. Until last Monday, when he stepped into his new post, Manar was an assistant special agent of cyber counterintelligence, intelligence, and language service programs for the Federal Bureau of Investigation, and a member of the response team that worked with Kaseya after the VSA incident.
“It’s a nontraditional hire,” says Voccola, noting that he could have recruited an experienced CISO from the financial services industry, say, instead. The FBI, however, has cutting-edge knowledge of new threats and new techniques for foiling them.
“He also has access to people who will continue to have access to the cutting edge,” Voccola notes. “He knows everybody, so there are friends that can be helpful to our customers and to us as we build our policies and our practices.”
Manar, too, believes his vast exposure to attacks and attackers will be helpful in hardening Kaseya’s infrastructure and products. “You’re going to find very few CISOs that have been through hundreds of thousands of incidents and understand what a true crisis looks like,” he says.
In law enforcement for nearly 23 years and an FBI agent for the last 16, Manar was just four years away from retirement and a guaranteed pension when he accepted Kaseya’s job offer. His chief motivation was the opportunity to help cybercrime targets generally and SMBs specifically prevent incidents rather than respond to them.
“Over my 16 years, I’ve seen the little guy lose a lot. I’ve seen small and medium-sized businesses lose to threat actors time and time again because they don’t have the internal resources or the IT or security or anything else against these financially motivated threat actors,” Manar says. “Being a part of Kaseya, I feel I can directly do something.”
Manar’s chief duties will revolve around securing the financial, IT, and personal information in Kaseya’s databases as well as its cloud infrastructure and data centers, and he’ll also help certify that the product security engineering team led by CTO Dan Timpson follows best practices for safe development. To the extent those duties allow, he also looks forward to sharing his knowledge with Kaseya’s customers.
“My main focus is going to be securing Kaseya,” he says, “but I am going to get to work with some of the MSPs.”
Voccola, too, intends to stay focused on keeping Kaseya and its users safe and profitable. But with the VSA incident now behind him, he’s thinking more broadly about cybercrime’s social and financial impact.
“This problem is only going to get worse,” he says.
As he discussed at length during a ConnectIT keynote on Wednesday, Voccola views the security landscape as a “perfect storm” of mutually reinforcing circumstances. For starters, as IT has grown to play an increasingly strategic role in the economy, it has also become a bigger target for thieves.
“The systems are super important. The data is super important,” Voccola observes. “If you’re a criminal, you’re going to go after what people think is valuable because they will pay more for it.”
The penalties if those criminals get caught, moreover, are relatively light, and the law enforcement agencies responsible for imposing them are underfunded and overwhelmed.
“There are hundreds if not thousands of cyber victims on a weekly basis that reach out to the FBI. The FBI just doesn’t have the manpower to do anything about it,” Voccola says, noting that’s especially true when the victim is an SMB. “They don’t have the time or the resource to do it for the MSP that gets hit or the law firm that gets hit.”
The most insidious contributors to the cybercrime problem, Voccola believes, are the blockchain-based cryptocurrencies he calls “anonymous money.” The people who benefit most from anonymous currencies, he argues, are those with something to hide.
“Sex traffickers, drug traffickers, extortion people, and 100% of cybercrime is compensated for with anonymous currencies,” Voccola says. “I think they need to go away, or they need to not be anonymous anymore.”
Though Kaseya isn’t a lobbying group or political organization, Voccola plans to speak out on that issue in the future.
“We’re a fairly small company, but we have some resources and we have an audience,” he says. “By leveraging that to talk about how this anonymous currency situation creates horrific incentive conflicts, that benefits our customers. So we will use that platform to push that forward.”
Though Kaseya held ConnectIT in October this year, in hopes of avoiding coronavirus-related travel concerns, it will host the 2022 edition of ConnectIT in May, when the show usually happens.