Kaseya spent heavily on security before its VSA remote monitoring and management solution was breached last summer. It’s spending more heavily now.
“I think most of the experts that we brought in will attest Kaseya security wasn’t bad,” said CEO Fred Voccola in a conversation with ChannelPro at the company’s ConnectIT event in Las Vegas this week. “But it could always be better, and we got hit, and we need to get better, and we will.”
In particular, he explains, Kaseya is now spending “millions and millions” of incremental dollars on both additional internal penetration testers and respected outside testers like the Krebs Stamos Group. Their mission, which is inspired partly by the unprecedentedly creative techniques used in the earlier VSA compromise, is to increase the speed with which Kaseya anticipates new exploits and evaluates its readiness to withstand them.
“The rate that the bad guys and gals are innovating and accelerating means [that for] companies like Kaseya having good security today means tomorrow it’s average and two days from now it’s below average,” Voccola says. “You’ve got to keep innovating.”
Both the new and existing experts, he continues, are working in independent groups tasked with thinking like would-be intruders. “The best way of doing that is to take five, six, seven, eight really smart groups, have them not coordinate, and attack us any way that they want,” Voccola says.
To further augment its in-house security know-how, Kaseya has appointed Jason Manar its chief information security officer. Until last Monday, when he stepped into his new post, Manar was an assistant special agent of cyber counterintelligence, intelligence, and language service programs for the Federal Bureau of Investigation, and a member of the response team that worked with Kaseya after the VSA incident.
“It’s a nontraditional hire,” says Voccola, noting that he could have recruited an experienced CISO from the financial services industry, say, instead. The FBI, however, has cutting-edge knowledge of new threats and new techniques for foiling them.
“He also has access to people who will continue to have access to the cutting edge,” Voccola notes. “He knows everybody, so there are friends that can be helpful to our customers and to us as we build our policies and our practices.”
Manar too believes his vast exposure to attacks and attackers will be helpful in hardening Kaseya’s infrastructure and products. “You’re going to find very few CISOs that have been through hundreds of thousands of incidents and understand what a true crisis looks like,” he says.
In law enforcement for nearly 23 years and an FBI agent for the last 16, Manar was just four years away from retirement and a guaranteed pension when he accepted Kaseya’s job offer. His chief motivation was the opportunity to help cybercrime targets generally and SMBs specifically prevent incidents rather than respond to them.
“Over my 16 years, I’ve seen the little guy lose a lot. I’ve seen small and medium-sized businesses lose to threat actors time and time again because they don’t have the internal resources or the IT or security or anything else against these financially motivated threat actors,” Manar says. “Being a part of Kaseya, I feel I can directly do something.”