Kaseya CEO: MSPs Are ‘Playing With Fire’ If They Can’t Get Their Customers To Pay For Security
‘For example, let’s assume a dental practice of 25 employees as a standard MSP customer. How many of those dental practices are willing to pay every three months to certify every employee on security awareness training, like don’t click on links? …The bad guys know the dental practice is the one that’s probably going to bite,’ says Kaseya CEO Fred Voccola in an interview with CRN.
Bringing MSP Security Into The Light
While MSPs have typically done their work quietly behind the scenes, the idea of managed services achieved widespread publicity with the July ransomware attack against MSP platform provider Kaseya. In that attack, hackers from the REvil group went through Kaseya’s Virtual System Administrator (VSA) to attack 56 of Kaseya’s 37,000 MSP customers and about 1,500 of those MSPs’ end-user clients.
That attack, coming on the heels of earlier cyberattacks against MSP platform providers SolarWinds and ConnectWise, as well as attacks on other solution providers including Accenture, brought attention to the question of how secure such platforms are against increasingly sophisticated attacks.
Fred Voccola, CEO of Miami-based Kaseya, is a champion of security in the MSP space. In a wide-ranging conversation with CRN, Voccola talked about the heavy emphasis on security Kaseya has made both before and after the July cyberattack and about key moves the company has made, including hiring a former FBI official, Jason Manar, as its new chief information security officer. “Jason’s one of the worldwide experts on fighting cybercrime and cyber best practices and all the data and infiltration kind of stuff,” he said.
Voccola also talked with CRN about his company’s recently concluded Connect IT 2021 conference, which saw about 3,700 attendees, or about double the attendance of the last live conference in 2019. During Connect IT, the company rolled out its Kaseya One unified management platform. “Kaseya One is the first and only—how’s that for marketing, ‘first and only’—universal interface into IT Complete,” he said.
Voccola is known for his no-holds-barred style and his conversation with CRN is no exception. Here is what he had to say.
What’s the latest on the Kaseya VSA REvil cyberattack in July and August? Any recent updates?
Nothing that hasn’t already been put out there.
Is Kaseya reimbursing MSPs that were impacted by the event?
We don’t disclose what we do financially.
What has Kaseya done to make sure that a breach like this doesn’t happen again?
Well, considering we’re one of, what, 800 software vendors that have had security issues in the last two years, we’re doing the best practices that everybody does. And I don’t say that lightly at all. We’ve doubled down on our existing security practices. We’ve increased the investments for [our] product security organization. I think the biggest piece to that is just following the protocols that all the experts in the world give us and everyone to do. It’s the same things that ConnectWise probably did after their attack, and SolarWinds after theirs, and Microsoft after theirs. We’re dealing with a global—I hate the word ‘pandemic’ because people use that with COVID—a global phenomenon. Here’s the reality: [Society has] created a perfect storm for crime. One, if someone were to go into a Citibank branch with a gun and point the gun and do a stick-up and walk away with $10,000, they get a much harsher punishment than if someone behind a computer stole $1 million from Citibank, or $10 million. Second, the amount of money and resources that we in the Western world like the U.S. and EU [European Union] spend combating cybercrime is like one one-thousandth or one three-thousandth of what we spend on combating illicit narcotics and illicit drugs. So that means the investigation rate of cybercrime is less than one out of every 5,000 cyber incidents. If you have a $100,000 ransomware attack, no one investigates. There’s not enough resources.
What else is causing this?
In a world of anonymous currencies, it is—‘impossible’ is a strong word, there’s no such thing—it’s very difficult to follow the money. And that’s how most criminals get caught, by following the money. Al Capone, one of the most famous criminals of all time, didn’t get caught by some big, tough macho guy knocking the door down. It was an accounting nerd who figured out he was doing tax evasion. They put him in jail for tax evasion.
We can’t do that with all these anonymous currencies, which are used in 100 percent of at least ransomware and about 97 percent of all compensated cybercrime that has happened. [Systems and data are] the most valuable assets of companies, and we’ve created incentives for people to go and steal it. If you get caught, you get a slap on the wrist. And the chance of getting caught is almost zero, first, because it’s really hard to do it with an anonymous currency, and two, there’s no one to try to catch you. So we, Microsoft, and all the IT and security people are dealing with the same [stuff]. It has to be a layered approach. It has to be a compartmentalized approach. … Microsoft published what, a couple hundred vulnerabilities recently? It’s not a knock on Microsoft. Microsoft’s awesome. It’s not ‘if,’ it’s ‘when’ [you get hit], and the key thing you can do is build your architecture and your policies and your protocols [so that] when it happens, the impact is minimal.
And I think we demonstrated that in July. We had a breach and we had 56 out of 37,000 get hit. That’s too many. How do we not get hit again? There are things we’re doing. Obviously, I’m not going to tell you what we’re doing because then the bad guys would have the information. But it’s about resource allocation. It’s about hiring really smart third-party companies. We had Krebs in here. We had FireEye in here. We have really smart people helping us and working with the feds on an ongoing basis. It’s not just, ‘Hey, there’s a breach, help me.’
Do you think MSPs, not just Kaseya MSPs, but any MSPs, have learned any lessons? Do you think they’ve made any changes?
About 98 percent or 99 percent of ransomware attacks are people clicking on links. I think that it’s not just MSPs. I think what happened this summer was kind of the straw that broke the camel’s back, or whatever that phrase is, in creating awareness among non-IT people about security and all the ramifications and implications that it has. I think that MSPs have a real struggle: If their customers aren’t willing to pay to be as secure as they need to be, they’re playing with fire. MSPs need to get better at selling and/or articulating the value. I think most MSPs understand these realities.
For example, let’s assume a dental practice of 25 employees as a standard MSP customer. How many of those dental practices are willing to pay every three months to certify every employee on security awareness training, like don’t click on links? How many of them will be willing to deal with multifactoring into every device? ‘Ah, it’s a pain. I don’t want to do it. No one’s going to come after us. We’re a dental practice.’ Well, BS.
The bad guys know the dental practice is the one that’s probably going to bite so they’ll ransom them for 10 grand or 20 grand. So what makes it hard for the MSP is they need to get that message through to the dentist, who’s an awesome person. He or she is a great dentist. They’re great at fixing our teeth. But they’re like, ‘Why would these Russians or these North Koreans or these people in Silicon Valley who are bad, why would they want to get me?’
What’s the reality here?
The reality is, the bad guys and gals, they’re very smart. And they realize that if they ransom or if they attack a little dentist in Ocala, Florida, for $10,000 or a small university in wherever for $40,000, that no one’s going to investigate. So now SMBs are being targeted at a much faster rate than the large companies. Because if you try to ransom Exxon or Chevron or some other big company, the FBI and Homeland Security have serious capabilities and they’re going to get you. But there’s not enough resources to protect small companies down the road who get hit. [MSPs’] customers are starting to say, ‘Oh, maybe I should listen to my IT guy or my IT gal because they’re on to something.’ So it’s an interesting question you ask. And it’s a really thought-provoking one. I think that MSPs’ customers are becoming smarter, which is good for the MSPs.
Kaseya is officially unveiling Kaseya One, which was first announced in 2018, right?
Kaseya One is the first and only—how’s that for marketing, ‘first and only’—universal interface into IT Complete. It brings every module of IT Complete together in one place: unified billing, unified support, single sign-on for everything Kaseya. It is a huge leap. And the product is free for every Kaseya customer. It’s been in beta for about three months. So we’re now announcing beta 2, picking up another 4,000 or 5,000 customers on it. And then [it] will be out live in about six to eight weeks. We’re telling the world it’s coming.
What else went on at the Connect IT conference?
We’re releasing a new security product called VulScan. It’s a vulnerability scanner, purpose-built for our market, for MSPs and the customers they serve. It’s interesting. We have some data that shows around 54 percent of MSPs do not use vulnerability scanning technologies. … And the reasons are, they’re really expensive and they’re not necessarily the easiest things to use. They’re built for the enterprise. Rapid7 and Qualys are great products, but they’re not built for the MSP space in terms of pricing and usability. So we’re releasing VulScan. We actually pre-released it about four months ago. We got about 150 MSPs that bought it and are using it. So we’re pretty jazzed to open that up to the world.
We have a lot of enhancements—I’m not going to call them new products. It’s things that we’re just giving for free to users of our IT Glue IT documentation platform. We have all sorts of stuff like automated security documentation being built in. That’s a big thing. They’re called security checklists. Having those things prebuilt in makes it really easy for the IT Glue user. These are things people should use. It’s just, like anything, IT people are getting crushed. There’s so many things they need to do. So we’ve got to automate as much as we can.
We also have some cyber certifications that we’re doing. A lot of third parties are really interested in that. There’s a cyber security management certification.
You also introduced a new CISO, Jason Manar. Tell us about him.
He was one of the top cyber people at FBI Cyber Command. Jason joined us several weeks ago as our new CISO. That’s a big, big announcement. Jason’s a worldwide expert on fighting cybercrime and cyber best practices.
Who was CISO at Kaseya before Jason Manar joined?
The CISO function was done in a couple of different functions and people. [Chief Marketing Officer] Mike Puglia’s organization was overseeing that. Now we’ve moved Jason into that function. The prior CISOs weren’t publicly facing people. Our prior CISO will be working inside of Jason’s organization.
So you had a CISO before, but it was a much less visible position.
It wasn’t an executive position. The interesting thing is, for software companies, there’s a couple of different kinds of security. The CISO is focused on information and data. Software product security is inside of the product security org. So CISOs, not just at Kaseya, but anywhere, they’re not inside of R&D or architecting products. CISOs typically deal with things like GDPR, best practices, that kind of stuff.
You mentioned that Kaseya has single sign-on for everything. Doesn’t that open the possibility of somebody maybe getting in and breaching a part of Kaseya and having more access to the other products?
No, we’ve had that single sign-on for everything Kaseya for years. With single sign-on access points, the way we compartmentalize our architecture, there are protocols that protect that. We’ll talk a lot about the architectures there, but the answer is no. Being able to breach, as was demonstrated, you know, in July: one of our modules was breached and the breach didn’t expand beyond that module. It’s the same way that any single sign-on product in any architecture works.