The Gately Report: N-able Says Business Resiliency Key to Thwarting Attacks
Plus, the White House issues a policy to address AI risks.
![N-able and business resiliency N-able and business resiliency](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/bltcd569e0346a79c04/6525d2036868b4d27f3c823f/Resilience.jpg?width=700&auto=webp&quality=80&disable=upscale)
Robert Kneschke/Shutterstock
Channel Futures: What’s keeping N-able out of the headlines in terms of suffering a cyberattack or data breach?
Dave MacKinnon: Part of it is having a good cybersecurity posture. We've invested tremendously since we became N-able almost three years ago. We've grown the program tremendously. I've tried to be very transparent about what we're doing and how we're doing it. Everybody is at risk for this. I would never sit here and say N-able will never have a vulnerability in our product. We do have vulnerabilities in our product. We strategically work to fix them. Some of it is, how do you infuse security earlier in that development cycle? Before we write a line of code, how do you train your developers? How do you infuse security across the organization to ensure that security is not an afterthought? It's part of everybody's day-to-day responsibilities and we work very diligently to infuse that across N-able. And then once you release product, that's where I think it's good hygiene. It's making sure that you have a vulnerability disclosure program. Are we running an active bug bounty?
One of the big investments we made last year was we changed the way we do penetration testing. Historically, we had pen testing once a year. We would get an attestation and say, "Hey Mr. Customer, we're protecting this product and here's how we validated it." Last year, we actually moved to continuous pen testing. So now we're constantly being pen tested to ensure that if there's a change in the environment, we have the pen test teams on it immediately to help support us. The faster we can find those threats and those risks in the product and address them, the better. What you want to do is minimize the opportunity for attacks. The other big thing is, how do you share not across our organization, but across the larger MSP ecosystem?That's another area where I think as we continue to mature those relationships and ensure that we're sharing effectively between our organizations, we're making the community safer, which is ultimately what we want.
CF: What prompted that need for more frequent pen testing?
DM: It's really just the best practice. Historically, everybody has been doing once a year because that's what you need to do for ISO or SOC 2, or for whatever other compliance. We change our software once every month. The sooner we can find a risk in the product, the better. So for me, it's just more of a proactive approach to ensuring that we're protecting our products. There is no catalyst. It was an effective way for us to identify risks in our product as soon as possible, so we made the investment in that solution to continue improving our overall cybersecurity posture.
CF: In the past, there have been challenges as far as trying to foster information sharing across the broader cybersecurity community. Is that improving?
DM: It definitely is, and the Cybersecurity and Infrastructure Security Agency (CISA) has helped tremendously. Its Joint Cyber Defense Collaborative (JCDC) group meets monthly. We have active initiatives. There are pledges currently in the works for these different organizations. We have a shared Slack channel now so we can share information in real time. The other piece is having direct access to the other CISOs does help. So it's something that has moved along. [Former Datto CISO] Ryan Weeks was a great champion of this when he was at Datto. When I got into the space, he was one of the first people to reach out and foster some of those relationships. I definitely feel like it has legs now and it's creating that opportunity to make sure that we are effectively sharing across the community.
CF: I’m sure cybercriminals are constantly launching attacks against N-able. Who’s targeting you?
DM: So attribution is hard. I don't want to say it in a dismissive way, but with the tactics that are being used now being so easy to execute, it's hard to say it's this country or this specific threat actor group, or anything like that. That's not something that we typically spend time on. I can tell you the tactics they use and how they're trying to do it. But more what we focus on is, as they evolve their tactics, what protections are we putting in place to protect N-able, our intellectual property, our systems. I don't want to name any specific vendors, but last year, there was multifactor authentication (MFA) bombing; that's how they were breaking in. They would just keep hitting users until they finally [would say], "I'm going to approve this just so you stop bothering me." We have controls in place to ensure for that specific threat. We have ways to say, "OK, if a user does receive those messages and rejects a certain amount, we automatically disable accounts and they don't unlock." So we've proactively put controls in place.
The other piece that we've invested tremendously in is making sure that the machines connecting into our network are our machines. So we don't allow BYOD or anything like that to connect onto our VPN. You have to be on an N-able-issued machine, or if you're a contractor who doesn't have an N-able-issued machine, using cloud-based PCs like Azure Virtual Desktop. So we've made significant investments there to ensure that we're limiting that blast radius to protect our organization and keep our customers safe. And that's ultimately the goal, to keep ourselves and our customers safe.
CF: Are there scenarios where MSPs won’t do what N-able tells them they need to do to protect themselves and their customers? If so, are there scenarios where N-able then won’t work with them?
DM: I don't know that we've walked away from customers, and that's just not my space. One of the challenges I think all customers have is maturity when it comes to security. Not all MSPs are created equally, and some of those MSPs are behind on versions and things like that, and that creates risks because we make security fixes with every release. We're constantly enhancing the product overall. Those are challenges where our PSM team is proactively reaching out to those customers saying, "Hey, how do we help get you moved to this most recent version? How do we help secure you," basically trying to implement those best practices and then leveraging folks like our Nerd teams and things like that to understand how you do security.
It's still early, but obviously cyber insurance is big right now. Everybody's worried about it, what it costs, what good hygiene looks like when they're going through their questionnaires. And the customers who are lagging behind, they're the ones who are going to assume the most risk. And in some cases, it might not even be the MSPs lagging behind as much as their customer. Does that MSP want to deal with that customer anymore? Are they a good customer for them? So I think that's where you're going to see: the continued evolution of figuring out not just is the MSP lagging behind, but is the customer lagging behind, and are they at a level of risk profile that the MSP wants to accept?
CF: Last time we spoke, you said it’s important for MSPs to build automation and consistency into their security practices. Have you seen progress there?
DM: It varies. It depends upon where they are. We've obviously made investments in the product to help, adding in artificial intelligence (AI) and things like that to help streamline that. We're continuing to make improvements with Cloud Commander and tools like that to help normalize it. Ultimately, it just depends upon how they want to attack security and take that on. Is it something they want to build in-house? Is it something where they want to partner with, something like an MDR service, and it's figuring out what is the right dial to turn for those individual MSPs. You have to do more with less; that's the reality. We just came out of a partner meeting and there was a comment about how many people do you get to hire for that, and, of course, everybody laughed because you're not getting tons and tons of headcount. You just have to knock it out. And that's where the RMMs and PSAs are extremely powerful to help streamline those business operations and make them more effective, not just for security, but overall for company management.
CF: AI is a hot topic in security, both from making use of AI to improve protection, and cybercriminals using it to improve their attacks. How is N-able making use of AI and can it help MSPs make use of AI in their security?
DM: So it's already integrated; we integrated it into N-central last year. That's the path we went. We knew that MSPs could benefit from that and we took that on very early on. It actually came out of an internal hackathon. We started brainstorming and AI was one of the things we started brainstorming, and it turned into a product idea. So those are opportunities we take to leverage the internal knowledge and experience for the teams.
I think the other half is, how do we give effective guidance to our internal teams for how to use AI? Because it's still a bit of the Wild West; there's not a lot of governance right now. But developing policies and giving people guidance for how to engage it [is important], what not to put in it because there are obviously risks there. But we know it's proven that it will continue to make MSPs more effective, especially as it gets more training data and becomes a better source of information. Unfortunately, the threat actors can also use it. It can be used for good and for bad, and that’s just the risk of the technology itself.
CF: What do you find most surprising and dangerous about the current threat landscape?
DM: I wouldn't say that it's surprising. It's just the reality that everybody continues to be a target. Threat actors don’t have to change their tactics greatly because there's just a prime landscape of customers for them to target. If you follow any of the ransomware sites, it’s just how frequently these companies are getting hit and having to respond to it. A lot of that challenge goes back to those core three things. Are you patching or do you have surfaces closed, and do you have effective layers of control for those phishing emails?
What I worry about personally is there's going to come a point where those insurance companies, they don't want to pay out; unfortunately, that's the reality of insurance. Insurance rates went way up and they're staying up. But how much of a challenge are they going to put in place in the future to fight paying things out? So to me, it’s not necessarily a cybersecurity threat actor specifically, but it's just from an ecosystem perspective. I'll be interested to see how that continues to play out on the insurance front, because insurance is not a security strategy. Insurance is intended in the event of, and some of that gets down to the business resiliency. How do you figure out your business? How do you understand the risks? How do you figure out what assets are the most critical? And from a restoration perspective, what do we focus on? That's where those conversations need to pivot.
CF: When it comes to cybersecurity, what’s next for you and N-able?
DM: We never stop working. One of the things we talk about internally ... is called "iterating to awesome." It's [about] how do you set a bar that everybody can work to? And then once we hit that bar, we move it up. So for us, it's continuing to mature. So you take what we did last year with pen testing and that evolution. How do we move that forward? What investments can we make with Copilot for code generation and how do we make sure we're properly securing it? For us it's adapting those technologies that are helping make us more efficient as a business, but also making sure that we're effectively monitoring and securing them. So that's what's next. We're going to continue working through that trend and making sure that we're protecting the organization. We're never done. Fortunately, there's job security in that, too.
In other cybersecurity news …
The White House is ordering all federal agencies to name chief AI officers to oversee the federal government's various approaches to AI and manage the risks that the rapidly evolving technologies might pose.
The directive is part of a governmentwide policy from the White House's Office of Management and Budget (OMB) that Vice President Kamala Harris announced, following a sweeping AI executive order President Biden signed in October.
The White House is trying to push the federal government to keep up with the changes in the field of AI.
"We have directed all federal agencies to designate a chief AI officer with the experience, expertise and authority to oversee all — I'm going to emphasize that — all AI technologies used by that agency," Harris said. "And this is to make sure that AI is used responsibly, understanding that we must have senior leaders across our government who are specifically tasked with overseeing AI adoption and use."
The new OMB policy also requires federal agencies to establish AI governance boards to coordinate and establish rules for the use of AI technologies across each agency. The White House said the Defense, Housing and Urban Development, State and Veterans Affairs departments have already set up governance boards.
The Biden administration plans to hire 100 AI professionals across agencies by this summer. By December, federal agencies must also put in place what the White House calls "concrete safeguards" when they use AI "in a way that could impact Americans' rights or safety."
Marcus Fowler, CEO of Darktrace Federal, said while establishing AI leadership is an important step in ensuring the safe use of AI technologies, and there are existing frameworks around secure AI system development provided by CISA and the United Kingdom National Cyber Security Center (NCSC), these efforts and resources are not the only thing organizations can do to adequately encourage the safe use of generative AI technologies.
![Darktrace's Marcus Fowler Darktrace's Marcus Fowler](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/bltc2bc81a86c2de8fb/660aec572485e7c5c2d53bd8/Fowler_Marcus_Darktrace_2024.jpg?width=700&auto=webp&quality=80&disable=upscale)
Darktrace's Marcus Fowler
“In order to ensure the safe and effective deployment of these tools in their workplaces, it is vital that AI officers and their associated teams have a firm understanding of ‘normal’ behavior across their networks and IT environments, and take part in a dedicated effort to educate their broader organizations with these findings,” he said. “Through this approach, AI executives and their teams can ensure their broader organizations are equipped with a general understanding of the use cases and risks associated with leveraging AI tools, how these issues relate back to their roles and areas of business specifically, and best practices for mitigating business risk."
Fowler said there are three areas of AI implementations that governments and companies should prioritize: data privacy, control and trust. But it’s vital that organizations remember that each of these areas require significant influence from leaders to remain effective.
“In addition to leveraging industry standards and appointing key leadership teams tasked with ensuring the effective use of these technologies, it’s critical that organizations also establish trust in these roles across their companies by highlighting the value that AI-focused roles bring to the broader organization,” he said. “This will help to ensure that each and every team member is familiar and comfortable with the internal resources available to them – encouraging stronger collaboration between teams in tandem with the supervised use of these tools, ultimately strengthening an organization’s broader security posture.”
Gal Ringel, co-founder and CEO at Mine, a global data privacy management firm, said these rules will be somewhat successful in safeguarding AI use, but it's key to understand this only applies to the government, and thus, the public sector.
“The American private sector, from where much of the technological innovation of the past few decades has come, is still operating with mostly free rein when it comes to AI,” he said. “Regarding the rules for government itself, internal assessments and oversight could provide a loophole for lax AI governance. While I understand the security concerns, independent third parties would be better suited for running AI-related assessments, which might necessitate the need to create a specific government agency to do just that. Utah just passed an AI law, which is opening Pandora's box since it paves the way for each state to pass its own AI law in the same way each state has sought to pass its own data privacy law. There needs to be a federal law that oversees the private sector, and while you don't need to take the same risk-based approach the European Union and United Kingdom have, meaningful legislation needs to come through to promote the same principles of transparency, harm reduction and responsible usage echoed in today's announcement.”
Narayana Pappu, CEO at Zendata, a provider of data security and privacy compliance solutions, said the rules for AI are very similar to privacy regulations like the General Data Privacy Regulation (GDPR) in the United Kingdom.
“The AI bias and transparency problem is a data governance problem,” he said. “If you feed AI biased data, you have biased results and if you don’t have governance in place for mission-critical systems (things like shadow IT) again you have biased results and lack of transparency, two main things the laws are trying to address."
A new Aryaka report shows CIOs, CISOs and IT leaders are drowning in complexity as they manage hybrid workforces, cloud adoption and the ever-evolving threat landscape.
The Secure Network Transformation Report 2024 surveyed 202 IT, security and network professionals, director-level and above, across North America, EMEA and Asia.
The report highlights key emerging trends:
The rise of hybrid work arrangements, coupled with hybrid infrastructure and security deployments, is fueling the need for adaptable and secure network solutions. Eighty-one percent of respondents said hybrid work is driving demand for secure access service edge (SASE) and zero-trust networking. This highlights the critical role these technologies play in connecting a complex, hybrid world.
SASE and SD-WAN are no longer seen as niche solutions. The survey found 84% of respondents believe SASE is either mature or somewhat mature, with 91% saying the same about SD-WAN. SASE integrates security features with SD-WAN’s network optimization capabilities.
Seventy percent of respondents said they see value in converging SASE and SD-WAN solutions. The primary benefits for doing so are multi-pronged. Thirty-four percent want stronger network operations and security, 24% want less operational burden and 19% want vendor consolidation.
As more organizations embrace hybrid work, securing access points becomes paramount. The survey revealed 64% of respondents consider zero-trust security a crucial component of SASE for hybrid work deployments.
The exponential growth of cloud-based applications and services, including AI, is placing a notable strain on traditional network architectures, according to the report. Sixty-seven percent of respondents see managed services and SASE playing a greater role in managing these complex environments.
Additionally, the report explores the shift in enterprises moving away from legacy MPLS services, with 76% planning to eliminate MPLS, either in the immediate future or in the next two to three years. Moreover, 10% of respondents have already eliminated MPLS completely.
![Aryaka's Pete Harteveld Aryaka's Pete Harteveld](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt3ab5e8ee6deec939/660aecd5f5fc799951562458/Harteveld_Pete_Aryaka_2024.jpg?width=700&auto=webp&quality=80&disable=upscale)
Aryaka's Pete Harteveld
“Our report shows that the IT and network security landscape is undergoing a major transformation driven by the rise of hybrid work models and the ever-increasing adoption of AI, and cloud-based applications and services,” said Pete Harteveld, Aryaka’s chief revenue officer. “Aryaka is listening to its customers and the IT industry at large to deliver innovative solutions that address businesses’ most pressing needs.”
A new Aryaka report shows CIOs, CISOs and IT leaders are drowning in complexity as they manage hybrid workforces, cloud adoption and the ever-evolving threat landscape.
The Secure Network Transformation Report 2024 surveyed 202 IT, security and network professionals, director-level and above, across North America, EMEA and Asia.
The report highlights key emerging trends:
The rise of hybrid work arrangements, coupled with hybrid infrastructure and security deployments, is fueling the need for adaptable and secure network solutions. Eighty-one percent of respondents said hybrid work is driving demand for secure access service edge (SASE) and zero-trust networking. This highlights the critical role these technologies play in connecting a complex, hybrid world.
SASE and SD-WAN are no longer seen as niche solutions. The survey found 84% of respondents believe SASE is either mature or somewhat mature, with 91% saying the same about SD-WAN. SASE integrates security features with SD-WAN’s network optimization capabilities.
Seventy percent of respondents said they see value in converging SASE and SD-WAN solutions. The primary benefits for doing so are multi-pronged. Thirty-four percent want stronger network operations and security, 24% want less operational burden and 19% want vendor consolidation.
As more organizations embrace hybrid work, securing access points becomes paramount. The survey revealed 64% of respondents consider zero-trust security a crucial component of SASE for hybrid work deployments.
The exponential growth of cloud-based applications and services, including AI, is placing a notable strain on traditional network architectures, according to the report. Sixty-seven percent of respondents see managed services and SASE playing a greater role in managing these complex environments.
Additionally, the report explores the shift in enterprises moving away from legacy MPLS services, with 76% planning to eliminate MPLS, either in the immediate future or in the next two to three years. Moreover, 10% of respondents have already eliminated MPLS completely.
![Aryaka's Pete Harteveld Aryaka's Pete Harteveld](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt3ab5e8ee6deec939/660aecd5f5fc799951562458/Harteveld_Pete_Aryaka_2024.jpg?width=700&auto=webp&quality=80&disable=upscale)
Aryaka's Pete Harteveld
“Our report shows that the IT and network security landscape is undergoing a major transformation driven by the rise of hybrid work models and the ever-increasing adoption of AI, and cloud-based applications and services,” said Pete Harteveld, Aryaka’s chief revenue officer. “Aryaka is listening to its customers and the IT industry at large to deliver innovative solutions that address businesses’ most pressing needs.”
Ensuring business resiliency is key to preventing cyberattacks and minimizing the damage if an attack is successful.
That’s according to Dave MacKinnon, N-able’s chief security officer. We caught up with him at last week’s N-able Empower conference in Frisco, Texas.
During Empower, N-able introduced Cloud Commander, a multitenant solution with Microsoft for the cloud. The company also recently rolled out its new managed detection and response (MDR) solution.
“Security is not a checkbox,” MacKinnon said. “What we're really looking at is business resiliency for MSPs’ customers. So how do we ensure that you're coming up with solutions to understand the risks that are impacting those businesses, designing solutions to help protect those businesses and ensure that, if a security event occurs, they're in the best possible situation to recover from that event.”
One of the challenges is that people don’t want to spend money on cybersecurity, he said.
“But I think when you start to tie security to a risk and then you tie that risk to your business resiliency, that naturally becomes a pathway for those customers to understand exactly the value you're adding to their business by having that resilient solution,” MacKinnon said. “So that's one of the things I really hope customers take away from Empower.”
Business Resiliency Addresses Threat Pathways
There are three pathways for cybercriminals to target MSPs and their customers, MacKinnon said. Those are email phishing, some level of missed patching and an exposed surface to the internet.
“Fortunately for MSPs, they're primed with solutions to help identify opportunities for patching or surfaces that are exposed to the internet, additional controls for monitoring, etc.,” he said. “So some of it is if you do the basics, and that's really when we talk about that business resiliency, how do we come up with a very resilient pathway for those customers to keep them protected? The basics will help everybody.”
![N-able's Dave MacKinnon N-able's Dave MacKinnon](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/bltbbbe2374fe1b30fc/660ac9d912eb40277a28f72b/McKinnon_Dave_N-able_2024.jpg?width=700&auto=webp&quality=80&disable=upscale)
N-able's Dave MacKinnon
The challenge is there are commodity markets for attackers, MacKinnon said.
“If you talk about ransomware, if you want somebody who's selling identities, you can buy those on the underground,” he said. “ If you want somebody who's selling phishing kits, you can buy those on the underground or you can just use a different ransomware. So that commodity market has simplified for threat actors to get into that space. It's not like 15-20 years ago where you had to be this tall to ride this ride. Now it's a lot easier to get in. And the challenge is everybody's a target and how quickly you see these threats move.”
Threat actors continue to evolve their tactics, and when it comes to ransomware, as long as customers keep paying, they don't have a reason to stop, MacKinnon said.
“It’s a cash cow,” he said. “And whether it's the customer pays or they have their cyber insurance pay, there's no reason for them to stop running those attacks against any size business because at the end of the day, they're in it for the cash.”
Scroll through our slideshow above for more from MacKinnon and more cybersecurity news.
About the Author(s)
You May Also Like