Just after the MSP business was starting to recover from ransomware attacks launched in 2020 through MSP platform providers ConnectWise and SolarWinds, the year 2021 brought fresh attacks on the channel via another key platform, Kaseya: the July REvil ransomware attack launched by Russian attackers, and the December Log4j exploit, which hit a wide swath of the IT industry, including via Kaseya.
While the impact to Kaseya and its MSP partners from Log4j was limited, the REvil attack caused issues for over 50 Kaseya customers. However, Kaseya was able to do something few have successfully done: fight back. The company brought in the FBI and other government entities and not only helped recover much of the ransom that was paid out, but also helped catch at least one Russia-based suspect.
Fred Voccola, CEO of Kaseya, told CRN that his company, and the MSP business as a whole, saw the value of transparency and of working with authorities to combat hackers, despite what he said were pressures from so-called experts to keep the FBI out of the loop.
“There were experts that were telling us, ‘Don’t engage with the FBI,’” Voccola told CRN. “Like that’s the dumbest [reaction]. Literally, a playbook from a lot of experts we engaged with, whether they’re law firms or other types of organizations, said do not bring the FBI into your four walls. My advice to every company in the world, if something happened from cyber, is, the FBI’s the best friend you could ever have.”
As a result of the experience from the attacks of the last couple of years, Voccola said, MSPs and their customers are now much more secure. However, he said, there is much work to be done, especially for smaller MSPs who have been late to make security a core competency. “Every MSP is now an MSSP (managed security service provider), or else they’re going outta business,” he said.
There is much work to be done to secure the small and midsize businesses that are by and large served by MSPs. Here is what Kaseya is doing, and what Voccola says MSPs need to be doing.
What’s one of the biggest lessons that you learned from 2021?
I think the first thing is the importance of transparency to those who depend on you in a time of uncertainty and crisis. That seems like common sense. So I’m obviously talking about the [REvil ransomware] security incident that happened in July. And there’s 37,000-ish customers who depend on our stuff. And some irresponsible attention-seeking reports by people, not yourself, but others, in the hours immediately following it, scared the bejesus out of a lot of people. The lesson learned was, when people are dependent upon you and there’s a crisis, where that dependency may come into question, transparency and constant and rapid, honest, transparent communication is the only thing to do, despite what advisors may tell you. And I say that because, if you look at what we went through in July, we had had 57 of our approximately 37,000 customers getting hacked. And we’ve said this once, and then I’ll say it again: If it’s only one, it’s still too many, because it’s our job to make sure that crap doesn’t happen. And it happened.
And when things like that happen, there’s a lot of uncertainty. People are scared, fear creates uncertainty. The worst thing is the lack of communication and information. There can be no question about honesty. Now people may not like what you do, but you have to respect people to say the truth and to do it frequently and often. And a lot of people, a lot of quote-unquote experts, said, ‘That’s not the playbook to follow.’ I think that a lesson learned is, that is the playbook. Not just in work, but in freaking life, because that’s how I wanna be treated. That was a big thing for me personally.
I don’t know that it was a lesson learned. It’s probably a lesson reinforced.
What were the experts telling you?
There were experts that were telling us, ‘Don’t engage with the FBI.’ Like that’s the dumbest [reaction]. Literally, a playbook from a lot of experts we engaged with, whether they’re law firms or other types of organizations, said do not bring the FBI into your four walls. My advice to every company in the world, if something happened from cyber, is, the FBI’s the best friend you could ever have. And you should publish that, because the FBI needs that message to get out there, because people are scared like, ‘Oh, I don’t want to bring that in. They might find something bad.’ No, that’s not what they do. They’re helping. I think it’s just common sense. Like if someone, I don’t know, robbed your house or kidnapped your loved one, you’d call the FBI. You’d be transparent with your friends and your family as much as you legally can about what’s going on because people that way can get some level of comfort. It was a [terrible] experience I wouldn’t wish on my worst enemy.
If you look at 2022 versus 2021, are MSPs and their customers more secure or less secure now?
Much more secure. As you look at the pure dollar and/or Euro or whatever, the pure financial spend is much higher, and there’s much more awareness around it. Not just from the MSPs, but the MSP customers are more willing to spend more on security than the numbers show. I will say this: More or less secure is maybe not the right way of measuring it. How do you quantify more or less secure? Much more money is being spent. There’s much more awareness. We’ve certified about three times as many people on the Kaseya security certification track than we have in the previous year. That’s everything from anti-phishing. Our security business grew over a hundred percent this year. Our backup business: One of the reasons people buy backup is if they’re hit by ransomware or something, they’re not totally hosed. They can recover and restore. And that’s the last line of defense against many security attacks. We had a record year this year, as I’m sure all my competitors did.
I do think the threat landscape is different. And I think small businesses are much more of a target now than they were three years ago. If I was a bad actor, I’m going to attack someone who I think, A, can’t defend themselves as well, and, B, if I attack them, there’ll be no retribution from law enforcement. As law enforcement around the world will tell you, they’re grossly understaffed, and it’s not because they’re bad. FBI, all these guys, cyber command, these folks are awesome. There’s just not enough of them. You know, we spend about a thousand times more on illicit drug trade policing than we do on cyber crime. And cyber crime has about the same economic impact worldwide as the illicit drug trade does. That’s tough. The resources typically are allocated to go after people who attack places like Citibank or the Department of Defense. Not after who attacks Fred’s Bank of Monmouth County, New Jersey. So the criminals are smart. These people are very highly intelligent. They’re going to try to take advantage of that difference. So it’s like Dickens’ A Tale Of Two Cities: There’s a lot more awareness and a lot more money being spent and a lot more desire to be secure and a lot more like people investing in their skillsets, but at the same time, the threat landscape is moving more towards small to midsize businesses because there’s a better chance of getting away with it.
What is a key issue?
The piece to all this, which just has to be figured out, is anonymous currencies. And that scares me. Because not 99 percent, not 99.9 percent, you can write it like this, 100 percent of compensation provided to cyber criminals is in the form of anonymous currencies. And as we all know, the No. 1 weapon that’s used to combat non-violent crime is to follow the money. That’s how we caught Al Capone. Eliot Ness wasn’t some big, tough, strong guy. He was a freaking accounting nerd. And that’s how they got Al Capone: tax evasion. It’s a lot harder if not impossible to do that with anonymous currencies. Especially when those anonymous currencies are in countries that don’t have the same rule of law that we might.
So that’s a problem. And that problem is getting worse and worse and worse as more and more people embrace this stupidity of anonymous currency. Until the people who make the laws fully understand the danger that anonymous currencies pose, we’ve basically given a free pass to these very intelligent, very resourceful cyber criminals, with limited resources to stop ‘em or limited resources to prosecute and pursue them. [We’re] defending critical infrastructure, we’re defending Citibank, we’re defending huge organizations. They’re targeting small companies. So MSPs and people like us that work, that live, for MSPs, we have our work cut out.
What changes has Kaseya put in place over the last six to 12 months to improve the situation?
Obviously, we can’t make anonymous currencies illegal. [But] we’re a fairly large cybersecurity software vendor. We spend a lot of time and money making sure that our customers are aware of everything we can do to help them with anti-phishing, dark web monitoring, intrusion detection. From an internal perspective, we’ve spent untold tens of millions of dollars to make sure that we’ve hardened not just our infrastructure, but our software development life cycle, and what’s called product security.
I think there’s another atomic bomb sitting out there and that’s open source. Most MSPs are not software engineers. But I’m a nerd. I grew up coding … and I saw the open source thing happen front and center. I remember people like Bill Gates and Larry Ellison saying open source is long-term bad. It’s long-term bad. Now I’m not an open source expert. I’m sure there are people in the open source community who will fight ‘til they’re blue in the face about why open source is the most secure and is so secure. And maybe they’re right. But I know if you have libraries that are being leveraged by the entire world, we saw this recently with the [Log4j] open source hack, there are libraries that the entire world is using in everything. That creates a great incentive and a great target of mass destruction.
So one of the things that we’re doing is, we are committed to being open source-free as soon as we can. For those who are software engineers, that sounds like an impossible feat. It’s what we need to do. It’s an initiative that we started about four months ago. The first step is no more incremental functionality created on open source. And then how do we replace open source in all of our products? Any software engineer will tell you that’s a years and years and years process. But we have to de-risk it. Because if I was a bad guy, that’s one of the first things I’d be looking at. If I could take a huge amount of resources and target something, why not? Because your target, no matter how hard it is, these people are really smart. They find a way. So that’s something that we’re doing. It’s a monster initiative. And I wanna be really clear. I am not saying I think open source is bad. I’m not the expert on it, but I do know it’s one less vector that we wanna have open.
What was the financial impact to Kaseya from the July REvil ransomware attack, and what did you see from the Log4j exploit?
It’s hard to answer that question because when you ask, ‘What is the financial impact,’ if one of my people spends a minute on it, there is a financial impact. But no, nothing material from Log4j. Obviously, we spent internal time and resources and we did a lot of stuff. So that burned a lot of money. But nothing that anyone else in the industry, in the world, didn’t experience. The [ransomware] incident we had in July had a huge impact on how we look at our customers and value them. So we probably spent, I don’t have my notes here, but it’s pretty substantial. It’s in the tens of millions of dollars in direct costs. So substantial there, and that comes from all kinds of things. It comes from consultants that we’ve hired, all kinds of engineering work. We had all kinds of experts we brought in. Additional penetration testing. Probably an ongoing increase in the tens of millions of dollars to make sure that things like this don’t happen anymore, or to the best of our ability. Every software vendor gets hit. We want to be at the cutting edge of prevention.