Bonus Post: Channelholic Hits Lucky Seven at Right of Boom

There’s a reason an estimated 800 people flew into Las Vegas last week to attend this year’s Right of Boom security conference. A few reasons, actually:

78% of MSPs call cybersecurity a top IT challenge for their clients, according to research published by Kaseya last week. The next most common challenge on the list, AI and machine learning, was cited by just 37%.

51% of MSPs name cybersecurity among their most in-demand services, ahead of SaaS subscriptions (47%) and remote management (41%), according to CompTIA research presented during the industry association’s Communities & Councils Forum in Chicago this morning.

41% of MSPs expect cybersecurity revenue to grow significantly in the next two years, ahead of money made on automation services like AI and RPA (32%) and managed services (30%), according to the same CompTIA study.

I was too busy up the road at HP’s partner conference last week reporting on an interesting but less heralded MSP opportunity to attend Right of Boom myself, but I did manage to squeeze in interviews from some of the show’s sponsors just before they left town with their slot machine winnings. Here’s a rundown of what they’re up to these days and where they see the security market headed.

SaaS Alerts and FifthWall have a new cyber insurance option for MSPs

Time to ‘fess up. I may have been a little too quick to predict the imminent arrival of relief from cyber insurance headaches last year.

Sure, premiums declined slightly for the first time since 2018 in both the third and fourth quarters of 2023, but though Apptega, Blackpoint Cyber, Kaseya, and others have all streamlined the process of getting and using security coverage in innovative ways, plenty of MSPs are still manually helping clients fill out giant questionnaires, file claims, and monitor compliance with policy requirements.

It’s nice, though, to see vendors continuing to experiment with new models for making cyber insurance a less painful experience for both MSPs and their customers. The latest example, announced during last week’s conference, comes from SaaS Alerts and FifthWall Solutions. SaaS Alerts, as we’ve written here a few times before, is one of the industry’s very few pure play cloud security companies. FifthWall is an MSP-friendly cyber insurer collaborating already with ConnectWise and more recently CyberFOX among others on MSP-focused initiatives.

Together, the two companies are bundling Beltrex, a FifthWall policy expressly designed for MSPs and SMBs, with SaaS Alerts subscriptions. SaaS Alerts partners will now receive customized links they can give clients who need coverage. Customers who click through will be guided to an online application site that verifies their eligibility and provides a quote, in many cases, FifthWall says, within minutes. Signatures and payment are handled electronically too, and unlike most carriers, which hide the criteria they use to evaluate risk, Beltrex spells it out in plain English.

“We want to put a transparent, easy-to-use platform in the hands of MSPs to provide to their own clients,” says Reid Wellock (pictured), FifthWall’s president.

That FifthWall specifically had MSPs in mind when designing Beltrex is part of what drew SaaS Alerts CEO Jim Lippie to the company.

“When MSPs know that you’re focused on their business, it makes them feel more comfortable and more willing to adopt,” he says.

Beltrex’s emphasis on simplicity weighed in its favor too. “Anytime you’re building a product for the MSP community, it has to start with simple,” Lippie says. “If it’s not simple, you’re never going to get the right amount of mind share to be able to effectively roll this out in a meaningful way.”

Unlike cyber insurance offers from Apptega and Kaseya that draw on automated back-end telemetry connections with insurance underwriters to secure discounted rates for buyers, Beltrex policies sell at industry-standard rates for now. In time, however, FifthWall hopes to draw on the deep well of reporting data SaaS Alerts maintains to prove that businesses the company protects are significantly less vulnerable to attack. According to SaaS Alerts, the 726 partners using its Respond module last year stopped 7,900 potential breaches.

“We know their client base as a whole is going to be lower risk,” Wellock says. In the meantime, he continues, MSPs can draw on their relationship with SaaS Alerts and FifthWall to position themselves to customers as “true security risk advisors,” something their clients increasingly demand that they be anyway.

SaaS Alerts isn’t Beltrex’s first or only alliance partner. The company announced a pact with SIEM vendor Blumira two weeks ago, and will disclose a deal with a third as yet unnamed vendor shortly. Don’t expect a flood of further names to follow soon though.

“It’s a crawl walk run,” Wellock says. “We’re just doing a couple partners at a time right now.”

[Note: SaaS Alerts is currently a client of Channel Mastered, the vendor consultancy I work with when I’m not writing here. This story is not a paid placement.]


Token hijacking goes mainstream

Cliches generally become cliches because they bear a measure of truth. The SaaS Application Security Insights (SASI) report SaaS Alerts posted last week illustrates the point with respect to the all too familiar saying that “some things never change.”

For example, can it really be true that just 35% of SMB end user accounts have MFA enabled? Unfortunately, yes, and while that’s up a hair from the 32% recorded in the last SASI report, it’s still way too low.

“I don’t know what else the industry has to do, what other alarm bells need to go off, before people figure out that they need to be covering everyone with MFA,” Lippie (pictured) says.

The report shows that hackers are still leaning heavily on the crudest, oldest weapon in their arsenal—brute force attacks—too. “We see 5,500 brute force attacks a day,” Lippie notes.

That figure is actually down by as much as half from last year’s report, though. “Attackers are finding better, more efficient, ways to get into environments,” Lippie says.

Some of the most intriguing findings in the new report document that shift from old school techniques to newer ones like token hijacking. That’s when attackers intercept a legitimate user’s session token (typically via a man-in-the-middle exploit) to gain unauthorized access to a web server, which then becomes a starting point for lateral movement. SaaS Alerts is seeing a lot of token hijacking these days, and so are its partners.

“It’s absolutely pervasive,” Lippie says.

Most MSPs think they’re safer from it than they are too, he continues. “They still believe that MFA and conditional access protect their customers,” Lippie says. “They don’t. Token hijacking bypasses both.” MFA validation has already happened by the time a threat actor steals a token, and conditional access rules that prevent logins from China, say, are easy to fool by setting up a VPN account in Chicago.
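To make the point concrete, here is an added example (not from the SASI report or SaaS Alerts) of a check that catches what a location rule misses: it compares each use of a session token against the network and client recorded when MFA completed. The record fields, the `ALLOWED_COUNTRIES` rule, and the sample events are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

ALLOWED_COUNTRIES = {"US"}  # assumed geo-based conditional access rule


@dataclass(frozen=True)
class Event:
    ts: str          # ISO 8601 UTC, sorts lexicographically
    user: str
    session_id: str
    kind: str        # "login" = MFA completed, "activity" = token presented
    ip: str
    asn: int
    country: str
    user_agent: str


# Constructed sample records (documentation IP ranges and ASNs).
EVENTS = [
    Event("2024-03-04T09:00:12Z", "alice", "s-1001", "login", "198.51.100.10", 64500, "US", "Edge/122 Windows"),
    Event("2024-03-04T09:05:40Z", "alice", "s-1001", "activity", "198.51.100.10", 64500, "US", "Edge/122 Windows"),
    Event("2024-03-04T09:07:02Z", "alice", "s-1001", "activity", "203.0.113.77", 64511, "US", "python-requests/2.31"),
    Event("2024-03-04T09:10:00Z", "bob", "s-2002", "login", "192.0.2.44", 64501, "US", "Chrome/122 macOS"),
    Event("2024-03-04T09:30:00Z", "bob", "s-2002", "activity", "192.0.2.45", 64501, "US", "Chrome/122 macOS"),
    Event("2024-03-04T09:31:00Z", "carol", "s-3003", "activity", "203.0.113.90", 64511, "US", "Firefox/123 Linux"),
]


def geo_rule_allows(ev):
    """The location check alone: passes any request from an allowed country."""
    return ev.country in ALLOWED_COUNTRIES


def find_token_replay(events):
    """Flag token use whose network or client differs from the MFA login."""
    baseline = {}   # session_id -> (asn, user_agent) seen at login
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "login":
            baseline[ev.session_id] = (ev.asn, ev.user_agent)
            continue
        known = baseline.get(ev.session_id)
        if known is None:
            # Token used with no login in the log window: lower confidence.
            findings.append((ev, ["no-login-seen"]))
            continue
        reasons = []
        if ev.asn != known[0]:
            reasons.append("asn-changed")
        if ev.user_agent != known[1]:
            reasons.append("user-agent-changed")
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    for ev, reasons in find_token_replay(EVENTS):
        print(ev.ts, ev.user, ev.ip, reasons, "geo rule allows:", geo_rule_allows(ev))
```

Every flagged event in the sample still passes the country check, while bob's address change inside the same network is left alone to keep noise down.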

Here’s another sign of changing threat vectors: though Slack figured in a mere 1.16% of the nearly 2.7 billion events SaaS Alerts monitored in 2023, 12.11% of those alerts were critical. Doesn’t sound like much until you see that just 1.3%, 1.11%, and 1.55% of events affecting Microsoft 365, Google Workspace, and IT Glue, respectively, were critical.

“People don’t realize there’s a lot of information sharing that happens in Slack and it’s just one more way in,” Lippie says. “MSPs don’t even pay attention to it.”

That’s largely because so few of them have the tools or training needed to understand SaaS security risks, he adds. “We are in a transition as an industry from a traditionally on-prem and device-centric focus to being user-focused,” Lippie says. “Most transitions are painful, and it takes time for people to start to understand what’s going on.”

CyberFOX wants to end living off the land

Token hijacking isn’t the only increasingly popular technique among threat actors. Malwareless “living off the land” attacks are gaining momentum too.

“Traditionally, somebody would click on a link or open a PDF file or whatever it may be, and malware would get on a network. Now there’s really strong social engineering and a bad actor can get into a network without a payload,” says Adam Bensinger (pictured), chief technology officer of CyberFOX. “They get credentials through phishing and spear phishing and all the other tactics out there, and then they can traverse the network using native applications within Windows or other third-party applications.”

The new Blocker module in CyberFOX’s AutoElevate privileged access management solution is designed to mitigate the problem by “blocklisting” hundreds of executables in Windows and Windows-based apps that attackers find useful. “We’ve curated a list of about 220 threat vectors that are native to Windows or drivers or DLLs of other applications,” Bensinger says.

After running in audit mode for a while following installation, Blocker automatically checks to see how many people in an organization ever use one of those files. Typically, according to Bensinger, no one does with perhaps three or four dozen exceptions. AutoElevate automatically blocklists the software that legitimate users never touch and lets administrators set allowlist exception policies for the others. The goal, Bensinger explains, is to simplify an important zero-trust security process that many MSPs find overwhelming.
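The audit-then-block workflow described above can be sketched as follows. This is an added example, not CyberFOX's code or list: the four binaries stand in for the curated list, and the audit records, the `MIN_AUDIT_DAYS` threshold, and the function name are assumptions made for illustration.

```python
import ntpath
from collections import defaultdict

# Hypothetical stand-ins for the curated list the page describes (about 220
# entries in the product); these four Windows binaries are chosen here.
CURATED = {"mshta.exe", "certutil.exe", "bitsadmin.exe", "regsvr32.exe"}
MIN_AUDIT_DAYS = 14  # assumed minimum observation window before enforcing

# Constructed audit-mode records: (day, host, user, image path).
AUDIT = [
    ("2024-03-01", "PC-01", "jsmith", r"C:\Windows\System32\certutil.exe"),
    ("2024-03-09", "PC-01", "jsmith", r"c:\windows\system32\CERTUTIL.EXE"),
    ("2024-03-12", "SRV-02", "svc_backup", r"C:\Windows\System32\bitsadmin.exe"),
    ("2024-03-15", "PC-07", "mlee", r"C:\Windows\System32\notepad.exe"),
]


def build_policy(audit, curated, days_observed, min_days=MIN_AUDIT_DAYS):
    """Split the curated list into 'block outright' and 'review for allowlist'."""
    if days_observed < min_days:
        # A short window misses monthly or quarterly jobs and would block
        # something a legitimate user depends on.
        raise ValueError(f"only {days_observed} audit days, need {min_days}")
    used = defaultdict(set)  # binary name -> {(host, user), ...}
    for _day, host, user, image in audit:
        # Windows paths are case-insensitive; compare on lowercased basename.
        name = ntpath.basename(image).lower()
        if name in curated:
            used[name].add((host, user))
    return {
        # Never observed in legitimate use: safe to block everywhere.
        "block": sorted(curated - set(used)),
        # Observed: an administrator decides, scoped to who actually ran it.
        "review_for_allowlist": {n: sorted(w) for n, w in sorted(used.items())},
    }


if __name__ == "__main__":
    print(build_policy(AUDIT, CURATED, days_observed=30))
```

Scoping each exception to the host and user that actually ran the binary keeps the allowlist narrow instead of re-opening the tool for the whole organization.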

“The challenge that MSPs have is you put a piece of security software on a network and it uploads incredible amounts of data and logs that you have to pore through,” he says. Then you have to build a blocklist based on what you learn.

“It takes hundreds and hundreds of hours to curate that,” Bensinger notes.

Blocker’s debut last week came six months after the addition of just-in-time user rights functionality to AutoElevate that employs biometrics and a special QR code to give technicians temporary, one-time administrative privileges.

“It’s for all intents and purposes a password-less methodology to log in as an admin on a local machine to do your task,” Bensinger says. MSPs that use the feature no longer have to rotate passwords every time a tech exits the company.

CyberFOX plans to extend the capability beyond admins later this year. “We would like to move this down to end users where end users no longer have to know their passwords onto the machines that they’re accessing,” Bensinger says.

Blocker is the latest reflection of a product philosophy at CyberFOX designed to hit a difficult trifecta of effectiveness, simplicity, and affordability for typically less mature MSPs just now waking up to the when-not-if quality of today’s threat landscape.

“It’s new to a lot of the smaller MSPs,” Bensinger says. “You really need to double down on your security stack.” Lowering entry barriers like complexity and price, CyberFOX hopes, will make that easier.

Cork’s leveraging MSSPs to partner with MSPs

CyberFOX has a trifecta-based product strategy. Cyber warranty provider Cork has a trifecta-based marketing message. A complete security offering, it tells MSPs, requires three things: the right solution stack, the right people, and the right “right of boom” recovery resources, including financial resources.

“This is where the Cork warranty comes into place in case something happens,” says Carlson Choi (pictured), the company’s CEO.

In the less than 12 months it’s been recruiting partners, though, the company has already learned that not every MSP is equally trifecta-ready.

“In order for us to be successful, we’ve got to have an MSP that is security focused,” Choi says. “You can have the best tech and the best recovery financial coverage, but not having the security focused operator, that’s really where the gap comes in.”

MSSPs face the same challenge, which is why Cork has forged an alliance agreement with FutureSafe, an MSSP based in Austin, Texas. According to Choi, the company has a trifecta-friendly combination of the right stack (based on technology from Heimdal, a European security vendor making its way into North America), the right people, and now via Cork the right post-breach financial resources.

“Every existing customer and new customer of theirs will now be getting baseline warranty coverage,” Choi says.

That, of course, is a win for Cork too, as the deal connects the company with more than 300 security-focused MSP partners of FutureSafe in one fell swoop. “That’s a really unique opportunity for us, because now it’s not just ‘let’s go one at a time,’” Choi says.

Cork will forge similar agreements with additional MSSPs in the coming months, he continues. “A lot of times they get what we’re talking about.”

As you’ve read in Channelholic before, Cork was created in 2022 by a board of directors that includes Datto founder Austin McChord and former Tesla executive Jon McNeill. The company began recruiting partners in the U.S. last summer and in Canada last fall. As of January, its remote monitoring service, which warns MSPs when a client has shut off MFA or otherwise violated the terms of their warranty agreement, was managing over 200,000 endpoints.

“It’s been quite a wild ride for the last nine months,” Choi says.

Cork warranties, which cover dozens of third-party security solutions, are meant to complement cyber insurance coverage by paying MSPs the money they need to get customers back on their feet after a breach in days versus the months it typically takes insurance claims to be approved.

“We’re getting right back to recovery instead of debating who’s going to pay for this,” Choi says.

Moreover, state laws barring MSPs from selling insurance directly to consumers don’t apply to warranties, so Cork (and now FutureSafe) partners can build coverage into their standard security subscriptions at marked-up rates and use it as a marketing tool.

“The goal is [to say], ‘I trust my service so much that I’m going to put $100K of warranty coverage against it,’” Choi says.

FutureSafe is Cork’s latest but not only strategic alliance partner. The company announced similar pacts with Barracuda Networks last August and attack surface management vendor Liongard last October. The Liongard deal had the added benefit of giving Cork’s monitoring team access to a rich new telemetry stream.

“With our platform, we get enough indication to see where things are, but with Liongard we get deeper integration into configuration and detail level,” Choi says. Cork plans to partner with more telemetry providers in the future.

Thread wants to put an end to tickets

At first blush, Thread isn’t a natural fit to be sponsoring an event like Right of Boom. The company’s core solution is a service experience platform, after all, not security software.

Yet a big part of service experience optimization is enabling real-time communication and collaboration, both within an MSP and between the MSP and its clients, notes Mark Alayev (pictured), Thread’s founder and CEO. And what’s exceptionally important in the hours after a breach?

“Communication,” Alayev says. “Communication is paramount when you’re dealing with any kind of incident of any size, really, that needs to be mitigated.”

Thread describes its platform, which integrates with ConnectWise PSA and Datto Autotask, as a “universal inbox” built specifically for MSPs that helps technicians manage support issues of all kinds collaboratively and in real time, rather than asynchronously via service tickets.

“Nobody wants to work in tickets,” Alayev says. “We really believe that tickets are no way to treat your customers and no way to treat your employees.”

Thread is no great fan of email either. Its software lets users ask questions, exchange knowledge, and coordinate replies via chat in Microsoft Teams and Slack, and communicate with clients in those same systems as well. Once, the company had to persuade MSPs they needed that feature.

“Now MSPs are coming to us and saying, ‘we need chat because our customers are saying we want to chat,’” Alayev says.

Communication is one of Thread’s strong suits. Automation via bots and other mechanisms is another. Alayev describes Thread’s automation functionality as a complement to hyperautomation solutions from companies like Rewst, Pia, and now ConnectWise, though, rather than a potential replacement. Those other systems, he says, interact primarily with an MSP’s RMM, PSA, and other “back office” applications.

“We’re really on the front office collecting the data, reaching out to the right people to do change management approvals, and then enabling these back-office platforms to actually perform the change on the system.”

Those platforms include an MSP’s RPA system. “If you want to run an automation, we can reach out and say, ‘do you approve? Yes, I approve,’ and then trigger change of status and trigger that automation,” Alayev explains.

A built-in AI companion analogous to ConnectWise Sidekick writes emails for users, proposes next steps, and answers technical questions. “Now your tier two, tier three isn’t getting pulled into these micro escalations,” Alayev notes.

According to Thread, techs who use the system save an hour per day on average and resolve issues 30% faster. Their employers, meanwhile, see a 21% average improvement in gross profit margin. Thread placed first in last year’s ConnectWise PitchIT competition for promising startups based in part on that value proposition.

Planning functionality due in the second quarter of the year will let users schedule real-time collaboration for later. Further enhancements are on the roadmap for this year and beyond.

“The future of the company is about being the single platform for all customer and service team interactions and communication,” Alayev says.

Auvik says inventory everything

Like Thread, Auvik isn’t a security vendor per se. Its network and SaaS management solutions are security adjacent though in a critical way, according to John Harden, the vendor’s senior product marketing manager for SaaS (pictured).

“Where every security message and story begins is with knowing what’s out there,” he says. Auvik’s network and SaaS management software aims to fill that need by inventorying every device and cloud app on the network.

Auvik’s 6,300 customers have a lot of both to inventory. Collectively, users are managing one million devices and three million SaaS applications with Auvik products at present.

Two recently introduced features highlight the connection between discovering assets and protecting them. One helps users identify which services in a client environment are using single sign-on and which aren’t but probably should be. Another provides a comprehensive list of user accounts, whether work, personal, individual, or shared.

Auvik users gained visibility into user accounts and other SaaS resources last summer when the company shipped its Auvik SaaS Management solution, following its acquisition of SaaS management vendor Saaslio (which Harden founded) late in 2022. Visibility into PCs and servers, in addition to switches, access points, and other network devices, begins arriving this summer with the beta release of an endpoint management solution we first told you about a few months ago.

Both rollouts reflect Auvik’s larger ambition to help MSPs and other IT professionals monitor, manage, and secure all of the resources touching the network, including “shadow IT” resources they wouldn’t otherwise know are there. According to Harden, users can expect to see the vendor’s currently discrete products merge increasingly into one over time.

“Our messaging is inventory everything, manage everything, support everything. I think it’s a natural evolution that we start centralizing things into the platforms,” he says.

As Auvik has told Channelholic before, though, it’s not building a replacement for the monitoring and management that industry titans like ConnectWise, Kaseya, and N-able do.

“We’re really focused on that inventory advantage,” Harden says.

Cynomi declares 2024 the year of the vCISO

Cynomi for its part is focused on something MSPs are increasingly focused on as well: launching vCISO practices.

“2024 is the vCISO year, straight up,” says Royi Barnea (pictured), the company’s vice president of channel sales. “We see the demand, we see the need, we see basically that many service providers that are not offering it today understand that they need to do so and are interested.”

Research from Cynomi published last year quantified that interest, showing that the number of MSPs and MSSPs in North America delivering vCISO services will soar 480% by the end of this year, from 19% to 86%.

Barnea credits those numbers to the combined impact of rampant threat activity, regulatory compliance mandates, and cyber insurance obligations, which have SMBs increasingly seeking strategic security guidance, and MSPs increasingly eager to satisfy that demand.

“All three together are really creating a huge need,” he says.

To help fill that need Cynomi will soon launch a partner portal for users of its vCISO platform. “It’ll add a lot of know-how, training, videos, recordings, a lot of knowledge transfer,” plus a lot of co-brandable marketing resources, Barnea says.

That resource, due in April, will arrive some seven months after the addition of a new compliance readiness module offering real-time compliance status information and control-by-control guidance on required tasks for implementing the NIST and CIS security frameworks.

According to Barnea, Cynomi’s solution differs from cybersecurity products on the one hand and governance, risk, and compliance (GRC) offerings on the other by tracking both topics in a single place.

“We really preach that if an end client is compliant, it doesn’t necessarily mean it’s secure and vice versa,” he says.