WatchGuard: Partners Must Deploy Tools That Can Spot Malware, Anywhere

Seattle-based threat management vendor WatchGuard said the channel should take advantage of its enhanced capabilities to detect cyberattacks in every part of a customer's network, but solution providers should also have a response prepared if prevention doesn't work, according to Brendan Patterson, WatchGuard's vice president of product management.

"We're not going to block 100 percent. You just can't," Patterson said Tuesday during a breakout session at XChange Solution Provider 2018, hosted by CRN parent The Channel Co. "It's a cat and mouse game where we have to keep up with them."

[Related: 2018 Security 100: 20 Coolest Network Security Vendors]

Patterson said WatchGuard has extended its capabilities beyond traditional products and services like signature-based antivirus and intrusion prevention to include a network sandboxing tool, where files can be detonated in a secure environment and examined for any indications of malware.

Some 43 percent of the malware detected on WatchGuard boxes in the past month was zero-day, Patterson said, meaning standard antivirus signatures wouldn't have been good enough to detect it. Customers would have needed to use an advanced sandboxing suite to detect them, Patterson said.

The company also recently rolled out a malware detection and response service that puts an agent on the endpoint to collect information coming through the system, correlates that with what's been seen on the network, and looks for patterns that could potentially signal malware, Patterson said.

From there, Patterson said WatchGuard can take remediation actions like killing a process, quarantining a file, or updating or changing a registry entry that might have been affected by malware. All of this presents an opportunity for MSPs to look at their data and set up a NOC or SOC to monitor what's happening on the firewall since most SMBs lack the expertise to manage this on their own.

"It's too hard for companies to manage," Patterson said.

WatchGuard's more advanced systems can be turned on or off, with end users paying only for what they've used in the given month, according to Patterson.

The best and most important defense that MSPs should strengthen is user education, according to Patterson. He urged solution providers to put tools in place such as KnowBe4 that do phishing simulations and security awareness training.

"The biggest problem is not the computer," Patterson said. "It's what's between the chair and the keyboard. You need to educate them."

Contact between end users and MSSPs shouldn't only be limited to when things go wrong, Patterson said. Instead, Patterson said MSSPs should be providing reports to their customers on a regular basis showing all of the attacks and malware that they've blocked.

WatchGuard has a customizable executive report that MSSPs can use to show customers the number of attacks they blocked last month and the value clients are getting from the contract, according to Patterson.

The company has also done API-level integrations with ConnectWise and Autotask in recent months, Patterson said, enabling asset information to be synced up so that all of the firewalls can be seen in the professional services automation portal.

Additionally, WatchGuard has rolled out closed-loop service ticketing where any security or malware event will automatically generate a ticket. And whenever new information comes in, Patterson said the same ticket will be updated automatically.

"We don't create a new ticket related to the same event over and over again," Patterson said.

Integrative IT was intrigued by WatchGuard's integration with Autotask as well as their sandboxing capabilities, according to President Jay Harris. The Denver-based solution provider isn't currently able to automatically open up tickets based on information compiled by the firewalls, Harris said, and instead has to access the tool on its own to manually retrieve the information.

"Being able to do that pre-emptively would be helpful," Harris said.

Integrative IT can procure sandboxing through its current network security vendor, but customers have to commit to an annual subscription, which Harris said is too expensive for many of them. Having the ability to control costs by turning the sandboxing on or off at will based on the current level of security risk would make sandboxing a more appealing option for clients, Harris said.

"If they offer functionality my current vendor doesn't, I would consider switching to them," he said.