ConnectWise CISO On R1Soft Vulnerability: We Have Some Work To Do

‘One of our big goals is transparency through what we do with our own stuff,’ says ConnectWise CISO Patrick Beggs.

ConnectWise’s top security executive believes the Tampa, Florida-based maker of IT management software has “some work to do on the education side,” after patching a critical flaw in October in the ConnectWise R1Soft server that could have infected 5,000 servers.

“The biggest lesson learned is we had some hiccups on how it came in the front door,” ConnectWise Chief Information Security Officer Patrick Beggs told CRN. Going forward, he is focusing on vulnerability management, phishing simulations and education on all things cybersecurity so that the ConnectWise team is ready even before bad actors try to infiltrate their ecosystems.

“We’re going to be red teaming where it’s hardcore cyber experts that basically try to break into our own networks. Threat hunting is more internal looking for behavior that exists but that shouldn’t be there,” he said.


A part of that is the newly formed product security response team, which will bring a security-first mindset to all phases of product and engineering development: planning, design and execution.

“We have our ear to the ground to what some of our partners are going through,” he said. “I hope to pass on some of that knowledge to some of our folks and say, ‘Listen, I’m not necessarily promoting one product over another, but it’s just a capability that I want folks to know about.’”

Along with the product security response team, the software vendor also recently launched ConnectWise Labs, a new special operations unit that will analyze data to anticipate what’s coming and build solutions that help partners solve problems they aren’t facing yet, through ConnectWise Access Management.

The ConnectWise Access Management tool, also recently announced, will provide credential-less, temporary administrative logon accounts and credential-less approval and denial of end user elevation requests. Many of the benefits include decreased ticket volumes, enhanced security, improved customer experience and the opportunity to redeploy resources to generate additional revenue, according to the company.

And it all starts with education, Beggs said.

“Security awareness training isn’t just pushed one time a year. If you’re failing or if you have challenges on these tests, you actually get training as it goes,” he said. “One of our big goals is transparency through what we do with our own stuff.”

Here’s more of what Beggs had to say about cybersecurity trends, education and the recent R1Soft vulnerability.

What was the biggest lesson you learned from the R1Soft vulnerability?

One of the bigger and more positive things is the collaboration and interaction with the research community. The biggest lesson learned is we had some hiccups on how it came in the front door. I think we have some work to do on the education side. I actually did a livestream and talked about our revamped vulnerability disclosure capabilities and processes. It’s how we’re going to work and how we’re going to better formalize and mature working with folks that want to talk about, or they have discoveries on, our products from a vulnerability standpoint. So the biggest lesson learned is that we’ve got to get more mature on the intake side of the house. I’ll say I’m very proud of my team and the product team for really working closely together. This was like their first battle test. Also in the mix we had the [threat hunting firm] Huntress researchers. For me it was great because I got to integrate with the CEO Kyle [Hanslovan].

But not just Huntress, we had some other folks that were helping out, like [CEO] Jason Slagle with [Ohio-based MSP] CRNW who was being a really good faith kind of middleman. We’re going to get better at this for sure. We’re bringing folks in house on the research side. One of our bigger pushes is on the vulnerability and discovery side versus management. We want to find it before somebody else does.

After the R1Soft vulnerability, are you going over everything one more time with a fine-tooth comb to make sure things are airtight?

The biggest thing is making sure that they patch. I can’t say that enough: make sure that they do their diligence on that. We’re making sure that nothing was missed. We continue to revisit and peel back the code, to validate what the researcher did and to ensure that the patch is pushed out. We don’t just forget about it. It’s a continuous process.

When it comes to cybersecurity, what are you hearing the most from partners? What is their biggest ask?

Their biggest ask is don’t break my stuff. The biggest thing is to understand the nuances of how we’re deploying your product and put them into how you’re approaching security. You don’t use a 10-pound hammer on a one-inch nail. We want to make sure it’s scalable to what they’re doing. The biggest challenge is understanding their challenges as we’re rolling things out. We want security baked in. I want less security patches. For 2023 I’m going to be grading my folks. I want to look for patches we put out on the product last year versus this year. I want, in new products rolling out, there to be X amount less because if we’re doing our jobs that’s already baked in. Baked in versus layered on.

What’s one big cybersecurity trend you’re watching right now?

Vulnerability management, attack surface reduction and automation. Automation around identifying assets that you didn’t previously know about. We’ve piloted some tools and are rolling them out internally. It’s just the ease of implementation to integrate them into our environment but also really identifying applications and assets and telling us instantly if they’re in compliance or out of compliance, right? And we’re not that big of a company, I mean, we’re a similar size to some large MSPs. From a malware standpoint, we’re actually getting behavioral tools in place for quarterly phish testing. What we’re doing is we’re identifying higher value users and higher value assets, we’re correlating those and testing those folks on a continuous basis.

What keeps you up at night?

On the ransomware side out of the house, it’s quiet. It’s quieter, not quiet. They’re not making as much noise. The government whacked them in 2021 in the sense that they said, ‘This is an act of cyber terrorism.’ So I think they’re not as noisy and that makes me nervous when they’re not as noisy.

Do you think an incoming recession would impact the frequency of ransomware attacks?

Absolutely. It’s what you saw with COVID, there was an uptick because folks were home more.

I think with a recession or anytime where folks are out of work or financial situations are strained, you’re going to see spikes.

What are you going to focus on in 2023?

On the vulnerability management side we’ve made huge strides this year. We’ve killed it. [We put] people, processes and technologies in place to really be successful going forward. That was one of my biggest pushes when I got here. We’re going to be doing threat hunting and routine analysis in house as well. We also are starting to build this dossier of folks that understand our products because they use them so much, and we’re building good relationships. We know we’re not going to get burned if we reach out and say, ‘Hey, we’re seeing something internally that we’re not sure what it is. Can you maybe take a look at what it might be?’

We’re going to be red teaming where it’s hardcore cyber experts that basically try to break into our own networks. Threat hunting is more internal looking for behavior that exists but that shouldn’t be there. The red teamers are doing more fun jobs in cyber. It’s one of the more coveted jobs. You’re a hacker.