ConnectWise CISO On R1Soft Vulnerability: We Have Some Work To Do
‘One of our big goals is transparency through what we do with our own stuff,’ says ConnectWise CISO Patrick Beggs.
What was the biggest lesson you learned from the R1Soft vulnerability?
One of the bigger and more positive things is the collaboration and interaction with the research community. The biggest lesson learned is we had some hiccups on how it came in the front door. I think we have some work to do on the education side. I actually did a livestream and talked about our revamped vulnerability disclosure capabilities and processes. It’s how we’re going to work and how we’re going to better formalize and mature working with folks that want to talk about, or they have discoveries on, our products from a vulnerability standpoint. So that’s the biggest lesson learned is we’ve got to get more mature on the intake side of the house. I’ll say I’m very proud of my team and the product team for really working closely together. This was like their first battle test. Also in the mix we had the [threat hunters firm] Huntress researchers. For me it was great because I got to integrate with the CEO Kyle [Hanslovan].
But not just Huntress, we had some other folks that were helping out, like [CEO] Jason Slagle with [Ohio-based MSP] CRNW who was being a really good faith kind of middleman. We’re going to get better at this for sure. We’re bringing folks in house on the research side. One of our bigger pushes is on the vulnerability and discovery side versus management. We want to find it before somebody else does.
After the R1Soft vulnerability, are you going over everything one more time with a fine-tooth comb to make sure things are airtight?
The biggest thing is making sure that they patch. I can’t say that enough, is to make sure that they do their diligence on that. We’re making sure that nothing was missed. We are peeling back and we continue to revisit and peel back the code and to ensure the validation that the researcher did, that the patch is pushed out. We don’t just forget about it. It’s a continuous process.