Huntress CEO On 2023 Cybersecurity Trends, Vendor Claims And Curricula Plans

‘I would say, flat out, an emerging trend of charlatan level is the channel has to start auditing the claims of most of the security vendors,’ says Kyle Hanslovan, Huntress CEO

Huntress CEO Kyle Hanslovan said MSPs should audit security vendors’ claims that they provide 100 percent security, because people believe such claims, and that the best way to spread security awareness is through training and education.

“I would say, flat out, an emerging trend of charlatan level is the channel has to start auditing the claims of most of the security vendors,” Hanslovan told CRN. “When I hear someone tell me they provide a 24-by-seven security service and I look at their staff and they have six people, somebody either is a robot or they’re BS-ing.”

The most effective way to amp up security is through education, he said.

“Still to this day we see partners buy amazing products, like great next generation EDR, but they don’t configure it, they don’t manage it or to be frank, they don’t have the team on staff with the skills to manage it. So they have to solve that problem somehow at a cost that makes sense, whether that’s internal training or standardizing outsourcing,” he said.

The threat research firm has always been a managed security platform, he said, but all the work that has been done, even through acquisitions, was at the endpoint.

“We started looking back and asking our partners, ‘Where are you struggling to manage?’ The number one thing we hear is, ‘No talent, still.’ And even if they do have talent, nobody wants to manage the mundane monotonous anywhere. They don’t want to manage the cloud monotonous. They don’t want to manage user training,” he said.

To help with that, Huntress in August paid $22 million to buy Curricula, a story-based security awareness training platform that empowers employees to better defend themselves against hackers. About 15 employees came over in the acquisition.

“Now we have a whole team full of shady hackers and how do we help do all of that for [MSPs] and bring that expertise,” he said. “It’s going to take me probably three quarters to get it to where my standard is, but it’s totally usable today. It’s just I’ve got high standards for elevating it beyond just security awareness training.”

And with training also comes holding security vendors accountable.

CRN sat down with Hanslovan to discuss the impact of security awareness training, how a recession will impact ransomware attacks, 2023 security trends and why MSPs should audit security vendors going forward.

What do you want to do with Curricula at the start of 2023?

So we launched a little while ago the Neighborhood Watch Program. This was this idea of, ‘We are stronger as a community if everybody has a default stack, plus Huntress gets to learn about the threats in the community a lot better.’ I made a $5 million investment in giving away free product into Neighborhood Watch. We did that on our managed EDR side. Recently we made another massive investment for 5,000 partners. If they sign up for Neighborhood Watch, they get free security awareness training. You can imagine investors like to see me making money but I think it actually goes a lot further when you’re able to get people using the product, testing their product and learning from that.

There’s a lot of talk about an impending recession and how that will affect ransomware incidents. Some security experts are saying it’s unusually quiet right now, but then there will be an uptick in incidents. Are you seeing that?

I would confirm, we are also seeing less ransomware attacks. Across the 1.8 million computers that we manage, ransomware attacks are currently at four percent. They’re usually at seven to 10 percent.

Why do you think it's quiet right now?

We actually started seeing the downtrend happen, and it could be correlation–not causation, in February when Russia and Ukraine started having more back and forth. It’s kind of convenient that both of them have a large cyber actor presence, and I don’t know maybe they’re going at each other. Maybe it changed when the Biden administration started labeling some of these as terrorism. So we have seen a downtrend, period. Bitcoin now has less value too, so some of these could be many reasons, but bottom line I can tell you is we are definitely seeing a lull.

With the economy changing, there is no doubt that folks have to get paid. Threat actors have to make money somehow. We’re noticing, even in some places, they’re holding the data for ransom, but they’re not actually encrypting. They’re skipping that part and just only holding for extortion, or threatening to maybe call a regulator or threatening like, ‘I’m going to call your customer and show them I have your data.’ So there’s still other ways even by not using ransomware to still hold data theoretically for ransom. For me, it’s not going anywhere. It’s such a great source of income for them, it’s clearly not going away in 2023.

What are you hearing from partners about that? Are they getting more worried?

It’s the awareness of this stuff, it’s the cyber insurance companies. I don’t think there’s been a massive awareness change on ransomware, everybody’s kind of there. But the end clients are getting much better education. Now they have to renew their cyber insurance and they actually have to say, ‘If you want it, you have to have A, B, C and D.’ So it’s crazy. Like we’re actually seeing cyber insurance drive more adoption of the SMBs in security than regulation.

Are partners still having a hard time relaying that message to their clients?

I think they’ve gotten better telling the story, specifically around educating the SMB clients. I am seeing partners get better, but I don’t think it’s because they’re telling better technical analysis. I think they’re telling better business risk stories, and I think that comes with maturity. It’s not perfect because I still meet partners who tell me, ‘I have customers who refuse to have backups.’ I usually still challenge those partners and say, ‘Why are they still your customer?’ So yes, I am seeing the end customers get better because I think we’re just getting better at communicating. For a bunch of geeks that’s a pretty big accomplishment.

What cybersecurity trends will you be watching in 2023?

Threat actors are starting to go after identities more often. Think about it, ConnectWise has one set of logins, your Outlook has one set of logins, Huntress has a set of logins. When those credentials do get compromised, can they be used to spread? Can you even determine that somebody has access to that? We’re seeing this more and more often of your stuff could be compromised. The three big incidents that just recently happened, the Uber incident, you had Cisco and then earlier in the year even Microsoft was compromised, they stole source code. All of these tend to start from a credential lost, it was sold on a black market…a dark web forum. That credential was used to get in either a VPN credential or some other creds and then they spread laterally. So we’re seeing more and more targeting of the identity, more and more stolen credentials and then of course, it eventually makes it to the endpoint. And I would say the channel is wholeheartedly unprepared for that. We’re just not prepared to even do detection or response.

So what should partners be focusing on in 2023?

I would say, flat out, an emerging trend of charlatan level is the channel has to start auditing the claims of most of the security vendors. When I hear someone tell me they provide a 24-by-seven security service and I look at their staff and they have six people, somebody either is a robot or they’re bullshitting. If you have these folks that say, ‘We’re going to provide you the next greatest security at a price point.’ But then you say, ‘Wait, there was an industry big security event and no one on your staff even wrote a blog about it let alone did something to lead the community effort.’ They’re pushing bullshit. If you think about how outsourcing security is becoming more common, whether you have somebody else manage it or you’re going to manage it in house, who the heck is actually managing your security for you? If I can’t go and look at your company or team and say, ‘I know those people.’…you can’t tell me these people are active in the security community. I think that’s going to be a really important part. Folks have to start figuring out when you’re trusting your company’s security, who’s doing it.

I don’t know if the industry is quite ready to start challenging some of these claims and I see it being a big problem because I usually am on the receiving end of it. People believe that they will deliver on those promises. These are the companies that promise perfect 100 percent security. These are the companies that promise they have experts, and then you just go to look and you find out they don’t exist.