Masergy's Ray Watson On The Lessons Learned From WannaCry And How To Prevent The Next, More Sophisticated Cyberattack

Preparing For What's Next

The WannaCry ransomware attacks earlier this month called more attention to evolving IT security threats, like wormable ransomware, and put an emphasis on the need for solution providers to stay vigilant and be proactive when assessing cybersecurity threats.

On May 12, Masergy blogged about the new ransomware variant it was seeing and pointed customers back to a patch that Microsoft issued on March 14. A week later, CRN caught up with Masergy's VP of Global Technology, Ray Watson, at the BCE 2017 event in Austin to discuss the increase in cyberattacks, as well as the opportunities and advantages Masergy's partners and managed security service providers (MSSPs) have in this market.

Masergy has more than 500 employees serving 1,200 enterprise clients in over 80 countries. The company's revenues for its 2016 fiscal year were $276 million. About 80 percent of Masergy's business comes from partners, and the rest is from direct sales. Watson joined Masergy in 2008.

During our chat, he outlined the four main categories of hostile actors that threaten enterprise IT security and how each one poses a distinct threat. Read on to find out more and, fear not, this interview has been edited for content and length. And worms.

It's the worst and best of times, isn't it? IT security is under threat, and that means your business is front and center.

We see a crazy increase in cyberattacks. We've been preaching for years that everything is vulnerable. Not just everyone, but everything.

I mean, emergency rooms were turning away ambulances last week. Think about that development. Imagine being turned away because the hospital was running Windows XP Embedded!

But, yes, this is an area that is white hot for us. As a business, you now have to think, not just about my own systems, but about my suppliers and customers. We've seen an immense amount of interest in how to integrate these various disparate technologies, about how to have a vast response team for incidents.

What made the most recent ransomware attack so effective?

Within minutes of what happened last week, we had already started putting in filters in our network because it was wormable – that's the key. There are two different types of urgency around attacks – the ones that are traditional phishing, which is the vast majority of data breaches … almost all the time it's because some person clicks something that they shouldn't. The reality is that some of these phishing schemes are extremely sophisticated. We can no longer blame the user for that.

But there's a totally different urgency when something is spreading without user assistance … we're notifying global companies that they've been affected by this and they don't even know it yet.

One of the things that happens with ransomware that is particularly devious is that an end user might have their hard drive compromised, and they might just pay the ransom because they're embarrassed, not realizing that they're creating a backdoor. This was the case in WannaCry; it used an exploit both to encrypt the hard drive and to leave a persistent backdoor so that it could continue to spread.

Even if the attacker succeeds in getting a ransom, they could use the infected system to attack others?

Or to mine bitcoin, or to send out spam, or whatever – yeah. In many cases, with most ransomware, paying does get you your files back. However, once you are known as someone on the dark web who will pay, you're going to be attacked by 12 or 13 times as many people because now they know they've got one.

One of the reasons ransomware is so completely pervasive in the hospital community is because they're known to pay for it.

Think about the person who pays for this. It might be a mid-level office administrator. It might even be the head of IT. He might see that something was HIPAA-affected and he might send off the bitcoin and not realize that now the whole world knows he's the type of person who will pay.

In the case of one hospital in Philadelphia, they only got about 5 percent of their files back because they just kept getting attacked before they could even decrypt (their data).

And you believe the attacks will get worse?

One reason these problems are going to get worse is that the ransomware attacks that we've seen so far have not been that sophisticated. A lot of these are brute force, smash-and-grab type attacks. Now that nation-states are starting to allegedly get involved, we can expect to see attacks becoming much more pervasive.

And, as we saw with [recent cyberattacks involving] Netflix and Disney, attackers are realizing that you can extort people just by stealing their content.

Now the criminals have realized that you can extort people with an extremely low risk of getting caught.

An unsophisticated criminal can spend $1,200 to $1,300 on the Dark Web to get an exploit kit, launch ransomware at their former employer or someone else and make $20,000 or $30,000 in a few days.

How do you classify the threats to enterprise security? What groups are involved in most cyberattacks?

There are really four main categories of hostile actors that are out there. At the very lowest level are the script kiddies and cyber criminals who do not have technical skill. They go out and purchase these toolkits and in some cases, they purchase your credentials on the dark web.

A little bit higher up the chain are the sophisticated, non-state-sponsored actors. These are the professionals, the black hats, and they're more interested in stealing your data and selling it. Those are much harder to guard against but there are far fewer of them.

The nation-state actors – it is practically impossible to guard against them. If you are trying to, as a company, defend yourself from being penetrated by a trillion dollar defense industry that is determined to get in, if you're trying to fight the three-letter agencies in the U.S. or the People's Liberation Army Unit 61398 – you can't. The only thing you can hope to do is detect it, mitigate it and respond to it.

The threat that nobody ever talks about is the insider. Disgruntled employees and employees that are somewhat disgruntled but still acting like they're not – and former employees. They may do this for malicious intent or, increasingly, for profit, because they still may have access to your systems, your social engineering information such as who does what, or what someone in HR might say when they call and ask to reset a password.

How difficult is it to defend against all four types of attackers?

For an IT director and CISO, looking at all four of these things is like trying to defend your house from someone breaking in with a crowbar, from professional spies and from termites, all at the same time. These are all totally different attack vectors.

If you're trying to manage all four of these, you can't. You have to have experts that do nothing but security helping you. They can parse through what is noise and what is actionable intelligence.

Most enterprises already have some kind of protection in place. Is there an art to getting all the systems to work together and prevent attacks?

There is. The challenge around the Balkanization of security solutions is that some of the largest names are the worst at the smaller, niche jobs. In many cases, there are really adaptive, agile companies specializing in a security subset, and when they get acquired by one of the big three in IT security, the product suddenly becomes not quite as agile and not quite as good.

What approach does Masergy take and how does that help your partners?

The vast majority of our revenue comes from the partner and reseller communities: traditional agents, VARs and system integrators.

As an MSSP, we've seen an immense amount of interest in our security services even from people who sell firewalls and hardware-based solutions. We integrate with existing intrusion detection systems, firewalls, and even SIEMs.

We use network behavior analysis to aggregate data and look for anomalies. For example, if a receptionist comes in every single day and checks Yahoo, Hotmail, Facebook and maybe a bank website, and one day she starts accessing payroll and HR systems – or, it's three in the morning, and she starts accessing those systems, that's a really easy example [of an anomaly to flag].
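The receptionist scenario above is a per-user baseline check: learn which destinations and which hours are normal for each account, then flag access that departs from that profile. The following is an added illustration, not Masergy's code or a description of its product; the log format, user names, host names and the crude "hour window" baseline are all constructed for the example. A real network behavior analysis product would build statistical baselines over weeks of flow data; this shows the shape of the logic.

```python
from datetime import datetime

# Constructed sample access log (not from the article): "<timestamp> <user> <destination>".
# One week of normal activity used to build each user's profile.
BASELINE_LOG = """\
2017-05-08T09:02:11 rsmith mail.yahoo.com
2017-05-08T12:30:47 rsmith www.facebook.com
2017-05-08T16:45:03 rsmith online.mybank.example
2017-05-09T09:05:19 rsmith outlook.live.com
2017-05-09T14:12:52 rsmith www.facebook.com
2017-05-10T08:58:33 rsmith mail.yahoo.com
2017-05-10T17:20:08 rsmith online.mybank.example
2017-05-08T10:15:40 jdoe payroll.corp.example
2017-05-09T03:10:02 jdoe payroll.corp.example
"""

# Constructed events to evaluate against the baseline.
NEW_LOG = """\
2017-05-15T09:03:27 rsmith mail.yahoo.com
2017-05-15T03:14:55 rsmith payroll.corp.example
2017-05-15T10:22:31 rsmith hr.corp.example
2017-05-15T03:05:12 jdoe payroll.corp.example
2017-05-15T11:00:00 mallory hr.corp.example
"""


def parse_line(line):
    """Split one log line into (datetime, user, destination)."""
    ts_str, user, dest = line.split()
    return datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%S"), user, dest


def build_baseline(log_text):
    """Per-user profile: the set of destinations seen and the set of hours of the day seen."""
    baseline = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, dest = parse_line(line)
        profile = baseline.setdefault(user, {"dests": set(), "hours": set()})
        profile["dests"].add(dest)
        profile["hours"].add(ts.hour)
    return baseline


def detect_anomalies(baseline, log_text):
    """Return one alert per event that departs from the user's profile.

    Two deviations are checked, matching the interview's example: a destination the
    user has never touched, and activity outside the user's observed working hours
    (here simply the min..max hour window of the baseline, which is deliberately crude).
    A user with no baseline at all is also flagged, since nothing can be said to be normal.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, dest = parse_line(line)
        reasons = []
        profile = baseline.get(user)
        if profile is None:
            reasons.append("no baseline for user")
        else:
            if dest not in profile["dests"]:
                reasons.append("new destination")
            lo, hi = min(profile["hours"]), max(profile["hours"])
            if not lo <= ts.hour <= hi:
                reasons.append("off-hours access")
        if reasons:
            alerts.append({"time": ts.isoformat(), "user": user, "dest": dest, "reasons": reasons})
    return alerts


def run_example():
    """Build the baseline from BASELINE_LOG and score NEW_LOG against it."""
    return detect_anomalies(build_baseline(BASELINE_LOG), NEW_LOG)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Note that the 03:05 payroll access by jdoe is not flagged: jdoe's own baseline includes night-shift payroll access, so the same event that is anomalous for rsmith is normal for jdoe. That per-user context is what separates behavior analysis from a static rule such as "alert on any 3 a.m. HR access".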

Does that give MSSPs an advantage?

We think that managed detection and response – watching out for things and then responding to them – is a unique offering for MSSPs, in general, because most companies cannot do this themselves. Unless you're one of the biggest banks in the world, you can't staff enough global security experts around the clock who can monitor the various types of alarms and alerts and not get burned out on it.

Also, MSSPs can aggregate data from other companies and other vendors, too. Because we've got visibility into a lot of firewalls, IPSes and IDSes [intrusion prevention systems and intrusion detection systems], we can come up with more intelligent rule sets than you might be able to come up with on your own because we're looking at thousands of data feeds, not hundreds.

Give me one more reason partners should be pushing managed security?

There's a commonly quoted stat out there that something like 80 percent of all advanced security systems are not deployed correctly. There are either features that aren't turned on, or features are misconfigured, or there are things that are not patched and up to date, or there are things that the systems aren't monitoring that they could be – there's just a litany of reasons why.

We see it all the time. We come into an environment where they have existing vendors in place, and there's a bit of a shock when you tell them this because they were convinced they were using the technology correctly.

The exploit from last week [WannaCry] was based on SMB, a Microsoft protocol, specifically Version 1 of that protocol, which had been deprecated. Obviously, there were still a ton of people who had that service enabled – either because they didn’t know how to turn it off, or they didn’t know it was an urgent issue. That is, in many cases, how things like this happen.

And we can expect to see more.
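Watson's point is that many organizations did not know SMBv1 was still enabled. The added example below, which is not Masergy's code and not from the article, shows how to find out from the network side: it sends an SMB1 NEGOTIATE request that offers only the SMB1 dialect "NT LM 0.12" and classifies the reply. A host that still speaks SMBv1 answers with an SMB1 header (0xFF 'S' 'M' 'B') and an accepted dialect index; a host with SMBv1 disabled closes or resets the connection, or, if it only speaks SMB2/3, answers with an SMB2 header (0xFE 'S' 'M' 'B'). The probe target is whatever host you pass on the command line; the sample replies used for offline checking are constructed, not captured from a real server.

```python
import socket
import struct

# Only the SMB1 dialect is offered, so any positive answer proves SMBv1 is still enabled.
SMB1_DIALECT = b"\x02NT LM 0.12\x00"

# Layout of the 32-byte SMB1 header: protocol id, command, NTSTATUS, flags, flags2,
# PIDHigh, security features, reserved, TID, PID, UID, MID (all little-endian).
SMB1_HEADER_FMT = "<4sBIBHH8sHHHHH"


def build_smb1_negotiate():
    """Build a NetBIOS-framed SMB_COM_NEGOTIATE request offering only NT LM 0.12."""
    header = struct.pack(
        SMB1_HEADER_FMT,
        b"\xffSMB",    # SMB1 protocol identifier
        0x72,          # SMB_COM_NEGOTIATE
        0,             # NTSTATUS: none on a request
        0x18,          # Flags: case-insensitive, canonicalized paths
        0xC853,        # Flags2: unicode, NT status, extended security, long names
        0,             # PIDHigh
        b"\x00" * 8,   # SecurityFeatures (no signing)
        0, 0, 0x1234, 0, 1,  # Reserved, TID, PID, UID, MID
    )
    body = struct.pack("<BH", 0, len(SMB1_DIALECT)) + SMB1_DIALECT  # WordCount=0, ByteCount
    msg = header + body
    # NetBIOS session service header: message type 0x00 + 3-byte big-endian length.
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def classify_response(data):
    """Map the raw reply (or an empty reply for a closed connection) to a verdict."""
    if not data:
        return "SMB1_DISABLED"          # server closed the connection without answering
    if len(data) < 39:
        return "MALFORMED"
    proto = data[4:8]                   # first 4 bytes are the NetBIOS header
    if proto == b"\xfeSMB":
        return "SMB2_ONLY"              # server answered in SMB2 despite an SMB1 request
    if proto != b"\xffSMB":
        return "NOT_SMB"
    status = struct.unpack_from("<I", data, 9)[0]          # NTSTATUS at header offset 5
    dialect_index = struct.unpack_from("<H", data, 37)[0]  # first word after WordCount
    if status == 0 and dialect_index != 0xFFFF:
        return "SMB1_ENABLED"           # server accepted the NT LM 0.12 dialect
    return "SMB1_DISABLED"              # 0xFFFF means no offered dialect was accepted


def probe_smb1(host, port=445, timeout=3.0):
    """Connect to host:port, send the probe and return a classify_response() verdict."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            data = sock.recv(1024)
    except ConnectionResetError:
        return "SMB1_DISABLED"          # Windows with SMBv1 removed commonly resets here
    except OSError as exc:
        return f"ERROR: {exc}"
    return classify_response(data)


def _sample_smb1_reply(dialect_index):
    """Constructed SMB1 NEGOTIATE reply for offline checking; not a real capture."""
    header = struct.pack(SMB1_HEADER_FMT, b"\xffSMB", 0x72, 0, 0x98, 0xC853, 0,
                         b"\x00" * 8, 0, 0, 0x1234, 0, 1)
    # WordCount=17, DialectIndex, then the remaining 16 words zeroed (not parsed here).
    body = struct.pack("<BH", 17, dialect_index) + b"\x00" * 32
    msg = header + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


SAMPLE_SMB1_ACCEPTED = _sample_smb1_reply(0)       # dialect 0 (NT LM 0.12) accepted
SAMPLE_SMB1_REJECTED = _sample_smb1_reply(0xFFFF)  # no dialect accepted
SAMPLE_CONNECTION_CLOSED = b""


if __name__ == "__main__":
    import sys
    print(probe_smb1(sys.argv[1]))
```

Run it as `python probe.py <host>` against your own systems only; on a Windows host the authoritative view is the local configuration (the SMB1Protocol optional feature on clients, the server's SMB1 setting on servers), and this probe is a way to confirm from the network that the change actually took effect. Note that a verdict of SMB1_ENABLED here is exactly the exposure WannaCry's SMBv1 exploit needed, so it belongs at the top of a remediation list, ahead of anything the firewall logs are saying.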