Continuum CEO Michael George On The Growing Security Threat To MSPs, Platforms
“If you think things are bad now, wait until the Internet of Things takes hold … The lid hasn’t even blown off this problem yet, and it’s going to. Because the Internet of Things is taking hold and creating a whole new set of vulnerability points in the spectrum of the network and network access points,” Continuum CEO Michael George tells CRN.
A Rough Road Ahead
The security environment for MSPs has not improved in the nine months since the U.S. Department of Justice publicized its warning to solution providers that even the smallest among them was a target for state-sponsored cyber criminals.
And awareness of the problem has not mitigated recent attacks against ConnectWise, Kaseya, Wipro and Webroot, which have only served to underscore how vulnerable MSPs, their clients, and their platform providers are to cybercrime.
“It’s more than just a watch word for the moment,” Michael George, CEO of Continuum told CRN. “This is a hot topic that’s getting hotter and hotter everyday. It’s a very complex issue that’s not going to go away anytime soon.”
He said platform providers sit at the center of a vast IT ecosystem that can reach millions of end-user devices, making them prime targets for attack. But if that is not enough to worry about, George, points out that as enterprises incorporate more IoT devices into their firms to find efficiencies, they are also deploying access points which bad actors can use to infiltrate systems.
In a talk with CRN this week, George gave an overview of the threat landscape and what lies ahead.
Why are MSP platform providers at risk?
They’re a macro-target, because they’re companies that have access to multiple MSPs who have access to multiple end clients, who have access to multiple end users. They’re going after the massive actors in the equation.
Those are deliberate attacks as I think you know. If you look at the dentist in Boise, Idaho that the MSP is covering, that’s not an intentional attempt. That’s just a broad reaching piece of malware that is grinding its way across the network in general. But when you have someone like IT By Design, they’re being very deliberately targeted. Its quite an interesting set of phenomenon.
What is the worry with IoT?
If you think things are bad now, wait until the Internet of Things takes hold and companies not only have 2.7 devices or access points per employee, but when they have 27 access points because they have digital cameras and temperature sensory systems, the lid hasn’t even blown off this problem yet, and it’s going to. The Internet of Things is creating a whole new set of vulnerability points in the spectrum of the network and the network access points.
Can you talk a little about the disruption coming to the MSP market?
The single largest and most valuable retailer has no inventory (Alibaba). The largest accommodations provider in the world has no real estate (Airbnb). The world’s largest taxi companies own no vehicles (Uber and Lyft).
I think the MSP of the future is going to have no or virtually no technical people on staff because they’re going to be using a high degree of automation, and they’re going to use outsourced services. That’s what all of these digital disruptors have done to very traditional markets.
You have some recalcitrant, more traditionally minded MSPs out there who say “No. No. No. I’d never outsource this stuff. My help desk is my strategic differentiator.’ They’ll literally think that way and say that, and so did the taxi driver.
That is the MSP who thinks, and is hugging all of their hardware thinking, ‘I have to touch every knob and turn every dial and answer every phone call and do all of that.’ They’re going to get wiped out. We’re helping enable that because we’re providing that automation and providing that outsourcing. This has all been about addressing the skills gap challenge. That has been our single-minded approach to this market.
The people that will be working in these MSPs will be doing high-value work that has a high touch point with the end customer and providing high value services.
And you said this is tied to cybersecurity?
Security is the catalyst for this transformation. Some MSPs could fool themselves for a while into thinking they could hire enough staff, get enough of the right people in place and make them happy long enough to stick around and do this kind of work, but this whole cyber security issue has blown the lid off that dynamic in this market. That is the piece that’s transformational here.
What security is doing, which has been the most helpful to our business, is it’s eliminating the MSPs who used to fool themselves into thinking they could hire enough people to do this work.
It’s a massive transformational pivot. Its not like this is Microsoft Windows, and I have to upgrade to the latest version. That’s an incremental change. Security is an exponential skills gap change. Is it only a matter of time.
A lot of platform providers have been hit this year. Is Continuum next?
First of all, nobody is immune to the issue. I think you have to expect that everyone is going to get hit. Everybody is a target and everybody is going to get hit. This is not about thinking you can get away with 100 percent protection, and that you’re going to make yourself not-vulnerable to an attack.
What this is about is understanding that you will be vulnerable. You ought to do everything that you can at a practical economic level to protecting and securing your environment.
This is about the ability to identify some anomalous piece of activity in your network and be able to isolate it and remediate it. That’s really what this is about. Thinking ‘I’ve completely battened down my hatches and I’m water tight and no one can get in,’ those days are over. That’s not how the world works anymore.
I should still anticipate that I’m going to get hit. What I’ve really done is I’ve invested an appropriate amount of time, money and resources, so that when I do get hit I can identify it immediately. I can isolate it immediately and I can remediate it immediately. That’s what our product Fortify does for our partners so they can do that for their customers.
We’re as much of a target as any of the other guys who have gotten hit. Don’t think that we don’t have our product and our services and our team working in our environment everyday.”
What are MSPs telling Continuum they need for better security. What are they telling you they need?
At the moment we do have, and I don’t want to invite bad actors to come and test this, we have a fully fortified product that is meeting the needs of the market. So we don’t have anyone saying, ‘Hey this is great. You’re doing a great job over here. Can you do this too?’ Right now we’re staying right ahead of the curve on what the problems are and what the dynamics are.
I think the whole IoT issue is going to be a whole new kettle of fish. That’s a place we’re starting to invest in and make sure we stay a head of. We have a pretty good handle on what the needs of the market are and we’re doing a pretty good job of meeting that today.
Its our job to look around corners and figure out what is next. It is going to be in the IoT category, and we are going to invest in that.
So what are you doing to prepare for the onslaught of IoT devices?
Security is one of those nuanced market segments. There’s a fine line between how much you share about what you are doing to solve problems because you don’t want to expose your tactics and approach in a public way that invite bad characters to come in to exploit it.
What we’re doing is, we’re thinking of IoT as something that’s going to evolve in a way where we think about it like it has its own compute capabilities, like its got its own CPUs, and processing capabilities. Certain pieces of software can get developed by bad characters that basically spoof and imitate that device and make it look like its feeding information or registering information from an IoT device, to be able to go infiltrate into those network. So they’re going to be access points.
I want to be cautions about the way we expose how we mitigate these issues for our partners, but we’re basically thinking about and treating something as simple as a camera and thinking about it as a complete compute device and protecting it with agent-based software and a super light-weight footprint agent that might even sit on every one of those devices to make sure the behavior of that devices has not been altered by again, a piece of cyber software.
Will automation solve security problems because you are removing humans, and end-user error from processes, or will it enable threats to spread more rapidly?
Today, most of the bots that are getting deployed out there are being done in an automated fashion, so cyber criminals are ahead of the market in that regard. Continuum’s system is unique because we have a NOC, a SOC, and a help desk.
I mean this with all due respect to all our competitors, assuming they have a SaaS based platform, they have the ability to capture the source of every alert that gets generated from their environment. If it all goes up to their cloud, they would have the ability to say, ‘We see this problem and it’s the same problem over and over again.’
The challenge that they have is they take that alert and they cascade that down to the MSP who is serving that customers and it’s the MSP that actually solves the problem. Our competitors don’t solve the problem. It’s their customer that ultimately does. We’re the only company in the world that not only captures the source of every alert in our network, we are also solving that problem for our customer because we have our NPC operation. We’re the only company in the world that does that. We’re capturing every piece of data on the source of the problem as well as the resolution to the problem.
We have fact pattern recognition of all of these issues as they occur in the system. We’ve got almost a million and a half end points today under management. So we’re looking at a million and a half devices, capturing all the fact patterns, of all the things that are causing these problems, all the hack attacks, all of the different phishing campaigns, and also what resolves that problem. We’re the only company in the world that does that. Everyone else is relying on the MSP to solve it, and nobody is capturing that information at a macro level.
MSPs are not sharing that information with other MSPs, because that’s your competitive advantage.