Who better to join a company to ensure information security is properly addressed than the FBI agent who investigated the exploitation of the company's own systems?
Jason Manar joined Kaseya as chief information security officer in October, only a few months after the REvil cyber criminal group exploited the company's remote monitoring software update to launch a ransomware attack that affected the company's managed service provider clients and their downstream customers. Manar had most recently been named assistant special agent in charge for the FBI, overseeing all cyber, counterintelligence, intelligence and language service programs for the San Diego office.
And what was the appeal of transitioning to the private sector for Manar? He spoke about that experience with Brad Barth, director of community content for SC Media, during a recent eSummit on ransomware.
Let's set the stage here. On July 2, 2021, the REvil cyber criminal group exploited a Kaseya VSA remote monitoring software update to launch a ransomware attack that affected some of the company's managed service provider clients and their downstream customers. At some point you enter the picture as an FBI agent investigating the case. How, ultimately, do you become the CISO of Kaseya about three months later?
Manar: Yeah, it's a great question. It has a lot to do with personal faith, belief. And then obviously there was a need that Kaseya had that I was able to meet, and it was a relationship that was forged in the middle of an event. And what better way to truly know how a person reacts and what their processes are than go through something like that with them? So July 2nd was like any other day that I had in the FBI. And, unfortunately, it's an all too common occurrence. I often say that I've worked probably close to, if not over 1,000 intrusions from Fortune 100, 500 companies to small-, medium- and large-size companies. I often say it's never a matter of if, but when something happens.
So how did I get here? Well, it was an amazing company, one like I'd never seen before that really made me think. And when I say that I'd never before seen a company that reacted to an event the way Kaseya did: they had a CEO that took immediate responsibility and said that we can do better. You had actions that were taken that were contrary to business decisions of any other company that I'd seen, where they took every single salesperson off the floor to personally contact customers. And they had a relationship with customers. And that means quite a bit to me, based upon my background and my faith. So that really struck me.
I'd just been selected as the assistant special agent in charge in San Diego. So I was literally getting ready to move to San Diego. And all these things happened in alignment. Even though I was four years away from retirement, I really felt a higher power was leading me.
I have to imagine Kaseya saw the advantage of recruiting someone familiar with their case into their security leadership role. But even if you hadn't worked specifically on their case, I mean, there are certainly benefits to bringing someone onto your company's security team who has extensive investigatory and law enforcement experience.
Law enforcement oftentimes has that insight that no other CISO has. And when you've been through those intrusions time after time, after time, you've seen the good, the bad, and the ugly. You have seen companies that have done the right thing. And you've seen companies that, even though they've been intruded upon, have the right processes in place, have the right vendors in place, may have stopped, quarantined, segmented off; they have a layered security approach where it's only affected a small subset of their customers and/or clientele. And then you, unfortunately, see the flip side of that, where entire companies get destroyed by these actors that are out for financial gain.
Can you offer an overall sense of what security philosophy you've brought to the company?
We want to make sure that our best practices and policies are living, breathing documents. And what I mean by living, breathing documents is that they're not just stagnant, and we are constantly taking a look and making sure that they align with the hardening of our infrastructure and that they are guiding the principles and the strategic mindset that we want within the security realm. The other thing is ensuring that we have cyber champions throughout our whole organization – incentivizing that in different ways, making sure that we provide training so that we have basically these centers of excellence within the organizational structure, within every facet of the company, to ensure that we are strengthening, hardening, and at the end of the day, driving security forward on a daily basis.
I imagine it's also useful employing former law enforcement officials on your team to ensure compliance with federal laws and regulations, and to encourage public and private cooperation and communication. Is that fair?
So as a CISO, while you would love to share information, first and foremost is always the safety and the privacy of our customers. However, if you're truly going to get actors that are behind the keyboard, there are things that you can share to move the investigation forward without endangering the company or its clientele in any way. And at the end of the day, I think everyone in this space wants that. The theory is without some level of cooperation, we are not going to truly dissuade the adversary from doing what they're doing if law enforcement can't go after the people behind the keyboard.
With threat intelligence sharing between private and public sector, I know a lot of times it comes down to trust; but you have some built in trust because of your past relationships and experience, right?
So you not only have that built-in trust, but you understand what some of those programs are. And at the end of the day, it's making sure that you educate. You educate your [legal] team, you educate the executives. We're ensuring that law enforcement has the information that they need to go after known bad actors. Even think about that data, where we know that somebody is scanning or pinging on our firewalls. We don't know what type of information would be helpful to law enforcement unless we potentially push that along. It's little tidbits that have nothing to do with your information that may be a very pivotal key in helping them find that next person.
Before we go, I would be remiss not to note that on Jan. 14, Russia, under some recent diplomatic pressure from the U.S., arrested 14 alleged members of the REvil ransomware gang, who of course were responsible for Kaseya and other prominent attacks. [Editor's note: This interview took place before the invasion of Ukraine by Russia, which has resulted in a general deterioration of U.S.-Russian diplomatic cooperation]. I'm sure that development brought a certain amount of satisfaction to you and Kaseya leadership.
So anytime that an adversary or a known bad actor has to face penalties, wherever that may be, it's a good day. As far as commenting specifically on the outcome or what Russia may be doing, I just don't want to get into that geopolitical can of worms. But I know anytime that we can get someone that is trying to harm people – people that I've seen over the years literally destroy livelihoods, family fortunes, the dreams of small doctors' and dentists' offices, mom and pop bakeries – any kind of justice that we can get for those people is a win in my book.