Ransomware attacks against billion-dollar corporations tend to garner the most provocative news headlines, but meanwhile plenty of small- and medium-sized businesses have silently suffered from this cyber scourge.
Ransomware gangs are infiltrating small businesses in two ways: one, by individually assaulting them via phishing and exploit attacks; and two, by first compromising a managed services provider (MSP) and then leveraging that breach to infect their various small-business clients all at once.
As infosec representatives across multiple industries collectively put their heads together and debate how to tackle the ransomware crisis, it’s important that both MSPs and SMBs have a seat at the table. After all, incident prevention and response recommendations for larger enterprises may not be suitable for mom and pop operations that use their modest tech budgets to outsource IT security.
Ryan Weeks, chief information security officer at Datto, does not work at a small enterprise or an MSP, but he does understand their pain. The company provides cloud-based software and technology solutions for managed service providers (MSPs), many of whom typically cater to SMBs, fulfilling their IT and infosec needs.
This week, Datto was accepted as founding member of the Institute for Security and Technology’s (IST) newly minted Ransomware Task Force, which soft-launched this past December. While first and foremost Weeks hopes to combat ransomware across all sectors, he also knows it will be his responsibility to represent MSPs and their small-business clients, communicating their needs and struggles in the ever-evolving battle against cybercriminals.
SC Media spoke to Weeks Tuesday to better understand the unique perspectives and experience that he lends to the new task force.
Tell me what you and Datto as a whole bring to the table as one of the founding members of the task force.
What we do every day is help MSPs and small- and medium-sized businesses recover from ransomware and other types of business-impacting events.
It hasn’t felt to me like as a community, as a whole, we’re making progress [against ransomware]. I would say, at best – which is a stretch – maybe we’re holding ground. But more likely we’re probably losing ground. And so you look for those things that are going to be gamechangers… We’re always on the lookout for those things within our own community.
It became very clear in the initial conversation [with the IST] that there is a mutually aligned objective of doing whatever it takes to improve the situation. So if me and my team need to work nights and weekends to conduct the work of the task force, and that creates change, we’ll do it. There doesn’t have to be an incentive in this for anybody other than to make an actual commitment and real change that reverses the pattern to… where we hold our ground and then maybe we even advance, and we make some ground back up.
So here we are, we’re part of the task force and we’re ready to get to work.
What in your mind makes this task force different from previous collaborative efforts to tackle the ransomware epidemic?
We have these information-sharing communities, ISACs and ISAOs… Everyone [says] that’s an effort in the vein of community collaboration and defense. [But] I think where this task force is different is: it’s global, it’s multi-sector, and it involves expertise along several different verticals.
It’s not purely a technology problem. Threat intelligence tends to be technology centric. [But we’ll be] talking about this problem from a socioeconomics perspective, a political perspective, a technology perspective. It’s really going to allow us to take this wholistic look at the problem.
Even if we can identify something that reduces the prevalence of ransomware by 20 percent, that’s a win. I’m not going to claim that this task force is going to eradicate ransomware, but I think it’s the first step in a number of steps that we need to take. I know there’s been other efforts like this in the past but to me, this one feels like the right makeup, the right time, the right set of people, the right objectives, the right method of approaching and attacking the problem.
It sounds like you will act as a voice for both MSPs and the small businesses that often outsource their IT security to these services providers.
The intent is, one, to make sure that the core objectives of the Ranosmware Task Force are successful. But in the process [also] make sure that the voice of small and medium sized business through MSPs is heard.
In the past… we’ve seen other efforts that are like: “Oh we’re gonna make a bunch of recommendations about how to prevent ransomware,” but it’s entirely focused on enterprises. And this doesn’t work for small businesses that don’t have IT shops or MSPs. You’ve effectively created an artifact that works for a very small portion of the population. And so our hope is that with the expertise we have and the viewpoint we have as a technology creator, as a security practitioner, and as someone who’s plugged in very strongly to the MSP and SMB communities, that we can provide a very useful voice in this forum and make sure that those needs are heard.
That’s one of my core objectives. The other thing too is, by becoming part of the Ransomware Task Force – depending on how things unravel, how we structure ourselves – there might be opportunities for there to be collaboration. I would love where those opportunities for collaboration come up to be able to include MSPs and SMBs in those conversations, so it’s not just me acting as a proxy or close approximation. It’s their actual voice with me as a conduit. I’m really excited about that potential as well to involve them in the conversation – either indirectly or directly.
You mentioned ransomware defense recommendations that smaller businesses have been unable to follow due to lack of resources or budget. Can you give me an example?
I think generally they fall into one major bucket, which is attainment of some kind of security standard, which is unreasonable to expect in a short amount of time. Or the deployment and the use of technologies which are just completely divorced from the reality of the financial ledger of a small- or medium-sized business.
Sure you can tell small medium sized business, “Hey you need to go have a SIEM.” But even a crappy SIEM could be six figures. Some SMEs can’t even afford that. You really need to meet the… vulnerable population where they are. This task force is designed around innovative approaches; not trying to hold everybody to a set standard, but trying to figure out how we incentivize the right behavior, disincentivize the wrong behavior at scale, in a way that works for SMBs and enterprises, and also the public sector.
There probably won’t be a standards document that we come out with that says everybody shall do “X.” I think it’s more about finding what those two or three gamechanger things are, and then figuring out how to drive those wherever they are, whether it’s changes in cyber insurance, changes in international policy, making technology more accessible. Whatever those things are we’ll put our energy behind.
But that’s just a fundamentally different approach to me than, “You need to have better backups and endpoint detection and response and email security.” Everybody’s heard that 1,000 times, it’s not making a difference. Let’s think differently about this problem and what we can actually do that will actually make a difference.
What would you personally like to see on the task force’s agenda?
When you talk to MSPs and SMEs, the number-one reason that there’s a lack of an uptake in prevention, detection and response, and recovery controls and capabilities is a lack of resources – whether it’s staff or money to invest. Some of the tools that exist just are not affordable for them.
It’s not that they don’t want to do the right thing, it’s that they can’t, or it’s just out of reach. So I don’t know exactly what I would advocate for there yet. But the interesting part, to me, is that [the task force] is made up of a group of people that have these ideas… So if we wanted to make these technologies more accessible to vulnerable populations, what levers can we pull? If we wanted to make expertise more available to vulnerable populations, what levers can we pull? What talent pools exist? How do we combine those talent pools with these vulnerable populations – and in ways that no one’s thought of yet? To me, that’s the thing that needs to happen now. Because the current trajectory is not one that’s going to lead us to a good place.
We’ve spent a lot of time talking about SMB needs, but MSPs are also a major ransomware target, especially because attackers can infect many businesses at once through their MSPs. Correct?
I would agree with that… When you think about it in broader terms, it’s a supply chain problem. Who is [a] supply chain [partner] to whom, and who in that supply chain is vulnerable? And then how could that have trickle-down effects? That to me is a whole different problem of a scale that we’re only starting to get an idea of, with the U.S. government hacks recently.
When you look at the full stack of the problem… Where is there an opportunity in the chain of how an attack perpetuates to… kill the ability of the threat actor to realize their ill-gotten gains? If you think a large amount of municipalities are affected due to poor MSP security practices, well then maybe that’s an area where the task force tries to focus.
Are there representatives of other industry sectors on the task force that you’re particularly interested in speaking with?
As a developer of technology, as someone who helps people recover from these types of threats, we focus a lot on, technically, how does this happen? What we don’t generally think about is the flow of money, and how just following the money was effectively the idea that took down organized crime in the U.S. and the mafia. And so how do we instantiate that idea? There are people at the table that have ideas and have experience and work in those fields of following the money, and so I think that’s going to be a big area of interest and collaboration for sure for me.
And then… the policy side to me is interesting. I’m looking forward to thinking through that area more and really in the process expanding my own thinking in how technology marries with these two other concepts… in a way that incentivizes the right behavior.
Since you mentioned policy, where you do fall in terms of whether or not paying ransomware attacks should be made an illegal act?
I don’t agree with it, because I don’t think you should ever take an opportunity to recover someone’s business off the table for them. What that’s saying is: Here’s an extremely high penalty for failure, instead of incentivizing them for success. So I don’t think it approaches the problem from the right angle. But it probably does have a part to play. And this is the kind of devil’s advocate in me that says, well, if everybody in the world banded together as one and said, “No one is ever going to pay ransom again,” you would kill – just dead – the entire market for it.
It’s really enticing argument, but there will be collateral damage in the interim, in the intervening space. Some people will not be able to survive those events without paying, and so you’re effectively saying we’re going to be okay with collateral damage.
Those are really difficult conversations, but they need to be had… I think if we’re going to do that as a country, as the world, you need to be able to enforce it. That’s a big question. And if you’re going to do that, you have to give people time to prepare, give them time to do the right thing… Maybe you have to go, “develop strong recovery capabilities for a year and then we’re going to pull the trigger.”