Channeling Security: Proficio Seeks MDR Partners, Tech Data Adds SIEM
This week I spoke with Proficio CMO John Humphries, who holds executive responsibility for the MSSP’s channel program, and company CEO Brad Taylor. Proficio is focused on managed detection and response, with a twist. It operates two security operations centers, one in Northern Carlsbad, California, and one in Singapore, with a European facility on the drawing board. The expansion will be fueled by a just-announced $12 million investment round.
That MDR twist, says Taylor, is that the company collects business context and policy data for each customer’s infrastructure and endpoints and uses the insight to customize correlation rules while reducing false positives.
“It’s a very different way of providing security monitoring and alert notification," he said.
The result of receiving high-quality alerts, from whatever source, is that immediate attention must be paid to response. However, an ongoing skills shortage means customers often don’t have the processes, procedures or people needed for remediation.
“A lot of companies will have an outdated incident response plan, but they can’t really react fast enough when we give them a notification that they have a compromised device communicating out command and control to a known abusive attacker," he said. “They just go ‘let’s reboot the machine’ rather than saying ‘let’s contain the threat by blocking the IP address of the attacker at the firewall, then let’s take a snapshot of the device, then let’s scan the device to see what happened, let’s do remediation, let’s do investigation."
As a result, Proficio has added that managed detection and response to its portfolio, so it can help customers launch an automated response in minutes rather than days. Taylor says that capability puts it in a lucrative market, and that partners are supplementing this automated detection and response with select services, such as supplying a tiger team for forensic investigations.
“That’s something that we would outsource," said Taylor. “It’s extended, it’s putting someone on-site, it’s on-call services. That’s not what we’re looking to do."
As to the company’s Synergy partner program, Taylor says there’s no tension between the MSSP end of the business and its partners. Humphries adds that in 2017, Proficio intends to ramp up its channel engagement and expand the number of partners it deals with, as a way to help solutions providers add value to the security and networking products and services already on their line cards.
“There is a whole range of folks that might want to add a managed security type of solution to their portfolio," says Humphries, to handle alerts thrown up by existing products, such as a Palo Alto firewall. “But to actually suit up and operate a 24x7 security operations center, run redundant analytics platforms — many partners think that’s a bridge too far in terms of investment."
Proficio’s customer base is midsize to large organizations, with a focus on industrial control, healthcare, financial services and other verticals. While Humphries says the partner base now is mainly resellers, the company is recruiting MSPs, especially those looking to add a security practice without operating a SOC or hiring SIEM experts.
“There’s just a lot of excitement in the space," he says. “It’s an opportunity for these organizations to gain more control, add more value and also be part of an ongoing recurring revenue model."
Humphries says margins are around 25 percent, and that payments aren’t reduced after the first year, as is the case with some competitors’ subscription programs.
That $12 million infusion will also let Proficio add salespeople and expand its Active Defense technology, says Taylor. Say a customer outsources its help desk. Taylor says a partner could automatically assign an alert on a compromised device to the help desk, which would scan and reimage the endpoint. “Then, we’ll perform a reassessment of the device, make sure what was supposed to be done was done," he says. “We enter that into a case management system," so a partner can document issues and resolutions.
Proficio is also investing in behavioral analytics, the latest security buzz phrase, and adding more cloud security capabilities for workloads in AWS and Azure.
“Customers have been asking us for more capabilities around user-based behavioral analytics," said Taylor. “We’re also expanding cloud application-based monitoring, detection and response services."
That market for cloud-access security brokers is growing as businesses adopt Office 365 and other software as a service and need security from the endpoint into the cloud.
Proficio competes with the likes of SecureWorks, EiQ Networks and Solutionary as well as managed services offerings from AT&T, Verizon and others. What makes it different? Taylor cites that ability to tailor alerts to the customer.
“An IP address is an IP address for all of those [competitors]," he says. “They don’t have the ability to do asset modeling or prioritization of assets. A finance server is an IP address. The janitor’s PC is an IP address, and to any other MSSP in the marketplace, they both have the same priority, and the same behaviors, and the same responses."
He says that in order to discover anomalies and provide the correct responses, you need to differentiate between classes of assets: “When we provide an alert notification, we can tell you that this is a high-priority asset in the finance group that has a potential attack, that system has a vulnerability to that exploit, and you need to respond within 30 minutes by doing X, Y and Z."
Taylor says this capability is also valuable in hospitals, which may have medical devices that are on the network but running old OSes and no antivirus.
“An attacker may target a medical device server and use that as a pivot point" he says. With the ability to classify IP devices as an asset group that resembles a subnet and define acceptable and anomalous behaviors, apply rules and fire off alert notifications for suspicious activity. That principle also applies to IoT devices in SCADA and industrial control systems.
As to the trend of a SIEM in every shop, Taylor is skeptical that any customer outside the Fortune 100 has the expertise needed to make the investment pay off.
“We jumped into this business a few years ago saying, ‘let’s be that Fortune 100-style security operations center with all the tools, people and process and offer in in a service-based model," he says. “It’s the people and process that fails in [a small SIEM] implementation over and over. They think it’s a magic box. It doesn’t work like that."
Tech Data Adds BlackStratus SIEM
Speaking of providing a security information and events management system to customers, MSP-focused security services provider BlackStratus announced this week an exclusive agreement with Tech Data, under which Tech Data will deliver BlackStratus' cloud-based CyberShark SIEM service to its U.S. solution providers in a white-label model. The company says the CyberShark SIEM platform is designed specifically to monitor and remediate cybersecurity threats and compliance violations for SMBs at an affordable price.
"Our agreement with BlackStratus gives Tech Data the ability to offer security-as-a-service (SECaaS) to our solution providers and help them reduce risk, manage compliance and remediate threats for their clients," said Tracy Holtz, director of product marketing, security and information management at Tech Data. "We are excited to add BlackStratus to Tech Data's portfolio of industry-leading security solutions and look forward to bringing SIEM capabilities to our SMB and midmarket partners."
CyberShark can be delivered in a multitenancy model to silo customer accounts and files. As a SEIM, its mission is to use advanced analysis to spot zero-day attacks and problems that could affect ISO, PCI, HIPAA, SOX and other compliance mandates without flooding responders with false positives.
Ransomware Going Mobile?
Quick Heal Technologies this week released its third quarter Threat Report. One finding is a big increase in vulnerabilities on the Android platform and a 33 percent rise in mobile ransomware. The report also found a slight decrease in Potentially Unwanted Applications (PUA) and Adware, dropping by 3 percent and 12 percent respectively.
Quick Heal provides the Seqrite line of cloud-based endpoint security and data loss protection solutions.
Compared with Q2, it found a 14 percent increase in the detection count of malware on Windows-based computers. However, malware detection on the Android platform grew an alarming 158 percent in Q3, while mobile ransomware rose 33 percent.
For 2017, the company predicts an increase in ransomware-as-a-service attacks as well as new variants and propagation techniques from the CrypMIC ransomware family. It also expects attackers to ramp up their assaults on Android users. In our new report that helps partners manage mobility for smaller customers, we discuss EMM systems that can reduce risk. Still, as devices carry more and more company data and banks embrace mobility, they will remain attractive targets.
Dell Looks to Bring VDI to Knowledge Workers
One way to mitigate the risk of compromised endpoints is VDI or desktops-as-a-service — if you can get skeptical customer end users on board. Dell announced this week a new thin client, the Wyse 5060, that the company says is suitable for knowledge workers, easy to deploy and manage, secure and compatible with Citrix XenDesktop, Microsoft RDS and VMware Horizon and Blast Extreme.
Dell says the enterprise-class thin client, available Dec. 13 through Dell PartnerDirect partners and distributors, can be easily scaled for deployments to tens of thousands of devices and offers a low total cost of ownership by reducing IT’s time on ongoing management and maintenance. Pricing is not yet available.
The Wyse 5060 features an AMD 2.4GHz quad core processor that supports up to 8GB RAM and 64GB flash, and you can connect dual 4K monitors, a sticking point on current thin clients. As for security, a big reason for VDI, the device includes an embedded Trusted Platform Module (TPM) chipset with the ability to recognize if a system’s integrity has been compromised while safely storing encryption keys, certificates and passwords. At the software level, Dell says the Wyse ThinOS is ultra-secure, and those opting for a Windows-based thin client can add advanced threat protection.
Amoroso: Major Attack Is Coming
Don’t miss my colleague Carol Wilson’s important coverage of an address by Ed Amoroso, AT&T's recently retired chief security officer. Amoroso said this week that there will be a “major and devastating cybersecurity attack on the US in the next four years." He challenged security professionals to prepare now.
Follow editor-in-chief @LornaGarey on Twitter.