John Shier, senior security advisor at Sophos, found a bit of good news at the annual Black Hat conference held this week in Las Vegas: Fewer new vulnerabilities in some, though not all, systems mean security vendors may finally be able to catch a break.
“This year at Black Hat I’m noticing that many of the talks are derivative,” says Shier. “That isn’t to say there isn’t some groundbreaking research being done, and I’m not using the term in a negative way. What it does indicate to me is that our industry is maturing, and instead of dealing with many giant issues, researchers are finding new techniques to exploit old problems and technologies. This means that as we iteratively fix more and more problems we’re reducing the number of vulnerabilities in some systems.”
Of course, he points out that new opportunities are opening up, notably with IoT devices, such as home automation and automotive systems.
Sophos announced this week a beta program for its Sophos Intercept endpoint protection software, which partners can install on top of existing antivirus to help block ransomware, spyware and zero-day threats. The product includes the signature-less endpoint threat detection and response technology Sophos acquired when it purchased SurfRight in December. Intercept is scheduled for general release later this year, but Sophos partners can get a look now by requesting a beta code.
Shier called out one interesting talk that used lessons from the design world to help create better security policies and technology.
“While this talk wasn’t technical, I found it dealt with a very important aspect of securing our organizations: users,” he says. “Users aren’t liabilities; they are assets. If we can empathize with our users’ experience and build better usability into our security processes, procedures and guidelines, we can develop a robust security culture. All the technology in the world won’t help us if users aren’t playing their part.”
Of course, Black Hat wouldn’t be complete without some new horror. Check out this Ars Technica story about a researcher from Red Balloon Security who turned a plain old laser printer into a radio transmitter with just seven lines of code injected into the device’s embedded computer. This improvised antenna could broadcast a customer meeting. The “Funtenna” exploit shows that embedded devices need their own built-in defenses. Even printers.
451 Research: Verizon, T-Mobile, AT&T Square Off With Sprint
How are you advising customers to pay for their mobile phone fleets: leasing, buying or traditional – and increasingly rare – two-year service contracts with device subsidies?
451 Research's new ChangeWave survey of 4,168 primarily North American respondents shows a leveling of the playing field among the four major wireless providers, with the narrowest-ever gap between No. 1 and No. 4 in terms of customer satisfaction, loyalty and future demand. (To get access to this and other data, join the 451 Alliance.)
The consultancy found that monthly device-payment plans are most common, with Verizon Wireless and T-Mobile each seeing six-point increases since the last time it asked, in March, in the percentage of recent smartphone buyers signing up. Sprint customers who recently bought smartphones, in contrast, are most likely to have opted for the provider’s leasing program. However, 32 percent say they signed up for a two-year service contract — a 13-point leap since March.
It’s not just consumers facing these decisions as the practice of carriers subsidizing new devices on a regular schedule changes. Small and midsize companies that provide devices to some or all employees face decisions, and 451 says Sprint seems to be filling a void as the lone major provider to still offer contracts and absorb some of the cost of increasingly pricey smartphones.
The research firm also looked at overall customer satisfaction and found T-Mobile up four points since March, to its all-time best level — a close second to Verizon Wireless. AT&T remains narrowly ahead of Sprint, which registered a big improvement for the second time in the past three surveys. Coincidence?
New Partner Program
Have you heard of Paessler? The German network monitoring company has expanded its headcount in North America by 50 percent and says channel sales here have increased by 16 percent in the first half of 2016 — though it won’t say what percentage of sales are channel versus direct. It’s also launched a new partner marketing toolbox, certifications and training platform and updated its marketing resources.
Paessler says its vendor-neutral PRTG network monitoring software is in use by more than 150,000 customers worldwide and that North American revenues have increased by 20 percent among its largest partners so far in 2016.
“From the beginning, Paessler has been committed to its channel partners in North America, and with this expansion in both our team and our offerings to partners, we have reaffirmed our support,” said Andrew Cutting, Paessler’s North America director of channel sales, in a statement. “The first half of 2016 has been a tremendous success that came on the heels of a very productive 2015. With a larger channel organization and enhanced resources, the sky is the limit for the second half of 2016 and beyond.”
Paessler is a member of the Cisco Solution Partner Program and a VMware Technology Alliance Partner.
7 Pen Testing Must-Haves
In my visit to Intronis last week, the company’s senior director of product development, Chris Crellin, offered some security advice for partners, including advising customers to engage a third-party penetration tester. But independent pen tester Netragard says even those who have regular examinations may be living with a false sense of security.
To be realistic, a penetration test for a customer must meet some minimum requirements:
- IT/security staff must not be aware of the test.
- Must include solid reconnaissance.
- Must not depend on automated vulnerability scanners.
- Must include realistic social engineering, not just elementary phishing.
- Must include the use of undetectable (and non-malicious) malware.
- Must be covert so as to enable propagation of compromise.
- Must allow legitimate incident response from the customer.
The company recently completed penetration testing on payment card industry (PCI) systems for a large retail company that it’s calling “Acme Corporation.” Acme thought its corporate domain and credit card payment systems were secure. It was wrong. A job application listing on an external portal gave pen testers access to customer names, emails and credit-card details. See how in this detailed blog from company CEO Adriel Desautels.
Datto Adds Global Data Centers
Datto announced this week the opening of two new data centers, one in Singapore, managed in partnership with Equinix, and one in Calgary, the company’s second Canada location. In a statement, Datto said it’s seen a four-fold increase in Canadian partners since 2014. The addition of the Calgary data center will enable partners to provide data protection across bi-coastal sites in Canada as well as on a customer’s local SIRIS device.
Datto also has a presence in the U.K. and Australia, as well as distribution partners in continental Europe. And, there are open positions at the Toronto office. Just in case you’d rather skip the next few months of U.S. political drama.
How Did You Celebrate Startup Day?
Speaking of political drama, yesterday was officially “National Startup Across America Day.” To mark the occasion, the Small Business & Entrepreneurship Council released a report, Gap Analysis #3 – Entrepreneurship in Decline: Millions of Missing Businesses, that asserts a decline in entrepreneurship and startup activity.
By tabulating data from the U.S. Bureau of Labor Statistics, the U.S. Census Bureau and the IRS, the authors estimate that there are 722,000 fewer incorporated self-employed people and 106,000 fewer startups than expected. That’s a lot of unsold UC systems and Office 365 licenses.
“If we look at incorporated and unincorporated self-employed, and employer firms as shares of the relevant population, we see a significant gap in the number of businesses compared to where we should be,” said SBE Council chief economist Raymond J. Keating. “These numbers point to some 3.7 million missing businesses in the U.S. in 2015.”
The council blames the government, saying uncertainty regarding taxes, regulations and trade and monetary policy has created an “inhospitable climate” for entrepreneurship and small businesses. It’s calling for more access to capital and a simpler tax and regulatory system.
The tech industry doesn’t seem to be sitting around waiting. I profiled three cool new channel-focused startups last week. Here’s one more: Vectra Networks, winner of the Best of Black Hat award for most innovative emerging company. Vectra’s technology uses machine learning and behavioral analysis to spot threats in network traffic in real time, and it has a comprehensive channel program.
Noncompetes: What’s Your Stance?
I live in Massachusetts, and our legislature this week failed to pass a bill to restrict corporate noncompete contracts. The Boston Globe characterized this as a major disappointment for the local tech startup community, which says the agreements “stifle innovation and the free flow of talent and [block] would-be entrepreneurs from launching companies in the industries they know best.”
Large employers, including EMC, disagree, saying “noncompetes protect Massachusetts companies from competitors who might siphon away top employees and valuable trade secrets.”
We did not ask about noncompetes among channel companies in our 2016 U.S. Channel Compensation Survey, but I’m interested: Do you ask employees to sign a noncompete? Tell me in the comments, or join me, my colleague Lynn Haber, 451 Research and Women in the Channel at Channel Partners Evolution for an open discussion on the gender wage gap and more key findings and analysis from our survey, where nearly 300 peers weighed in to benchmark salaries by skill, job title, geography, gender and more.
Follow editor in chief @LornaGarey on Twitter.