Sophos: Attacker Dwell Time Increased by 36%
Sophos, a UK-based cybersecurity company, has released a study showing that attacker dwell time increased 36% in 2021, with a median intruder dwell time of 15 days in 2021 versus 11 days in 2020. The “Active Adversary Playbook 2022” also reveals the impact of the ProxyShell vulnerabilities in Microsoft Exchange, which Sophos believes some Initial Access Brokers (IABs) leveraged to breach networks and then sell that access to other attackers.
“IABs have developed a cottage cybercrime industry by breaching a target, doing exploratory reconnaissance or installing a backdoor, and then selling the turn-key access to ransomware gangs for their own attacks,” said John Shier, senior security advisor at Sophos. “It is vital that defenders understand what to look for at every stage of the attack chain, so they can detect and neutralize attacks as fast as possible.”
Sophos’ research also shows that intruder dwell time was longer in smaller organizations’ environments. Attackers lingered for approximately 51 days in organizations with up to 250 employees, while they typically spent 20 days in organizations with 3,000 to 5,000 employees.
“Attackers consider larger organizations to be more valuable, so they are more motivated to get in, get what they want and get out,” added Shier. “Smaller organizations have less perceived ‘value,’ so attackers can afford to lurk around the network in the background for a longer period. It’s also possible these attackers were less experienced and needed more time to figure out what to do once they were inside the network. Lastly, smaller organizations typically have less visibility along the attack chain to detect and eject attackers, prolonging their presence.”
The median attacker dwell time before detection was longer for “stealth” intrusions that had not unfolded into a major attack such as ransomware, and for smaller organizations and industry sectors with fewer IT security resources. The median dwell time for organizations hit by ransomware was 11 days. For those that had been breached, but not yet affected by a major attack, such as ransomware (23% of all the incidents investigated), the median dwell time was 34 days. Organizations in the education sector or with fewer than 500 employees also had longer dwell times.
The Sophos Active Adversary Playbook 2022 is based on 144 incidents in 2021, targeting organizations of all sizes, in a wide range of industry sectors, and located in the U.S., Canada, the U.K., Germany, Italy, Spain, France, Switzerland, Belgium, the Netherlands, Austria, the United Arab Emirates, Saudi Arabia, the Philippines, the Bahamas, Angola, and Japan.
Longer dwell times and open entry points leave organizations vulnerable to multiple attackers. Forensic evidence uncovered instances where multiple adversaries, including IABs, ransomware gangs, cryptominers, and occasionally even multiple ransomware operators, were targeting the same organization simultaneously. Channel partners are advised to treat a legitimate tool, a combination of such tools, or routine activity appearing in an unexpected place or at an uncommon time as a warning sign: these are the early signals of the access-broker and ransomware activity described above, before a major attack unfolds.
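The three signals Sophos names (a legitimate tool in an unexpected place, at an uncommon time, or as part of an unusual combination) can be expressed as simple rules over process-creation telemetry. The Python below is an added example, not code from Sophos or from the report; the tool list, the host roles, the business-hours window and the sample events are all assumptions constructed for illustration, and a real deployment would source them from the organization's own asset inventory and baseline.

```python
"""Flag legitimate admin tools that show up in an unexpected place, at an
uncommon time, or in an unusual combination, over constructed process-creation
events. Added example: tool list, host roles, thresholds and events are all
assumptions, not data from the Sophos report."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: dual-use tools that are normal in admin hands but worth a second look
# elsewhere (living-off-the-land binaries plus common remote-exec/sync tools).
ADMIN_TOOLS = {
    "psexec.exe", "net.exe", "nltest.exe", "adfind.exe",
    "vssadmin.exe", "wmic.exe", "rclone.exe",
}
# Assumed: host roles where running those tools is part of the job.
EXPECTED_ROLES = {"admin-workstation", "domain-controller"}
BUSINESS_HOURS = range(8, 18)          # 08:00-17:59 local time, weekdays only
COMBO_WINDOW = timedelta(minutes=10)   # several distinct tools inside this window
COMBO_MIN_DISTINCT = 3

# Constructed sample events (not real telemetry). 2021-11-03 is a Wednesday,
# 2021-11-06 a Saturday.
SAMPLE_EVENTS = [
    {"ts": "2021-11-03T10:15:00", "host": "WS-FIN-07", "role": "workstation",
     "user": "jdoe", "image": "excel.exe"},
    {"ts": "2021-11-03T10:20:00", "host": "ADM-01", "role": "admin-workstation",
     "user": "it-admin", "image": "psexec.exe"},
    {"ts": "2021-11-03T02:10:00", "host": "WS-FIN-07", "role": "workstation",
     "user": "jdoe", "image": "net.exe"},
    {"ts": "2021-11-03T02:12:00", "host": "WS-FIN-07", "role": "workstation",
     "user": "jdoe", "image": "nltest.exe"},
    {"ts": "2021-11-03T02:15:00", "host": "WS-FIN-07", "role": "workstation",
     "user": "jdoe", "image": "adfind.exe"},
    {"ts": "2021-11-06T11:00:00", "host": "ADM-01", "role": "admin-workstation",
     "user": "it-admin", "image": "vssadmin.exe"},
]


def is_uncommon_time(ts: datetime) -> bool:
    """Weekend, or a weekday outside the assumed business hours."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def detect(events: list[dict]) -> list[dict]:
    """Return one alert dict per (event, rule) hit, in timestamp order."""
    parsed = sorted(
        ({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
        key=lambda e: e["ts"],
    )
    alerts = []
    recent: dict[str, list[dict]] = defaultdict(list)  # per-host admin-tool events
    for ev in parsed:
        image = ev["image"].lower()
        if image not in ADMIN_TOOLS:
            continue  # the tool itself is the trigger; ordinary apps are ignored
        hits = []
        if ev["role"] not in EXPECTED_ROLES:
            hits.append("unexpected_place")
        if is_uncommon_time(ev["ts"]):
            hits.append("uncommon_time")
        # Sliding window per host: keep only admin-tool events within COMBO_WINDOW.
        window = [r for r in recent[ev["host"]] if ev["ts"] - r["ts"] <= COMBO_WINDOW]
        window.append(ev)
        recent[ev["host"]] = window
        if len({r["image"].lower() for r in window}) >= COMBO_MIN_DISTINCT:
            hits.append("tool_combination")
        for rule in hits:
            alerts.append({"rule": rule, "host": ev["host"], "user": ev["user"],
                           "image": image, "ts": ev["ts"].isoformat()})
    return alerts


def summarize(alerts: list[dict]) -> dict[str, int]:
    """Count alerts per rule, a quick triage view."""
    counts: dict[str, int] = defaultdict(int)
    for a in alerts:
        counts[a["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["ts"]} {a["host"]:<10} {a["image"]:<13} {a["rule"]}')
    print(summarize(found))
```

On the constructed events, the PsExec run on the admin workstation during the day produces nothing, the three reconnaissance tools on the finance workstation at 02:10-02:15 each fire on place and time, the third one also fires the combination rule, and the Saturday vssadmin run on the admin host fires on time alone. The point is that none of these binaries is malicious by itself; the context (role, hour, co-occurrence) is what separates an admin from an access broker doing reconnaissance.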
Kaseya Closes Acquisition of Datto
Kaseya has completed its acquisition of Datto for $6.2 billion, representing a share price of $35.50.
The move is expected to strengthen Kaseya’s “IT Complete” platform with a variety of new solutions filling gaps in the previous service line. Kaseya announced that at least 17 workflow integrations between Datto products and the Kaseya platform are planned within the first month, and that all commercial integrations are anticipated to be completed within 120 days.
The list pricing on all Datto technology is expected to be reduced by an average of 10% on new purchases.
“As we promised when we announced our intent to buy Datto, customers are going to see investment in innovation and integrations go up and prices come down,” said Kaseya CEO Fred Voccola. “We are increasing our technical investment in our products to ensure that every one of them will be supported and integrated, with enhanced functionality.”
“This is absolutely the best thing that could have happened to Datto, our employees and most importantly our MSP Partners,” said Rob Rae, Datto’s Senior Vice President of Business Development. “Datto has always been committed to building great technology and creating a culture where its MSP customers always come first — and as part of Kaseya, we will be able to do this bigger, better, and at lower cost to the MSP.”
Datto will continue to operate as an autonomous brand from Norwalk, Connecticut, continuing its emphasis on unified continuity, networking, endpoint management and business management solutions. Headquartered in Miami with a presence in more than 25 countries, Kaseya provides unified IT & security management software for managed service providers and mid-market enterprises. Prominent brands include IT Glue, RapidFire Tools, Unitrends, Spanning Cloud Apps, TruMethods, ID Agent, Graphus and RocketCyber.
The move is intended to help boost innovation at reduced prices. Customers and partners can expect to see investments focused on upgrades and innovations to all Datto product offerings.
Splunk Announces Partner Program Enhancements
Splunk Inc., a San Francisco-based network and security platform vendor, has rolled out partner program enhancements including access to the Splunk Cloud Sandbox, a dedicated, non-production Splunk Cloud Platform environment. For 12 months, eligible partners can access a 50GB, single-tenant cloud stack environment to learn about Splunk cloud products, build and test solutions, and demonstrate their solutions on Splunk Cloud to existing and new customers.
The company also released a new online Solutions Catalog where partners can showcase their expertise and Splunk-based offerings and services to attract and connect with potential customers.
In addition, Splunk launched a new Funded Partner Training benefit to help partners build solution competencies and drive enablement. Each eligible partner will receive two coupons for the Enterprise Certified Architect and/or the Cloud Administration course, both of which apply toward certifications. Eligible partners will continue to have access to a 50 percent discount on all individual instructor-led and self-paced training.
Splunk also announced it will work with Amazon Web Services to create a new Customer Immersion Experience Center in London.
The new enhancements are expected to help Splunk’s 2,400+ partners expand and differentiate their offerings.