ConnectWise InfoSec Update for our Partners from CTO Steve Cochran
With worldwide damages from cybercrime now measured in the trillions of dollars, we know that security is top of mind for all our partners every day. I wanted to share some updates we discussed at recent events and some new resources available to support the partner community.
As a provider of cybersecurity, unified monitoring and management and business management solutions for ITSPs, we take our Information Security (InfoSec) Program seriously. This program focuses on the security of our products and architecture, the practices within our corporate and product environments, privacy, compliance, and more. We understand that the cybersecurity landscape is changing at hyperscale speed, and as such, we’re making constant investments to keep ahead of those threats and provide resources to our partners.
ConnectWise InfoSec Program: Our Journey to Best in Class
In 2015, we began our journey by increasing investments in a dedicated infosec team. Our first priorities were aligning with industry standards and addressing compliance. As we evolved those areas, we expanded our investments and focus to a broader InfoSec (or as some say “cybersecurity”) agenda. With InfoSec acceleration established as one of our top priorities for 2019, we made major strides, including a 10x increase in investments in this area with the support of our owner, Thoma Bravo. We also separated product management from engineering and core technology (naming a separate CPO and CTO), which allowed us to prioritize and resource InfoSec priorities independent of product innovation strategy.
By 2020, we had adopted a Shift Left strategy, evolving our approach to be even more preventative with a focus on “security by design” and additional threat detection cycles to root out potential security vulnerabilities as early as possible in the software development cycle. The acquisition of Perch in 2020 was a huge milestone for us as a company, because we not only brought innovative solutions in-house to help our partners keep their customers secure, but also a deep bench of cybersecurity experts who helped us rapidly mature our approach to the security of our operations, how we secure our partners’ businesses, and how we support them in protecting their customers.
Today, in addition to our dedicated SOC team of nearly two hundred, more than eighty full-time colleagues serve in roles that directly focus on keeping our partners and their customers safe. And dozens of third-party experts and contractors in the cybersecurity arena stand with us to support and strengthen our program. ConnectWise maintains a documented Information Security policy based upon NIST and ISO27000 standards that includes directives for Information Classification and Handling, Access Provisioning and Review, Personnel Security and Security Awareness, Application and System Security, Network Security, Vulnerability and Threat Management, Security Monitoring and Incident Management, and Business Continuity Management. Further, we explicitly define employee responsibilities and acceptable use of information system resources. Our preventative work is complemented by a rich detective controls strategy, which—through our 24/7 critical monitoring—has enabled us to protect our company and our partners from over one million potential security events annually.
You can read more about our expansive activities related to InfoSec, as well as our compliance and privacy practices in our ConnectWise Trust Center. I also encourage you to check out my presentation at IT Nation Connect (52:15) where I cover our journey and next steps. I’ll use the rest of this blog to highlight just a few items you may be interested in knowing.
Raising Our Game
Here’s some more recent evolution that has occurred within our program:
- Increased External Audits & Testing: We commission independent SOC 2 Type 2 audits of our security controls for all products twice a year. We also conduct external penetration tests annually for all products, and often more frequently for our agent-based products.
- Delivery Pipeline Automation: In late 2021, as part of our Shift Left approach, we consolidated our static testing and third-party library testing into the Veracode platform, which also integrates with our CI/CD pipeline delivery tools (GitLab), essentially automating security testing and providing the ability to interrupt the build based on findings.
- Internal “Red Team”: In addition to our third-party partners and programs, we have increased the focus and effort of our internal “Red Team”, which performs threat hunting across our entire product suite.
- Internal Line of Sight & Prioritization: In late 2020, we modernized our processes and tools for the identification, real-time tracking, and prioritization of vulnerabilities based on CVSS standards. We have continued to fine-tune and enhance these capabilities over the last year to improve our cyber-resiliency—all while driving internal teams to resolve issues within expected SLAs.
- Increased Investments: Since 2019, when our InfoSec investment increased tenfold, we have more than doubled it year over year. Further, we’ve grown the number of people focused on InfoSec in some capacity of their role internally to hundreds as we make InfoSec everyone’s priority, not just our technical teams’.
- Program Governance: In 2019, we established an internal Executive Information Security Council to ensure executive-level visibility and steering for the InfoSec program while reviewing high-risk issues and guiding investment strategy. In 2021, we added two more pieces: (1) a Cybersecurity Committee of the ConnectWise Board of Directors and (2) an Executive Crisis Management Steering Committee to ensure response readiness at all threat levels.
- Everyone’s Accountable: Regardless of whether someone is in sales, engineering, or any other role in the company, they are required to participate in continuing education on InfoSec. Also, as part of Shift Left on the engineering side, our developers participate in an enhanced training curriculum.
- Equipping Partners: It takes everyone to keep this community and SMBs safe; we are only as strong as the weakest link. So, in 2020, we funded and launched IT Nation Secure, the industry’s first and only Cybersecurity Conference of its kind, to support partners in “protecting their house”, building their cybersecurity expertise, starting new practices, and keeping their customers safe, all while continuing our investments in community education and awareness by offering playbooks, resources, certification programs and more. We also launched the ConnectWise Cybersecurity Research Unit (CRU) to keep partners current on the latest industry threats and remediation guidance. You can follow them at @ConnectWiseCRU (Twitter).
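The two pipeline items above (interrupting a build based on scanner findings, and prioritizing vulnerabilities by CVSS with remediation SLAs) come down to one small piece of policy logic. The following is an added example of such a gate, not code from ConnectWise or Veracode: the finding format is a constructed JSON report, the SLA days per band and the "block on High or above, or on any overdue finding" policy are assumed illustrative values, and the severity bands are the standard CVSS v3.1 qualitative ratings.

```python
"""CI security gate: classify findings by CVSS, assign SLA due dates, and
decide whether the build may proceed.

Added example, not ConnectWise's or Veracode's code. The report layout,
SLA_DAYS and FAIL_ON are assumptions; the CVSS v3.1 bands are the
standard ones (Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0).
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation SLA in days per severity band (illustrative values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
BAND_ORDER = ["low", "medium", "high", "critical"]
# Assumed policy: interrupt the build at this band or above.
FAIL_ON = "high"

# Constructed sample report in the assumed format (not real scanner output).
SAMPLE_REPORT = json.dumps({"findings": [
    {"id": "F-1", "cvss": 9.8, "first_seen": "2022-01-10"},
    {"id": "F-2", "cvss": 5.3, "first_seen": "2021-10-01"},
    {"id": "F-3", "cvss": 2.0, "first_seen": "2022-01-20"},
    {"id": "F-4", "cvss": 0.0, "first_seen": "2022-01-20"},
]})


def cvss_band(score: float) -> str:
    """Map a CVSS v3.1 base score to its qualitative severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


@dataclass(frozen=True)
class Triaged:
    finding_id: str
    band: str
    due: date
    overdue: bool


def triage(findings: list[dict], today: date) -> list[Triaged]:
    """Assign a band and SLA due date to each finding; flag overdue ones.

    Informational (score 0.0) findings carry no SLA and are dropped.
    Result is ordered most urgent first: higher band, then earliest due date.
    """
    out: list[Triaged] = []
    for f in findings:
        band = cvss_band(float(f["cvss"]))
        if band == "none":
            continue
        opened = date.fromisoformat(f["first_seen"])
        due = opened + timedelta(days=SLA_DAYS[band])
        out.append(Triaged(str(f["id"]), band, due, today > due))
    return sorted(out, key=lambda t: (-BAND_ORDER.index(t.band), t.due))


def gate(findings: list[dict], today: date, fail_on: str = FAIL_ON):
    """Return (passed, blocking): the build fails if any finding is at or
    above `fail_on`, or if any finding of any band has blown its SLA."""
    threshold = BAND_ORDER.index(fail_on)
    blocking = [t for t in triage(findings, today)
                if BAND_ORDER.index(t.band) >= threshold or t.overdue]
    return (not blocking), blocking


def run_gate(report_json: str, today_iso: str, fail_on: str = FAIL_ON) -> dict:
    """Parse a report, apply the gate, and return a plain summary."""
    findings = json.loads(report_json)["findings"]
    passed, blocking = gate(findings, date.fromisoformat(today_iso), fail_on)
    return {
        "passed": passed,
        "blocking": [
            {"id": t.finding_id, "band": t.band, "due": t.due.isoformat(),
             "overdue": t.overdue}
            for t in blocking
        ],
    }


if __name__ == "__main__":
    # A CI job would feed the real report and exit non-zero to stop the build.
    result = run_gate(SAMPLE_REPORT, "2022-02-01")
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["passed"] else 1)
```

Run against the constructed report on 2022-02-01, F-1 blocks because it is Critical, F-2 blocks because its 90-day Medium SLA lapsed on 2021-12-30, and F-3 (Low, not yet due) is reported but does not block; the non-zero exit status is what lets the pipeline interrupt the build.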
And as we continue on the journey with our Asio™ platform, “security by design” is a key tenet, followed by our modern engineering approach.
Addressing Technical Debt
There’s no question we are still in a transition phase as we modernize our solutions and bring innovation to market on the Asio platform. To address the technical debt associated with some of our older solutions, here are examples of our recent actions:
- Incentivizing Cleanup: We now incentivize our internal teams to identify, disclose and assist with the remediation of issues.
- Focused Remediation Teams: We now have dedicated teams of developers who exclusively work on vulnerability remediation rather than new product features and capabilities. We are grateful that, in addition to our dedicated information security team, our Red Team, our dedicated SOC, our Cybersecurity Research Unit, and our third-party threat intelligence partners, we have a team of industry comrades, many of whom are our partners, who come alongside us to put our environments to the test and report potential vulnerabilities.
- Our Vulnerability Disclosure Program makes it easy for researchers to report potential vulnerabilities and allows them to share their findings publicly after we’ve evaluated and, where appropriate, addressed the issue.
- Our Bug Bounty Program, which is administered in partnership with HackerOne, invites a private cohort of registered goodwill hackers to identify threats and compensates them for their work as part of an exclusive program.
Between our own ConnectWise critical monitoring and threat hunting, the results of our third-party testing, and these two detection programs, we have detected and remediated a number of potentially serious threats in the last year alone. This work continues and expands in 2022.
Transparency, Communications & Responsiveness
Here are just a few things we want to make sure all our partners are aware of:
- ConnectWise Trust Center: In 2020, we launched a resource center on our website that provides details on our InfoSec program, partner resources, real-time security bulletins on ConnectWise products (I encourage you to sign up for the RSS feeds), advisories on industry threats that may impact our partners, and more. In 2022, we plan to enhance this “hub” by improving the user experience and publishing additional information.
- Communications: We now have a dedicated team of ConnectWise colleagues who are responsible for rapidly communicating with partners when there is an incident or vulnerability, whether within our environment or related to a third party, that may impact them. With this team being essentially “on call” 24/7, we have greatly improved our “time to mobilize”, with partner communications now going out within minutes of confirmed issues (you experienced this up-leveling through the recent Log4j incident). We still have some cleanup to do with “how” we communicate: as a result of multiple acquisitions we are still working to integrate databases and partner communication models, which is a priority for 2022. In the meantime, our RSS feeds and advisories from the Trust Center will keep the broad partner community up to speed, and we will continue to also notify any impacted partners directly via email.
- Supporting Partners Encountering a Security Attack: We know that time is of the essence when a crisis unfolds. So, we want to make it easy for any partner who feels they may be under an active attack to contact us and connect with real people. Our email address firstname.lastname@example.org exclusively for this purpose continues to be monitored 24/7, but at IT Nation Connect in November 2021, we announced and launched 1-888-WISE911 as another vehicle to reach out to us. We hope you never need to use it but keep us on speed dial in case a crisis arises—we’re here for you.
In 2022, as a continuation of recent years, InfoSec remains the top priority for every team in the company, reflected in our corporate metrics. In addition to some of the priorities I mentioned above, planned efforts include but are not limited to continuing to improve our incident response process, improving our audit capabilities, enhanced SOC monitoring for all products, required security controls such as MFA for ConnectWise product adoption, increased application guardrails, and increased communication frequency as it relates to our program discoveries and enhancements.
There’s no way a single blog post could comprehensively do justice to all the things we’ve put in place to secure our company, our partners, and their customers. But I hope this gives you a glimpse, with some resources to read further. If you take anything away from this update, it’s this: our InfoSec program remains ConnectWise’s top priority; we’ve successfully matured it, but we’re not taking our foot off the gas. I hope to see you all at IT Nation Secure 2022 this spring.
Chief Technology Officer