Business + Partners

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan plan before its hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Staying a Step Ahead of the Hack

Hackers, never at a loss for creative deception, have engineered new tactics for exploiting the weakest links in the cybersecurity chain: ourselves! Social engineering and business email compromise (BEC) are two related cyberattack vectors that rely on human error to bypass the technology defenses businesses deploy to deter malware.

Social Engineering

Social Engineering is when hackers impersonate trusted associates or acquaintances to manipulate people into giving up their passwords, banking information, date of birth or anything else that could be used for identity theft. As it turns out, it’s easier to hack our trust than our computers. Social engineering covers a range of tactics:

  • Email from a friend or family member – A hacker gets access to the email password of someone you know. From there, they can send you a malicious link in an email that you’re more likely to click on because it came from someone you trust.
  • Compelling story (pretexting) – This includes urgently asking for help. This can read like, “Your friend is in danger and they need your help immediately – please send me money right away so they can get treatment!”
  • Standard phishing tactics – Phishing techniques include website spoofing emails appearing to come from an official source asking you to reset your password or confirm personal data. After clicking the link and entering the info, your security is compromised.
  • “You’re a winner” notifications ­– Whether a lottery prize or a free trip to Cancun, this tactic catches many off guard. It’s known as “greed phishing” and it takes advantage our fondness for pleasure or weakness for the word “free.”

Business Email Compromise

Business email compromise is a targeted attack against corporate personnel, usually someone with the authority to request or fulfill a financial transaction. Victims execute seemingly routine wire transfers to criminals impersonating legitimate business associates or vendors.

This form of fraud relies on a contrived pretext to request a payment or purchase be made on the attacker’s behalf. According to the FBI, BEC attacks resulted in more than $26 billion (you read that right) between June 2016 and July 2019. Here are a few tips for protecting users and businesses from BEC attacks:

Slow down – BEC attacks combine context and familiarity (an email from your boss) with a sense of urgency (I need this done now!). This causes victims to lose their critical thinking capabilities.

Don’t trust, verify – Never use the same channel, in this case email, to verify the identity of the requester. Pick up the phone and call, or use video chat.

Prepare for the inevitable – Use all the technology at your disposal to ensure a BEC attack doesn’t succeed. Machine learning-enabled endpoint security solutions can help identify malicious sites.

Address the weakest link – Train users to spot BEC attacks. Webroot testing shows that phishing simulations can improve users’ abilities to spot attacks.

Perfecting Your Posture

Webroot Security Intelligence Director, Grayson Milbourne, offers several suggestions that companies can do to increase their security posture. First, he says, “Whenever money is going to be sent somewhere, you should have a two-factor verification process to ensure you’re sending the money to the right person and the right accounts.”

Milbourne is also a big advocate of security awareness training. “You can really understand the security topology of your business with respect to your users’ risk factors,” he says. “So, the engineering team might score one way and the IT department might score another way. This gives you better visibility into which groups within your company are more susceptible to clicking on links in emails that they shouldn’t be clicking.”

With the increase in scams related to the global COVID-19 pandemic, timely and relevant user education is especially critical. “COVID obviously has been a hot topic so far this year, and in the last quarter we added close to 20 new templates from different COVID-related scams we see out in the wild,” Milbourne says.

“When we look at first-time deployment of security awareness training, north of 40% of people are clicking on links,” Milbourne says. “Then, after going through security awareness training a couple of times, we see that number dip below 10%.”

Where to learn more

Our newest research on phishing attacks and user (over)confidence, “COVID-19 Clicks: How Phishing Capitalized on a Global Crisis” is out now, check it out!

Why Workers Aren’t Confident in their Companies’ Security (and What to Do About it)

According to data from a recent report, only 60% of office workers worldwide believe their company is resilient against cyberattacks. Nearly one in four (23%) admit to not knowing, while nearly one in five (18%) flat-out think it isn’t.

In the anonymous, write-in responses to the survey, many workers agreed that their employers could be doing more to support them and ensure their security. When asked to elaborate on why they didn’t believe their company was resilient against attacks, the most-repeated answers were along the following lines:

  • My company has been hacked before.
  • My company doesn’t prioritize security/security spend.
  • My company’s equipment and software are poorly maintained.
  • My company outsources its security, so we have no direct control.
  • I still get phishing emails. Our filtering must not be good enough.

These types of responses highlight two things: a general lack of faith in the company’s security and the perception that companies aren’t investing enough in security systems OR their employees. When considered alongside another question from the survey, there seems to be a third factor at play: there is also confusion as to who should be responsible for a company’s cyber resilience in the first place.

Overall, only 14% of office workers worldwide consider cyber resilience to be a responsibility all employees share. If workers also feel their companies don’t invest enough in them or the tools that protect them, it makes sense that they might not feel like cyber resilience is something they should worry about. If a person feels their employer doesn’t value them appropriately or empower them with the right tools to do their jobs, then the notion of having to expend one’s own time and energy on the company’s security could rankle. So how do you overcome the challenge of personal investment?

How to empower your people and your security

Investment

Dr. Prashanth Rajivan, cybersecurity and human behavior expert, says businesses that want to foster a feeling of personal investment must first tackle the notion of shared responsibility. He explains that, when people perceive themselves to have a greater responsibility to others, their average level of willingness to engage in risky behavior decreases.

“If you’re asking individuals to make changes to their own behavior for the greater safety of all, then you need to make it clear that you are willing to invest in them. By creating a feeling of personal investment in the individuals who make up a company, you encourage the employees to return that feeling of investment toward their workplace. That’s a huge part of ensuring that cybersecurity is part of the culture.” – Prashanth Rajivan, Ph.D.

One way to both empower your workforce to become a strong first line of defense while also demonstrating investment is by implementing a security awareness training program with phishing simulations, as well as giving employees enough time to carefully and thoughtfully complete the learning exercises and understand any applicable feedback.

Consistency

According to Phil Karcher, principal product manager in charge of Webroot® Security Awareness Training, running regular, up-to-date training on an ongoing basis is one of the best ways to help end users avoid attacks and become a strong first line of defense for the company as a whole.

“Data from Webroot® Security Awareness Training shows that, if you want people to make lasting changes to their behavior, you have to run consistent, relevant training courses and phishing simulations that are also varied enough that people won’t get bored or find them predictable. Running a second simulation makes a dramatic impact — and it only gets better from there.”

– Philipp Karcher, principal product manager, Carbonite + Webroot, OpenText Companies
Number of Phishing SimulationsClick-through Rate
111%
2-38%
4-106%
11-145%
15-174%

Feedback

Dr. Rajivan also reminds us that human behavior is shaped by experience and reinforcement. He and Phil agree that consistency is key for empowering your workforce to become more resilient. But Dr. Rajivan also stresses the importance of feedback over consequences.

“Without appropriate feedback, no amount of training will be effective. And because the average person handles uncertainty poorly, training must include a variety of different scenarios. Human behavior is shaped through varied experiences, with a mix of positive and negative outcomes and applicable feedback.

This feedback and incentive structure needs to be carefully calibrated. Too much could lead to heightened anxiety and false alarms, but too little could lead to underweighted risk, i.e. people knowing the correct actions, but not taking them.”

– Prashanth Rajivan, Ph.D.

Next steps

As phishing attacks continue to be a primary way that businesses get breached, the need for consistent end user education is clear. And by implementing a regular training regimen, you can demonstrate care and investment in your people, educate employees on scams, risks and what to do if the unthinkable happens, and successfully build cyber resilience into your overall company culture.

To take the first step towards cyber resilience and trial an engaging Security Awareness Training program, Take a Free Trial.  

Small Businesses are Counting on Their MSPs this Small Business Saturday

This November 28 may be the most important Small Business Saturday since the occasion was founded by American Express in 2010.

As early as July, nearly half (43 percent) of small businesses had closed at least temporarily, according to a study published in the Proceedings of the National Academy of Sciences. Research also suggests that 30 percent of small businesses expect to exhaust their cash on hand before year’s end. Eighty-eight percent have already spent the funds allocated to them by the U.S. government’s Paycheck Protection Program loan.

While hopes will be buoyed for some by recent positive developments in the search for a vaccine, uncertainty and hard times no doubt still lie ahead. That’s why Webroot encourages advocates and partners to shop small this November 28. For our customers, we aim to be a source of support and sound consultation as we recover together.

Challenges and opportunities for small businesses and MSPs

Many of the small businesses affected by COVID-19 are among Webroot’s clientele. Many more, especially managed service providers, count small businesses as their most important customers. We’ve heard from many who are suffering from lost contracts following office closures, fewer onsite projects, disappearing budgets for business development projects and a general slowdown of new business.

Others are witnessing a shift in the work they do and the services most in-demand. For some, COVID-related challenges have presented opportunities to step up and offer services made necessary by new realities. Unsurprisingly, the already trending adoption of cloud infrastructure has quickened its pace in the age of remote work.

“We’ve had to speed up migrating some clients on-premise file servers to online cloud solutions,” according to Russell Harris, a support engineer and project manager at Maya Solutions Ltd., a UK-based MSP specializing in Apple product support

For David Yates, president of Geeks R Us, a West Coast provider of various technical services, the shift to remote work was the push some of his customers needed to leave physical servers behind.

“A few clients who were reluctant to move to the cloud have now embraced it. This was the impetus that they needed to finally migrate away from on-premise servers,” he said.

Many MSPs have also taken it upon themselves to guide their clients through the transition to remote work, especially in terms of security.

“We’ve had to shift to more cloud, VPN and helping our clients work remotely,” says Nathan Hardester, a telecoms administrator with Whidbey Tech Solutions, a Washington-based MSP.

Cybersecurity education is another opportunity for MSPs looking to help small business clients up their cyber resilience. We know that many office workers are overly confident in their ability to detect a phishing attack, so MSPs should position themselves as educators. Already, in the COVID-era, some are finding themselves do exactly that.

Asked what’s changed at Maya Solutions since the pandemic, Harris responds “needing to provide additional training on online safety due to many working from home on their own devices.”

Making it through together

Many MSPs—often small businesses themselves—rely on their small business clients run for their success. And on this Small Business Saturday, small businesses need us all more than ever. Despite the challenges, there are opportunities for MSPs to step up and guide their clients through the changing way we work.

For more tips on staying cyber resilient through COVID-19 and beyond, stay tuned to our Community threat and check out these tips for MSPs looking to help small businesses bounce back.

Getting to Know Cloudjacking and Cloud Mining Could Save Your Business

A few years back, cryptojacking and cryptomining emerged as relatively low-effort ways to profit by hijacking another’s computing resources. Today, cloudjacking and cloud mining capitalize on similar principles, only by targeting the near infinite resources of the cloud to generate revenue for attackers. Knowing this growing threat is key to maintaining cyber resilience.

Enterprise-level organizations make especially attractive cloudjacking targets for a few reasons. As mentioned, the computing power of cloud networks is effectively limitless for all but the most brazen cybercriminals.

Additionally, excess electricity consumption, one of the most common tipoffs for smaller scale cryptojacking attacks, often goes unnoticed at the scale large corporations are used to operating. The same goes for CPU.

Careful threat actors can also throttle back the amount of resources they’re ripping off—when attacking a smaller organization, for instance—to avoid detection. Essentially, the resources stolen at any one time in these attacks are a drop in the Pacific Ocean to their largest targets. Over time, though, and depending on particulars of a usage contract, the spend for CPU used can really add up.

“Hackers have definitely transitioned away from launching ransomware attacks indiscriminately,” says Webroot threat analyst Tyler Moffitt. “It used to be, ‘everybody gets the same payload, everyone has the same flat-rate ransom.’

“That’s all changed. Now, ransomware actors want to go after businesses with large attack surfaces and more pocketbook money than, say, grandma’s computer to pay if they’re breached. Cloud is essentially a new market.”

High-profile cloudjacking incidents

Arguably the most famous example of cloudjacking, at least in terms of headlines generated, was a 2018 attack on the electric car manufacturers Tesla. In that incident, cybercriminals were discovered running malware to leech the company’s Amazon Web Service cloud computing power to mine cryptocurrency.

Even with an organization of Tesla’s scale, the attackers reportedly used a throttling technique to ensure their operations weren’t uncovered. Ultimately, they were reported by a third-party that was compensated for their discovery.  

More recently, the hacking group TeamTNT developed a worm capable of stealing AWS credentials and implanting cloudjacking malware on systems using the cloud service. It does this by searching for accounts using popular development tools, like Docker or Kubernets, that are both improperly configured and running AWS, then performing a few simple searches for the unencrypted credentials.

TeamTNT’s total haul remains unclear, since it can spread it’s ‘earnings’ across multiple crypto wallets.  The fear though, now that a proven tactic for lifting AWS credentials is out in the wild, is that misconfigured cloud accounts will become prime targets for widespread illicit cloud mining.

SMBs make attractive targets, too

Hackers aren’t just launching cloudjacking attacks specifically against storage systems and development tools. As with other attack tactics, they often see MSPs and small and medium-sized businesses (SMBs) as attractive targets as well.

“Several attacks in the first and second quarters of 2019 involved bad actors hijacking multiple managed service providers,” says Moffitt. “We saw that with Sodonakibi and GrandCrab. The same principles apply here. Hacking a central, cloud-based property allows attackers to hit dozens and potentially hundreds of victims all at once.”

Because smaller businesses typically share their cloud infrastructure with other small businesses, compromising cloud infrastructure can provide cybercriminals with a trove of data belonging to several concerned owners.

“The cloud offers an attractive aggregation point as it allows attackers access to a much larger concentration of victims. Gaining access to a single Amazon web server, for instance, could allow threat actors to steal and encrypt data belonging to dozens of companies renting space on that server hostage,” says Moffitt. 

High-value targets include confidential information like mission-critical data, trade secrets, unencrypted tax information or customer information that, if released, would violate privacy laws like GDPR and CCPA.

Some years ago, smaller businesses may have escaped these cloud compromises without too much disruption. Today, the data and services stored or run through the cloud are critical to the day-to-day even for SMBs. Many businesses would be simply crippled should they lost access to public or private cloud assets.

The pressure to pay a ransom, therefore, is significantly higher than it was even three years ago. But ransoms aren’t the only way for malicious actors to monetize their efforts. With cloud mining, they can get right to work making cryptocurrency while evading notice for as long as possible.

How to protect against cloudjacking and cloud mining

Moffitt recommends using “versioning” to guard against cloudjacking attacks. Versioning is the practice of serializing unalterable backups to prevent them from being deleted or manipulated.

 “That means not just having snapshot or history copies—that’s pretty standard—since with ransomware we’ve seen actors encrypt all of those copies. So, my suggestion is creating immutable backups. It’s called versioning, but these are essentially snapshot copies that can never be edited or encrypted.”

Moffitt says many service providers have this capability, but it may not be the default and need to be switched on manually.

Two more tactics to adopt to defend against cloud jacking involve monitoring your configurations and monitor your network traffic. As we’ve seen, capitalizing on misconfigured AWS infrastructure is one of the more common ways for cybercriminals to disrupt cloud services.

Security oversight of devops teams setting up cloud applications is crucial. There are tools available that can automatically discover resources as soon as they’re created, determine the applications running on the resource and apply appropriate policies based on the resource type.

By monitoring network traffic and correlating it with configuration data, companies are able to spot suspicious network traffic being generated as they send work or hashes to public mining pools that are public and could help identify where mining is being directed. 

There tends to be a learning curve when defending against emerging attacks. But if businesses are aware of how cloud resources are manipulated by threat actors, they can be on guard against cloudjacking by taking a few simple steps, increasing their overall cyber resilience.

The Nastiest Malware of 2020

For the third year running, we’ve examined the year’s biggest cyber threats and ranked them to determine which ones are the absolute worst. Somewhat unsurprisingly, phishing and RDP-related breaches remain the top methods we’ve seen cybercriminals using to launch their attacks. Additionally, while new examples of malware and cybercriminal tactics crop up each day, plenty of the same old players, such as ransomware, continue to get upgrades and dominate the scene.

For example, a new trend in ransomware this year is the addition of a data leak/auction website, where criminals will reveal or auction off data they’ve stolen in a ransomware attack if the victim refuses to pay. The threat of data exposure creates a further incentive for victims to pay ransoms, lest they face embarrassing damage to their personal or professional reputations, not to mention hefty fines from privacy-related regulatory bodies like GDPR.

But the main trend we’ll highlight here is that of modularity. Today’s malicious actors have adopted a more modular malware methodology, in which they combine attack methods and mix-and-match tactics to ensure maximum damage and/or financial success.

Here are a few of nastiest characters and a breakdown of how they can work together.

  • Emotet botnet + TrickBot Trojan + Conti/Ryuk ransomware
    There’s a reason Emotet has topped our list for 3 years in a row. Even though it’s not a ransomware payload itself, it’s the botnet that is responsible for the most ransomware infections, making it pretty darn nasty. It’s often seen with TrickBot, Dridex, QakBot, Conti/Ryuk, BitPaymer and REvil.

    Here’s how an attack might start with Emotet and end with ransomware. The botnet is used in a malicious spam campaign. An unwitting employee at a company receives the spam email, accidentally downloads the malicious payload. With its foot in the door, Emotet drops TrickBot, an info-stealing Trojan. TrickBot spreads laterally through the network like a worm, infecting every machine it encounters. It “listens” for login credentials (and steals them), aiming to get domain-level access. From there, attackers can perform recon on the network, disable protections, and drop Conti/Ryuk ransomware at their leisure.
  • Ursnif Trojan + IcedID Trojan + Maze ransomware
    Ursnif, also known as Gozi or Dreambot, is a banking Trojan that has resurfaced after being mostly dormant for a few years. In an attack featuring this troublesome trio, Ursnif might land on a machine via a malicious spam email, botnet, or even TrickBot, and then drop the IcedID Trojan to improve the attackers’ chances of getting the credentials or intel they want. (Interestingly, IcedID has been upgraded to use steganographic payloads. Steganography in malware refers to concealing malicious code inside another file, message, image or video.) Let’s say the Trojans obtain the RDP credentials for the network they’ve infected. In this scenario, the attackers can now sell those credentials to other bad actors and/or deploy ransomware, typically Maze. (Fun fact: Maze is believed to have “pioneered” the data leak/auction website trend.)
  • Dridex/Emotet malspam + Dridex Trojan + BitPaymer/DoppelPaymer ransomware

Like TrickBot, Dridex is another very popular banking/info-stealing Trojan that’s been around for years. When Dridex is in play, it is either dropped via Emotet or its authors’ own malicious spam campaign. Also like TrickBot, Dridex spreads laterally, listens for credentials, and typically deploys ransomware like BitPaymer/DoppelPaymer.

As you can see, there are a variety of ways the attacks can be carried out, but the end goal is the more or less the same. The diverse means just help ensure the likelihood of success.

The characters mentioned above are, by no means, the only names on our list. Here are some of the other notable contenders for Nastiest Malware.

  • Sodinokibi/REvil/GandCrab ransomware – all iterations of the same ransomware, this ransomware as a service (RaaS) payload is available for anyone to use, as long as the authors get a cut of any successful ransoms.
  • CrySiS/Dharma/Phobos ransomware – also RaaS payloads, these are almost exclusively deployed using compromised RDP credentials that are either brute-forced or easily guessed.
  • Valak – a potent multi-functional malware distribution tool. Not only does it commonly distribute nasty malware such as IcedID and Ursnif, but it also has information stealing functionalities built directly into the initial infection.
  • QakBot – an info-stealing Trojan often dropped by Emotet or its own malspam campaigns with links to compromised websites. It’s similar to TrickBot and Dridex and may be paired with ProLock ransomware.

Combine protections to combat combined attacks.

If businesses want to stay safe, they need to implement multiple layers of protection against these types of layered attacks. Here are some tips from our experts.

  • Lock down RDP. Security analyst Tyler Moffitt says unsecured RDP has risen over 40% since the COVID-19 pandemic began because more businesses are enabling their workforce to work remotely. Unfortunately, many are not doing so securely. He recommends businesses use RDP solutions that encrypt the data and use multi-factor authentication to increase security when remoting into other machines.
  • Educate end users about phishing. Principal product manager Phil Karcher points out that many of the attack scenarios listed above could be prevented with stronger phishing/spam awareness among end users. He recommends running regular security training and phishing simulations with useful feedback. He also says it’s critical that employees know when and how to report a suspicious message.
  • Install reputable cybersecurity software. Security intelligence director Grayson Milbourne can’t stress enough the importance of choosing a solution that uses real-time threat intelligence and offers multi-layered shielding to detect and prevent multiple kinds of attacks at different attack stages.
  • Set up a strong backup and disaster recovery plan. VP of product management Jamie Zajac says that, particularly with a mostly or entirely remote workforce, businesses can’t afford not to have a strong backup. She strongly recommends regular backup testing and setting alerts and regular reporting so admins can easily see if something’s amiss.

Discover more about the 2020’s Nastiest Malware on the Webroot Community.

What DoH Can Really Do

Fine-tuning privacy for any preference

A DNS filtering service that accommodates DNS over HTTPS (DoH) can strengthen an organization’s ability to control network traffic and turn away threats. DoH can offer businesses far greater control and flexibility over their privacy than the old system.

The most visible use of DNS is typically the browser, which is why all the usual suspects are leading the charge in terms of DoH adoption. This movement has considerable steam behind it and has extended beyond just applications as Microsoft, Apple and Google have all announced their intent to support DoH.

Encrypting DNS requests is an indisputable win for privacy-minded consumers looking to prevent their ISPs from snooping on and monetizing their browsing habits. Businesses, on the other hand, should not easily surrender this visibility since managing these requests adds value, helping to keep users from navigating to sites known to host malware and other threats.

Here are three examples of how.

1.  By enhancing DNS logging control

Businesses have varying motivations for tracking online behavior. For persistently troublesome users—those who continuously navigate to risky sites—it’s beneficial to exert some control over their network use or even provide some training on what it takes to stay safe online. It can also be useful in times of problematic productivity dips by helping to tell if users are spending inordinate amounts of time on social media, say.

On the other hand, for CEOs and other strategic business units, tracking online activity can be cause for privacy concerns. Too much detail into the network traffic of a unit tasked with investigating mergers and acquisitions may be unwanted, for example.

“If I’m the CEO of a company, I don’t want people paying attention to where I go on the internet,” says Webroot DNS expert Jonathan Barnett. “I don’t want people to know of potential deals I’m investigating before they become public.”

Logging too much user information can also be problematic from a data privacy perspective. Collecting or storing this information in areas with stricter laws, as in the European Union, can unnecessarily burden organizations with red tape.

“Essentially it exposes businesses to requirements concerning how they’re going to use that data, who has access to it and how long that data is preserved” says Barnett.

By optionally never logging user information and backing off DNS logging except when a request is deemed a security threat, companies maintain both privacy and security.

2. By allowing devices to echo locally

With DoH, visibility of DNS requests is challenging. The cumulative DNS requests made on a network help to enhance its security as tools such as SIEMs and firewalls leverage these requests by controlling access as well as corelating the requests with other logs and occurrences on the network. 

“Let’s say I’m on my network at the office and I make a DNS request,” explains Barnett. “I may want my DNS request to be seen by the network as well as fielded by my DNS filtering service. The network gets value out of DNS. If I see inappropriate DNS requests I can go and address the user or fix the device.”

Continuing to expose these DNS requests through an echo to the local network provides this, while the actual requests are secure and encrypted by the DNS protection agent using DoH. This option achieves the best of both worlds by adding the security of DoH to the security of the local network.

3. By allowing agents to fail open

DNS is instrumental to the functionality of the internet. So, the question is, what do we do when a filtered answer is not available? By failing over to the local network, it’s assured that the internet continues to function. However, there are times when filtering and privacy are more important than connectivity. Being able to choose if DNS requests can leak out to the local network helps you stay in control by choosing which is a priority.

 “Fail open functionality essentially allows admins to make a tradeoff between the protection offered by DNS filtering and the productivity hit that inevitably accompanies a lack of internet access,” says Barnett.

Privacy your way

The encryption of DoH enables options for fine-tuning privacy preferences while preserving the security benefits of DNS filtering. Those that must comply with the needs of privacy-centric users now have control over what is revealed and what is logged, while maintaining the benefits of communicating using DoH.

Click here to read related blogs covering the transition to DNS over HTTPS.

It’s Time to Talk Seriously About Deepfakes and Misinformation

Like many of the technologies we discuss on this blog—think phishing scams or chatbots—deepfakes aren’t necessarily new. They’re just getting a whole lot better. And that has scary implications for both private citizens and businesses alike.

The term “deepfakes,” coined by a Reddit user in 2017, was initially most often associated with pornography. A once highly trafficked and now banned subreddit was largely responsible for developing deepfakes into easily created and highly believable adult videos.

“This is no longer rocket science,” an AI researcher told Vice’s Motherboard in an early story on the problem of AI-assisted deepfakes being used to splice celebrities into pornographic videos.

The increasing ease with which deepfakes can be created also troubles Kelvin Murray, a senior threat researcher at Webroot.

“The advancements in getting machines to recognize and mimic faces, voices, accents, speech patterns and even music are accelerating at an alarming rate,” he says. “Deepfakes started out as a subreddit, but now there are tools that allow you to manipulate faces available right there on your smartphone.”

While creating deepfakes used to require good hardware and a sophisticated skillset, app stores are now overflowing with options creating them. In terms of technology, they’re simply a specific application of machine learning technology, says Murray.

“The basics of any AI system is that if you throw enough information at it, itcan pick it up. It can mimic it. So, if you give it enough video, it can mimic a person’s face. If you give it enough recordings of a person, it can mimic that person’s voice.”

There are several ways deepfakes threaten to redefine the way we live and conduct business online.

Deepfakes as a threat to privacy

A stolen credit card can be cancelled. A stolen identity, especially when it’s a mimicked personal attribute, is much more difficult to recover. The hack of a firm dedicated to developing facial recognition technology, for instance, could be a devastating source of deepfakes.

“So many apps, sites and platforms host so many videos and recordings today. What happens when they get hacked? Will the breach of a social media platform allow a hacker to impersonate you,” asks Murray.

Businesses must be especially careful about the data they collect from customers or users, asking both if it’s necessary to collect and if it can be stored safely afterwards. If personal data must be collected, security must be a top priority, and not only for ethical reasons. Governments are starting to enact some strict regulations and doling out some stiff fines for data breaches.

Ultimately, Murray thinks those governments may need to weigh in more heavily on the threat of deepfakes as they become even more indistinguishable from reality.

“We’re not going to stop this technology. It’s here. But people need to have the discussion about where we’re heading. In the same way GDPR was created to protect people’s data, we’re going to need to have a similar conversation about deepfakes leading to a different kind of identity theft.”

Deepfakes as a cybersecurity threat to businesses

It’s important to note the ways in which deepfakes can be used to target businesses, not just to spoof individuals.

“These business-related instances aren’t too common yet,” says Murray. “But we’re at the beginning of a wave right now in terms of AI-enabled threats against businesses.

A late 2019 attack against a U.K. energy firm could be a sign of scary things to come. Rather than video, this attack took advantage of voice-spoofing technology to pose as an executive’s manager, insisting he wire nearly $250 thousand to a “supplier” immediately. In the aftermath of the scam, the victim reported being convinced by both the accent and the rhythm of the fake speech pattern.

To safeguard against what could be a rising attack method, Murray recommends businesses understand what deepfakes are capable of and follow best practices for avoiding fraud, no matter the technology.

“Have well-defined protocol for changing account details and signing off on any invoices,” he advises “Train financial and accounting teams especially rigorously on these protocols and encourage them to pick up the phone and double-check when anything seems strange or off. In these days of increased working from home it’s also tougher for financial staff to walk up to other finance or sales colleagues and make informal double checks.”

Deepfakes and misinformation campaigns

Soon after deepfakes went mainstream, implications for politics and the weaponization of misinformation became clear, prompting the U.S. Senate to address the issue in 2018.

While initially used to humiliate or extort people, mostly women, malicious actors began to see them as a way to sway public opinion or sow chaos. Deeptrace, a company dedicated to uncovering deepfakes, has noted instances where manipulated video was used to promote social discord and scandal across the globe.

“Deepfakes further undermine our ability to believe what we read, and now even watch, on the internet,” says Murray. This leads to widespread distrust, especially on issues where understanding is crucial, like the coronavirus pandemic, where misinformation is bountiful.

To combat misinformation, Murray advises to keep in mind how much of it is out there. Always consider the source of the information you’ve received before acting on it, especially if it makes you angry or elicits some other strong emotional response.

Deepfakes will likely make the internet even more difficult to rely on as a source of information in the years to come. But reducing their impact starts with understanding how far they’ve come and what they’re capable of.

To learn more on Deepfakes and misinformation, listen to the podcast.

False Confidence is the Opposite of Cyber Resilience

Have you ever met a person who thinks they know it all? Or maybe you’ve occasionally been that person in your own life? No shame and no shade intended – it’s great (and important) to be confident about your skills. And in cases where you know your stuff, we encourage you to keep using your knowledge to help enhance the lives and experiences of the people around you.

But there’s a big difference between being reasonably confident and having false confidence, as we saw in our recent global survey. Featured in the report COVID-19 Clicks: How Phishing Capitalized on a Global Crisis, the survey data shows that, all over the world, people are pretty confident about their ability to keep themselves and their data safe online. Unfortunately, people are also still getting phished and social engineering tactics aimed at employees are still a major way that cybercriminals successfully breach businesses. These data points strongly suggest that we aren’t all being quite as cyber-safe as we think.

Overconfidence by the Numbers

Approximately 3 in 5 people (59%) worldwide think they know enough to stay safe online.

You may think 59% doesn’t sound high enough to earn the label of “false confidence”. But there were two outliers in our survey who dragged the average down significantly (France and Japan, with only 44% and 26% confidence, respectively). If you only take the average of the five other countries surveyed (the US, UK, Australia/New Zealand, Germany and Italy), it’s a full ten percentage points higher at 69%. UK respondents had the highest level of confidence out of all seven regions surveyed with 75%.

8 in 10 people say they take steps to determine if an email message is malicious.

Yet 3 in 4 open emails and click links from unknown senders.

When so many of us claim to know what to do to stay safe online (and even say we take steps to determine the potential sketchiness of our emails), why are we still getting phished? We asked Dr. Prashanth Rajivan, assistant professor at the University of Washington and expert in human behavior and technology, for his take on the matter. He had two important points to make.

Individualism

According to Dr. Rajivan, it’s important to note that Japan had the lowest level of confidence about their cybersecurity know-how (only 26%), but the survey showed they also had the lowest rate of falling victim to phishing (16%). He pointed out that countries with more individualistic cultures seem to align with countries who ranked themselves highly on their ability to keep themselves and their data safe.

“When people adopt a less individualistic mindset and, instead, perceive themselves to have a greater responsibility to others, their average level of willingness to take risks decreases. This is especially important to note for businesses that want to have a cyber-aware culture.”

– Prashanth Rajivan, Ph.D.

The Dunning-Kruger Effect

Another factor Dr. Rajivan says may contribute to overconfidence in one’s ability to spot phishing attacks might be a psychological phenomenon called the “Dunning-Kruger Effect”. The Dunning-Kruger Effect refers to a cognitive bias in which people who are less skilled at a given task tend to be overconfident in their ability, i.e. we tend to overestimate our capabilities in areas where we are actually less capable.

How These Numbers Affect Businesses

Only 14% of workers feel that a company’s cyber resilience is a responsibility all employees share.

The correlations between overconfidence and individualism may also translate into a mentality that workers are not responsible for their own cybersecurity during work hours. While 63% of workers surveyed agree that a cyber resilience strategy that includes both security tools and employee education should be a top priority for any business, only 14% felt that cyber resilience was a shared responsibility for all employees.

How to Create a Cyber Aware Culture

The short answer: a strong combination of employee training and tools.

The long answer: when asked what would help them feel better prepared to avoid phishing and prevent cyberattacks, workers worldwide agreed that their employers need to invest more heavily in training and education, in addition to strong cybersecurity tools. Dr. Rajivan also agrees, stating that, if employers want to build cybersecurity awareness into their business culture, then they need to invest heavily in their people.

“By creating a feeling of personal investment in the individuals who make up a company, you encourage the employees to return that feeling of investment toward their workplace. That’s a huge part of ensuring that cybersecurity is part of the culture. Additionally, if we want to enable employees to assess risk properly, we need to cut down on uncertainty and blurring of context lines. That means both educating employees and ensuring we take steps to minimize the ways in which work and personal life get intertwined.”

– Prashanth Rajivan, Ph.D.

Additionally, he tells us, “Human behavior is shaped by past experiences, consequences and reinforcement. To see a real change in human behavior related to phishing and online risk-taking habits in general, people need frequent and varied experiences PLUS appropriate feedback that incentivizes good behavior.”

Ultimately, the importance of training can’t be emphasized enough. According to real-world data from customers using Webroot® Security Awareness Training, which provides both training courses and easy-to-run, customizable phishing simulations, consistent training can reduce click rates on phishing scams by up to 86.5%.

It’s clear a little training can go a long way. If you want to increase cyber resilience, you have to minimize dangerous false confidence. And to do that, you need to empower your workforce with the tools and training they need to confidently (and correctly) make strong, secure decisions about what they do and don’t click online.

Learn more about Security Awareness Training programs.

Cyber Resilience for Business Continuity

“Ten years ago, you didn’t see state actors attacking [small businesses]. But it’s happening now,” warns George Anderson, product marketing director at Carbonite + Webroot, OpenText companies.

Sadly, many of today’s managed service providers who serve small and medium-sized businesses now have to concern themselves with these very threats. Independent and state-sponsored hacking groups use sophisticated hacking tools (advanced persistent threats or APTs), to gain unauthorized access to networks and computers, often going undetected for months or even years at a time. In fact, according to the 2020 Verizon Data Breach Investigations Report, cyber-espionage is among the top patterns associated with breaches targeting businesses worldwide.

These attacks can be difficult even for highly sophisticated enterprise security teams to detect, stop or recover from. But all businesses, no matter their size, must be ready for them. As such, MSPs, themselves ranging in size from a few techs to a few hundred professionals, may find they need help protecting their SMB customers from APTs; that’s on top of the consistent onslaught of threats from ordinary, profit-motivated cyberattackers. That’s where the concept of cyber resilience comes in.

What does cyber resilience look like?

“Being [cyber] resilient – knowing that even if you’re knocked offline you can recover quickly – is essential for today’s businesses,” George says.

The reality is that today’s organizations have to accept a breach is pretty much inevitable. Their level of cyber resilience is the measure of the organization’s ability to keep the business running and get back to normal quickly. “It’s being able to absorb punches and get back on your feet, no matter what threatens,” as George put it in a recent podcast with Joe Panettieri, co-founder MSSP Alert & ChannelE2E.

Read more about how businesses can build a cyber resilient company culture.

How can businesses and MSPs achieve cyber resilience?

Because cyber resilience is about both defending against attacks and preparing for their inescapability,  a major component in a strong resilience strategy is the breadth of coverage a business has. In particular, having tested and proven backup and disaster recovery solutions in place is the first step in surviving a breach. If a business has reliable, real-time (or near real-time) recovery capabilities, then in the event of an attack, they could make it through barely skipping a beat.

Now, George has clarified that “no single solution can offer complete immunity against cyberattacks on its own.” To reduce the risk of events like data loss from accidental deletion, device theft or hardware failure, your clients need multiple layers of protection that secure their devices and data from multiple angles. Here are George’s top data protection tips:

Ultimately, George says ensuring business continuity for MSPs and the businesses they serve through comprehensive cyber resilience solutions is the primary goal of the Carbonite + Webroot division of OpenText.

“We want to up the advocacy and stop attacks from happening as much as we possibly can.  At  the  same time, when they inevitably do happen, we want to be able to help MSPs recover and limit lost time, reputation damage, and financial impact so businesses can keep functioning.”

To learn more about cyber resilience, click here.

MSP Insight: Netstar Shares Cyber Resilience Strategies for Remote Work

Guest blog by Mit Patel, Managing Director of London based IT Support company, Netstar.

In this article, Webroot sits down with Mit Patel, Managing Director of London-based MSP partner, Netstar, to discuss the topic of remote work during a pandemic and tips to stay cyber resilient.

Why is it important to be cyber resilient, specifically when working remote?

It’s always important to be cyber resilient, but a lot has changed since the start of the COVID-19 lockdown that needs to be taken into consideration.

Remote work has posed new problems for businesses when it comes to keeping data secure. Since the start of lockdown, there has been a significant increase in phishing scams, ransomware attacks and malicious activity. Scammers now have more time to innovate and are using the widespread anxiety of coronavirus to target vulnerable people and businesses.

Moreover, the sudden shift in working practices makes the pandemic a prime time for cyber-attacks. Employees can no longer lean over to ask a colleague if they are unsure about the legitimacy of an email or web page. Instead, they need to be confident in their ability to spot and avoid potential security breaches without assistance.

Remote work represents a significant change that can’t be ignored when it comes to the security of your business. Instead, businesses need to be extra vigilant and prioritise their cyber resilience.

What does cyber resilience mean to you?

It’s important to differentiate between cyber resilience and cyber security. Cyber security is a component of cyber resilience, referring to the technologies and processes designed to prevent cyber-attacks. Whereas, I believe cyber resilience goes a step further, referring to the ability to prevent, manage and respond to cyber threats. Cyber resilience recognises that breaches can and do happen, finding effective solutions that mean businesses recover quickly and maintain functionality. The main components of cyber resilience include, training, blocking, protecting, backing up and recovering. When all these components are optimised, your cyber resilience will be strong, and your business will be protected and prepared for any potential cyber threats.

Can you share some proactive methods for staying cyber resilient when working remote?

Absolutely. But it’s important to note that no solution is 100% safe and that a layered approach to IT security is necessary to maximise protection and futureproof your business.

Get the right antivirus software. Standard antivirus software often isn’t enough to fully protect against viruses. Businesses need to consider more meticulous and comprehensive methods. One of our clients, a licensed insolvency practitioner, emphasized their need for software that will ensure data is protected and cyber security is maximised. As such, we implemented Webroot SecureAnywhere AnitVirus, receiving excellent client feedback, whereby the client stressed that they can now operate safe in the knowledge that their data is secure.

Protect your network. DNS Protection is a critical layer for your cyber resilience strategy. DNS will protect you against threats such as malicious links, hacked legitimate websites, phishing attacks, CryptoLocker and other ransomware attacks. We have implemented DNS Protection for many of our clients, including an asset management company that wanted to achieve secure networks with remote working capability. In light of the current remote working situation, DNS Protection should be a key consideration for any financial business looking to enhance their cyber resilience.

Ensure that you have a strong password policy. Keeping your passwords safe is fundamental for effective cyber resilience, but it may not be as simple as you think. Start by making sure that you and your team know what constitutes a strong password. At Netstar, we recommend having a password that:

  • Is over 10 characters long
  • Contains a combination of numbers, letters and symbols
  • Is unpredictable with no identifiable words (even if numbers or symbols are substituted for letters)

You should also have different passwords for different logins, so that if your security is compromised for any reason, hackers can only access one platform. To fully optimise your password policy, you need to consider multi-factor authentication. Multi-factor authentication goes a step further than the traditional username-password login. It requires multiple forms of identification in order to access a certain email account, website, CRM etc. This will include at least two of the following:

  • Something you know (e.g. a password)
  • Something you have (e.g. an ID badge)
  • Something you are (e.g. a fingerprint)

Ensure that you have secure tools for communication. Collaboration tools, like Microsoft Teams, are essential for remote working. They allow you to communicate with individuals, within teams and company-wide via audio calls, video calls and chat.

When it comes to cyber resilience, it’s essential that your team know what is expected of them. You should utilise collaboration tools to outline clear remote working guidance to all employees. For example, we would recommend discouraging employees from using personal devices for work purposes. The antivirus software installed on these devices is unlikely to be of the same quality as the software installed on work devices, so it could put your business at risk.

Furthermore, you need to be confident that your employees can recognise and deal with potential security threats without assistance. Individuals can no longer lean across to ask a colleague if they’re unsure of the legitimacy of something. They need to be able to do this alone. Security awareness training is a great solution for this. It will teach your team about the potential breaches to look out for and how to deal with them. This will cover a range of topics including, email phishing, social media scams, remote working risks and much more. Moreover, courses are often added and updated, meaning that your staff will be up to date with the latest scams and cyber threats.

Implement an effective backup and disaster recovery strategy

Even with every preventive measure in place, things can go wrong, and preparing for disaster is crucial for effective cyber resilience.

In fact, a lot of companies that lose data because of an unexpected disaster go out of business within just two years, which is why implementing an effective backup and disaster recovery strategy is a vital layer for your cyber resilience strategy.

First, we advise storing and backing up data using an online cloud-based system. When files are stored on the cloud, they are accessible from any device at any time. This is particularly important for remote working; it means that employees can collaborate on projects and access necessary information quickly and easily. It also means that, if your device is wiped or you lose your data, you can simply log in to your cloud computing platform and access anything you might need. Thus, data can easily be restored, and you’re protected from potential data loss.

Overall, disaster recovery plans should focus on keeping irreplaceable data safe. Consider what would happen to your data in the event of a disaster. If your office burned down, would you be confident that all your data would be protected?

You should be working with an IT support partner that can devise an effective and efficient disaster recovery plan for your business. This should set out realistic expectations for recovery time and align with your insurance policy to protect any loss of income. Their goal should be to get your business back up and running as quickly as possible, and to a high standard (you don’t want an IT support partner that cuts corners). Lastly, your IT support provider should regularly test your strategy, making sure that if disaster did occur, they could quickly and effectively restore the functionality of your business.

What else should fellow MSPs keep in mind during this trying time?

In the last four years, cyber resilience has become increasingly important; there are so many more threats out there, and so much valuable information that needs protecting.

We have happy clients because their machines run quickly, they experience less IT downtime, and they rarely encounter viruses or malicious activity. We know that we need to fix customers’ problems quickly, while also ensuring that problems don’t happen in the first place. Innovation is incredibly important to us, which is why we’ve placed a real focus on proactive client advisory over the last 24 months.

That’s where a strong cyber resilience strategy comes into play. MSPs need to be able to manage day-to-day IT queries, while also focusing on how technology can help their clients grow and succeed in the future.There is plenty of advice around the nuts and bolts of IT but it’s the advisory that gives clients the most value. As such, MSPs should ensure they think like a customer and make technological suggestions that facilitate overall business success for their clients.

Unexpected Side Effects: How COVID-19 Affected our Click Habits

Phishing has been around for ages and continues to be one of the most common threats that businesses and home users face today. But it’s not like we haven’t all been hearing about the dangers of phishing for years. So why do people still click?

That’s what we wanted to find out when we conducted our most recent survey. We checked in with thousands of office workers across seven different countries to get a global perspective on phishing and people’s individual click habits. Then we partnered with Dr. Prashanth Rajivan, assistant professor at the University of Washington, to gain a deeper understanding of phishing and those habits, as well as how things have shifted during COVID-19 in our new report: COVID-19 Clicks: How Phishing Capitalized on a Global Crisis.

In this blog post, we’ve summarized this comprehensive report and included tips for how to stay safe, but we strongly encourage you to check out the full writeup.

Why do people still click?

3 in 10 people worldwide clicked a phishing link in the past year. Among Americans, it’s 1 in 3.

According to Dr. Rajivan, what we need to consider is that human beings aren’t necessarily good at dealing with uncertainty, which is part of why cybercriminals capitalize on upheaval (such as a global pandemic) to launch attacks.

“People aren’t great at handling uncertainty. Even those of us who know we shouldn’t click on emails from unknown senders may feel uncertain and click anyway. That’s because we’ve likely all clicked these kinds of emails in the past and gotten a positive reward. The probability of long-term risk vs. short-term reward, coupled with uncertainty, is a recipe for poor decision-making, or, in this case, clicking what you shouldn’t.”

– Prashanth Rajivan, Ph.D.

Tip # 1

  • For businesses: Ensure workers have clear distinctions between work and personal time, devices, and obligations. This helps reduce the amount of uncertainty that can ultimately lead to phishing-related breaches.
  • For individuals: Hackers often exploit security holes in older software versions and operating systems. Update software and systems regularly to help shut the door on malware.

Has phishing increased since COVID-19 began

At least one in five people have received a phishing email related to COVID-19.

There’s no doubt that the global COVID-19 pandemic has changed a lot about how we live and work. According to our survey, 54% of workers spend more time working from home than they did before the pandemic. With more people connecting to the internet outside of corporate networks and away from the watchful eyes of IT teams, it’s to be expected that cybercriminals would take advantage.

“[We’ve seen] massive spikes […] in phishing URLs targeting COVID-related topics. For example, with more people spending time at home, use of streaming services has gone up. In March alone, we saw a 3000% increase in phishing URLs with ‘youtube’ in the name.

– Grayson Milbourne, security intelligence director, Carbonite + Webroot, OpenText Companies

Regardless, the majority of people surveyed still think they are at least the same level of prepared or more prepared to spot phishing email attempts, now that they’ve spent more time working from home

“People are taking increased physical safety measures in the pandemic, including mask wearing, social distancing, more frequent hand-washing, etc. I think this heightened level of precaution and awareness could cause people to slightly overestimate their overall safety, including their safety regarding online threats.”

– Prashanth Rajivan, Ph.D.

Tip #2

  • For businesses: Know your risk factors and over prepare. Once you’ve assessed the risks, you can create a stronger data breach response plan.
  • For individuals: Stay on your toes. By being vigilant and maintaining a healthy dose of suspicion about all links and attachments in messages, you can significantly decrease your phishing risk.

People say they know better. Do they really?

81% of people say they take steps to determine if an email message is malicious. Yet 76% open emails and click links from unknown senders.

When we asked Dr. Rajivan why these numbers don’t line up, he said the difference is between knowing what you should do and actually doing it

“There are huge differences between knowing what to do and actually operationalizing that knowledge in appropriate scenarios. I suspect many people don’t really take the actions they reported, at least not on a regular basis, when they receive suspicious emails.”

– Prashanth Rajivan, Ph.D.

Tip #3

  • For businesses: Back up data and ensure employees can access and retrieve data no matter where they are. Accidents happen; what matters most is being able to recover quickly and effectively. Don’t forget to back up collaboration tools too, such as Microsoft® Teams and the Microsoft® 365 suite.
  • For individuals: Make sure important data and files are backed up to secure cloud storage or an external hard drive. In the case of a hard drive, make sure it’s only connected while backing up, so you don’t risk backing up infected or encrypted files. If it’s a cloud back up, use the kind that lets you to restore to a specific file version or point in time.

What’s the way forward?

All over the world, workers say that in order to be better prepared to handle cyberattacks, they need more education.

According to global respondents, more knowledge and better understanding is key for stronger cyber resilience. The top three things people everywhere said would help them better prepare themselves to handle cyber threats like phishing were: knowing which tools could help prevent an attack, knowing what to do if you fall victim to an attack, and understanding the most common types of attacks.

Dr. Rajivan points out that, if businesses are asking individuals to make changes to their own behavior for the greater safety of all, then they need to make it clear they are willing to invest in their people.

“By creating a feeling of personal investment in the individuals who make up a company, you encourage the employees to return that feeling of investment toward their workplace. That’s a huge part of ensuring that cybersecurity is part of the culture. Additionally, if we want to enable employees to assess risk properly, we need to cut down on uncertainty and blurring of context lines. That means both educating employees and ensuring we take steps to minimize the ways in which work and personal life get intertwined.”

– Prashanth Rajivan, Ph.D.

Tip #4

  • For businesses: Invest in your people. Empower your people with regular training to help them successfully avoid scams and exercise appropriate caution online.
  • For individuals: Educate yourself. Even if your company provides training, Dr. Rajivan recommends we all subscribe to cybersecurity-related content in the form of podcasts, social media, blogs, and reputable information sources to help keep strong, cyber resilient behavior top-of-mind.

Want more details on click habits and shifting risks during COVID-19?
Read our full report, COVID-19 Clicks: How Phishing Capitalized on a Global Crisis, to start building out your cybersecurity education today. And be sure to check back here on the Webroot blog for the latest in news in phishing prevention.          

Key Considerations When Selecting a Web Classification Vendor

Since launching our web classification service in 2006, we’ve seen tremendous interest in our threat and web classification services, along with an evolution of the types and sizes of cybersecurity vendors and service providers looking to integrate this type of curated data into their product or service. Over the years, we’ve had the good fortune to work with partners of all sizes, from global networking and security vendors to innovative and dynamic start-ups across the world.

With the end-of-life of Broadcom’s Symantec RuleSpace OEM Web Classification service, we’ve received numerous inquiries from their former customers evaluating alternative solutions. Here we’ll outline the things to consider in a replacement. For more on why Webroot is poised to fill the gap left by the Broadcom, you can read the complete whitepaper here.

Your use case: how well does it align with the vendor?

Each use case is unique. Every vendor or service provider brings its own benefit to market and has its own idea about how their service or solution adds value for customers, clients or prospects. That’s why our adaptive business model focuses on consulting with partners on technical implementation options, spending the time to understand each business and how it may benefit from a well-architected integration of classification and/or intelligence services.

Longevity and track record

A key factor influencing change on the internet is innovation. Every service provider is continuously enhancing and improving its services to keep pace with changes in the threat landscape, and with general changes to the internet itself. As well as keeping up with this change, it’s important that a vendor brings a historical perspective to the partnership. This experience will come in handy in many ways. Scalability, reliability and overall business resilience should be expected from a well-established vendor.

Industry recognition

Fair comparative evaluations of web classification and threat intelligence providers are difficult to achieve. We can offer guidance to prospective partners, but it’s often more reassuring to simply see the strong partner relationships we have today. Many of these we’ve worked with for well over a decade. When evaluating a vendor, we recommend looking closely at current partners and imagining the investments each have made in their integrated solutions. This speaks volumes about integration performance and the quality of the partnership.

Technology platform

A classification or threat dataset is only as good its sources and the analytics used to parse it. Many companies offer classification and/or threat intelligence data, but the quality of that data varies significantly.

Threat Intelligence Capabilities

Not all our partners’ use cases require threat intelligence, but for those that do it’s critical they understand where their threat data comes from. There are now a great many sources of threat data, but again these are far from equal. Worse still, comparing source is often no simple task.

Ease of integration

As mentioned, every use case is unique. So are the platforms into which web classification, malware detection and threat intelligence services are integrated. It’s therefore crucial that a vendor provide flexible integration options to accommodate any pioneering partner, service provider or systems integrator. Simply providing data via an API is useful, but will it always deliver the performance required for real-time applications?  Delivering a local database of threats or classifications may help with performance, but what about new threats? Achieving a balance of flexible delivery, performance and security is crucial, so take time to discuss with potential vendors how they plan to deliver.

Phishing detection

Phishing sites are some of the most dynamic and short-lived attack platforms on the web, so intelligence sources must be capable of detecting and tracking them in real-time. Most phishing intelligence sources depend on manual submissions of phishing sites by end users. This is far from ideal. Users are prone to error, and for every 10,000 users who click on a phishing site only one will report it to an authority or tracking service, leading to massive under-reporting of this threat vector.

Category coverage: beware category overload

There are various approaches to classifying the web and different vendors specialize in different areas. In many cases, this is determined by the data sources they have access to or the markets in which they operate. Again, it’s important to evaluate the partners to whom the vendor is delivering services and to consider how the vendor may or may not add value to the partnership. 

Efficacy and performance

Efficacy is fundamental to web classification or threat detection capabilities, so it should be a core criterion when evaluating a vendor. Depending on the use case, false positives or false negatives may be the primary concern when making determinations. Potential vendors should be evaluated for performance in these areas and asked how they approach continuous improvement.

Reliability

Building any third-party service or solution into a product, platform or service entails risk. There’s always the chance the new dependency negatively affects the performance or user experience of a service. So it’s importance to ensure a vendor can reliably deliver consistent performance. Examine each’s track record and customers base, along with the use cases they’ve previously implemented. Do the vendor’s claims match the available evidence? Can current customers be contacted about their experiences with the vendor?

Scalability

In assessing vendors, it can be difficult to determine the level of scalability possible with their platform. It helps to ask questions about how they build and operate their services and looking for examples where they’ve responded to unexpected growth events that can help demonstrate the scaling capabilities of their platform. Be wary of smaller or upstart vendors that may have difficulty when their platform is heavily loaded or when called upon to grow faster than their existing implementation allows.

Flexibility

Some solutions may look technically sound, easily accessible and well-documented while a mutually agreeable business model remains elusive. Conversely, an agreeable business model may not be backed by the efficacy or quality of service that desired from a chosen vendor.

Feedback loops: making the best better

We’re often approached by contacts asking us for a “feed” of some kind. It may be a feed of threat data, malware information or classifications. In fact, many of our competitors simply push data for customers or partners to consume as their “product.” But this approach has inherent weaknesses.

Partnership: not just a customer relationship

As mentioned, we seek to build strong partnerships with mutual long-term benefit. Look for this approach when considering a vendor, knowing you’ll likely be working with them for a long time and fewer changes to your vendor lineup mean more time optimizing your products and services. Ask yourself: Who will we be working with? Do we trust them? How easy are they to get ahold of? These are critical considerations when selecting a vendor for your business.

Summary

We hope to have provided some food for thought when it comes to selecting an integration partner. To read the full whitepaper version of this blog, please click here. We’re always standing by to discuss prospective clients’ needs and to provide any possible guidance regarding our services. We’re here to help you craft the best possible solutions and services. Please contact us to take the next step towards an even more successful