Nothing happened yesterday.
Of course that’s not true. A massive ransomware infection took over computers in 99 countries, including systems at the National Health Service in Great Britain. Lives were put at risk. Deadlines were missed. The cost of yesterday’s attack hasn’t been measured yet, but it will be in the billions.
For us, and for our customers, it was a normal day. We voted on what to order for lunch. To my chagrin, the fried chicken place won again and we will have to try again for seafood next week. That was the worst thing that happened all day. We worked through the normal volume of printer issues and forgotten passwords that would come in on a Friday, and then everyone went home.
Were we just lucky? Why are we sitting around eating poultry while the rest of the world seems to be in turmoil?
It seems like this might be an opportunity to explain why we had a boring day, and why we expect more of them in the future.
1. Patch Management – our customers have a tiny bear in their system tray. He fetches the security updates from Microsoft and other vendors, and after we approve them, he forces every system we manage to install them. People complain about this all the time, because sometimes these updates require restarting. Sometimes the connection slows when the files are transferring or installing. But here’s the thing – every time a patch is released, it’s an advertisement to criminals that there’s a way to break things. If we ignored these updates, we might have had a much more exciting day.
2. Endpoint Security – When crypto-ransomware came on the stage, making malware became a much more lucrative enterprise for criminals. We noticed that the endpoint security product we had invested in was not great at stopping it. In our view, definition-based antivirus is almost worthless now, because all the attacks are zero-day exploits. Some of them are built to attack a specific company on the day they are released. Paying for access to a list of “bad files” made sense when there were a few new attacks each week, but now there are thousands of new ones each day.
Our project manager wanted us to look at a product called Cylance. When I saw a Cylance engineer at Peet’s coffee wearing a sweatshirt that said “antivirus is dead”, I was intrigued. Today, we have a direct relationship with Cylance. Their software uses artificial intelligence to look at what programs want to do, not just who signed the code. This means that if Microsoft Word started attacking our customers’ systems, it would be locked down instantly. Since we switched all of our customers to Cylance, we’ve had exactly one exploit get by in the last two years. Everyone in the endpoint security market is trying to replicate what they’ve done. The work that Cylance is doing right here in Irvine, California has given us a very powerful weapon in the arms race against cyber-criminals. Obviously we deploy this on every endpoint we manage. In fact, we have a script that checks every system, every day, to make sure Cylance is installed. If a system is found to be unprotected, the software is pushed automatically. This software is not yet available to the public, and neither is their stock, but when Stuart takes it public, you’ll want to get in early.
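The daily coverage check described above, as an added example written for this post and not the provider's own script or anything shipped by Cylance. It looks up a named product in the machine's uninstall registry keys, confirms its service is running, records the result, and, only when run with -Remediate, launches an installer and re-checks. The product display name, service name and installer path are placeholders; the page does not give the real identifiers, so substitute your own.

```powershell
# Added example: endpoint protection coverage check with optional remediation.
# ProductDisplayName, ServiceName and InstallerPath are PLACEHOLDERS, not the
# real names used by Cylance or the provider in the post.
param(
    [string]$ProductDisplayName = 'EXAMPLE-ENDPOINT-PROTECTION',
    [string]$ServiceName        = 'ExampleEppService',
    [string]$InstallerPath      = '\\deploy\share\epp-installer.msi',
    [string]$ReportPath         = "$env:ProgramData\epp-coverage.csv",
    [switch]$Remediate
)

function Test-EndpointProtection {
    # Look in both the 64-bit and 32-bit (WOW6432Node) uninstall views so a
    # 32-bit agent on a 64-bit host is not reported as missing.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "$ProductDisplayName*" } |
        Select-Object -First 1

    # Installed but stopped is still unprotected, so the service state is part
    # of the compliance decision, not just the registry entry.
    $service = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Installed    = [bool]$installed
        Version      = if ($installed) { $installed.DisplayVersion } else { $null }
        ServiceState = if ($service) { $service.Status.ToString() } else { 'Missing' }
        Compliant    = [bool]($installed -and $service -and $service.Status -eq 'Running')
        CheckedAt    = (Get-Date).ToString('o')
    }
}

function Invoke-EndpointProtectionInstall {
    # Silent MSI install; the path is a placeholder share. Returns the
    # msiexec exit code so the caller can tell a failed push from a stopped
    # service.
    if (-not (Test-Path -Path $InstallerPath)) {
        Write-Warning "Installer not found at $InstallerPath"
        return 2
    }
    $proc = Start-Process -FilePath 'msiexec.exe' `
        -ArgumentList "/i `"$InstallerPath`" /qn /norestart" `
        -Wait -PassThru
    return $proc.ExitCode
}

# Main flow: check, log, optionally remediate, then check again so the log
# shows whether the push actually restored coverage.
$result = Test-EndpointProtection
$result | Export-Csv -Path $ReportPath -Append -NoTypeInformation

if (-not $result.Compliant) {
    Write-Warning "$($result.ComputerName) is unprotected: $($result.ServiceState)"
    if ($Remediate) {
        $exit = Invoke-EndpointProtectionInstall
        Write-Host "Installer exit code: $exit"
        $after = Test-EndpointProtection
        $after | Export-Csv -Path $ReportPath -Append -NoTypeInformation
        if (-not $after.Compliant) {
            Write-Warning "Remediation did not restore coverage on $($after.ComputerName)"
            exit 1
        }
    } else {
        exit 1
    }
}
Write-Host "$($result.ComputerName) is protected (version $($result.Version))"
```

Run it from a daily scheduled task under an account that can read HKLM and start msiexec; without -Remediate it only reports, which is the safer default for the first rollout, and the non-zero exit code lets the management platform flag hosts that stay unprotected.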
3. Email Security – Every message that’s sent to one of our managed customers goes through a gateway first. Messages containing known malware are dropped before they get to our customers’ email servers. This always surprises people: 75% of the email we process is spam. Occasionally a customer will ask us why they received one or two unwanted emails. We enjoy meeting unrealistic expectations.
4. Backup – Let’s say someone successfully executes ransomware on one of the systems we manage. Our server backup vendor, Datto, also has algorithmic detection for encrypting ransomware, and in the event that we’re ever caught flat-footed, we can recall an earlier version of the filesystem from before it was attacked. Furthermore, if someone in a hockey mask attacks the server closet with a pickaxe, we can spin up virtual copies of our customers’ servers in the cloud and run them for weeks while we order new hardware. This would be mildly annoying. Please don’t do that.
We are fond of saying that we use technology to move information to help people. Let us know if you encounter someone who would like to work with a less exciting technology provider.