My good friends and former colleagues over at Huntress, a managed detection and response (MDR) vendor, recently made a generous donation to the DIVD Bug Bounty program, encouraging other vendors in the MSP community to follow suit, and Blumira is proud to join them in this effort with a $5,000 donation.
The Dutch Institute for Vulnerability Disclosure (DIVD) is a volunteer-led organization of security researchers who analyze and report vulnerabilities on a global level. Organizations like these are becoming increasingly crucial. Shout-out to our friend Kelvin Tegalaar, who helped connect Huntress with his friends at DIVD to help make this happen!
2021 introduced several high-profile attacks and severe, widespread vulnerabilities that sent MSPs and SMBs scrambling to remediate them. MSP software vendors are increasingly in the news for the wrong reasons. Many MSP-focused software companies flew under the hacker radar for a long time, allowing for years of tech debt to pile up.
As the MSP industry grows and matures, the software companies that serve MSPs — and the SMB clients they serve — must go through a security maturation as well. Bug bounty programs, secure code reviews, and adherence to industry best practices are more important than ever. As a vendor, we believe that we have a responsibility to help our partners, customers, and peers navigate this new landscape, and we want to lead by example.
Our donation to DIVD is just one component of these efforts. Here’s what we’re doing to protect our partners and customers, and we encourage other vendors to do the same.
Provide Clarity, Not FUD, During Vulnerability Disclosures
In the immediate aftermath of a vulnerability disclosure, it can be difficult to separate the wheat from the chaff and understand what the next steps should be. When the clock is ticking and MSPs are searching for information on how to protect customers, they need reliable sources of truth, not click-bait. Navigating these vulnerabilities becomes even more challenging when vendors take the opportunity to market their products and spread FUD (fear, uncertainty and doubt) rather than provide clear guidance.
At Blumira, we’ve worked diligently to provide useful information during these incidents with clear explanations of what happened, as well as detailed remediation suggestions:
- PrintNightmare (CVE-2021-1675 & CVE-2021-34527) Explained
- Lessons Learned From REvil’s Ransomware Attack On Kaseya
- SAM Database Accessible To Non-Admins In Windows 10 (aka HiveNightmare)
- Zero-Day RCE Vulnerability CVE-2021-44228 aka Log4Shell Affects Java
As more vulnerabilities emerge, we’ll continue to respond with timely, relevant and helpful information.
Promote Low-Cost or Free Education Opportunities
Speaking of helpful information, we’re big proponents of free or pay-what-you-can courses like those offered by Antisyphon Infosec Training. In an effort to make cybersecurity education affordable, we recently sponsored The MSP Security Training Challenge, led by John Strand and organized by Andrew Morgan, founder of the CyberCall. Blumira security experts like Amanda Berlin frequently contribute their expertise by leading sessions.
We also frequently host webinars on a variety of topics, aimed at educating the community rather than pitching our product.
Huntress’s recent article emphasized the importance of transparency in the cybersecurity community:
“Destigmatize and celebrate vendors who are transparent about security incidents and blindspots and who share the work they’re doing behind the scenes to strengthen their platforms.”
We couldn’t agree more. As a security company, we believe it is our duty to lead by example and be transparent about our own security practices. A few days after the Log4j discovery, we realized that one of our modules was impacted, which amounted to approximately 1% of the sensors in use across our platform. The RCE did not impact the version we were running, but it could have been vulnerable to DoS and resource exhaustion within the module. Even though the impact appeared minor, we immediately updated our article and notified our customers.
We also try to practice what we preach: cybersecurity should be accessible to everyone, not just Blumira customers.
It’s important to not only share knowledge, but to also make contributions to the open source community that everyone can benefit from. For example:
- In the aftermath of Log4j, our Incident Detection team published a vulnerability scanner and indicators of compromise on GitHub.
- Matt Warner, CTO and Co-Founder of Blumira, published a test and extraction tool for SeriousSAM on GitHub during the HiveNightmare vulnerability disclosure.
- Amanda Berlin, Blumira’s Lead Incident Detection Engineer, created and published an automated Kerberos detection script on GitHub, as well as Logmira, a set of preconfigured GPO settings to import directly into your environment.
- Poshim, a PowerShell shim, is an open-source tool that automates installing and configuring NXLog and Sysmon and forwarding their logs to a specified IP address.
Ultimately, it takes a village to keep SMBs around the globe secure. While we didn’t come up with this idea (great idea, Kyle), we’re always looking for ways to give back to the communities that we serve, and we love partnering with those who continually do the right thing.