I spend a lot of time working with vendors. From speaking at events with them to working with them on exploit research or development, I spend a lot of time in that ecosystem in an attempt to make the industry better for all.
Recently, a vulnerability was discovered in the ConnectWise R1Soft application. This vulnerability was present in the upstream ZK Library used by R1Soft.
When this vulnerability was made public by a security researcher who goes by Frycos on Twitter, I was busy driving back from a security conference and didn't immediately see it.
When I got back in, I saw that Huntress had started doing internal research into the disclosed vulnerability.
Once I saw this, I reached out to Patrick Beggs, CISO of ConnectWise, and informed him of the behind-the-scenes work Huntress had going on, which made the previously low-severity vulnerability much more critical (with permission from Huntress, of course).
Afterward, I facilitated introductions with my connections from both teams to expedite arriving at a solution. Even though they're competitors, the teams worked together toward a common goal for all of us: keeping their partners and the community-at-large safe.
The end result was amazing. Huntress released a great writeup on the vulnerability, and John Hammond released a video. Patrick and John went on the CyberCall (a weekly security-related webinar in our space), and it appears this is the start of an improved collaborative environment.
What does that mean for Managed Service Providers and our customers?
- The increased flow of information between two partner-focused companies.
- A potential second set of eyes when someone sees something.
- An increase in the speed through which vulnerabilities and the details about them are shared.
All in all, it means a better, more secure experience for partners and their end users.
It requires work on both parts. At one point in the above process, I received panicked communications from both sides. The security bulletin was released without communication between the teams, which put the Huntress team on alert. Consequently, Huntress released some communications that gave ConnectWise concern that a full proof-of-concept was about to drop. Communication is key here. Once the teams discussed these developments with each other, things were smoothed out, and they continued working together.
In a world where vulnerabilities are coming out constantly and the exploits are getting more complex, it will become increasingly important that open communication paths exist between vendors in the MSP space. While we compete with other MSPs and our vendors compete amongst each other, it is important to the industry as a whole that we cooperate on security-related items. I've personally informed other local providers we compete with of security vulnerabilities in software I've noticed they run and hope they would do the same.
Here's to hoping we see a lot more communication between vendors on security issues in the future.
Special thanks to Rachel Bishop at Huntress for serving as a second set of eyes and helping me make this much better!