
Inside ConnectWise During the ScreenConnect Crisis


The focus at IT Nation Secure has been on ConnectWise’s new security tools, but it’s only been a few months since the MSP tools platform company dealt with a cybersecurity crisis of its own: a vulnerability in its ScreenConnect product that was being actively exploited.

ChannelE2E caught up with ConnectWise CISO Patrick Beggs at IT Nation Secure and asked him about what went on behind the scenes at the company during this crisis.

It started when a researcher reached out to ConnectWise in relation to its responsible disclosure program. Beggs said that every software company has or should have a bug bounty or vulnerability disclosure program, and ConnectWise has one that’s posted on its main website.

After first contact, Beggs said, the company simply followed its process.

“We have playbooks and we have processes and we have internal SLAs that we adhere to,” he said. “We have implemented and executed on the reporting structure for this scenario.”

Work was handed off to the product team to create a patch and test it and validate it, just as they would do for a feature upgrade, Beggs said.

“It was very smooth. I was very proud of the team because folks did not lose focus,” he said. “There was a lot of external concern, as it should be, due to the nature of the product. Obviously there was a lot of media press around it, but we implemented our communications playbook to the letter.”

The heavy lift of the whole process was in external education and awareness, Beggs said.

ConnectWise offered a free upgrade to the product, even to MSPs that were no longer under maintenance with ConnectWise and would have otherwise been ineligible for the patch.

“That’s just being responsible,” Beggs said. “There was no other motive behind it other than we’re just going to protect people. If a bad person was to compromise an unpatched version, there were larger things at stake.”

Lessons Learned, Changes Made

After any incident and response, any CISO is going to look for the gaps and how to make the processes and programs better and tighter. Beggs is no exception.

He said that the incident response team and product team and operations team came together and collaborated smoothly from a technical standpoint. But the company has since refined how it looks for unpatched instances.

“We’ve discovered some really great processes for identifying unpatched instances,” he said. “We actually tested our full incident response plan a month before, so it was good timing. We had some good lessons learned already.” Gaps were filled that helped when the actual crisis hit.

Beggs said he runs full-scale tabletops every year and management and technical ones on a quarterly rolling basis. This year he will run the full-scale tabletop sooner rather than later to test it closer to when the event happened, he said.

The Most Difficult Part of the ScreenConnect Crisis

Making sure the right information was out there was the most difficult part of the process, Beggs said, and when you are in the midst of a crisis, you need to put that information out on a regular cadence so people know when to expect it.

“If you’re not putting out information, people make up their own,” he said. “Even if you don’t have anything substantial to say, let them know that you are thinking about it and that you are going to get something to them.”

That’s true for external communications, sure, but it’s even more important for communicating with internal stakeholders, including the CEO.

“I feed people information internally at specific times because if you don’t feed them internally, they get hungry.”

CISO Best Practices for Crisis Communications

We asked Beggs what his top best practices were for crisis communications, and here’s what he said.

  • Communicate early and often with an established cadence of when you are pushing information out.
  • Think about how long it’s going to take you to prepare that information you are going to share. You have technical teams putting together data points and talking points. You have to give yourself the time to get those and put the report together and get a final signoff. Plan for the time you need to prepare the report.

Jessica C. Davis

Jessica C. Davis is editorial director of CyberRisk Alliance’s channel brands, MSSP Alert, MSSP Alert Live, and ChannelE2E. She has spent a career as a journalist and editor covering the intersection of business and technology including chips, software, the cloud, AI, and cybersecurity. She previously served as editor in chief of Channel Insider and later of MSP Mentor where she was one of the original editors running the MSP 501.