Bekker's Blog

Ian Thornton-Trump's Hair Is on Fire About Threat Intelligence for the Channel

One of the most engaging voices in the IT channel security community, Ian Thornton-Trump, is on the move. RCP caught up with Thornton-Trump last month just as he was getting started in a new role at Cyjax, an 8-year-old U.K.-based cyber threat intelligence provider.

Thornton-Trump joins Cyjax as chief information security officer. The dual role includes internal cybersecurity responsibilities along with helping the company prepare for an expansion into the U.S. channel. At the same time, Thornton-Trump is piloting a cyber threat intelligence workshop for CompTIA.

We talked to Thornton-Trump about why he thinks the moment is right for managed service providers (MSPs) to get involved in security threat intelligence. Edited excerpts of the conversation are below.

Two major security issues a few years ago got Thornton-Trump thinking seriously about security intelligence and the channel.
"I go back to really WannaCry and EternalBlue. The US-CERT and Microsoft made noises prior to that malware being weaponized. At that time it was about 58 days before the first impactful attacks happened from when Microsoft announced that there is a vulnerability in [its Server Message Block protocol], and they were pushing patches even for out-of-date operating systems. Now, the threat intelligence analysis of that is kind of, 'Holy crap, if Microsoft is going to support unsupported operating systems and issue an out-of-band patch for it, it must be super bad.'

"For whatever reason, I don't think people were paying attention. When you look at some of the big dogs out there, Maersk and Merck, the pharmaceutical company, that then got hit by NotPetya, which leveraged the same attack, essentially, as WannaCry, you kind of wonder if anybody was listening out there.

"So I felt like for the small/medium business practitioners and those MSPs that service them, no one was really providing good, credible intel to small and medium-sized business [SMB] customers about this stuff."

In the nearly three years since those attacks, Thornton-Trump believes government agencies in the United States and the United Kingdom have greatly improved their alerting and threat communications. Yet he also contends that MSPs and SMB IT pros need much more help.
"The importance of a government tool to tell you that you're vulnerable means rather than it being the security guy who's all concerned going to the business, it's literally the government telling you that you need to patch."

Thornton-Trump said he sees an opportunity for Cyjax, which offers threat intelligence and associated dashboards, to provide some of the data that will help MSPs make the business case for action.
"Historically, cybersecurity practitioners and IT practitioners may be somewhat challenged in terms of business communication. Having data from a third-party trusted source that says, 'Listen, we have X number of assets that are vulnerable to BlueKeep. We need to disrupt the business operations for a couple of hours to patch and update our infrastructure so that we're not victimized by a cybercrime attack, which in 90 percent of the cases for business today would be a very disruptive ransomware attack requiring weeks and unanticipated financial expenses.'

"We can go into boardrooms with our hair on fire. But when we're challenged by the business to provide a true statement or understanding of the risk, a lot of it falls down because what the practitioners are not doing is coming armed to the fight with the return on investment or the stark warnings from government bodies, law enforcement bodies. I want to close that gap in the channel."

As Cyjax works on a channel program to adapt its cyber threat intelligence offerings to MSP technical and business requirements, Thornton-Trump says the sector has the potential to be a high-value, low-cost revenue opportunity for MSPs and IT service pros.
"I'm excited about the opportunity to take my original message of layered security and now turn it into a true proactive threat model -- modeling and risk management by using intelligence."

At the same time, Thornton-Trump is demonstrating a workshop/course on "Cyber Threat Intelligence" at the CompTIA conference in Manchester, England next month.
"The course is designed to help an MSP or an SMB build its own threat intelligence program using publicly available tools. My idea here is to equip businesses to get in front of cyber attacks, get meaningful data and make appropriate business decisions based on their threat model and their risk profile. I'm really passionate about that. I want to create more capacity."

Both efforts, building a channel program for Cyjax and developing the independent training, are coming at a key time for MSPs, in Thornton-Trump's estimation.
"This is coming at a moment where MSPs are waking up and finding many of their customers victimized by ransomware, which is potentially putting their livelihood at risk. I'm talking about the Cloud Hopper series of attacks, which has now been adapted by cybercriminals who are specifically targeting MSPs and IT service pros. So I think the time is right to get the upper hand and to get the opportunity to get in front of these attacks, and protect customers and ultimately protect the livelihood of businesses."

Posted by Scott Bekker on February 11, 2020