In May, CISA released an advisory, “Protecting Against Cyber Threats to Managed Service Providers and their Customers,” which provided guidance in response to the increase of targeted attacks against MSPs.
This latest alert is a reminder that MSP threats are not going away or reducing in frequency. At this point it’s safe to assume that MSPs are a persistent target. MSPs should assume they are under constant threat of attack, and adopt a continuous practice of increasing and validating their security.
Interpreting CISA’s Alert
Nothing in this report should be horribly surprising. Rather, this is the latest reminder that the MSP is a centralized target, and in the wrong hands, their tools are an incredibly efficient malware distribution platform. Not only does the MSP have the juicy target of remote monitoring and management (RMM), screen share app, etc, but they also contain a wealth of information that can be leveraged for other attacks, including credential vaults, detailed user lists, backup repositories full of business and intellectual property, and so on.
Soon, MSPs can expect more formal scrutiny. At first this scrutiny will probably come from the insurance of MSP customers, but probably some regulatory attention as well. The list of countries and the alphabet soup of agencies on this alert is a clear sign that MSP risks are on the radar of international law enforcement. MSPs should be responsible for doing everything they can to both secure their own tools and operations, but also to provide the highest level of security services and advice to their customers.
How Cyber Insurance Comes Into Play
At this point, it’s surprising that insurers are not asking questions about which third-party service provider toolsets MSPs are using within their environment. The short-term questions might be “Do you use Solarwinds, Kaseya, etc?” but before too long, insurers will catch up and start to ask broader questions to identify tools regardless of brand.
Insurers will likely ask for increased controls upon renewal. If MSPs cannot prove they are implementing a variety of security controls to reduce risk, insurers will likely charge supplemental rates or decline to provide coverage.
MSPs should get in front of the changing insurance requirements. There are several common security controls that insurers either require or put high value on. By getting your customers on board with implementing these now, you can avoid expensive, low-quality, last-minute implementations when an insurance renewal is due. Usually renewals come on short notice and delivering a quality implementation of new security controls is not possible in those timelines.
A great resource for discussing what insurers are looking for would be a specialized cyber liability insurance broker that has enough exposure to applications to know what the current trends are.
It’s also worth thinking about what may happen if MSP tools become too regulated or too risky to be used effectively, and look at what a post-RMM industry might look like. What can be done with tool sets that are completely segmented for each customer — especially tool sets that are built into the platforms that customers are already using, such as Intune and Endpoint Manager?
Securing Your MSP: A Checklist
The CISA alert is a reminder that being proactive is crucial to stay ahead of future tightened regulations and scrutiny. The advisory provided some best practices for MSPs, and we’ve added some further guidance with those suggestions in mind.
Customers will start asking MSPs very pointed questions about what they are doing to protect the MSP operations, as well as the MSP’s systems and methods of access into the client networks.
MSPs should give customers periodic updates on what the MSP is doing to protect both customers and their internal environments. Not only does this establish and maintain trust with clients, but it also forces the MSP to continuously improve and challenge their own internal security posture.
- Expect clients to perform their own verification and review of MSP activity, by using logging, for example, to determine dates and times of logins. and
- Expect insurers to ask customers to disclose MSPs, MSP tools, etc. Be prepared to exhibit your standards and protections.
- Anticipate the questions that a customer’s third party vendors may be asking, specifically surrounding IT providers, as well as questions surrounding the customer’s internal security posture.
- Consider setting allowed login hours for the routine admin credentials that you are using
- Alternatively, use SIEM or other tools to automatically alert on credential use outside of business hours
Incident Communications Plan
MSP’s customers are going to see the news when high-profile vulnerabilities and breaches happen. MSPs should take a proactive approach and prepare incident communications and PR plan in advance:
- Prepare to communicate to customers on what you are doing, how they can get more answers, etc. before they come to you asking what you are going to do for them.
- Prevent the technical security team from spending excess time on doing PR work by preparing the communications/PR team ahead of time with a response plan.
- Include non-technical people in this plan and prepare them so that when an incident or high-level threat emerges (such as Log4j), your security engineers can have brief conversations with the communications/PR people, and they can get to work on preparing communications to your customers.
You probably can’t avoid MFA on admin logins for much longer. Previously, insurers had softer requirements for it, but that’s changing. With that in mind, MSPs should consider making MFA more universal with the following best practices:
- Migrate your customers towards mandatory MFA for critical or often attacked apps — especially email.
- Include mandatory MFA for high risk apps as a standard for accepting a new customer
- Adhere to a higher MFA standard for admin access for MSP, internal admins, other third-party vendors, etc.
- Ensure that every possible opportunity to enable MFA within the MSP business is used.
Internal exercises are a great way for MSPs to plan ahead and improve their cybersecurity maturity.
- When starting with internal exercises, focus on blast radius reduction, or reducing the total impact of a security incident.
- Segment systems, especially between business admin operations and MSP operations. The CISA advisory discusses least privilege, but it may not be feasible for most MSPs to segment teams and only give them access to the clients they serve. Instead, look for ways to reduce permissions and eliminate unnecessarily interconnected networks.
- Eliminate unneeded MSP toolset access for executives and other non-technical staff who are more likely to be a target for attackers. If executives need data from the MSP tools, they should work through an engineer or access the data via business intelligence tools.
- Make a plan for what happens if your RMM is not functional. Do you have at least some minimal functionality via InTune, ScreenConnect, or EDR tools that can run remote scripting in a pinch?
- When vulnerabilities come out that do not affect you, take the opportunity to study how a similar incident with the tool you do use could impact you, how you could handle it and how you would prevent it. We can imagine scenarios, but often what happens in the real world are things beyond imagination.
Customer and Internal User Account Audits
- Set up fixed schedules to audit client user accounts and communicate to customers how often they will receive reports. This helps not only to eliminate unused accounts, but helps customers reduce expenses by cutting extraneous support charges.
- Extend this to audits of end-of-life/legacy hardware and software
- Identify systems that should have been retired but remain online
How Blumira Helps
Blumira supports MSPs and their customers in their overall security maturity journey, and specifically helps MSPs meet log retention requirements.
Our free not-for-resale (NFR) licensing for MSPs is a great way to get started using a SIEM in your environment. Deploying Blumira takes a matter of hours, and using our platform is easy for teams of all sizes and experience levels. Plus, our competitive pricing is affordable for your SMB customers.
Sign up for your NFR account to try Blumira’s full product for free — no strings attached.