As the IT world develops and changes at an ever-expanding pace, it is often hard to qualify and validate systems and the third parties supplying them, and tempting to hope they are all equal: continuously developing, improving, testing, and securing the systems they sell to the world at large.
Unfortunately, the last few years have shown us that not all vendors are equal, not all vendors care about the basics, and VC / private equity ownership comes with a heavy price to customers.
When you place the evaluation of these partnerships and systems in a high-stress, cost-sensitive, time-dependent industry such as managed services, the scrutiny can be, and often is, minimal. The consequences of ignoring the security posture of these organisations are potentially dire, and the industry is only just waking up to this...
Managed services as a model is often focused on protecting endpoints and servers, and delivering customer service, using a collection of vendor-based tools. These tools are often agent-based, checking in to servers or services that are either on-prem / self-hosted or run in a SaaS / vendor-hosted model.
Managed endpoint tools and their respective administration platforms are becoming a highly prized and targeted avenue for threat actors. The underlying administration plane is now a vector to larger paydays.
The managed services market specifically has been increasingly exploited due to its high value and wide-reaching impact into other firms. Even a small managed service provider can have 25 to 100 individual customers, often in several verticals but with one consistent model: keep the human resources at a particular tech-to-endpoint ratio, then install the full interconnected stack to minimise time spent, such as:
- Remote Management and Monitoring - RMM
- Managed Antivirus - MAV
- DNS Filtering
- Remote Control
In recent years, the increased integration and movement to a single pane of glass has both minimised the technical overheads and concentrated the risk on a few particular entry points on the list.
When you evaluate it, these platforms often have the ability to push code at system level, with few restrictions or limitations. Webroot famously was used to deploy malware via the script push function built into its cloud dashboard, whilst failing to enable MFA for a number of years.
Combined with inappropriate vendor recommendations such as excluding entire folders from AV scanning, the inability to put web application firewalls in front of certain solutions, and a lack of enforced MFA by certain vendors, it sharply adds up to a mismanaged, security-ambivalent, and distinct pool of potential victims.
Now the typical sales process for the firms involved usually goes along the lines of:
- MSP signs up for webinar/event/website and they are usually pushed into the sales chain to talk through their existing solution and what NEW Vendor can do for them.
- A demo is given by the vendor.
- Device / System / service types and requirements are gained from the MSP.
- Counts of agents are gained from the MSP.
- Bespoke pricing is given and a negotiation occurs.
- The MSP signs up or declines the vendor.
The MSP's sales process often goes to their customer with a sales team, a pamphlet and marketing material, and promises of a slick end-to-end service solving all of their IT-related needs.
Typically, at no stage in the sales process is security, a BASIC need and a universal right as it were, discussed as part of their core offering. Usually it is based around support, KPIs, FCRs, customer retention and references. Security is often an add-on service at additional cost and is not usually included as part of the basic services.
Beyond the sales process
This leads into our vendors, and the way these services are presented and then sold on as a package. The visibility of the security elements in the sales process and associated materials is often lacking, or relegated to a footnote such as "Ask this specific email address and we'll release it".
Unfortunately, when these systems are in play with system-level access at all of their customers, the security elements really need to be at the forefront of the discussions, not an afterthought, hidden, or only available to those who scream the loudest.
There have been numerous attempts at standards relating to the security of a vendor and its products, from Cyber Essentials (and Plus) through to ISO 27001, then on to the likes of CMMC.
None of these validate or assure that a product cannot be breached, although they give a good indication of, and commitment to, the security posture. This overall security posture is the key criterion I would mark vendors against; individual measures do not negate the need for a well-thought-out and balanced approach to security.
- Are they proactive vs reactive?
- What are the exclusions to the scope when going for certification?
- Do they follow, certify or are they compliant with appropriate standards for their sector? There's a massive difference between these terms, and having the external validation and review of their controls and measures.
- Are they enforcing security defaults and must-haves such as MFA / IP allow lists / extensive documentation when self-hosting?
- Is there a dedicated security team?
- Do they (by default) engage outside specialists via a 24/7 SOC / Monitored SIEM style service?
- Do they put multiple overlapping layers of security in?
- Are they engaging with their upstream vendors to further secure their services and improve the overall posture?
- Are there kill switches in place to limit the damage should an event happen, and are they granular?
There are many others, and this blog post would turn into an endless list of key criteria and questions. That post will follow - in collaboration with several other people from the industry.
Developing or using a known evaluation process internally, and applying it universally to all vendors, is the way the industry needs to go in the very near future. There is a need to hold all vendors to account before pushing services and agents live on any system, and applying that process iteratively and continuously ensures fairness and a due diligence that will stand us in good stead for years into the future.
The biggest and most critical element for the MSP industry right now? We need to show the non-compliant, lacklustre vendors that our money follows those who value security, not those with the sleekest presentations or the most cut-throat sales team. Only our internal evaluations and vendor verification processes can tackle this, and unfortunately, sometimes money talks louder than someone on a blog, or than the few MSPs who do walk away from these monolithic, security-ambivalent organisations.