Our technological approach.
As a managed service provider (MSP), our lifeblood is a stack of vendors assembled to provide an end-to-end solution, covering everything from antivirus to backups to remote management and beyond.
In most cases these solutions install software agents on servers and endpoints with system-level access across every facet of the MSP and its clients, and each additional layer increases the exposure and the risk. Where they do not install an agent, they hold an API key with a potentially damaging reach and remit.
Some vendors even break best practice by using insecure legacy authentication methods with full Global Administrator access to Microsoft tenants... and refuse to spend the engineering time and effort to upgrade them. All whilst requiring no MFA/2FA on the account. COME ON. The keys to the kingdom on an account without even basic protection? It beggars belief. Abiding by the latest and greatest industry standards isn't a snapshot in time; it is a living, breathing process that has to be constantly evaluated and improved upon.
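To make the problem above concrete, here is an added example (not code from the original post or from any vendor) that runs the check an MSP would want over its own tenant: which sign-ins use a legacy protocol, which privileged accounts sign in without MFA, and where the two overlap. The records are constructed, with field names modelled on the Entra ID sign-in log (userPrincipalName, clientAppUsed, authenticationRequirement); treat those names, the client-app labels and the GLOBAL_ADMINS list as assumptions to check against your own export.

```python
"""Flag privileged sign-ins that use legacy authentication or no MFA.

Added example, not from the original post. Field names are modelled on the
Entra ID sign-in log and the admin list is a hypothetical export of
Global Administrator role membership; both are assumptions.
"""

# Client-app labels that indicate legacy (basic-auth) protocols in sign-in logs.
# "Other clients" is the bucket that basic-auth SMTP/IMAP/POP and old Office
# clients land in. Assumed set; compare against your own log values.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "Exchange Web Services", "IMAP4", "POP3",
    "SMTP", "Authenticated SMTP", "Other clients", "Autodiscover",
    "Outlook Anywhere (RPC over HTTP)", "Offline Address Book",
}

# Constructed sample: a vendor integration still on legacy auth with a Global
# Administrator account, a modern-auth connector, and an interactive admin logon.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "svc-vendorx@contoso.example",
     "appDisplayName": "VendorX Integration",
     "clientAppUsed": "Other clients",
     "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "svc-backup@contoso.example",
     "appDisplayName": "BackupVendor Connector",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "alice.admin@contoso.example",
     "appDisplayName": "Azure Portal",
     "clientAppUsed": "Browser",
     "authenticationRequirement": "singleFactorAuthentication"},
]

# Hypothetical export of accounts holding the Global Administrator role.
GLOBAL_ADMINS = {"svc-vendorx@contoso.example", "alice.admin@contoso.example"}


def signin_findings(signin: dict, admins: set) -> list:
    """Return the reasons one sign-in record is a problem (empty list if none)."""
    upn = signin["userPrincipalName"].lower()
    is_admin = upn in {a.lower() for a in admins}
    reasons = []
    # Legacy protocols cannot complete an MFA challenge; the only fix is to
    # move the integration to modern auth or block the protocol outright.
    if signin.get("clientAppUsed") in LEGACY_CLIENT_APPS:
        reasons.append("legacy authentication protocol (cannot satisfy MFA, can only be blocked)")
    # For privileged accounts, any single-factor sign-in is a finding on its own.
    if is_admin and signin.get("authenticationRequirement") == "singleFactorAuthentication":
        reasons.append("single-factor sign-in")
    # Either weakness on a Global Administrator is the "keys to the kingdom" case.
    if is_admin and reasons:
        reasons.append("account holds Global Administrator")
    return reasons


def risky_signins(signins: list, admins: set) -> dict:
    """Map each offending account to the set of reasons, admins listed first."""
    out = {}
    for s in signins:
        reasons = signin_findings(s, admins)
        if reasons:
            out.setdefault(s["userPrincipalName"], set()).update(reasons)
    return dict(sorted(out.items(), key=lambda kv: kv[0] not in admins))


if __name__ == "__main__":
    for upn, reasons in risky_signins(SAMPLE_SIGNINS, GLOBAL_ADMINS).items():
        print(f"{upn}: " + "; ".join(sorted(reasons)))
```

Run against a real export, the integration account showing up under "Other clients" is the one a vendor would have to re-engineer before legacy authentication can be switched off for the tenant; until then it is also the account that cannot be protected by MFA.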
Unfortunately, over the last few years the managed services world has been rocked by a number of high-profile, high-impact breaches involving the vendors MSPs use and trust to deliver their recurring services model. The exposed portals, APIs, agents and plugins, and the overall security posture of MSPs and their vendors, have made them rich pickings for malicious threat actors: crack one, and every customer behind it is within reach.
- ConnectWise plugin: used as a deployment method for ransomware.
- Webroot: used as a deployment method for ransomware; thankfully limited in scope and impact by a quick response.
- Kaseya: VSA exploited and used to deploy ransomware on a scale previously unseen, leaving numerous MSPs and all of their customers held to ransom. The damage was limited by the quick response of a few good members of the MSP community getting the word out.
The security posture and hygiene practised by both the MSP and the vendors it uses form a key part of a multi-layered approach to cyber security, and they have a direct, inverse effect on overall risk: the more the posture is improved through regular hygiene, the further cybersecurity risk falls.
As an industry, these threats are now a constant presence in our risk management plans. We can no longer rely on marketing and sales spiel. Offerings need to be secure by default, with layered defences and best practices baked into their very fabric.
Frameworks to evaluate vendors already exist, but none is aimed directly at MSPs in an easy to digest and understand format. As XKCD famously depicted, let us just create another standard/framework to be followed, and ultimately ignored.
Time and time again, people and the organisations around them jump off the cliff edge without considering the wider impact when they purchase a tool or solution to fit a client's needs. The question of how it changes the game in terms of their exposure is never asked, let alone answered. This needs to stop, and only a change in the culture of how we work and engage with vendors can drive it.
If we pick on one specific element for a moment...
It is no secret that I and several other prominent members of the CIPP project / MSP Geek have been nudging several vendors to fix and correct their faulty SPF, DKIM and DMARC records for a few months now. It has been like pulling teeth, and without naming specific vendors and their reactions, we've had everything from full ownership and comprehensive communication throughout the remediation process... all the way to not even understanding the issue when the vendor can be spoofed, or the impact it could have on their customers.
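The faults behind "the vendor can be spoofed" are usually visible in the records themselves. The following is an added example, not code from the original post or from the CIPP project, that lints SPF, DKIM and DMARC TXT records for the mistakes most often seen: an SPF record ending in +all or ?all, too many DNS-lookup terms (which makes receivers return permerror and ignore the record), a deprecated ptr mechanism, a DKIM key that is empty or still in testing mode, and a DMARC policy of p=none with no reporting address. The two vendor domains and their records are constructed for illustration; in practice the strings come from TXT lookups at the domain (SPF), selector._domainkey.domain (DKIM) and _dmarc.domain (DMARC).

```python
"""Lint SPF, DKIM and DMARC TXT records for the faults that let a domain be spoofed.

Added example, not from the original post. The sample records below are
constructed for hypothetical vendor domains; live ones come from DNS TXT lookups.
"""


def _parse_tags(record: str) -> dict:
    """Parse 'tag=value; tag=value' (DKIM/DMARC syntax) into a dict, tags lowercased."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_findings(record: str) -> list:
    """Weaknesses in an SPF record; empty list means nothing obviously wrong."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    findings, lookups = [], 0
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # default qualifier is pass
        body = term.lstrip("+-~?").lower()
        name = body.split(":")[0].split("/")[0].split("=")[0]
        # include, a, mx, ptr, exists and redirect each cost a DNS query;
        # RFC 7208 caps the total at 10 per evaluation.
        if name in ("include", "a", "mx", "ptr", "exists", "redirect"):
            lookups += 1
        if name == "ptr":
            findings.append("'ptr' mechanism is deprecated by RFC 7208 and unreliable")
        if name == "all":
            if qualifier == "+":
                findings.append("'+all' authorises every host on the internet to send as this domain")
            elif qualifier == "?":
                findings.append("'?all' is neutral: unlisted senders neither pass nor fail")
    if not any(t.lstrip("+-~?").lower() == "all" for t in terms[1:]):
        findings.append("no 'all' mechanism: unlisted senders are treated as neutral")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10; receivers return permerror")
    return findings


def dkim_findings(record: str) -> list:
    """Weaknesses in a published DKIM key record."""
    tags = _parse_tags(record)
    findings = []
    if tags.get("v", "DKIM1").upper() != "DKIM1":   # the v tag is optional, default DKIM1
        findings.append("unknown DKIM record version")
    if tags.get("p", "") == "":
        findings.append("empty 'p' tag: the key is revoked, every signature will fail")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y testing flag: verifiers treat failures no differently from unsigned mail")
    return findings


def dmarc_findings(record: str) -> list:
    """Weaknesses in a DMARC policy record."""
    tags = _parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p", "")
    if policy == "":
        findings.append("missing required 'p' tag: record is invalid and ignored")
    elif policy == "none":
        findings.append("p=none: spoofed mail is only reported, never blocked")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in junk rather than being rejected")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only that share of failing mail")
    if policy in ("quarantine", "reject") and tags.get("sp") == "none":
        findings.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no 'rua' address: nobody is receiving aggregate reports on who spoofs the domain")
    return findings


def assess(spf: str, dkim: str, dmarc: str) -> dict:
    """Run all three linters and return findings keyed by record type."""
    return {"spf": spf_findings(spf), "dkim": dkim_findings(dkim), "dmarc": dmarc_findings(dmarc)}


# Constructed records for two hypothetical vendors: one done properly, one not.
VENDOR_GOOD = assess(
    "v=spf1 include:spf.protection.outlook.com -all",
    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexamplekey",
    "v=DMARC1; p=reject; rua=mailto:dmarc@vendor-good.example; adkim=s; aspf=s",
)
VENDOR_BAD = assess(
    "v=spf1 a mx include:spf.protection.outlook.com include:_spf.crm.example ptr +all",
    "v=DKIM1; k=rsa; t=y; p=",
    "v=DMARC1; p=none; pct=100",
)

if __name__ == "__main__":
    for name, result in (("vendor-good.example", VENDOR_GOOD), ("vendor-bad.example", VENDOR_BAD)):
        for kind, items in result.items():
            for item in items:
                print(f"{name} {kind}: {item}")
```

The checks are deliberately conservative: a ~all softfail is not flagged because DMARC, not SPF alone, decides what happens to failing mail, and DKIM key length is not assessed because it needs the key decoded. What the linter does catch is exactly the class of record that lets anyone send as the vendor and still be delivered to its customers.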
It is a sad state of affairs when vendors in the technology sector are unable to be a beacon of light in their approach and posture. How can clients, and any firms indirectly relying on them, ever place faith in them?
Unfortunately, this isn't something that can be tackled in one go, or very easily, as it's a multifaceted collection of complex issues with a set of behaviours behind them.
Let's ask the uncomfortable questions: how does the culture of the vendor [and of the MSP] drive good practice, how do they plan to tackle their technical debt, and how is good security hygiene part of their culture and practice?