The recent string of supply chain attacks, and the innovative methods threat actors have used to push ransomware through an MSP (Managed Service Provider) network, have become a cause for concern, and rightly so. Cybersecurity, like many defense systems, is a shared responsibility, and every organization involved in software distribution needs to have good cybersecurity practices. This is where MSSPs (Managed Security Service Providers) will play a role.
In case of an incident, MSPs with good and quick incident response plans can act faster to contain a malware infection and the spread of an attack.
It is important to understand that it is not just the software product company or a services vendor that gets attacked. Even the smaller integrators that are part of the supply chain can be targeted or used as a pawn. It is time to question IT vendors about their incident response plans and the other security measures that can contain impending cyberattacks. Today, let us discuss the security questions you must ask an MSP, and understand how MSPs differ from Managed Security Service Providers (MSSPs), the specialists who manage IT security.
Definitions of MSP and MSSP
An MSP remotely manages the IT infrastructure, software, network, and end-user systems for non-IT firms under a subscription contract. Because practically all software assets require frequent installation of updates, bug fixes, and patches, managing these updates also falls under the MSP’s purview.
An MSSP monitors and manages the security of devices and systems. These services include managed firewall, intrusion detection, virtual private network, vulnerability scanning, and anti-virus services. MSSPs usually have Security Operations Centers (SOCs), run either from their own facilities or from other data center providers, that provide 24/7 automated services to reduce the need for manual intervention and personnel requirements to maintain a sound security posture.
Quick Recap on the role of MSPs in the recent Kaseya incident
Although Kaseya deals with larger clients directly, it primarily relies on its MSPs, who act as integrators and resellers of various software, to sell the software to end customers across geographies and manage it for them. The attackers exploited a previously unfixed vulnerability (a zero-day) in the Kaseya VSA software and used the MSP network to maximize the reach of the malware (ransomware). About 50-60 MSPs were infected, spreading the malware to at least 1500 end customers.
Because the MSPs had unrestricted access with all administrative privileges, the attackers pushed the malware as a fake update, and from there it was smooth sailing. Even the anti-malware couldn’t offer much defense.
With great privileges come great responsibilities
The Kaseya attack was not the first incident in which MSPs were used as vectors to transmit malware. MSPs that hold great power in terms of administrative privileges should realize that they carry a greater security responsibility.
Back in February 2019, cybercriminals exploited a vulnerable plugin in Kaseya VSA. A single compromised MSP infected about 1,500 to 2,000 end customers with the GandCrab ransomware. In December of the same year, attackers distributed Zeppelin ransomware by gaining access to an MSP (Wipro systems) and using Remote Monitoring and Management (RMM) software (ConnectWise) as a vector.
Qualifying questions for MSPs
Before choosing an MSP, be sure to ask these questions. Make sure you are convinced about the team’s security capabilities.
- Do they have an incident response plan in place? If yes, then get it audited by a third-party consultant or organization.
- Are the practices and frameworks compliant with industry standards and certifications?
- Do they have proactive threat detection systems in place?
- Do they have the latest and past security audit reports along with the vulnerability assessment test reports?
- What are their controls for whitelisting apps/software/websites, OS and software patching, and hardening?
- How frequently do they back up, and how secure are the backups?
- What are the application and organizational policies they use for software assets, patch/vulnerability management?
- Does their IAM (Identity and Access Management) Policy include two or multi-factor authentication and role-based privileges?
- Do they practice network segmentation?
- Do they have security infrastructure in place? This may include incident detection, anti-virus, anti-malware, endpoint protection, cloud security management, and anti-phishing systems.
- What are the qualifications of the team and the training programs?
Additionally, you may check the software they manage and perform a review of the software. Check the frequency of security patches and the quality assurance certifications.
Why onboard an MSSP
Many MSPs have evolved to offer better security services. But, given the series of innovative cyber-attacks, it is essential to have an additional layer of security. The move will, among other things, restrict the access and user privileges to regulate software operations over critical updates. After all, you don’t visit an internal medicine doctor for a toothache. It is a specialist’s job.
Let us understand the roles of an MSP and MSSP in detail to know the advantages of hiring a specialist team or vendor for managing IT security.
|MSP|MSSP|
|---|---|
|Focuses on data and network administration and operations|Focuses on IT security operations and access privileges|
|Ensures performance is met at any cost|Ensures security restrictions are in place to monitor and restrict unauthorized installations, downloads, and data sharing|
|Reduces downtime or restrictions to offer a seamless experience|Reduces security incidents, threats, and response time|
|–|Puts restrictions in place and takes steps to limit the extent of damage in case of a breach|
|Makes sure the data and servers are available to your stakeholders for continuous work|Avoids unnecessary privileges and access to data to reduce the attack surface and entry points|
|Addresses usability issues|Addresses security and incident response issues|
|Expertise in assessing requirements of software and other IT assets and installations|Expertise in aligning with industry compliance requirements and frameworks|
Get the Alliant Cybersecurity Advantage
Alliant Cybersecurity operates a Security Operations Center. We offer professional MSSP services along with 24×7 mitigation, detection, and incident response services. Reach out to our expert team for a thorough security posture audit of the end customers and MSPs to propose security recommendations. Our consultation services include SOC-as-a-Service, Virtual CISO services, drafting a proper incident response plan, and more.
As your trusted partner, we take on the difficult security questions to maintain a sound security posture. Please understand that security is not just responding to an incident but a continuous process of building a proper balance.