More MSP 501ers Share Insights on Kaseya Attack as Company Works to Patch Things Up
As Kaseya works to get the issue fixed and its customers patched, our #MSP501ers continue to share their thoughts.
July 12, 2021
“MSPAlliance has already created a non-Kaseya specific group working on MSP resiliency and restoration against these types of attacks. We are also working with our members (like Sagiss) to build a better profile of how they remained operational throughout this attack so that it may be codified into the MSP/Cloud Verify standard.
Beyond the security aspect of this attack, MSPAlliance will be evaluating the insurance and contractual practices between our members and companies like Kaseya, to ensure appropriate risk-sharing is taking place and that MSPs are not shouldering 100% of the risk when companies like Kaseya are breached.”
Is this driving more customer engagement and business for you as a result?
“At the moment, it is not. We use VSA and both Sagiss’ and our clients’ primary concern is security and ensuring we get VSA patched and back online. From the questions we have been getting, they are primarily concerned with our internal security.”
Are you looking for more vendors to partner with to prevent these types of attacks on your organization and customers?
“Right now, no. We are waiting for more information about the vulnerability to better understand where we need to focus our efforts.”
Are you worried about your PRM providers such as Kaseya and ConnectWise in terms of the security of their network and vulnerabilities?
“We have always been worried about them. Things like this have never been a question of ‘if,’ but ‘when.’”
Are you getting more calls from security vendors to partner with them because their solutions could prevent such attacks?
“Of course – sales teams never let a good crisis go to waste.”
Are you partnering with other MSPs to solve these types of supply chain problems for your customers?
“We haven’t directly partnered with any other MSPs. We are very involved in the community and have been in communication with many other MSPs.”
Have you been able to raise your per-seat or services prices as a result of these attacks?
“We were already looking at raising prices due to the additional security we had implemented prior to this breach.”
Are you looking to hire more infosec professionals to meet demand from customers?
“Not security specialists directly. They are very hard to hire and that is not a core competency of our MSP practice. We are looking to partner with security vendors to leverage their security teams to assist our customers as part of our overall security offering.”
Is this driving more customer engagement and business for you as a result?
“Yes, this has definitely been driving more customer engagement for PCH Technologies. After the Kaseya supply chain attack, we are seeing interest from clients asking about what our internal cybersecurity practices and incident response capabilities are if an attack did occur. From an MSP perspective, over the past two years we have taken a proactive approach to continue to improve our internal cybersecurity posture, including being in the process of finalizing our SOC 2 certification to have the best practices in place. At the end of the day, it doesn’t matter where the ransomware comes from, it is up to each individual client to be able to have the proper cybersecurity protection, business continuity and incident response plans in place.”
Are you looking for more vendors to partner with to prevent these types of attacks on your organization and customers?
“As part of our ongoing risk review, we are always looking for new technology to better protect ourselves as an MSP and our clients as well.”
Are you looking to hire more infosec professionals to meet demand from customers?
“Yes, we are continuing to add to our cybersecurity staff, as it is our biggest growth area.”
“The past few weeks, due to Kaseya, JBS and Colonial, client engagement is up by 250%. We have been developing an in-depth, new security offering over the past six months and now have implemented close to 30% of our client base. We have rolled these offerings out as new add-ons with additional pricing.
“Security vendors have been reaching out more and more, also seeing many online vendors showing newer security product offerings.”
Is this driving more customer engagement and business for you as a result?
“The Kaseya event is driving engagement, but only to the extent of confirming if we do or do not use Kaseya. It is a conversation starter and a bit of a potential burden for clients who have realized that they now have to pay at least some attention to their provider’s network environments in addition to their own.
“This highlights the need for vendor due diligence; not only for third parties (MSPs), but fourth parties (partners used by third-party providers). An organization needs to review its third parties. This includes making sure the third parties have a due diligence process to review their third parties as well (fourth parties to the customer).
“Would vendor due diligence have identified what happened with this incident as an intolerable risk? Maybe not, depending on the most recent SOC report from Kaseya. However, if customers do not have a due diligence program in place, they have no understanding of the potential risks, or the controls third parties have in place.”
Are you looking for more vendors to partner with to prevent these types of attacks on your organization and customers?
“We are trying to limit the number of partners we have to limit the number we have to stay on top of. We are also looking at what we can do proactively to prevent or speed the identification of issues. As part of that, we are making adjustments to our ASCENT Portal to improve the incident response process.
“As a bare minimum, we recommend having three significant aspects of a security program in place as a result of the Kaseya incident: vendor due diligence, supply chain risk management and incident response.
“A complete security program does not stop there. Having controls in place for data backups, network segmentation, security awareness training, risk assessments, business impact analysis, secure coding requirements and information system interconnections (and many more items) are all important preventive measures that should be addressed.
“Incidents are going to happen. Not fun, but true. How an organization responds to an incident is equally important as the fact an incident has occurred.”
Are you worried about your PRM providers such as Kaseya and ConnectWise in terms of the security of their network and vulnerabilities?
“In a word, yes. Most of these tools were developed effectively in someone’s garage, for one MSP that needed a better way to do something. These tools have grown up to be pillars of the MSP industry but still show their mom and pop roots. Large PE groups have entered the industry, stitching individual applications together through acquisition into platforms, making investments into shoring up these tools, adding needed features, and making them more enterprise-grade. There is still a fair amount of concern that there may still be more latent development shortcuts or risks in some of these tools that may have presented an acceptable risk in a previous era that does not work in this world of state-sponsored, crypto-monetized targeted attacks.
“Collectively service providers also have a hand in the protection of client environments. Some attacks are net-new, zero-day events. Others are known vulnerabilities that already have a known fix. Service providers have to do their part and stay on top of internal updates and remediating security vulnerabilities with their tools in the same way they are primarily tasked with patching and updating their client environments.”
Are you getting more calls from security vendors to partner with them because their solutions could prevent such attacks?
“Security vendors are already responsible for a large portion of the inbound calls and emails we get. The volume is the same; it is just a new message or recycling the SolarWinds messaging from a few months ago.
“There is an increased demand for a holistic solution to manage security and compliance as is offered by our ASCENT Portal. While such security and compliance platforms cannot prevent attacks, they can prescribe the controls that should be followed to help mitigate the risk. By addressing items such as supply chain risk management, incident response and vendor due diligence, companies using a security and compliance platform are much more prepared.”
Are you partnering with other MSPs to solve these types of supply chain problems for your customers?
“No, the first step is to look in the mirror and ensure we are doing everything in our power to prevent and protect our clients and the environments in our care. We can’t control the practices or code of our respective vendors. We have a strong vendor management program complete with risk assessments to help us manage these relationships, allowing us to make adjustments when concern exceeds the value of the service or product provided. As service providers, we focus on prevention first and honing our rapid incident response capabilities through practice to respond to the threats we can’t prevent as soon as possible.”
Have you been able to raise your per-seat or services prices as a result of these attacks?
“Could we? Probably, but that is not the kind of partner we want to be for our clients. We are in this together. Identifying the risks, compliance with relevant frameworks of controls like HIPAA or ISO 27001, for example, and building good security programs that meet our client’s unique needs is the best medicine to prevent or mitigate damage from the latest hack of the day.
“We exist to build and support successful security programs that meet the needs of our customers. Our pricing is not affected; only our desire to assist and support customers is raised. This, similar to the SolarWinds incident, may have been avoided with appropriate controls in place. If not, at least organizations could have been confident they did everything appropriate to prevent or mitigate the impact.”
Are you looking to hire more infosec professionals to meet demand from customers?
“People are an essential component of building a solid security posture but are only one component of an overall security and compliance program. Building a comprehensive security program that addresses every control requirement and supports continuous compliance is equally important. Any infosec professional knows that security is not an IT-only sport. It takes cross-functional support and control ownership to maintain continual security and compliance. This includes, without limitation, HR, payroll, legal, finance, facilities, C-levels, and board support/accountability.”
Is this driving more customer engagement and business for you as a result?
“Sure is. We have had a few of our customers ask, ‘Does MXO use Kaseya?’ It’s a fair question; after all, it’s their environment and they want to know if they are at risk.”
Are you looking for more vendors to partner with to prevent these types of attacks on your organization and customers?
“Yes. We are actively reviewing our security stack inclusive of EDR, NOC, SIEM and advanced threat detection such as Huntress and Falcon Overwatch.”
Are you worried about your PRM providers such as Kaseya and ConnectWise in terms of the security of their network and vulnerabilities?
“Of course, as everyone should be. We have spoken to our RMM provider to ensure that they are using best-in-class protection ideologies, and perpetually innovating with new proactive countermeasures.”
Are you getting more calls from security vendors to partner with them because their solutions could prevent such attacks?
“Not just yet but I imagine the ‘wave’ is coming.”
Are you partnering with other MSPs to solve these types of supply chain problems for your customers?
“Not at this time. I imagine those who were impacted by the breach are very active in this endeavor.”
Have you been able to raise your per-seat or services prices as a result of these attacks?
“We have not introduced any price increases at this time; however, as new tools are purchased and deployed, a price increase may be considered.”
Are you looking to hire more infosec professionals to meet demand from customers?
“Security is always a focus for MSPs. We are actively favoring candidates with security training on their resume.”
Is this driving more customer engagement and business for you as a result?
“Yes, some customers have expressed worry and concern. We are also communicating with customers to let them know about the issues and how we are protecting them.”
Are you looking for more vendors to partner with to prevent these types of attacks on your organization and customers?
“We already have good security vendors, but it has me curious about additional services.”
Are you worried about your PRM providers such as Kaseya and ConnectWise in terms of the security of their network and vulnerabilities?
“Absolutely. I’ve been worried about this for a year. We’ve locked our tools down as much as those vendors will allow, but these companies need to step up their game on security.”
Are you partnering with other MSPs to solve these types of supply chain problems for your customers?
“Yes, we share ideas, knowledge and even scripts to help secure customer systems. For me, this is with peers both in RR/TMT and in TruMethods.”
Have you been able to raise your per-seat or services prices as a result of these attacks?
“Yes, we are using this as an opportunity to go back to older clients and get them to buy some of the newer security tools that our latest clients have in place as standard.”
“Whilst we are in the privileged position of not being an MSP that was directly impacted by this attack, the ramifications for these attacks compromise the integrity and reputation of the managed service provider industry as a whole and as such, we are committed to helping to resolve this as quickly as possible for our fellow MSPs impacted. We have received several requests for assistance from both customers of MSPs impacted as well as from MSPs themselves requiring assistance and in all cases, we have been very keen to assist in any way we could.
“Attacks such as the SolarWinds and Kaseya software exploits bring the industry closer together and it is fantastic seeing MSPs work together in what is traditionally a very competitive environment for the greater good. Although there is more work to be done in terms of MSPs trusting one another, the silver lining from events like this is that they help to forge more relationships, which we hope makes for a more collaborative approach in future.”
“We’re a Kaseya partner, and thankfully were not impacted by the breach. We are waiting on further details so we can better understand why we weren’t impacted.
“We already partner with Sophos’ MTR security team, who alerted us to the threat in real time. We are expanding the use of this MTR solution because we firmly believe that these active attacks are the future landscape and we need to prepare our clients for that.
“We had already put significant effort into securing and monitoring our RMM solutions, and we’ve redoubled our efforts even further as a result of the Kaseya breach.
“Our concern, from a broader industry perspective, is that a significant percentage of traditional managed service providers lack the education/team/will/ability to properly lock down their environments to protect their clientele. We think this is a watershed moment for the industry, and those who do not place security at the core of what they do are going to find themselves in serious trouble moving forward.”
Is this driving more customer engagement and business for you as a result?
“We are seeing more customer engagement. These discussions typically revolve around the importance of layered controls. This situation highlights how an organization that relied mainly upon the use of a trusted, reputable vendor (Kaseya) and an application that enforced multifactor authentication could still get impacted. Additional layered security controls – such as good commercial endpoint security (antivirus) software with anti-ransomware features, managed security services with 24×7 monitoring for anomalous activities and backups with ransomware protections – could significantly reduce the impact of a breach of the service provider or remote access tool.”
Are you looking for more vendors to partner with to prevent these types of attacks on your organization and customers?
“No, Sikich manages and monitors our vendors and has a number of layered security controls already in place to help protect against these types of attacks.”
Are you worried about your PRM providers such as Kaseya and ConnectWise in terms of the security of their network and vulnerabilities?
“A breach of a critical PRM tool has always been a threat rated to have a significant potential impact in our risk assessment activities. Sikich’s digital forensics and incident response team has investigated a number of breaches targeting service providers and their remote access tools in recent years. While the attack targeting Kaseya is high-profile due to its wide impact, it is part of a trend that Sikich had already been tracking. While Sikich does not use Kaseya, we reviewed our risk ratings, security controls and the potential exposure to ourselves and our clients in light of the new Kaseya incident. Those analysis activities did not find deficiencies in our approach or layered security controls that would cause us to make significant changes.”
Is this driving more customer engagement and business for you as a result?
“More customer engagement for sure. We’ve had to communicate what is going on and what we are doing and a few clients have shared with us their gratitude.”
Are you looking for more vendors to partner with to prevent these types of attacks on your organization and customers?
“Absolutely. ThreatLocker is one of the next ones we are looking at. We already had SentinelOne in soft launch – that we rolled out quickly and across the board.”
Are you worried about your PRM providers such as Kaseya and ConnectWise in terms of the security of their network and vulnerabilities?
“No, they all will be under attack, so we need to build more fallbacks and stronger processes. We can’t rely on one vendor being bulletproof. Everyone should assume a breach will happen.”
Are you getting more calls from security vendors to partner with them because their solutions could prevent such attacks?
“None more than already.”
Are you partnering with other MSPs to solve these types of supply chain problems for your customers?
“For 12 years I’ve been a part of TruMethods and my direct peer group of nine MSPs has been chatting up what’s next. Maybe running a different RMM on your remote backup devices (BDRs) was another idea.”
Have you been able to raise your per-seat or services prices as a result of these attacks?
“We aim to put a $25/user package that has the basics of cybersec services included.”
Are you looking to hire more infosec professionals to meet demand from customers?
“It’s more about the process for us. We will look to partner with someone for incident response, SIEM and SOC. But that’s already been on the road map for us for a while now.”
Is this driving more customer engagement and business for you as a result?
“Yes, it has added significantly increased client engagement and more awareness with prospects.”
Are you looking for more vendors to partner with to prevent these types of attacks on your organization and customers?
“Yes, we are currently embarking on a project to significantly expand our all-new Managed Security Services Ecosystem (MSSE) with effective security vendors.”
Are you worried about your PRM providers such as Kaseya and ConnectWise in terms of the security of their network and vulnerabilities?
“Absolutely. With two successful attacks that have captured major headlines, vendor management has the spotlight for us in our business as well as for our clients.”
Are you getting more calls from security vendors to partner with them because their solutions could prevent such attacks?
“Yes, too many calls.”
Are you partnering with other MSPs to solve these types of supply chain problems for your customers?
“That is standard for us in our channel-only business model.”
Have you been able to raise your per-seat or services prices as a result of these attacks?
“We are launching a specific awareness campaign and bundles specific to ransomware readiness. Yes, it allows for price increases and larger opportunities due to bundling multiple products and services together.”
Are you looking to hire more infosec professionals to meet demand from customers?
“Yes, we are currently expanding the team and adding additional technical resources to keep up with the demand and complexity of these emerging threats.”
We asked our 2021 MSP 501ers to weigh in on the Kaseya VSA supply chain ransomware attack last week. And boy, did they ever. With more timely responses and sage advice pouring in over the weekend, we decided to share more of their thoughts.
Meantime, Kaseya has been doing some serious damage control.
On Sunday, Kaseya released its patch to VSA on-premises customers and completed restoration of services. All of its SaaS customers are now live. In addition, support teams are continuing to work with VSA on-premises customers who have asked for help with the patch (VSA is Kaseya’s remote monitoring and management (RMM) service). All of the attacked MSPs were using the VSA on-premises product.
Our 2021 501ers had quite a bit to say on this issue in terms of the impact the Kaseya and other breaches have had on MSP businesses. We’ve included more of their responses in the slideshow above.