Top MSPs on Avoiding the Next SolarWinds Hack, Best Preparing Security Clients
Building on our MSPs’ ongoing cybersecurity flags, we checked back in to get a deeper sense of their concerns.
April 7, 2021
![SMB cybersecurity SMB cybersecurity](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blteb81482114f3b3a7/65245489d03b4f9596908d1e/smb-cybersecurity.jpg?width=700&auto=webp&quality=80&disable=upscale)
Getty Images
“Active management of the security stack you are providing and not ever being complacent or lax about security is top of mind. I feel like a lot of MSPs either want or act as if security is ‘set it and forget it,’ and it’s not.
“We will be seeing more things like Cisco’s SecureX, which is like Zapier for your security stack (it’s also a pretty revolutionary offer) that will let not just your Cisco security platforms talk to one another but also you can ‘wire up’ your other vendors’ products to it. Cisco is living up to the mantra – building bridges.
“If you haven’t been hit, you will. Be prepared and have resources lined up to help you with IR, insurance and – dirty secret here – being able to pay Bitcoin ransoms if you absolutely have to.
“The bad guys are not just encrypting your stuff, but threatening disclosure of the breach and exfiltrated data, so it’s now the threat of disclosing your client data (PHI or PCI or just client lists) that seems to be the Damocles Sword for MSPs’ clients. (Fines, bad PR, etc.)
“This is really about all of us versus them. They are very organized and are actively scheming to attack us and our clients. We all need to fight back and be prepared. Active partnering is becoming the norm in IR and remediation.”
“We keep hearing about all the new services like Rocket Cyber and now our NOC partner Mission Control has teamed up with SKOUT. This is definitely important for the future. Currently we provide services such as firewalls, AV, etc., but we do add Huntress Labs Breach Protection to our stack.
“On top of that, we tell our clients there is not 100% protection from cybercrime, and for that reason, having quality (we recommend BCDR) backups that are audited regularly is vital. As a smaller MSP, we don’t have the luxury of just buying into another tool stack solution that is going to overlap here and there with our other tools.
“I do believe in the next year or so we will need to look into switching up our stack if our MAV and Huntress combination leaves a hole. I am also always thinking about SIEM technologies, but they again are for larger companies. But it’s good to see MSP-centric tools that are starting to incorporate SIEM technologies to offer these as a service.”
“Cybersecurity will continue to be a driving force in the maturation of the MSP marketplace. This is not only from a client regulatory (and potential MSP regulatory) burden, but from a general business risk management point of view.
“There is a great opportunity right now for MSPs to evolve and not just have a conversation about firewalls and infrastructure, but to have risk management and incident preparedness conversations with their clients. If MSPs are regularly contributing to these types of conversations with their clients, they are part of the cybersecurity solution. If they are simply selling a security stack, they are still part of the problem.”
“The evolving industry of cybersecurity and its products is far superior now to even as recently as three years ago. The ongoing challenges of cybersecurity include calmly reacting to incidents as they occur as well as proactively looking for threats, vulnerabilities or potential incidents. The ability to properly identify, detect and respond to at-risk areas of your business is more crucial than ever.
“A lack of personnel, partnership and preparedness inhibits cybersecurity against threat actors. Strong cybersecurity requires expert monitoring of critical systems and components; proactively establishing a partnership with a local FBI office or external provider to assist with incident response; and implementing proper procedures to effectively communicate internally and/or externally and address the incident should one occur. Diligently working through your prepared incident response plan can directly result in better business continuity.”
“ASSUME BREACH. This means that yes, all of the processes to prevent are super important, but the discovery and response and recovery systems are becoming even more so. In other words, maintain the ship, but also have a super big pump on board to get the water out quickly should it spring a leak.”
“The ongoing security issue is that everything is connected and available online at all times. This was driven by technology innovation that broke down so many barriers.
“However, now those same items that are online all the time need protection … all the time.
“You can’t build a huge shiny structure in the middle of a neighborhood, where all types of people live looking for opportunities, and keep it secure. There will certainly be unwanted visitors. Everything needs to be built with security in mind. Keep eyes on who comes in and out, who has access, who those people are interacting with, and make sure they don’t open backdoors to the unwanted visitors.
“It might sound funny, but seriously, we need security experts watching over the digital world, similar to how we have police officers in the world to protect and serve.
“At Unique, we are focusing on getting all with computers to implement the security stack but to go even further and adopt and implement a framework to support cybersecurity strategy, and develop a mindset of resiliency.
“Reaching resilience will allow one to accept the reality of a breach and build ‘solutions’ to rapidly detect, respond to, eradicate and recover from a compromise.
“Containment is key. Detection is the linchpin.”
“Static security tools, including firewalls and antivirus, are no longer enough. As threats continue to evolve, our security toolset needs to also. MSPs and cybersecurity service providers need to continually assess both client environments and their own.
“We need to perform risk assessments on a regular basis, including for overlooked threat vectors such as websites, and regularly train users on security awareness. It is also essential to implement tools like endpoint detection and response that provide real-time monitoring and threat detection through automation.
“However, as automation increases, professional security analysts need to be in the loop. A trained security professional will know how to interpret and react to an alert, recognizing whether the issue is truly a threat or part of a benign process. The pace of the threats is increasing at speeds we’ve never seen before. We need to be ready.”
“When you look at security top to bottom, stack to stack, app to app, etc., you really need to focus on the entire landscape and ecosystem. That’s where companies fail. The recent security failures across networks, hardware, databases, applications and enterprise-based applications should really be concerning to everyone.
“We’re really seeing an uptick in security vulnerabilities in some of the largest applications on the planet. Not to mention in minor applications that are being run through the Apple store. Everything is hackable; everything is open. People really need to take the security of every component and make sure that their entire landscape network and organization is secure.”
“Cybersecurity is by far the No. 1 issue for both MSPs and our clients. A ransom attack on an MSP that pivots to its clients is a business-ending event, and the MSP would never recover in my opinion. Internal security must be enhanced to protect our own network, and that of our clients.
“On the business opportunity side, we’ve sold several top to bottom network refreshes due to our cyber security offering. With the right approach, price becomes much less important and MSPs can have much higher margins in these engagements.”
“There are a few key items that come to mind on this subject, specifically to having a road map that allows execution as well as the desired outcomes.
Map the security road map to a framework (e.g., NIST CSF). Having a validated direction for your program and assessing how your controls and process align is important to understand your gaps and where your biggest risk and threats exist.
Visibility and coverage. Having a clear picture of the enterprise infrastructure is essential. How does your business work, what’s in the cloud, what’s in the network, etc., and do you have visibility into all of the necessary infrastructure, applications and systems, then ensuring that you have the right security tools and automation to apply coverage and appropriate controls and alerts to mitigate bad actors.
With digital transformation, the digital workspace and the new norm of a distributed workforce, moving in the direction of a zero-trust network (ZTN) approach is critical to protecting your assets in an environment that has increased the variables and attack points with the diminished perimeter due to this transformation.
Last, have a plan. Running tabletop exercises against various Indication of Compromise (IOC) scenarios helps prepare a company to defend and protect in the event of a real compromise. It is essential to know who does what, what are the critical systems, what happens if you have to shut down a critical application or take a server offline, etc. And knowing who makes the calls. This extends to having PR teams ready, incident response teams enabled and ready to deploy, and legal teams that can start helping through the situation.”
“Cyberattacks are increasing, and SMBs are unprepared. We know that small business owners often struggle with security; it’s not their day job and their attention is focused on operations and growth. SMBs need help evaluating their security risk in depth for defense from endpoint to endpoint. And the pandemic has increased the threat surface exponentially.
Since COVID-19, the FBI reported a 300% increase in reported cybercrimes.
Forty-three percent of cyberattacks target small business.
Small organizations – those with fewer than 500 employees – spend an average of $7.68 million per incident.
Sixty percent of SMBs go out of business within six months after a cyberattack.
“Even with the increased threat, many small businesses don’t have the internal IT resources to handle the challenge, leaving many not knowing where to start.
“Once SMBs have a security solution in place, they often don’t have the resources to maintain it over time, making them more vulnerable.
“As a result, SMBs are opting to do nothing – thus increasing their security risk when they should be mitigating their exposure.
“However, considering SMB security budgets are limited, it is important to apply those funds to the areas that will best mitigate cyber risk. We are increasingly providing advisory services to our customers to help SMBs understand how secure they are and to identify biggest risks to the security of their organizations. By providing upfront analysis and delivering recommendations, we enable SMBs to allocate funds to the most pressing security challenges they face now while preparing for the future with more robust solutions.”
“Even before the pandemic, cybercrime was a huge issue for all businesses, regardless of size or industry. With the shift to remote work and the decline of the traditional security perimeter, many companies must now address new points of vulnerability and figure out how to ensure their employees can securely access vital apps and data from anywhere – all while fending off increasingly sophisticated cyberattacks. Staying on top of the threat landscape will only become more difficult as cybercriminals get more advanced.
“Overall, hackers keep getting craftier, and even the latest next-gen tools can only do so much. That’s why managed security service providers (MSSPs) that offer not only products like MFA, firewalls, antivirus and so on, but also strategic guidance and incident response services are so vital these days and will only become more so moving forward. You need a team of cybersecurity experts to monitor and interpret the output from your programs and tools and respond ASAP to any issues to prevent extensive damage.
We recommend that our clients implement a multilayered approach that includes security operations center (SOC) and incident response triage services from our security team. Products, even the best ones, can only do so much when you’re faced with a ceaseless barrage of new hacking tactics and malware variants. Having the right people on your side who know how to manage and strategically leverage your security tools is a must.”
“The threat landscape of businesses from post-COVID-19 lockdowns has catapulted the industry into reliance on work-from-home solutions, which consequently has blurred what we define the ‘edge’ of our networks to be.
“Firewall-wise, instead of focusing in on the perimeter security of the traditional office networks, we now need to appreciate and account for all the remote workers, that when connected from home, are bridging their home networks into the corporate networks. And too often firewalls are left in a “half-baked” state in which security provisions are not fully or accurately implemented, which then exponentially creates higher risks for businesses focused on accessibility rather than security.”
“The recent security events are an eye-opener for any third-party vendor. MSPs and MSSPs are challenged by supporting dynamic environments, and with the amount of activity around breaches, it is very important to secure the home front.
“For us at 360 SOC, we go by the saying, ‘practice what you preach or sell,’ and use the tools you sell to your customers with some transparency. This is important. The last thing you want as a vendor is to be the cause of someone else’s breach or chaos.”
“Having firewalls, antivirus, domain name service (DNS) gateways, spam filtering, security awareness training, multifactor authentication (MFA), etc., are all table stakes. You need to now have a SIEM, SOC and advanced monitoring options in place to help you identify, detect and respond quickly.
“You also need to have a firm relationship with an MSSP to help you if you do not have the skills and/or talents on your staff to help you in this journey.”
“The elephant in the room with security is just authenticating who someone is, even if they’re contacting you from a known source. People focus on secure locks, deep machine learning antivirus solutions, advanced network filtering and security, alerting, etc., but miss the fact that it doesn’t matter how secure your environment is if your user opens the door for an intruder. If someone calls to get a password reset and they identify themselves, know a few security questions, etc., are you sure they are who they say they are and not a deep-faked voice with a little bit of social engineering and research?
“We live in a post-security world. It’s not enough to try and just prevent a breach, you need to know what to do when one happens. No matter how much security you apply, technology is too complicated and the technological arms race too high paced to remain impenetrable. Even air-gapped machines have been infected by the right strategy. It’s not a matter of if you’re breached, but when. Your preparations and your response make the difference between being down long enough to go bankrupt, and it just being a moderately stressful day.
“Detection of a security breach impacts the damage done to your environment. If a computer gets infected and your setup quarantines it and alerts you as soon as something out of the ordinary happens, you’re going to fare better than a backdoor sitting on a network for weeks with a threat actor doing whatever they want. Having the technical setup to roll back affected systems and square away all the security issues (credentials, infection, backdoors, etc.) is one thing, but one machine is easier to fix than 100. The sooner you know, the less work you need to do.”
“There are lots of security stack items that are really just IT (firewalls, antivirus, etc.). If you’re serious about security today as an MSP, you need to start internally by having all of the right controls in place and maybe a SOC2 certification.
“The last thing that you want to be is a conduit breach that affects your clients. Beyond having the right service organizational controls, someone needs to be watching your environments and your client’s environments 24×7, alerting about anomalies, configuration changes or other IOCs. If you don’t have those capabilities in-house, there are numerous service providers beating on MSP doors to provide them.
“Alternatively, you could partner with an MSP-friendly security company – you don’t always have to pretend that you can do everything (white label). Sometimes there is value in letting your clients know that you are partnered with a security company and you’re focusing on what you do best.”
“Back in 2017 we partnered with an MSSP Infosec – Ingalls Information Security – to help a few companies recover from ransomware attacks. Ingalls helped us understand the importance of adding next-generation artificial intelligence with best-of-breed tools and their security operations center (SOC with eyes on screens) to add more layers of advanced cybersecurity controls not just for our clients, but for us internally. This is important because Ingalls predicted that MSPs would be targeted for future cyberattacks, and we didn’t want that to happen to us.
“Cyber attackers know that we as MSPs have full access to companies who could be exploited to pay a hefty ransom if they could gain access to our remote management tools to deploy their ransomware. We didn’t think much about this back in early 2017, but we are glad that we were forward-thinking as we began layering in these tools and services that they recommended before the end of that year. The tools and services that we added are called a managed detection and response (MDR) plan, and this is the future of managed IT services. As we all know, the cyberattackers have already exploited several MSPs over the past few years as we have seen in the headlines, and those who are not layering in additional cybersecurity could become their next victim.
“There are typically four common pillars to an MSP practice, and while those four pillars are important, they are no longer enough to keep the attackers out. Pillar 1 – patching (operating system updates). It is very important to patch or update operating systems, but patches alone are not enough. Pillar 2 – signature-based antivirus. The common antivirus products that we as MSPs have been sold are all definition-based, and they will not protect against a threat for which there is no signature or definition. We call those zero-day threats, and antivirus is as good as dead if we do not incorporate an artificial intelligence (AI)-based product that detects bad behavior rather than relying on a known signature. Pillar 3 – firewalls. Many users are working from any device, anywhere, and they are not even behind a corporate firewall. Even if they are, we are once again relying on unified threat management subscriptions and firewall rules to help stop the attackers. Pillar 4 – backups. Many backup solutions are attached to a server or cloud environment that could also get infected with ransomware and encrypt all of the backups. Unfortunately, we have worked several breach recovery engagements where the backups were encrypted and the ransoms had to be paid.
“So are the four pillars of managed services going away? No, these are still best practices and good computer hygiene that all of us as MSPs should be doing, but if we are not doing more than that, then can we really tell our clients they are paying us to keep their business protected? Now that cybersecurity incidents are happening daily, many MSPs are more concerned and they are scrambling to find the right layers of security to add into their stack. There are so many different a la carte products to choose from. For example, there is AI-based threat detection, antivirus and anti-phishing tools that MSPs can layer in to help stop phishing emails, but that only covers one or two threat vectors. What do you do about logging (SIEM)? And who has time to sort through all of the logs (SOC)? If you leave that part out, you are relying on your techs to fine-tune these tools and they are probably not going to have time to review the logs. Your techs are supposed to be optimizing the performance of your clients’ networks and adding value by helping clients solve business problems with technology. Asking your techs to take on these additional responsibilities is like asking them to focus on being a mechanic while being a security guard at the gate at the same time. Sure, you could build your own SOC, but this could easily cost over $1 million to build out.
“As MSPs, our clients are trusting us to keep up with the changing threat landscape, and most of our clients don’t know that signature-based antivirus, firewalls and backups alone are no longer protecting them, but they are learning about MSP breaches. It is our job to figure out how to include these more advanced cybersecurity solutions into our stack.
“One day your clients will be asking you more questions about what you are doing internally to keep them from becoming part of your own breach. My prediction is that becoming an MSSP, either by partnering or building your own stack to include a SIEM and a SOC, is going to be imperative within three years in order to be a credible MSP. These cybersecurity layers that we are adding on will just become part of our stack, just as common as bundling in our remote management and monitoring tools and backups is part of our per-user or per-device charges. I believe the best thing that any MSP can do today is to reach out to an MSSP who can partner to provide a managed detection and response plan. Most MSSPs are not trying to cannibalize the four pillars of our managed service business. They just want to partner with us to provide an important part of our solution. As an MSP, I feel great about knowing that our MSSP partner is responsible for selecting the right tools so that my internal staff can focus more on solving business problems with technology, and we can bundle everything together to provide a total IT solution for our clients.
“My short-term prediction is that things will continue to get worse for the SMB space for about two or three more years. The SMBs that we serve will eventually catch up to more enterprise-grade protection that we as MSPs can offer, and things will eventually get better. We have an amazing opportunity to turn this trend around, but we have to stop fighting tomorrow’s attacks with yesterday’s tools.”
“This past year the umbrella of security has experienced increasingly more complex cyberattacks, while the shortage of qualified cybersecurity professionals continues to grow. It’s no longer the traditional spam filtering, DNS gateways, and MFA – but security professionals now need to account for work from home and the new post-pandemic norm where more workloads are moving to the cloud. The rise in demand for cloud-based services, and hybrid and multicloud solutions, has created more complexity and endpoints in the IT ecosystem. But also, they are being accessed by users that are no longer at the centralized office but from a plethora of devices in a range of work from home situations.
“As more workloads move to the cloud, compliance standards to ensure the mission-critical workloads have the necessary security and compliance all the way through the supply chain are important. We’ve seen increased security events happening at every level this past year – from increased phishing and ransomware attacks, nation-state attacks on monitoring and mail, and fire- and natural disaster-caused outages. Security has grown to include components at each of those levels. The people you hire and contract with. The security and compliance of cloud environments you choose … and vendors they choose. The network. The facilities that house your infrastructure. The regions where you select facilities. Additionally, for those that are migrating to cloud-based applications, ensuring the selected vendors incorporate DevSecOps around planning, design, development, QA is also key.
“The industry is rightfully headed to a space where customer references for vendor selection are a nice to have, but compliance and certifications become the requirement. Awareness and increased demand for third-party tested and verified solutions will likely be the way of the future.”
“Security is a constant effort that must be paid forward each and every day. As the threat landscape becomes more diverse, it is not enough to set up security solutions and rely on their presence alone. The simple truth is that ‘fully secure’ is a myth. SolarWinds and other breaches of its caliber have shown us that. Securing our networks and computing systems is not a reachable plateau but a constant uphill climb.
As MSPs, we can choose to climb alone, internally sourcing our security monitoring, or with the help of a trusted partner we can make that uphill climb easier. Make no mistake: security is deeply integrated into all that we do. End-user training, patching, hardware and software solutions all are a large part of improving our posture. But in this day and age having dedicated, trained professionals available to offer insights in monitoring, skilled in response, and knowledgeable in mitigation and preventative measures, makes all the difference.”
“At Teamlogic IT we believe there is no finish line for the war against cyber crime. The threat level has, and will, continue to increase the stakes. There was a time where we could rely on protecting the application, data, endpoints and firewall with backup as a way to recover if all else failed. We are always on the defense, so taking a layered approach to security is the best strategy.
“The pandemic caused many employees to work from home outside the security perimeter. Bad actors caught on and used social engineering to gain access through unsuspecting remote workers. As a result, employee awareness training and Windows Virtual Desktop were all the rage. That was last year.
“The SolarWinds attack shocked many in the trade with a pandemic of its own. Because of this, SOC services have become an essential part of the MSP toolkit. Exploited machines need to be quarantined immediately to minimize the damage. SOC is around-the-clock work and rapid response has never been more important.
“The good news? This all drives additional margin for the MSP. As we know, there has never been a better time to be a managed IT service provider.”
“Today’s environment is further blurring the lines between MSPs and MSSPs. Meaning, you can sit around and wait for something to happen to you, or you can take proactive measures ensuring the networks being managed or created are secure. Venture Pointe, like others, is now running its own network security scans and vulnerability testing – specifically running the same processes on itself and its networks as outside security professionals would. Additionally, we are really having to provide additional security training and consulting to our clients. The need for improved education against phishing attacks has driven new revenue opportunities for MSPs to provide the training, testing and oversight of these forms of attacks to each client.
“Venture Pointe, as a result of mobile device management requirements significantly increasing over the past months, has taken a much increased role in client new-hire onboarding and training ahead of these employees hitting the work floor. Additionally, we have had to develop standard work from home (WFH) environmental assessments not just for general workspace performance, but to also ensure secure and compliant work spaces. We have seen roughly a tripling of the number of clients employing MDMs in the last six months alone.
Honestly, the security conversation probably occupies 80% of the initial client conversation and then continues throughout the relationship to ensure there is a consistent development and maturation of all environmental/data environments.”
“Two things really stand out in the new landscape of IT security in the time of “work from anywhere” mobility. The first is the demise of traditional networking boundaries; what does “the perimeter” mean today?
“The second is the concept of treating Azure (and M365) as the new “endpoints,” as that is the focus of so many attacks today and into the future.”
“I would agree that security software and equipment are not good enough anymore. The malicious actors are compromising systems and networks without security devices, showing that they are compromising your infrastructure. Threat hunting needs to be performed to find evidence of compromise.
“With threat hunting, you must go on the hypothesis that your network has already been compromised. Then you start hunting to prove the network has either been compromised or has not been compromised. If you have found evidence that it is compromised, then you invoke your incident response process.”
“The security landscape continues to evolve. It is no longer just about tools and layers anymore. The modern comprehensive security strategy now must contain the following elements:
Layers of tools.
Active human and AI monitoring.
Consistent strategic reviews of the total technology stack.
Established policies.
“Security holes are everywhere and need to be addressed from all angles.”
We recently asked partners to give us their take on the current hottest happenings in the industry, and man – oh man – did cybersecurity and the threat landscape make the top of the list. Shocker.
Cybersecurity continues to be top of mind for MSPs. It used to be that supplying your security stack of products and best practices was good enough to keep customers safe. These are items like firewalls, antivirus, domain name service (DNS) gateways, spam filtering, security awareness training, multifactor authentication (MFA), etc. But now, above and beyond the product stack, you need eyes watching your environments.
That’s just one aspect of it. We wanted to know what the ongoing challenges are regarding security and the threat landscape, plus where folks think things are headed — and should head.
The answers we received were varied, even heated at times, but one theme was clear: The “set it and forget it” mindset is not cutting it anymore. It hasn’t for a while.
Click through the slideshow above to see what our partners had to say about one of the hottest button issues in the industry right now.