Is it worth evolving to become a Managed Security and Service Provider (MSSP)?
The business case seems clear for MSP cybersecurity mastery, but how do you tell when an idea’s time has come? Well, if the volume of stories about Managed Service Providers (MSPs) facing increasingly advanced security threats is any indication, then the time MSPs to evolve is now. October 2018 saw significant news of MSPs being systematically targeted by advanced persistent threat (APT) actors. One hack was even linked to the work of the well-known group APT10.
There are other examples that are also thought to be traceable to state-level actors, or at least connected to them. And while APT groups certainly leveraged good tech and considerable experience in running malicious campaigns, they also had “help.”
Consequences of integration – a threat of our own making
This “help” is a consequence of the constant, well intentioned streamlining of processes, the integration of IT features and functionality, and the nominal good practices of administrators that are in large part the primary goals of applied information technology in business.
These practices are “nominal” because poor security practices may not have been the issue at the MSPs in these cases. Instead, the processes used to create business efficiencies by the MSP model may have attracted trouble in the first place – leading to those organizations being targeted. The value proposition for APT10 – and likely others – is that everything has already been organized, formatted and collocated under one digital roof ahead of time … for their accidental benefit.
Even among the various IT service(s) providers, the MSP business model may stand out since those providers act as gatekeepers to a huge cache of business and personal data, intellectual property, access credentials and other types of capacity-enhancing toolsets. Similar attacks and cyber-espionage campaigns have begun targeting cloud service providers as well.
Keys to the kingdom – a tasty target
More specifically, MSPs have privileged access to both data and systems within a large number of client networks. This is in fact access (for example via remote desktop protocol) that clients have authorized so that the MSPs can provision and manage IT needs on their behalf. Unfortunately, the MSP business model can actually enable sector-specific targeting by bad actors.
While MSPs work daily to support clients’ IT needs across multiple business verticals, building familiarity with and competency in business areas like health-IT, finance, mechanical and civil engineering, etc., they are likely to attract the interests of cybercriminals who see a one-stop shop.
Thus, infiltration of MSP networks and subsequent exfiltration of their client data, logins and other business-critical data means nearly unrivaled access to pursue multiple types of criminal campaigns.
Supply chain attacks, ransomware, DDoS, corporate espionage, cryptolocking, etc. could result from an infiltration and affect any or all clients, as well as the business verticals they belong to. Logically, to A. protect their businesses and B. protect the entire fabric of the business ecosystems their clients belong to (industry vertical/supply chain), MSPs will have to put cybersecurity at the center of their business case.
With so much to lose, is there a choice?
The sentiment and even the business case are not new; there have always been threats to the MSP model. Logically, then, MSPs that have most actively addressed the threat to their own businesses (and thus their clients) have evolved toward becoming MSSPs. MSSPs may also be likely to feature a deeper cybersecurity talent pool and increased understanding of both the market and revenue opportunities.
However, with the clear and present danger highlighted by APT10’s interest – at least in this case – we can say that those MSPs not deriving business ROI in parallel with the necessity and complexity involved with advanced self-protection would be inflicting a form of self-harm.
With multiple clients relying on MSPs for efficient processes delivered via IT services – and for many more, their security – MSPs and MSSPs (to a lesser extent) must both inevitably adopt a strengthened cybersecurity posture. Bottom line: The threat landscape has shifted, and MSPs have been identified as high-value targets, including by APT groups. So MSPs should pursue protection levels akin to those of high-value enterprise targets.
Many will still ask whether deploying an advanced suite of enterprise tools for an MSP is proportional to the risk. (If you are unsure about the efficacy of employing enterprise tools for your MSP operation, you might consider pursuing a security audit internally as well looking at your client-facing security offer.)
For motivation to answer the abovementioned question, imagine your top 10 clients suffering a breach or other security incident. Now imagine if that breach were traceable to your service via some basic tools of the trade – for example, via a hacked remote desktop protocol or poor implementation of 2FA.
A recent article by ESET Senior Researcher Stephen Cobb, “Criminal hacking hits Managed Service Providers: Reasons and responses,” discusses how MSPs have “raised the standard of due care” in light of recent attacks. “If you suffer a data breach – either as an MSP or the client of an MSP – you cannot reasonably defend legal challenges to your security posture on the grounds that you were unaware serious criminals were active in this space.”
In that article, Cobb offers a rationale for implementing the following eight measures: application whitelisting, application patching, application hardening, restricting administrative privileges, multi-factor authentication, OS patching, daily backups and adjusting Microsoft Office macro settings.
These measures are widely seen as critical and were even promoted by the Australian government, in a warning and advisory in January 2019 titled “Implementing the Essential Eight for MSPs.”
The other guidance offered by Stephen Cobb was deployment of Endpoint Detection and Response (EDR). EDR platforms allow security desks to help with the identification of irregular/anomalous behavior and breaches. They also aid in risk assessment, incident response, investigations and remediation. At ESET, while interest in deploying ESET Enterprise Inspector has grown since its launch in 2018, it must be said that there hasn’t been a stampede to grab EDR.
While EDR solutions do represent additional costs and demand additional skills beyond standard endpoint protection platforms, MSP/MSSP operators should consider their cybersecurity maturity as a key selling point and a core necessity for their sustained business operations. Case in point: Engaging with threat data at this level means that the MSP can not only protect itself, but it can demonstrate its security prowess to clients.
Beyond that, it is likely that deployment of EDR solutions and other advanced security capabilities for endpoint protection (for example: SIEM and Threat Intelligence) will become near-standard practice in the face of increasingly aggressive bad actors that are targeting both business models and technologies that help simplify processes and add business efficiencies.
Among MSSPs, some have commercialized their internal EDR practices, providing Managed Detection and Response (MDR) to clients 24/7, which includes threat detection, response, and remediation. Provided along the lines of a typical MSP arrangement, the services work to support companies without the internal capacity to deal with threat and incident management.
With this trend strengthening, it seems clear that the security environment is posing new challenges for MSPs and their clients, but also yielding new business opportunities.