Weigh the risk of remote monitoring and management after Kaseya attack
[The Channel Angle is a monthly CRN guest column written by an executive that focuses on the triumphs and challenges that solution providers face. If you are a solution provider executive interested in contributing, please contact managing editor David Harris.]
By Ryan Heidorn
If you work at an MSP and haven’t woken up in a cold sweat worrying about your clients being breached, you may have missed the repeated warnings of recent years. A series of reports, including those from US government agencies like CISA, the FBI and the Secret Service, as well as security providers like CrowdStrike and Perch, have warned that attackers are targeting MSPs as a uniquely convenient entry point for breaching multiple organizations at once.
On July 2, the threat became concrete when the REvil ransomware gang exploited an unpatched vulnerability in Kaseya VSA, a popular platform used by MSPs to remotely manage their customers’ networks, to infect those networks simultaneously with the Sodinokibi ransomware. The total number of businesses affected is unknown but already estimated in the thousands, including a Swedish grocery chain that was forced to close 800 stores after the attack took its payment systems offline.
Cybersecurity is table stakes for any business today, but MSPs, which provide IT and security services to many businesses at the same time, are a critical lever for managing, or amplifying, risk. An effective MSP is a vital asset for companies that cannot staff and manage IT or cybersecurity capabilities in-house. But the Kaseya hack underscores the need for MSPs, as an industry, to take a serious look at their own internal cybersecurity maturity, as well as at the tools and methods they use to manage customer networks.
As a kind of Hippocratic Oath for IT service providers, MSPs must first ensure that their own tools do not put their customers at risk.
The Security-First MSP
Security should be a business priority for MSPs, not only because putting customers at risk is unacceptable, but also because the market for managed security services is expected to reach nearly $19 billion by 2024, up from $12 billion in 2020. MSPs planning to get in on the action should take a cue from airline safety protocols: secure your own mask before trying to help others.
Examining the risks inherent in using a centralized remote administration tool, such as the remote monitoring and management (RMM) platforms that are ubiquitous among MSPs, is a good place to start.
Cybersecurity firm Huntress provided threat analysis and assistance to MSPs following the Kaseya hack, and has seen other RMM vulnerabilities exploited in the past. John Hammond, senior security researcher at Huntress, says MSPs need to be more vigilant than ever.
“MSPs and MSSPs are the mothership of hundreds, if not thousands, of small and medium-sized businesses, making them a treasure trove for hackers,” Hammond said.
“With a compromised RMM solution, an unsuspecting MSP can distribute ransomware or other malware to any customer who trusted them for security. While we depend on software and technology to help us do our jobs, it is absolutely necessary that security and defenses are built in by design.”
Outsourcing potential problems
Companies outsource IT and security to MSPs because, among other reasons, it is more cost-effective than developing and maintaining skills and capacity in-house. “By serving large numbers of clients,” notes a recently updated CISA alert, “MSPs can achieve significant economies of scale. However, a compromise in one part of an MSP’s network can spread globally, affecting other customers and introducing risk.”
A well-established ecosystem of vendors, platforms and integrations exists to support MSP operations. The debate over which RMM tool to use is a common discussion among MSP practitioners, such as those in the Reddit r/msp community, which has over 100,000 members. Reddit user Coriron, a moderator of the popular subreddit, said, “One of the first things new members ask in our community is which RMM or PSA [Professional Services Automation] tool is the best. It is generally assumed that if you are an MSP you will need an RMM.”
However, security concerns may be baked into many of these commonly used platforms. We have identified three main areas of concern in the conventional wisdom surrounding how MSPs adopt ecosystem tools:
1. Ecosystem security (or lack thereof)
The major vendors in the MSP tooling space are not known as security-focused organizations with a mature approach to security engineering. More likely, they are private-equity-backed firms that have grown through acquisition, bolting new functionality onto legacy code bases for RMM platforms and similar tools.
Security documentation for RMM platforms is notoriously inadequate. For MSPs looking to control their own RMM server (as opposed to using a vendor-hosted solution), hardening a self-hosted deployment can be difficult, if not impossible. In the case of one major vendor, self-hosting its RMM solution requires deploying a “black box” virtual appliance with no access to, or visibility into, the underlying operating system, plus a permanent remote connection to the vendor for license changes.
Normal operation of RMM services typically requires exempting the software from basic security controls (e.g., antivirus, Group Policy, SSL inspection). And, in some cases, the development of core security features such as multi-factor authentication and single sign-on on RMM platforms has been delayed for years beyond the point when it was reasonable to do so. It is therefore not surprising that contemporary security concepts like Conditional Access and other zero trust architecture principles, which could go a long way toward preventing MSP platform breaches, have not found their way into RMM platforms.
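To make the Conditional Access point concrete, here is an added, hypothetical example (not any RMM vendor’s code) of a policy gate in front of an RMM console login, showing the password-only posture the column describes beside a zero-trust style policy that requires a second factor, a managed device and an expected location; the field names, policy keys and sample logins are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Added, hypothetical example: a conditional-access gate for an RMM console.
# Not any vendor's code; field and policy names are assumptions for illustration.

@dataclass(frozen=True)
class LoginAttempt:
    user: str
    mfa_satisfied: bool   # session passed a second factor, not just a password
    device_managed: bool  # device is enrolled and compliant in the MSP's own MDM
    source_country: str   # geolocation of the client IP

# The weak posture the column describes: password-only logins from anywhere.
WEAK_POLICY = {"require_mfa": False, "require_managed_device": False,
               "allowed_countries": None}
# A zero-trust style posture: every control must pass before a session is issued.
STRICT_POLICY = {"require_mfa": True, "require_managed_device": True,
                 "allowed_countries": {"US", "CA"}}

def evaluate(attempt, policy):
    """Return (allowed, failed_controls). All failures are reported, not just the first."""
    failed = []
    if policy["require_mfa"] and not attempt.mfa_satisfied:
        failed.append("mfa_required")
    if policy["require_managed_device"] and not attempt.device_managed:
        failed.append("unmanaged_device")
    allowed = policy["allowed_countries"]
    if allowed is not None and attempt.source_country not in allowed:
        failed.append(f"country_not_allowed:{attempt.source_country}")
    return (not failed, failed)

# Constructed sample logins to the RMM console.
SAMPLE = [
    LoginAttempt("tech1", True, True, "US"),
    LoginAttempt("tech2", False, True, "US"),   # password only
    LoginAttempt("admin1", True, False, "US"),  # personal, unmanaged laptop
    LoginAttempt("admin1", True, True, "RU"),   # valid creds, unexpected location
]

def denied(policy, attempts=SAMPLE):
    """Map 'user@country' -> failed controls for every attempt the policy rejects."""
    return {f"{a.user}@{a.source_country}": f
            for a in attempts for ok, f in [evaluate(a, policy)] if not ok}

if __name__ == "__main__":
    print("weak policy denies:  ", denied(WEAK_POLICY))
    print("strict policy denies:", denied(STRICT_POLICY))
```

Under the weak policy every sample login, including the password-only one and the login from an unexpected country with valid credentials, is admitted; the strict policy rejects three of the four and reports which control each failed.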
2. Platform-based decision-making
There is a philosophical debate among MSPs (and IT professionals in general) between “integrated” and “best-in-class”. In other words, is it better to choose “all-in-one” solutions that offer high interoperability between components, or to choose the most effective solution available and risk poor interoperability with other technologies in the environment?
The integrated approach, by prioritizing operational efficiency (ease of deployment, management and invoicing), can help MSPs scale and meet industry goals for gross margins of up to 75%. But letting integration drive decision-making can have industry-wide security implications: MSPs are incentivized to use and sell solutions that integrate best or are white-labeled with their PSA and RMM platform, as opposed to the most effective security solution.
There are many legitimate and useful arguments in favor of the integrated approach; for one, it is seen as fundamental to delivering affordable services at scale. Certainly, a savvy and knowledgeable MSP can adopt ecosystem tools and deliver effective security to its customers. Nonetheless, recognizing that ecosystem vendors have become de facto gatekeepers is key to analyzing the risk in an MSP’s tool set.
3. The Risky Business of Unattended Remote Access
The basic functionality of an RMM platform is indistinguishable from that of a remote access Trojan: an agent running on a computer as “root” or “SYSTEM”, capable of executing arbitrary code, communicates back and forth with a command-and-control server. On the other end, a robust user interface lets an operator remotely view and control the screen, transfer files, execute code and probe the network.
Consolidating this administrative capability in customer environments enables MSPs to effectively manage and support customer networks. It is also a single point of compromise allowing attackers to gain privileged access to all clients of an MSP at once. In the wake of the Kaseya and SolarWinds hacks, as the world turns its attention to supply chain attacks, the question is whether maintaining a centralized repository of unattended access to all customers of an MSP is an acceptable risk.
Understanding and managing risk is the first step for an MSP that takes a “security first” approach. This requires an ongoing assessment of practices and assumptions in the context of today’s threat landscape, and an openness to letting security come before operational efficiency or even short-term profitability. Given the risks inherent in today’s RMM implementations, security-conscious MSPs will need to decide whether conventional tools are up to the task of protecting their business and their customers.
Ryan Heidorn is the co-founder and CEO of Steel Root, an IT services provider based in Salem, Mass., where he leads the company’s cybersecurity practice. Heidorn’s expertise includes helping companies in the US defense industrial base implement and operationalize cybersecurity requirements within the framework of DFARS and CMMC. He also serves on the board of directors of the New England chapter of the National Defense Industrial Association (NDIA).