Exchange Breach: MSPs That Did Not Move On-Premise Exchange To The Cloud ‘Blew It’
In the wake of the disclosure that Chinese hackers had exploited several Microsoft Exchange on-prem vulnerabilities, solution providers said it’s more evidence that cloud-based email offers major security advantages.
When Five Nines IT Solutions CEO Douglas Grosfield learned of the latest blockbuster security breach impacting tens of thousands of companies, he couldn’t help but think that his MSP colleagues that did not move their Microsoft Exchange on-premises servers to a cloud-based email offering like Office 365 had flat out failed their customers.
“If you are an MSP going to your existing customers to see if they have this Exchange on-premise vulnerability, then you already blew it and should close up shop and find something else to do for a living,” said Grosfield, who has moved tens of thousands of Exchange on premise seats to Office 365 since founding Five Nines six years ago as a next generation strategic service provider. “If you’re running towards the barn saying ‘Ohh we have to close the doors!’ and the horses are long gone then it’s too late. A day late and a dollar short concept doesn’t fly in technology. You have to be a day early and money in the bank. You have to be strategic.”
[Related: Hackers Steal Email From 30K US Orgs Via Microsoft Flaw: Report]
Grosfield says cloud-based Office 365 is simply more secure than the on-premise Exchange server model. “More than 90 percent of all breaches come from business email compromises and it’s so much easier for the bad actors to penetrate an insecure, inadequately maintained and inadequately monitored on premise Exchange environment,” he said. “It’s not to say cloud services don’t have their issues now and again, but ultimately you are sharing a massively more secure architecture when you migrate that email workload to the cloud.”
Microsoft said as much in its post mortem on the massive SolarWinds breach reminding customers of the importance of cloud technology over on premises software with a clarion call for customers to “embrace the cloud.”
“Cloud technologies like Microsoft 365, Azure, and the additional premium layers of services available as part of these solutions, improve a defender’s ability to protect their own environment,” said Microsoft Corporate Vice President, Security, Compliance and Identity Vasu Jakkal in a blog post.
Microsoft also recommended “advanced layers of protection that can detect, alert, prevent and respond to attacks across identities, email, cloud apps, and endpoints, you may be locking a door while leaving the window open.”
That advanced layers of protection approach is part and parcel of every Five Nines IT Solutions engagement. In fact, Grosfield brings customers a full suite of advanced protection including cloud distributor Sherweb’s Office Protect 365 Security solution, Sophos’ secure email gateway, cloud firewall and managed threat response.
“We have a security architecture offering that layers on top of Office 365 with Office Protect,” said Grosfield. “Sherweb has done a fantastic job with Office Protect product. It is a single pane of glass, one button press security for every piece of your Office 365 architecture in the cloud.”
One key service that has served Five Nines customers well is the Sophos managed threat response service. “That as a service model has Sophos actively threat hunting for our customers, whether your architecture is purely cloud, hybrid or on premise or any combination therein, Sophos works as your security operations center to actively hunt for threats in your environment,” he said. “If you had a service like that even if you were running a a vulnerable version of SolarWinds Orion it would have through enhanced detection and response platform alerted you to the vulnerabilities and mitigated those risks. The wider open your eyes are the more you see.”
Grosfield is not alone in his contention that cloud-based email offers major security advantages.
Ric Opal, principal and national GTM and strategic partnerships leader at BDO Digital, a Microsoft Gold Partner, said his company firmly believes that the “cloud is more secure than on-prem” for a variety of reasons.
“The majority of investment, innovation, artificial intelligence and creation of intellectual property is landing in cloud technology,” said Opal. “Therefore, as evidenced in this particular hack, there is no effect with Exchange Online. It’s not part of the problem.”
For one thing, the availability of real-time security data and analysis for cloud applications enables “much more rapid” patching than with on-prem deployments, he said.
“When you start looking at a security breach that’s occurring from a cloud perspective, you can see where it’s emanating from, you can see which geography it’s coming from, you can see what the variants are. You can see where it’s spreading and you can understand how it’s spreading,” Opal said. “You have the benefit of data, artificial intelligence and massive compute power to deal with it there that you simply don’t have in an on-prem world.”
During the recent Exchange breach, it’s likely that Office 365 customers were not impacted “due to Microsoft’s proactive defenses and active monitoring already in place,” said Caleb Freitas, cyber security team lead at Atlanta-based solution provider ProArch.
“With on-premises, the organization is owning the full burden of security and solution management,” Freitas said in an email to CRN. “On-premises systems and servers require extra due care and due diligence around that infrastructure to prevent compromise and to respond adequately when a compromise occurs.”
Ultimately, “a core advantage of cloud technology is the transfer of various areas of security and solution management to the cloud provider,” Freitas said.
The Exchange incident should be yet another driver for customers to move to cloud-hosted email, said Ryan Loughran, reactive service manager at Valiant Technology, a New York-based MSP.
Valiant moved its last remaining on-prem customer to Office 365 a year ago, Loughran said. The Exchange incident “is really showing people that the days of on-prem [email] are gone,” he said.
The MSP has in fact received several inquiries from customers about moving to cloud email in the wake of the Exchange hack, Loughran said.
“It’s opening people’s eyes,” he said. “Companies are now realizing, ‘Maybe I should modernize.’ And they’re on the lookout for service providers that can provide that for them.”
Huntress, the managed threat detection and response vendor that works closely with MSPs, said that roughly 800 of the 3,000 Exchange servers the company has checked are still susceptible to the zero-day vulnerabilities being exploited by adversaries including Chinese hacking group Hafnium, Senior Security Researcher John Hammond said in a Friday update to his blog post. In addition, Huntress said Friday that more than 300 of its partners’ servers have received malicious web shell payloads.
KrebsOnSecurity has estimated that 30,000 U.S. organizations have had emails stolen as a result of the breach of the four Exchange server vulnerabilities. A senior U.S. official with knowledge of the Chinese hacking investigation said the breach has impacted 60,000 organizations globally, according to Bloomberg.
Grosfield –- who started Five Nines with the premise of making IT a utility service for his customers -- said MSPs that are hanging on to legacy remote management and monitoring are missing the cloud boat. “If an MSP is holding on to an on-premise Exchange architecture then it is because of some combination of lack of awareness, education and fear,” he said. “As a result, you have this stagnating pool of aging technology that are brightly lit targets of opportunity for the bad guys.”
Grosfield’s call to action for MSPs is to do your due diligence and migrate the Exchange on-premise servers to Office 365 to avoid another security breach.
“When you see this kind of breach, in my experience with decades in this industry, it is typically the tip of the iceberg,” he said. “The scope and magnitude of the issue is typically larger than first few big stories that are breaking. My suspicion is this problem is larger than many smaller regional MSPs realize.”
Any MSPs that are holding back on Office 365 are simply ignoring the realities of the cloud market, said Grosfield. “If you do it right and take the necessary steps and migrate that workload to the cloud, deploy the right secure technologies with a layered approach then there is no question that doing so will place your customers in a position of greater security,” he said.