Fighting Back: MSP Customers Get More Security-Savvy

“Third-party risk management is going to become one of the basics businesses have to succeed at,” said Mathew Newfield, chief information security officer at Unisys.

Following last year’s indictment of two Chinese nationals for allegedly targeting and compromising managed service providers and other IT firms, all businesses have become more serious about actively investigating the risk management policies and procedures of their suppliers.

Any doubt that the risk to the channel is real was put to bed Tuesday when Indian IT service provider and outsourcer Wipro confirmed a report that it had been breached by an advanced phishing attack. “Third-party risk management is going to become one of the basics businesses have to succeed at,” said Mathew Newfield, chief information security officer at Unisys, No. 21 on the 2018 CRN Solution Provider 500.

Nowadays, Newfield said virtually all enterprise customers expect documentation of Unisys’ security postures and programs as well as briefings on the solution provider’s technical implementation guides. But more and more, customers also want an on-site review of Unisys’ security procedures to ensure the solution provider is living up to its security promises, he said.

[Related: The Wipro Breach: Why Managed Service Providers Are At Risk]

Meanwhile, managed detection and response provider eSentire often receives due diligence checklists from customers to ensure it is conducting frequent security awareness training sessions and vetting the criminal and financial history of employees, said Mark Sangster, vice president and industry security strategist.

Sangster recommends that customers ensure their agreements with an outsourced IT provider contractually guarantee breach notification within a specific period of time.

MSPs should expect to receive questions around who has access to customer data, what countries those people are sitting in, if the data is encrypted and, if so, who has access to the keys, said Joshua Douglas, vice president of threat intelligence for email security vendor Mimecast.

Enterprise customers are also asking pointed questions about how MSPs catch more sophisticated attackers that attempt to hide in the network for a long period of time, said Jack Danahy, senior vice president of security for threat management vendor Alert Logic. Danahy said customers are most interested to see how an initial incursion into their systems or endpoint can be spotted, as well as lateral network movement or the gathering, storing or exfiltration of data.

Service-level agreements between firms and their IT outsourcer typically provide accountability in areas such as uptime, said Charles Carmakal, vice president for FireEye’s Mandiant Consulting unit. However, he said there tends to be ambiguity around who’s responsible for post-breach investigation and the ensuing remediation costs in cases where the MSP manages the physical infrastructure but the customer owns the data.

Businesses also should evaluate the security riders on their insurance policies to ensure it’s clear who’s paying for post-breach remediation efforts, including related professional services efforts as well as the costs of credit checks or applications for any impacted consumers, said eSentire’s Sangster.

Third-party risk management also needs to account for shorter-term engagements such as a consultant with a two- to four-month engagement to help design a company's R&D, engineering or IT ecosystem, said Andrew Morrison, cyber risk services principal at Deloitte, No. 15 on the 2018 CRN Solution Provider 500. In these scenarios, Morrison said it becomes more difficult to determine who’s supposed to have access when.

“The identity management challenge of that is harder for those shorter-term relationships,”" Morrison said. “The adversary knows it’s a less-scrutinized world, and it’s easier to operate at times with impunity than in the more monitored space of IT security."

Using Technology To Combat Nation-States

Well-defined segmentation can help MSPs prevent, minimize the scope of, or recover more quickly from nation-state attacks, said Fortinet Chief Information Security Officer Philip Quade. Companies must balance the desire to maximize protection by segmenting off everything with the operational challenges excessive segmentation introduces into the IT ecosystem, Quade said.

Effective segmentation policies generate alerts or altogether prevent devices that have no reason for communicating with one another from doing so—such as a company’s computers and a smart refrigerator or thermostat, said Craig Williams, director of outreach for Cisco's Talos threat intelligence unit. Segmentation ensures that defenses are in place should the worse-case scenario ever happen to an MSP, he said.

Williams specifically recommended that MSPs focus their segmentation around the customer’s crown jewels like their source code, engineering documents, design documents or law firm records.

Large enterprises often have dozens or even hundreds of employees using easily guessable passwords or the same password as they used for another site or account, said FireEye's Carmakal. This increases the total surface area nation-state groups have to carry out credential stuffing attacks, which can test already-breached passwords from a target’s social media pages against their corporate accounts.

Multifactor authentication can be an effective technical tool to mitigate the risk associated with credential stuffing attacks, Carmakal said. Effective multifactor authentication deployments reduce excessive privileges available to users while not impeding their ability to get work done, said Chris Betz, chief security officer for telecom powerhouse CenturyLink.

Implementing multifactor authentication and single sign-on should help MSPs minimize disruption and speed up the user experience while still strengthening security across the company, Betz said.

When nation-state threat actors go after IT service providers, they’re typically searching for the most target-rich environments, said William Tsing, Malwarebytes’s head of threat operations. For this reason, Tsing said MSPs and other service providers in the Washington, D.C., area are at greater risk since they’re more likely to have customers in possession of technical intelligence that’s of interest to nation-state groups.

Geofencing can help organizations filter out noise from targets of interests, Tsing said. Specifically, Tsing mentioned that limiting attacks to a certain geographic scope increases the odds of finding a target-rich environment.

Using Intelligence To Combat Nation-States

Customers need to carefully evaluate an MSP’s operational procedures in order to protect themselves, said Steve Grobman, chief technology officer for platform security provider McAfee. Those operational procedures include in what context human intervention is incorporated rather than just relying on a “scripted playbook” response.

MSPs are most successful at protecting themselves and their customers from nation-state threats when they have adequate visibility across all their entire IT environment, said Adam Meyers, vice president of intelligence for CrowdStrike. In addition, Meyers said MSPs should be proactively hunting for threat activity and conducting adversary-based penetration testing.

“At this stage of the game, you have to better understand the adversary to protect yourself,” Meyers said.