Let’s say you partner with a managed services provider (MSP) to help improve the performance of your risk management. Things are going well, and together you’re taking steps to better understand and manage your enterprise risk model, sketch out your risk appetite, and monitor potential threat indicators in real time—all activities that you would have had limited capacity to accomplish without outside help. To make things easier, your partner has access to some of your web infrastructure, and can make some changes to your system in addition to monitoring it.
Now, let’s say that MSP gets hit with a ransomware attack. What are the odds that this breach is going to impact your operations? Well, that depends: How widespread are their permissions within your system? How much of your corporate data can they actually access? How well segmented are the various elements of your existing IT? Best case scenario, you might find that they have limited access to data—meaning that hackers won’t be able to gain too much information. Worst case: this could be a hacker’s inroad to your entire system.
This may seem like a somewhat dour hypothetical, but this kind of incident is unfortunately far too common. In the past few years, there have been a number of high profile cases of MSPs and MCSPs (managed cyber security providers) getting hit with ransomware and other cyber attacks that ultimately imperil their clients’ systems as well as their own. In fact, it’s increasingly common for attackers targeting a particular company to specifically aim their intrusions at vendors in order to gain access to sensitive systems.
Does this mean that businesses should automatically be wary of MSPs and MCSPs and avoid using them? Absolutely not! On the contrary: the right MCSP can actually be your most valuable asset in managing your IT and applications in a safe way that mitigates risk from vendors.
How is that possible? Read on to find out...
The Enterprise Threat Model
First things first, you need to understand your managed service provider within the context of your existing threat model. Right now, depending on your industry, there might be a handful of ways in which hackers could target your company. There might be vulnerabilities on your website or web applications that allow for intrusions into databases that contain sensitive information about your company or your customers. Conversely, attackers might use email phishing as a way to steal your employees’ credentials and either leak data or wreak havoc in other ways. Or, they might use email as an attack vector to install malware (e.g. ransomware, keyloggers, etc.) onto your system.
Defending against these sorts of attacks is a multi-faceted process. It requires you to examine both access and privileges within your system as well as the internal development processes that potentially produce web application vulnerabilities in the first place. To build a more secure enterprise environment, you’ll need a few things:
- A comprehensive threat model: Based on what we sketched out above, you can start to get a sense of where the potential points of entry are in your system. From there, you’ll want to expand your understanding of potential risks based on your industry, your IT infrastructure, and your organizational structure.
- Up-to-date IT: Software vendors regularly release updates that patch the bugs behind known vulnerabilities—as a result, strong security depends on keeping your technology up-to-date. For legacy applications that might not be getting new security patches, you’ll need to find another way of mitigating risk.
- Perimeter protection: Many companies use web application firewalls (WAFs) to set limits on potentially malicious HTTPS traffic—but application shields are often a better bet if you care about keeping website performance metrics high.
- Access control and permissions limits: Most companies these days try to work towards “least privilege,” giving users only the amount of functionality that they absolutely need—just in case a malicious actor is able to access a user account. But with complicated IT environments this can be a difficult thing to operationalize.
These kinds of assessments and plans help to protect you from risk, but they can be daunting—especially when you throw MSPs into the mix. If you’re already in a position where you’re reaching out to managed cyber security services providers to help manage security, it’s possible that you won’t actually have the in-house capacity or capability to check off every box on the list above effectively.
Why MSPs and MCSPs Present a Risk
The importance of robust access controls should be more than a little suggestive of how exactly a managed services provider could become an unnecessary risk to your systems. In the same way that an employee account that gets compromised poses a threat to everything that employee has permission to touch, an MSP that gets compromised can impact everything that its permissions grant access to. Thus, if your marketing partner has access to your financial information because of a misconfiguration in how your CRM integrates with the rest of your ecosystem, a security flaw or vulnerability in their IT is essentially a flaw in yours as well.
Again, this isn’t meant to be taken as a discouragement from using MSPs or MCSPs—quite the opposite! For shops looking to gain flexibility and make the most of their existing capacity—especially when it comes to something like cyber security that requires a high baseline of skill and industry knowledge—they can be a great way to improve your operational efficiency and branch out into new competencies. It’s just a matter of understanding the cyber security implications and working with your MSP to address them proactively.
Tactics for Mitigating Risk
At a relatively high level, there are a handful of strategies that help to shrink the surface area of this particular vulnerability.
- Secure remote access via a VPN or similar. Especially now, when so many people are working from home, this is often a best practice anyway.
- Enforce “least privilege” policies with regard to digital (and, if applicable, physical) access—this ensures that a compromised vendor account can’t cause trouble up and down your value chain.
- Monitor and address vulnerabilities within your own IT. The safer your own system is, the harder it will be for a compromised vendor to pose an issue. This means performing timely updates and staying on top of the latest best practices.
- Include security-related guidelines in your SLAs in order to make sure that you’re on the same page with whoever you might be working with.
By taking these proactive steps, you can create an environment where a vendor that gets hit with a ransomware attack doesn’t have wide enough access to your IT to actually put your data in danger. If an attacker is actively trying to use the vendor to access your systems, these best practices can make that much more difficult.
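The “least privilege” and remote-access tactics above are only as good as your ability to check them. The script below is an added example, not code from the original post or from any provider: it audits a constructed inventory of vendor accounts against a constructed table of approved scopes and flags excess permissions, missing MFA, access not restricted to the VPN, and stale accounts, then computes the blast radius a single compromised vendor would inherit. The vendor names, account names and scope strings are assumptions for illustration; in practice the inventory would be exported from your identity provider and application role assignments.

```python
"""Audit MSP/MCSP vendor accounts against a least-privilege baseline.

Added example (not from the original post). All vendors, accounts and scope
names below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class VendorGrant:
    """One vendor account as it exists today in your environment."""
    account: str
    vendor: str
    scopes: set          # permissions actually held
    mfa: bool            # multi-factor auth enforced?
    vpn_only: bool       # reachable only through the VPN / secure remote access?
    last_used_days: int  # days since the account last authenticated


# Constructed: what each vendor's contract / SLA says it actually needs.
APPROVED_SCOPES = {
    "msp-networks": {"monitoring:read", "firewall:write"},
    "marketing-agency": {"crm:contacts:read", "crm:campaigns:write"},
}

# Constructed inventory of what the vendor accounts currently hold.
INVENTORY = [
    VendorGrant("svc-msp-1", "msp-networks",
                {"monitoring:read", "firewall:write"}, True, True, 2),
    VendorGrant("svc-msp-2", "msp-networks",
                {"monitoring:read", "db:customers:read"}, True, False, 40),
    VendorGrant("agency-bob", "marketing-agency",
                {"crm:contacts:read", "finance:ledger:read"}, False, False, 120),
]

STALE_DAYS = 90  # assumption: vendor accounts unused this long should be reviewed


def audit(inventory, approved, stale_days=STALE_DAYS):
    """Return (account, finding, detail) tuples for every policy deviation."""
    findings = []
    for g in inventory:
        allowed = approved.get(g.vendor, set())  # unknown vendor => nothing approved
        excess = g.scopes - allowed
        if excess:
            findings.append((g.account, "excess_scope", sorted(excess)))
        if not g.mfa:
            findings.append((g.account, "no_mfa", None))
        if not g.vpn_only:
            findings.append((g.account, "not_vpn_restricted", None))
        if g.last_used_days > stale_days:
            findings.append((g.account, "stale", g.last_used_days))
    return findings


def blast_radius(inventory, vendor):
    """Union of every scope an attacker would inherit if this vendor were compromised."""
    return set().union(*(g.scopes for g in inventory if g.vendor == vendor))


if __name__ == "__main__":
    for account, finding, detail in audit(INVENTORY, APPROVED_SCOPES):
        print(f"{account:12} {finding:20} {detail if detail is not None else ''}")
    for vendor in APPROVED_SCOPES:
        print(f"blast radius of {vendor}: {sorted(blast_radius(INVENTORY, vendor))}")
```

The useful output is the gap between `blast_radius` and `APPROVED_SCOPES`: the difference is exactly the data a compromised vendor could reach that the SLA never required, which is the number to drive to zero before signing off on a new integration.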
This is all well and good—but, especially in cases where you’re working with a managed cyber security services provider, there’s also a decent chance that these best practices are going to be hard to follow. After all, they require a strong cyber security posture and a lot of ongoing effort, which is exactly what you’re paying your MCSP for in the first place. In other words, you’re potentially using up capacity and resources on cyber security nitty-gritty—the very same resources you’re trying to preserve by outsourcing in the first place.
How Can You Operationalize Those Tactics?
The situation described above presents something of a conundrum for CIOs, CISOs, and other decision-makers: How do you operationalize best practices that you don’t have the in-house resources or knowledge to handle? Ultimately, you have to fall back on the vendor selection process to choose a cyber security services provider who displays competencies in these areas and can help you to defend your applications from any potential vendor-related vectors.
This might sound paradoxical, but in reality it’s not that strange. To entrust your security to an outside vendor to begin with, you need to have a high degree of trust both in their business and in their expertise. In other words, you need to find an MCSP who already knows how to perform micro-segmentation, set up firewalls, and keep applications properly configured and up-to-date. If you’re considering working with someone, these capabilities should already be at the top of your wish list—indeed, the ability to manage the more mundane side of things (e.g. software updates and best practices, managing permissions, staying current on new guidelines and attack vectors) is just as important as sexier activities like conducting pen tests and doing incident response.
To put it bluntly, if you’re working with an MSP or MCSP, you already know that it’s not always in your best interest to go it alone. When it comes to something as complex as managing the cyber threats that arise as a result of vendor integration, this is especially true.
MCSPs as a Strategic Advantage
Okay, let’s say you decide that the right MCSP is the best way to address digital threats like the ones that come from partner organizations—are you only paying for protection and nothing else? Not necessarily. In some sense, a partnership like the one we’ve been describing above stands to help integrate a more holistic view of security into your larger operations. An MCSP that can cover web application vulnerabilities with an application shield, for instance, can help you avoid the ongoing cycle of panicked code remediation and rushed software releases and take a more proactive, less reactive stance when it comes to security. This is, of course, a topic that we’ve expanded on at length elsewhere—but it bears mentioning that the very same tactics that enable you to keep your MSPs from becoming a threat can help you to evolve your development life cycles.