Kaseya attack highlights potential gaps in managed service provider model

A man walks through a server farm in Switzerland. Between 50 and 60 of Kaseya’s on-premises remote monitoring and management customers, according to the company’s tally, have been breached by an affiliate of the REvil ransomware gang. (Amy Sacka for Microsoft)

The specific tactics of the ransomware gang that targeted Kaseya customers illustrated an unresolved flaw in many models of managed service provider software distribution: Relationships rooted in mutual trust, by definition, introduce risk.

And this risk can often be overlooked.

“They have a problem here because MSPs are responsible for their customers. And Kaseya provides this service that MSPs pay for,” said Dede Haas, channel strategist at DLH Services and an expert in MSP strategy. “There is a chain of trust that has now been broken.”

So where are the gaps in the relationship between vendors and MSPs that could introduce risk, and what tactics could help fill the gaps? SC Media spoke to supply chain experts to examine the complexities.

A shared responsibility

Between 50 and 60 of Kaseya’s on-premises remote monitoring and management customers, according to the company’s tally, were breached by a REvil ransomware affiliate on Friday. Over a thousand customers of managed service providers using Kaseya VSA have been infected with ransomware.

“When I saw that, I thought, ‘Oh. That’s not good,’” Haas added. “When Kaseya gets hacked, it’s not only MSP information; it’s their clients’ and their clients’ clients’ information too.”

All of these factors led Kaseya to tell on-premises VSA customers to shut down their servers, and to take the servers supporting its Software-as-a-Service offering offline as a precaution.

Company CEO Fred Voccola announced in an online video statement on Thursday that Kaseya will provide help to customers who need it after the attack, in an offer modeled on a financial aid package the company launched after COVID-19 hit. This would take the form of direct financial assistance to MSPs “who have been crippled by the REvil people and the new adversaries we are facing,” he said.

The company will also spend millions of dollars, working with third-party consulting firms and its own professional services team, to provide licensed late payments.

“It’s very different from the type of relationship we have with our clients, where we are mission-critical,” he said.

But whether or not Kaseya falls on its sword, as the company appears to be doing, that doesn’t necessarily alleviate the challenges MSPs face from their own customers. Those customers will want reassurance that their own data hasn’t been compromised, and even once those assurances are given, MSPs could find themselves, just as Kaseya does now, dealing with potential damage to relationships and reputation.

“It was strategic to attack MSPs, but opportunistic in terms of capture,” said Joshua Marpet, executive director of Guardedrisk. “If you want to find juicy morsels, are you heading to a company? Perhaps. But if they’re involved in mergers and acquisitions, it’s easier to lash out at the law firm, which typically has worse security. The most successful MSP I have heard of had a 36% profit margin; that’s nothing in the software world. How much time and effort do they have to harden the configuration of all of these vendor tools and offerings? I can’t blame the MSPs.”

The MSP model is distinguished by the fact that a successful attack typically has several components: identify a vulnerability in the software, then target the MSPs who, in theory, have not layered additional security controls of their own on top of the vendor’s technology stack to make exploitation more difficult.

In the case of the Kaseya attack, as for MSPs who were using two-factor authentication, “I guess they’re in a slightly better position,” said JC Herz, co-founder and COO at Ion Channel, a data platform and service that enables organizations to manage risk in their software supply chain. But before an attack even occurs, she added, “vendors need to know if the corporate policy of an MSP is two-factor authentication. It is not about ensuring that your MSPs comply with [the Federal Risk and Authorization Management Program]. These are basic standards that you should know and demand. The question with MSPs is whether it is possible to achieve some verifiable and continuous level of assurance regarding their controls.”

“What should happen now is that every customer assumes that all of their MSPs have been compromised and implements compensating controls within their own company to properly segment the data exchange,” she continued.

“Intelligent communication”

That said, while MSPs bear an important responsibility for securing their own infrastructure, most experts told SC Media that it is the vendor’s responsibility not only to ensure product security but also to establish policies and procedures for clients covering security standards and what to do when a vulnerability is identified. This should include details of communications and expectations for the vendor, the MSP, and even end customers.

“It’s so important to have these mitigation processes and procedures,” Haas added. “MSPs are more aware than anyone. And that’s their frustration. Vendors think the partners should be there to take care of the vendor, but no, vendor, your responsibility is to take care of the partner. Help them to be protected.”

“The MSP is the one who got screwed the most,” she continued. “We need transparency. And they have to simplify things.”

To achieve this transparency, many experts point to different versions of what you might call “smart” contracts that clearly define requirements, expectations and procedures. Chris Blask, strategic advisor to Cybeats and former executive director at Unisys, said this is an important part of a digital bill of materials, a concept he has coined over the past two years to refer to a list of every component of any kind of product as it moves from one pair of hands to another.

“Everyone should be able to [do this], at some point in the foreseeable future, not only because there will be regulation but because a) attackers will evolve to the point where you won’t be able to run your thing for five minutes, and b) if you don’t, your competitors will, and they will then take all of your business,” continued Blask, who specifically advocated the application of “oracles,” where contract language is established and chained into repositories, with specific responses that occur when specified conditions are met.

With automated, real-time communication, “you usually don’t get to see these issues creep in as people talk to each other,” he said. “A lot of it comes down to having an organization mature enough to ask the right questions.”
