August 01, 2019
Datto’s Perspective and Plans Regarding Recent Attacks Using RMM Platforms
I am Ryan Weeks, a sometimes blogger, and full-time Chief Information Security Officer (CISO) at Datto. An important facet of my role is to lead Datto’s security strategy across our global product portfolio. I want to share some thoughts on the security position most Remote Monitoring and Management (RMM) platforms are in and introduce both recently deployed and planned new functionality to protect your Datto RMM platform from malicious use.
It’s been a wild year so far for MSPs and RMMs. There have been numerous widely publicized incidents of MSPs being attacked and their RMM platforms becoming weaponized to deploy malicious ransomware packages. Due to the publicity associated with these incidents, awareness of how vulnerable MSPs can become has increased across the entire MSP ecosystem. MSPs are re-evaluating their security posture, refactoring operational practices, and reducing their attack surface.
An irrefutable trend we have to recognize is that MSPs are being targeted by threat actors who seek to leverage their RMM platforms (and other management systems). RMM platforms are a ready command and control system that can do anything an attacker wants, so it makes sense they would target RMMs as a primary tactic. However, we have to recognize that MSPs can be vulnerable to rogue techs and disgruntled employees who can be just as destructive to an MSP and their SMB/SME customers if left unchecked. RMM platforms have thus become a bittersweet solution to enable scalable growth and efficient automation but have the potential to become weaponized for nefarious intentions.
At Datto, we do more than speak to how important security is, we work every day to put it into practice. We have a team of experts who focus exclusively on the security of our platforms, systems, and partners. This team is constantly monitoring and tracking cyber events in the MSP space and beyond. Armed with the knowledge of current and emergent threats and defenses, we are having frequent conversations about how to keep our partners and platforms safe.
We are honest about existing platform capabilities and make hard choices on how to improve Datto RMM to better protect MSPs. These thoughtful looks at the RMM product through an attacker’s perspective allow us to rapidly adjust our platform capabilities to active threats as they emerge, and before they become disruptive. You’ve seen this process manifest in the recent email validation workflow, and soon you will see this take form with required MFA for all Datto RMM user accounts.
We take pride in what we do to protect MSPs and their end-customers with the solutions we develop and the systems they operate on. I’m not alone in this crusade. I’ve asked Ian van Reenan and Michael Bienvenue of Datto to co-blog with me today to give different perspectives on these risks and show how we’re addressing them.
I am Ian van Reenan, VP of Engineering - Endpoint Products for Datto and I’m responsible for leading the world-class team of engineers who build this amazing technology. Many MSPs do not inspect the elegance of how Datto RMM runs under the hood because their evaluation is usually spent on tangible functions that have a more direct application to their business. But the platform’s architecture allows us to proactively monitor every facet of the system and keep an eye on any unusual activities that may occur.
We constantly work with Ryan’s team who helps to keep us abreast of emerging threats and defensive best practices. His team are the security experts, our team are the platform experts. Together we bring the combined expertise to deliver an RMM solution that is designed and built with security in mind.
Recently, our partners received a new layer of security in Datto RMM to protect those who have chosen not to implement multi-factor authentication (MFA). We needed to deliver a layer of protection to those users who relied on user password credentials as the only factor of authentication. These users were introduced to an email-based validation process that triggers when a single factor Datto RMM user account is logged in from an unknown IP address. It’s considered ‘unknown’ if we have not seen logging in the recent past or it has been seen but only been given temporary approval in the past. This simple validation brings awareness to suspicious activity and creates a higher barrier of entry for a malicious actor.
This email validation method buys MSPs and Datto time against the imminent threat they face, but it is not a full replacement for the security provided by an out of band MFA solution like time-based, one-time passwords (TOPTs) for each login. For example, if an attacker has access to MSP SaaS platforms, like O365, then email may be insufficient to prevent inappropriate use of the RMM platform. Only an out of band MFA solution can provide that level of security. We believe everyone needs to protect their RMM platform login accounts with MFA. We also recognize that MFA adoption is a shift that requires preparation for MSPs and their end-users.
We are informing MSPs to start that prep work. In the near future, Datto RMM will start to require MFA for account logins. We’re gathering MSP feedback and then will be aggressively pursuing widespread enablement.
We were able to deploy these updates easily across our entire partner base as part of our ongoing and frequent release cadence that occurs every month. Because of our ambitious roadmap strategy and the pace of development, we are finding it easier to get new capabilities into the hands of partners and then iterate from there. Partnering with Ryan’s security team allows us to confidently ensure a more secure computing environment for all of our partners. The unknown IP address email validation and required MFA are good examples. There are more coming, some may be visible, others may not, but they are all with the intention of securing MSPs and the environments they are responsible for protecting.
The Market & Partners
I’m Michael Bienvenue, and I am the Product Marketing Manager for Datto RMM. I work closely with the RMM product team and our partners to help communicate the exciting things that we are doing with this incredible system.
We’re seeing a shift by MSPs towards putting a higher priority on vendors who exhibit more proactive security postures. It validates the significance of current events because there is more at risk mandating that shift. The end customer now expects the MSP to share in the responsibility of keeping their data safe and to take financial responsibility if something goes wrong. The MSP now expects their vendors to be doing the right things to keep them safe.
Change can be difficult for some especially when it’s exchanged for convenience. The pain of change, however in due time, does find an equilibrium where users become accustomed to the new normal. When looking back it becomes clear the additional security layers are worth any short-lived discomfort, because it’s not just convenience that is surrendered, it is exposure to vulnerability. It’s not security being gained, it’s the stability and continuity of the business being assured.
As your trusted partner. Datto will keep making hard choices that balance these outcomes in order to keep us all safe.
Ryan Weeks - Chief Information Security Officer for Datto
Ian Van Reenan - VP of Engineering - Endpoint Products for Datto
Michael Bienvenue - Product Marketing Manager for Datto RMM