August 01, 2019
Datto’s Perspective and Plans Regarding Recent Attacks Using RMM Platforms
I'm Ryan Weeks, a sometimes blogger, and full-time Chief Information Security Officer (CISO) at Datto. An important facet of my role is to lead Datto’s security strategy across our global product portfolio. I want to share some thoughts on the security position most Remote Monitoring and Management (RMM) platforms are in and introduce both recently deployed and planned new functionality to protect your Datto RMM platform from malicious use.
It’s been a wild year so far for MSPs and RMMs. There have been numerous widely publicized incidents of MSPs being attacked and their RMM platforms becoming weaponized to deploy malicious ransomware packages. Due to the publicity associated with these incidents, awareness of how vulnerable MSPs can become has increased across the entire MSP ecosystem. MSPs are re-evaluating their security posture, refactoring operational practices, and reducing their attack surface.
An irrefutable trend we have to recognize is that MSPs are being targeted by threat actors who seek to leverage their RMM platforms (and other management systems). RMM platforms are a ready command and control system that can do anything an attacker wants, so it makes sense they would target RMMs as a primary tactic. However, we have to recognize that MSPs can be vulnerable to rogue techs and disgruntled employees who can be just as destructive to an MSP and their SMB/SME customers if left unchecked. RMM platforms have thus become a bittersweet solution to enable scalable growth and efficient automation but have the potential to become weaponized for nefarious intentions.
At Datto, we do more than speak to how important security is; we work every day to put it into practice. We have a team of experts who focus exclusively on the security of our platforms, systems, and partners. This team is constantly monitoring and tracking cyber events in the MSP space and beyond. Armed with the knowledge of current and emergent threats and defenses, we are having frequent conversations about how to keep our partners and platforms safe.
We are honest about existing platform capabilities and make hard choices on how to improve Datto RMM to better protect MSPs. These thoughtful looks at the RMM product through an attacker’s perspective allow us to rapidly adjust our platform capabilities to active threats as they emerge, and before they become disruptive. You’ve seen this process manifest in the recent email validation workflow, and soon you will see this take form with required 2FA for all Datto RMM user accounts.
We take pride in what we do to protect MSPs and their end-customers with the solutions we develop and the systems they operate on. I’m not alone in this crusade. I’ve asked Ian van Reenen and Michael Bienvenue of Datto to co-blog with me today to give different perspectives on these risks and show how we’re addressing them.
I'm Ian van Reenen, VP of Engineering - Endpoint Products for Datto and I’m responsible for leading the world-class team of engineers who build this amazing technology. Many MSPs do not inspect the elegance of how Datto RMM runs under the hood because their evaluation is usually spent on tangible functions that have a more direct application to their business. But the platform’s architecture allows us to proactively monitor every facet of the system and keep an eye on any unusual activities that may occur.
We constantly work with Ryan’s team who helps to keep us abreast of emerging threats and defensive best practices. His team are the security experts, our team are the platform experts. Together we bring the combined expertise to deliver an RMM solution that is designed and built with security in mind.
Recently, our partners received a new layer of security in Datto RMM to protect those who have chosen not to implement two-factor authentication (2FA). We needed to deliver a layer of protection to those users who relied on user password credentials as the only factor of authentication. These users were introduced to an email-based validation process that triggers when a single-factor Datto RMM user account is logged in from an unknown IP address. An IP address is considered ‘unknown’ if we have not seen it logging in in the recent past, or if it has been seen but has only been given temporary approval in the past. This simple validation brings awareness to suspicious activity and creates a higher barrier of entry for a malicious actor.
This email validation method buys MSPs and Datto time against the imminent threat they face, but it is not a full replacement for the security provided by an out-of-band 2FA solution like time-based one-time passwords (TOTPs) for each login. For example, if an attacker has access to MSP SaaS platforms, like O365, then email may be insufficient to prevent inappropriate use of the RMM platform. Only an out-of-band 2FA solution can provide that level of security. We believe everyone needs to protect their RMM platform login accounts with 2FA. We also recognize that 2FA adoption is a shift that requires preparation for MSPs and their end-users.
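The unknown-IP rule described above can be modelled as a small decision function. This is an added illustration, not Datto's code: the 30-day window, the `"permanent"`/`"temporary"` labels, the function names and the sample addresses (documentation ranges) are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

RECENT = timedelta(days=30)  # assumption: the post says only "recent past"

@dataclass
class Account:
    has_2fa: bool
    known_ips: dict = field(default_factory=dict)  # ip -> (last_seen, approval)

def is_unknown(acct, ip, now):
    rec = acct.known_ips.get(ip)
    if rec is None:
        return True                   # never seen for this account
    last_seen, approval = rec
    if approval == "temporary":
        return True                   # seen, but only temporarily approved
    return now - last_seen > RECENT   # seen and approved, but not recently

def login(acct, ip, now):
    """Decision for a login whose password has already been verified."""
    if acct.has_2fa:
        return "second_factor"        # the email gate only covers single-factor accounts
    if is_unknown(acct, ip, now):
        return "email_challenge"
    acct.known_ips[ip] = (now, "permanent")  # refresh last-seen time
    return "allow"

def approve(acct, ip, now, permanent):
    """Record the user's response to the validation email."""
    acct.known_ips[ip] = (now, "permanent" if permanent else "temporary")

def replay(acct, events, start=datetime(2019, 8, 1)):
    decisions = []
    for day, action, ip, permanent in events:
        now = start + timedelta(days=day)
        if action == "login":
            decisions.append(login(acct, ip, now))
        else:
            approve(acct, ip, now, permanent)
    return decisions

# Constructed sample events: (day offset, action, source IP, permanent approval?)
EVENTS = [
    (0, "login", "203.0.113.10", None),    # first sighting
    (0, "approve", "203.0.113.10", True),
    (1, "login", "203.0.113.10", None),    # known and recent
    (2, "login", "198.51.100.7", None),    # new address
    (2, "approve", "198.51.100.7", False),
    (3, "login", "198.51.100.7", None),    # temporary approval does not persist
    (40, "login", "203.0.113.10", None),   # approved, but stale
]

if __name__ == "__main__":
    print(replay(Account(has_2fa=False), EVENTS))
```

Every challenge in this model is only as strong as the mailbox that receives it, which is the limitation the paragraph above raises.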
We are informing MSPs to start that prep work. In the near future, Datto RMM will start to require 2FA for account logins. We’re gathering MSP feedback and then will be aggressively pursuing widespread enablement.
We were able to deploy these updates easily across our entire partner base as part of our ongoing and frequent release cadence that occurs every month. Because of our ambitious roadmap strategy and the pace of development, we are finding it easier to get new capabilities into the hands of partners and then iterate from there. Partnering with Ryan’s security team allows us to confidently ensure a more secure computing environment for all of our partners. The unknown IP address email validation and required 2FA are good examples. There are more coming, some may be visible, others may not, but they are all with the intention of securing MSPs and the environments they are responsible for protecting.
The Market & Partners
I’m Michael Bienvenue, and I am the Product Marketing Manager for Datto RMM. I work closely with the RMM product team to help communicate the exciting things that we are doing with this incredible system. The greatest part of my job is when I have conversations with our partners around the world and see trends happening in the MSP and technology landscapes.
One trend we're seeing is a shift by MSPs towards putting a higher priority on all types of vendors who exhibit more proactive security postures. This type of shift validates the significance of the current events we’re all observing. We’re also seeing end-customers, who are also looking to protect their interests, now expecting MSPs to share in the responsibility of keeping their data safe and to stake financial accountability if any systems become compromised. This change in customer expectations will increase pressure on insurance companies who underwrite the Error and Omission (E&O) policies that MSPs typically carry on the business. This, of course, flows upstream and transfers similar MSP expectations of responsibility to software vendors.
The world is changing rapidly and it can be difficult when people need to surrender convenience in exchange for increased security. These principles are inversely proportional. They're at the opposite ends of a usability spectrum and system changes, like the ones we are seeing in Datto RMM, are weighed for being “too relaxed and vulnerable” or “too strict and inconvenient”. The growing consensus across the MSP channel is both MSPs and RMMs are currently too relaxed and vulnerable and must move towards being more strict and inconvenient.
There will be some discomfort as everyone adopts the necessary steps to protect their environments. But the pain of change will dissipate as users become accustomed to the new normal. There was a time when software didn’t even have user credentials, but now everyone is comfortable with logging in to every application. We'll all review our security postures and recognize the additional security layers are worth any short-lived discomfort because of what is at risk. It's not just convenience that is surrendered, it is exposure to vulnerability. It’s not security being gained, it’s the stability and continuity of the business being assured.
As your trusted partner, Datto will keep making hard choices that balance these outcomes in order to keep us all safe.
Ryan Weeks - Chief Information Security Officer for Datto
Ian van Reenen - VP of Engineering - Endpoint Products for Datto
Michael Bienvenue - Product Marketing Manager for Datto RMM