July 10, 2020
Research Shows MSPs Need to Bolster Internal Security Practices
Managed service providers (MSPs) are expected to be trusted advisors to their small business clients in all-things technology, cybersecurity, cloud - the list goes on. So not surprisingly, this is where many MSPs devote their time and energy. While it’s incredibly important to spend time keeping clients’ security measures intact, it’s also critical for MSPs themselves to make sure their own house is in order. What about the security of their own environments?
In the beginning of 2019, Datto sought to learn more about how MSPs protect themselves so that we can best build secure mechanisms into our products and be in a better position to understand the challenges of our community. Ryan Weeks, Datto’s Chief Information Security Officer, and myself (Dan Garcia here, Datto’s Sr. Manager of Cyber Risk and Architecture) hit the road conducting on-site security assessments with a number of MSPs. We developed a lightweight methodology that allowed us to make the most of the one to two days spent with each partner, having both a structured approach using the NIST Cybersecurity Framework (CSF) in a benchmarking exercise and a freeform whiteboard session as part of our threat modeling exercise. In parallel, a grey box penetration test was conducted which was tightly scoped given the time available. Our initial hypothesis was that there would be a direct correlation between the size of the MSP and the maturity of their security posture.
In the end, our analysis highlighted a number of uncomfortable truths about the maturity of security practices within an MSP’s own environment. It is only from honesty that real improvement occurs and we provide the anonymized findings in our full case study. Here are some key findings:
- The MSPs we analyzed had a false sense of security of their own environments. MSPs indicated high confidence in the subcategories of NIST’s CSF Protect Function, but a number of unknown gaps surfaced during the threat modeling exercise.
- Basic security measures were overlooked. Insecure exposure of Remote Desktop Protocol to the internet, single-factor authentication for VPN, and reuse of a single credential for all client environments were identified.
- There’s a direct correlation between the size of an MSP and its vulnerable attack surface. Misconfigurations, data and access sprawl, and systems leveraging insecure defaults were more frequent in larger MSPs with larger technology portfolios.
Releasing the case study as a security practitioner offers the MSP community a strong list of improvements, but we also wanted to give MSPs an opportunity to take action and perform their own security analyses. To do that, we have also shared the Excel-based workbook used during the assessments as a companion to the case study. MSPs can perform the exercise outlined in the workbook, which applies the same methodologies our team used with annotated instructions for each phase of the assessment process.
- Discovery - Capture business details important for understanding decision making context
- Asset Inventory - Capture datastores, software, devices, and service with the aid of dropdowns
- NIST CSF Benchmark Exercise - Understand the rating system and conduct an analysis
- Benchmark Summary - Auto-generate the heat map shown above with your calculated score
- ATT&CK TTPs - Review the MITRE Tactics that were the focus of the case study or add your own
- Threat Modeling - Walk through the whiteboard process to surface findings
- Findings Register - Enumerate the areas of improvement surfaced across the assessment
The workbook and methodologies have their limitations, but for MSPs looking for an assessment approach that can be conducted over the course of one to two days, this framework is lightweight and actionable. Based on our conversations with participants, it’s strongly recommended that MSPs consider working with a managed security service provider (MSSP) or security consultant to walk through the framework and to secure their own environments. Having the Datto team on-site added a level of accountability to the exercise and also provided the experience of security practitioners in the process. Having a trusted party that MSPs can work with for the continuous improvement of their environment will lead to better secure outcomes, and MSPs can then return those benefits to their clients environments.
As a community, helping each other only makes the value proposition of managed services stronger. We are thankful for the anonymous participants taking part in the assessments and for allowing us to share the knowledge gained.
We are stronger, together.
Dan Garcia, Sr. Manager, Cyber Risk and Architecture