Val King, CEO, Whitehat Virtual
Is this driving more customer engagement and business for you as a result?
“The Kaseya event is driving engagement, but only to the extent of confirming if we do or do not use Kaseya. It is a conversation starter and a bit of a potential burden for clients who have realized that they now have to pay at least some attention to their provider’s network environments in addition to their own.
“This highlights the need for vendor due diligence; not only for third parties (MSPs), but fourth parties (partners used by third-party providers). An organization needs to review its third parties. This includes making sure the third parties have a due diligence process to review their third parties as well (fourth parties to the customer).
“Would vendor due diligence have identified what happened with this incident as an intolerable risk? Maybe not, depending on the most recent SOC report from Kaseya. However, if customers do not have a due diligence program in place, they have no understanding of the potential risks, or the controls third parties have in place.”
Are you looking for more vendors to partner with to prevent these types of attacks on your organization and customers?
“We are trying to limit the number of partners we have to limit the number we have to stay on top of. We are also looking at what we can do proactively to prevent or speed the identification of issues. As part of that, we are making adjustments to our ASCENT Portal to improve the incident response process.
“As a bare minimum, we recommend having three significant aspects of a security program in place as a result of the Kaseya incident: vendor due diligence, supply chain risk management and incident response.
“A complete security program does not stop there. Having controls in place for data backups, network segmentation, security awareness training, risk assessments, business impact analysis, secure coding requirements and information system interconnections (and many more items) are all important preventive measures that should be addressed.
“Incidents are going to happen. Not fun, but true. How an organization responds to an incident is equally important as the fact that an incident has occurred.”
Are you worried about your PRM providers such as Kaseya and ConnectWise in terms of the security of their network and vulnerabilities?
“In a word, yes. Most of these tools were developed effectively in someone’s garage, for one MSP that needed a better way to do something. These tools have grown up to be pillars of the MSP industry but still show their mom and pop roots. Large PE groups have entered the industry, stitching individual applications together through acquisition into platforms, making investments into shoring up these tools, adding needed features, and making them more enterprise-grade. There is still a fair amount of concern that there may still be more latent development shortcuts or risks in some of these tools that may have presented an acceptable risk in a previous era that does not work in this world of state-sponsored, crypto-monetized targeted attacks.
“Collectively, service providers also have a hand in the protection of client environments. Some attacks are net-new, zero-day events. Others are known vulnerabilities that already have a known fix. Service providers have to do their part and stay on top of internal updates and remediating security vulnerabilities with their tools in the same way they are primarily tasked with patching and updating their client environments.”
Are you getting more calls from security vendors to partner with them because their solutions could prevent such attacks?
“Security vendors are already responsible for a large portion of the inbound calls and emails we get. The volume is the same; it is just a new message or recycling the SolarWinds messaging from a few months ago.
“There is an increased demand for a holistic solution to manage security and compliance as is offered by our ASCENT Portal. While such security and compliance platforms cannot prevent attacks, they can prescribe the controls that should be followed to help mitigate the risk. By addressing items such as supply chain risk management, incident response and vendor due diligence, companies using a security and compliance platform are much more prepared.”
Are you partnering with other MSPs to solve these types of supply chain problems for your customers?
“No, the first step is to look in the mirror and ensure we are doing everything in our power to prevent and protect our clients and the environments in our care. We can’t control the practices or code of our respective vendors. We have a strong vendor management program complete with risk assessments to help us manage these relationships, allowing us to make adjustments when concern exceeds the value of the service or product provided. As service providers, we focus on prevention first and honing our rapid incident response capabilities through practice to respond to the threats we can’t prevent as soon as possible.”
Have you been able to raise your per-seat or services prices as a result of these attacks?
“Could we? Probably, but that is not the kind of partner we want to be for our clients. We are in this together. Identifying the risks, compliance with relevant frameworks of controls like HIPAA or ISO 27001, for example, and building good security programs that meet our clients’ unique needs is the best medicine to prevent or mitigate damage from the latest hack of the day.
“We exist to build and support successful security programs that meet the needs of our customers. Our pricing is not affected; only our desire to assist and support customers is raised. This, similar to the SolarWinds incident, may have been avoided with appropriate controls in place. If not, at least organizations could have been confident they did everything appropriate to prevent or mitigate the impact.”
Are you looking to hire more infosec professionals to meet demand from customers?
“People are an essential component of building a solid security posture but are only one component of an overall security and compliance program. Building a comprehensive security program that addresses every control requirement and supports continuous compliance is equally important. Any infosec professional knows that security is not an IT-only sport. It takes cross-functional support and control ownership to maintain continual security and compliance. This includes, without limitation, HR, payroll, legal, finance, facilities, C-levels, and board support/accountability.”