
The ransomware gang's specific tactics targeting Kaseya customers highlighted an unresolved flaw in many managed service provider software distribution models: relationships built on mutual trust inherently carry risk.
And this risk often goes unnoticed.
“They have a problem here because MSPs are responsible for their customers. And Kaseya provides that service that MSPs pay for,” said Dede Haas, channel strategist at DHL Services and an expert on MSP models. "There is a chain of trust that has now been broken."
So where are the flaws in vendor-MSP relationships that could introduce risk, and what tactics might help to bridge the gaps? SC Media spoke to supply chain experts to examine the complexity.
A shared responsibility
Between 50 and 60 of Kaseya's on-premises remote monitoring and management customers were hacked by a REvil ransomware affiliate on Friday, according to the company. Well over a thousand managed service provider customers using Kaseya VSA have been infected with the ransomware.
"When I saw that, I was like, 'Oh. That's not good,'" Haas said. "If Kaseya is hacked, it's not the MSP's information; it is also the information of their clients and customers."
All of these factors prompted Kaseya to instruct on-premises VSA customers to shut their servers down, and to take the servers supporting its own software-as-a-service offering offline as a precaution.
On Thursday, CEO Fred Voccola announced in an online video statement that Kaseya would help customers who needed it after the attack, in an offering modeled on a financial assistance program the company launched following the COVID-19 outbreak. That would take the form of direct financial support for MSPs "that have been crippled by the REvil folks and the new adversaries we're facing," he said.
The company will also spend millions of dollars working with outside consulting firms and its own professional services team, and will offer delayed license payments.
"It's very different from the type of relationship we have with our customers, where we're mission-critical," he said.
But whether or not Kaseya falls on its sword, as the company appears to be doing, that doesn't necessarily lessen the challenges MSPs face from their own customers. Those customers want reassurances that their own data hasn't been compromised, and even if such reassurances can be given, MSPs may still have to manage potential damage to relationships and reputation, much like Kaseya is doing now.
"Tracking MSPs was strategic, but opportunistic in terms of what they got," said Joshua Marpet, Executive Director at Guardedrisk. "If you want to find juicy pieces, do you go to a company? Maybe. But when involved in mergers and acquisitions, it's easier to turn to the law firm, which usually has poorer safeguards. The most successful MSP I've ever heard of had a 36% profit margin; that's nothing in the software world. So how much time and effort do they have to spend hard-wiring all of these tools and vendor offerings? I can't blame the MSPs."
The distinctive feature of the MSP model is that a successful attack is usually multi-pronged: identify a vulnerability in the software, then target the organizations running it, which in theory have not placed any additional security controls on top of the vendor's tech stack that would make exploitation more difficult.
In the case of the Kaseya attack, MSPs using two-factor authentication are "in a slightly better position, I suspect," said JC Herz, co-founder and chief operating officer at Ion Channel, a data platform and service that enables organizations to manage the risk of their software supply chain. But even before an attack takes place, she added, "vendors should know if an MSP's corporate policy is two-factor authentication. It's not about making sure your MSPs are compliant with [the Federal Risk and Authorization Management Program]. These are basic standards that you should know and need. The question for MSPs is whether it is possible to achieve an auditable, ongoing level of assurance about their controls."
"What should happen now is that each customer assumes that all of their MSPs have been compromised and implements compensating controls in their own organizations to properly segment data exchanges," she continued.
"Smart" communication
While MSPs bear significant responsibility for securing their own infrastructure, most experts tell SC Media that the onus is on the provider to ensure not only the security of the product, but also that customers have policies and procedures covering security standards and what to do when a vulnerability is identified. This should include details about the communication expected from the provider, the MSP and even the end customer.
"It's just so important to have these mitigation processes and procedures in place," added Haas. "The MSPs are more aware than anyone else. And that's their frustration. Providers think there should be partners out there who take care of the provider, but no, providers, you are responsible for taking care of the partner. Help them be protected."
"The MSP is the one who gets screwed the most," she continued. "It needs transparency. And they just have to do it."
To achieve this transparency, many experts point to different versions of so-called "smart" contracts that clearly define requirements, expectations and procedures. Chris Blask, a strategic advisor at Cybeats and a former Unisys executive, said it's an important part of a digital bill of materials — a concept he has coined in recent years to denote the list of every component in any type of product, tracked as it moves from one set of hands to the next.
"Everyone has to be able to do that [do this] sometime in the foreseeable future, not just because there will be a rule, but because a) attackers are evolving to the point where you can't keep your thing going for five minutes, and b) if you don't, your competitors will and then take all your business away from you," continued Blask, who specifically advocated the use of "oracles," where contract language is set and chained into repositories, with specific automated responses that occur when certain conditions are met.
With this real-time communication approach, which includes process automation, "you don't typically have an opportunity for these problems to creep in because people are talking to each other," he said. "A lot of this depends on whether an organization is mature enough to ask the right questions."
Senior Reporter Joe Uchill's reporting contributed to this report.