The specific tactic used by the ransomware gang targeting Kaseya customers illustrated an unsolved flaw in many managed service provider software distribution models: relationships based on mutual trust are inherently risky.
And this risk can often go unnoticed.
“You have a problem here because MSPs are responsible for their customers. And Kaseya offers this service that MSPs pay for, ”said Dede Haas, DHL Services Channel Strategist and MSP Strategy Expert. “There is a chain of trust that has now been broken.”
So what are the flaws in vendor-MSP relationships that could pose risks, and what tactics could help fill the gaps? SC Media spoke to supply chain experts to examine the complexity.
A shared responsibility
According to the company, between 50 and 60 of Kaseya’s local remote monitoring and management customers were attacked by a REvil ransomware subsidiary on Friday. Well over a thousand managed service provider customers who use Kaseya VSA have signed up with. infected Ransomware.
“When I saw that, I thought, ‘Oh. That’s not a good thing, ”added Haas. “If Kaseya is hacked, it’s not MSP’s information; it is also the information of your customers and your customers. “
All of these factors led Kaseya to prompt local VSA customers to shut down and take servers that support software-as-a-service offerings offline as a precaution.
On Thursday, CEO Fred Voccola announced in an online video Statement that Kaseya would provide assistance to customers who needed it after the attack, in an offering modeled after a financial aid program the company launched after the Covid-19 hit. This would take the form of direct financial support to MSPs “who have been crippled by the REvil people and the new adversaries we face,” he said.
The company will also spend millions of dollars to work with outside consulting firms and its own professional service team to enable licensed payment delays.
“It’s very different from the type of relationship we have with our customers, which is where we are business-critical,” he said.
But whether or not Kaseya falls on its sword, as the company seems to do, it doesn’t necessarily mitigate the challenges MSPs face from their own customers. They will want the reassurance that their own data has not been compromised, and even if that reassurance comes, MSPs – much like Kaseya is now doing – could be managing potential damage to relationships and reputations.
“It was strategic to pursue MSPs, but opportunistic about what they got,” said Joshua Marpet, executive director at Guardedrisk. “If you want to find juicy pieces, do you go after a company? May be. But when they are involved in M&A it is easier to keep track of the law firm that usually offers poorer security. The most successful MSP I’ve ever heard of had a profit margin of 36%; this is nothing in the software world. So how much time and effort do you have to hardwire all of these tools and vendor offerings? I cannot blame the MSPs. “
The special thing about the MSP model is that a successful attack is usually multi-pronged: Identify a weak point in the software and then attack the provider who, in theory, has not placed any additional security controls on the provider’s tech stack to protect the To make exploitation difficult.
In the case of the Kaseya attack, MSPs using two-factor authentication are “in a slightly better position,” said JC Herz, co-founder and chief operating officer of Ion Channel, a data platform and service that enables companies to to manage their software supply chain at risk. But before an attack could break out, she added, “Vendors should know if an MSP’s corporate policy allows for two-factor authentication. It’s not about making sure your MSPs are compliant [the Federal Risk and Authorization Management Program]. These are basic standards that you should know and need. The question with the MSPs is whether it is possible to achieve a verifiable, continuous level of security with regard to their controls. “
“What should happen now is that every customer is assuming that all of their MSPs have been compromised and are implementing compensatory controls in their own companies to properly segment the data exchange,” she continued.
Although MSPs have significant responsibility for securing their own infrastructure, most experts tell SC Media that the burden of not only ensuring the safety of the product, but also setting policies and procedures for customers regarding safety standards, rests with the provider also what to do if a vulnerability is identified. This should include details of the communication and expectations of the vendor, the MSP, and even the end customer.
“It’s just so important to have these mitigation processes and practices,” added Haas. “The MSPs are more aware of this than anyone. And that is their frustration. Vendors think there should be partners out there taking care of the vendor, but no, vendors – you are responsible for taking care of the partner. Help them to be protected. “
“The MSP is the one who gets the most pissed off,” she continued. “There has to be transparency. And they just have to do it. “
To achieve this transparency, many experts refer to different versions of so-called “intelligent” contracts that clearly define requirements, expectations and procedures. Chris Blask, Cybeats Strategic Advisor and former Executive Director at Unisys, said it was an important part of a digital bill of materials – a concept he has coined over the past few years to denote the list of all components in any type of product while each moving from one set of hands to the other.
“Everyone must be able to” [do this]At some point in the foreseeable future, not just because there will be regulation, but because a) attackers will evolve to the point where you can no longer keep your thing going for five minutes and b) if you don’t your competitors will and then take your entire business away from you, ”continued Blask, who specifically advocated the use of“ oracles ”where contract language is established and chained in repositories, with specific reactions that occur when certain conditions are met.
With the real-time communication with automation approach, “you are less likely to have these issues creeping in because people are talking to each other,” he said. “A lot depends on an organization being mature enough to ask the right questions.”
#Kaseya #attack #reveals #potential #loopholes #managed #service #provider #model