Managed Service Providers

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Podcast: Can we fix IoT security?

For many U.S. workers the switch to remote work is a permanent one. That means more high-stakes work is being conducted on self-configured home networks. For others, home networks are simply hosting more devices as smart doorbells, thermostats and refrigerators now connect to the internet.

Security experts warn that while the internet of things (IoT) isn’t inherently a bad thing, it does present concerns that must be considered. Many devices come pre-configured with inherently poor security. They often have weak or non-existent passwords set as the default.

As our guest and host Joe Panettieri discuss, these are issues that would be addressed on corporate networks by a professional IT administrator. The conversation covers the issues of IoT and home network security both from the perspective of the average family household and what the age of remote work means for employees working on their own networks.

Security intelligence director Grayson Milbourne brings a unique perspective to the podcast. Having held senior roles in both threat intelligence and product management, Milbourne is acutely aware of what the threats security products come up against. He knows both the cyber threat landscape and the consumer internet security market, so he’s able to provide insightful advice for how tech-loving homeowners can keep personal networks powerful and protected. 

Milbourne suggests problems of IoT and home network security could be addressed with a cybersecurity version of ENERGY STAR ratings. A program could formalize current IoT security best practices and incorporate them into a standard consumers recognize.  

During this informative podcast, Panettieri and Milbourne discuss that idea and more cybersecurity topics related to IoT devices. They cover:

  • The difference between device security and the security of the app used to control it
  • How to leverage user reviews while researching IoT devices and what security concerns to check on before buying
  • Privacy and data collection issues, including why one of the most common IoT devices may be among the most intrusive
  • Configuring IoT devices to prevent them from joining rogue IoT zombie networks

Whether you’re an IT administrator trying to secure remote workers or just own a smart TV, there’s something in this conversation for you. Be sure to give it a listen.

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction

It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan before it’s hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed to prepare for and respond to cyber threats or attacks against your organization.

It may be as simple as the deployment of antivirus plus backup and recovery applications for your end users, or a more complex approach with security operations center (SOC) tools or managed response solutions coupled with network security tools such as DNS and Web filtering, network and endpoint firewalls, VPNs, backup and recovery and others.

It’s also essential to ensure end-users are trained on ransomware threats as a part of a good security awareness training program. The bottom line is, if prevention tools and training fail and your organization is compromised, you need to have a protection plan that gets your company assets and resources back to work quickly and securely.

What preparation is needed

When contemplating an in-depth plan, specific questions come to mind—the whats, the hows, the whys, and most importantly, the whos must be defined in the plan. When asking these questions, we need to be prepared to identify the resources, people and applications included. We must determine how to react to the situation and execute the logical steps and processes required to reduce damage as quickly as possible.

Below are some questions to get us started.

Key questions

  1. Who will be involved in recovery and communication when your DR plan is in action?
  2. How much downtime can your organization withstand?
  3. What service level agreement (SLA) do we need to provide to the business and users?
  4. What users do we need to recover first?
  5. What tools do we have to reduce risk and downtime within the environment?
  6. How are user networks separated from operational or business networks?
  7. How quickly can data protection tools get us up and running again?
  8. Can users get their data back if an endpoint device is compromised?
  9. Can we determine when the ransomware first hit the network or endpoint devices?
  10. Are we able to stop the proliferation of ransomware or malware throughout the network?
  11. Can we recover quickly to a specific point in time?
  12. Can our users access their data from the cloud before it has been restored?

Application Needs

The solutions below, coupled with an exercised BC/DR plan, will help reduce your organizational risk exposure and allow for quick remediation.

  • An endpoint security solution capable of determining what events took place and when
  • A DNS security solution capable of turning away security threats at the network level
  • A solution for endpoint backup and recovery that can safeguard data should these other solutions be compromised

Lines of Communication

Equally important as the technology are the people who manage and maintain the systems that support the different business units within an organization. For example, your security team and your endpoint support team need to be in regular discussions about how the teams will communicate when under attack. You need to determine who is responsible, what systems, and when they should be brought into the process when under attack.

System Response Ratings

A system response rating system can assist in determining which systems or employees require a higher degree or speed of response. To do this, organizations must specify the value of the system or resource and where that resource sits regarding protection or remediation priority. This is often determined by the value of the resource in monetary terms. For example, suppose the loss of a specific system would incur a massive loss of incoming revenue. In that case, it might be necessary to place a higher priority in terms of protection and remediation for it over, say, a standard file server. 

The same can be said for specific individuals. Often C-level resources and mid-tier executives need to be out in front of a situation, which highlights the importance of making sure their resources like laptops and portable devices are protected and uncompromised. They are often as important as critical servers. It is necessary to classify systems, users and customers regarding their criticality to the business and place priorities based on the rating of those resources.

Now that we know a bit of the who, what, and how, let’s look at how to recover from a single system to an entire enterprise.

Recovery and Remediation

Recovery is an integral part of any BC/DR plan. It gives organizations a playbook of what to do and when. But it’s not enough to recover your data. Admins also need to understand the remediation process that should be followed to prevent further infection of systems or proliferation of malware within an organization.

Scenario

Ransomware hits users’ laptops, encrypting all of the data. The laptops have antivirus protection, but no DNS protection. Network security is in place in the form of firewalls and VPNs, with some network segmentation. There is also a security team in addition to the end-user support team. The ransomware that hit is polymorphic, meaning that it changes to prevent detection even if the first iteration of the ransomware is isolated.

Solution

The first step is consulting the endpoint security console to learn when and where the malware was first seen. If backups are still running, they should be suspended at this point to prevent infected data from being backed up along with the malware. This can be done either from the dashboard or from an automated script that suspends all devices, or only the devices that have been compromised.

A dashboard should make it easy to handle single systems, while scripts can help with thousands of devices at a time. APIs can help to automate processes like bulk suspend and bulk restore of devices. At this time it may be prudent to block traffic from the infected areas, if network segmentation is enabled, to prevent the spread of malware.

Now it’s time to review the protection platform to determine the date the file was first noticed, the dwell time, and when the encryption/ransomware started executing. Once these facts have been determined, it’s possible to track down how the organization was breached. Understanding how malware entered the network is critical to preventing future infections. Since, in our example, ransomware infected devices, a tested and reliable recovery process is also necessary.

Understanding the timeline of events is critical to the recovery process. Knowing when the infection began is the first step in the restore process, because it sets the point in time to restore to. Once an admin can zero in on the date and time to restore, affected devices can be compiled into a CSV file, each marked with its device ID number, to reactivate any backups that were halted once the breach was discovered.

Once the data, source and target device IDs, and the date and time to restore from are combined with a bulk restore script, a bulk restore can be pushed to the same laptops or to new laptops. While that restore runs, solutions offering web portals let users get back to work quickly.
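To make the procedure above concrete, here is an added example (not Webroot or Carbonite code) that turns endpoint-console detections and a backup catalogue into the two artifacts the text describes: the list of devices whose backups must be suspended, and the CSV of device IDs with a restore point for the bulk restore script. It also orders the restore by the system response rating from the earlier section, so the most critical users come back first. The event format, snapshot format, device IDs, ratings and the one-hour dwell-time margin are all constructed assumptions for the illustration; a real deployment would fill the same fields from its endpoint security console and backup API.

```python
"""Build a bulk-suspend list and a bulk-restore plan from endpoint telemetry.

Added illustration for the ransomware recovery scenario; not vendor code.
Every input below is constructed for the example.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed detection events as an endpoint console might export them:
# (device_id, detection time in UTC, detection name).
DETECTIONS = [
    ("LAP-0042", "2021-03-09T14:05:00Z", "W32.Ransom.Generic"),
    ("LAP-0042", "2021-03-09T09:41:00Z", "W32.Ransom.Generic"),  # earlier sighting
    ("LAP-0107", "2021-03-09T11:20:00Z", "W32.Ransom.Generic"),
    ("LAP-0311", "2021-03-10T08:02:00Z", "W32.Ransom.Generic"),
]

# Constructed backup catalogue: device -> snapshot times (UTC), unordered.
SNAPSHOTS = {
    "LAP-0042": ["2021-03-08T22:00:00Z", "2021-03-09T10:00:00Z", "2021-03-07T22:00:00Z"],
    "LAP-0107": ["2021-03-08T22:00:00Z", "2021-03-09T22:00:00Z"],
    "LAP-0311": ["2021-03-10T07:30:00Z", "2021-03-10T09:00:00Z"],  # nothing pre-infection
}

# Constructed system response ratings (1 = restore first).
RATINGS = {"LAP-0042": 3, "LAP-0107": 1, "LAP-0311": 2}

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(s):
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


def first_seen_per_device(detections):
    """Earliest detection per device; consoles often list later re-detections too."""
    first = {}
    for device_id, ts, _name in detections:
        t = parse_ts(ts)
        if device_id not in first or t < first[device_id]:
            first[device_id] = t
    return first


def suspend_list(detections):
    """Devices whose backups must be paused so encrypted files are not backed up."""
    return sorted({device_id for device_id, _ts, _name in detections})


def choose_restore_point(snapshots, first_seen, margin=timedelta(hours=1)):
    """Latest snapshot taken before first_seen minus margin, or None if none exists.

    The margin allows for dwell time: the first console sighting is only an
    upper bound on when the malware arrived, so we back off a little further.
    """
    cutoff = first_seen - margin
    clean = [parse_ts(s) for s in snapshots if parse_ts(s) < cutoff]
    return max(clean) if clean else None


def build_restore_plan(detections, snapshots, ratings, margin=timedelta(hours=1)):
    """One row per affected device, ordered by rating so critical users restore first."""
    plan = []
    for device_id, seen in first_seen_per_device(detections).items():
        point = choose_restore_point(snapshots.get(device_id, []), seen, margin)
        plan.append({
            "device_id": device_id,
            "rating": ratings.get(device_id, 99),  # unrated devices go last
            "first_seen": seen.strftime(TS_FMT),
            "restore_point": point.strftime(TS_FMT) if point else "",
            # No clean snapshot means a human must decide (rebuild, older media, ...)
            "action": "bulk-restore" if point else "manual-review",
        })
    plan.sort(key=lambda row: (row["rating"], row["device_id"]))
    return plan


def plan_to_csv(plan):
    """CSV text in the shape a bulk restore script would consume."""
    fields = ["device_id", "rating", "first_seen", "restore_point", "action"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(plan)
    return buf.getvalue()


if __name__ == "__main__":
    print("suspend backups for:", suspend_list(DETECTIONS))
    print(plan_to_csv(build_restore_plan(DETECTIONS, SNAPSHOTS, RATINGS)))
```

The point of the `manual-review` row is that a device with no snapshot older than the first sighting (LAP-0311 in the constructed data) must not be silently restored from a possibly encrypted backup; the plan surfaces it for a person to decide.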

Summary

The right tools, planning, importance hierarchy and communication channels across a business are essential for establishing cyber resilience. Once a timeline of a breach has been determined, these elements make restoring to a pre-infection state a process that can be planned and perfected with practice.

Oh no! A client failed a pen test. Now what?

In a previous post, we talked a bit about what pen testing is and how to use the organizations that provide them to your benefit. But, what about when one of them hands a client a failing grade?

Consider this, you’re an MSP and you get a letter or email from one of your customers that reads:

“Dear ACME MSP,

We regret to inform you that you’ve had a Penetration Test Failure produced by: “FriendlyHacker-Pentesting Inc” and we’d like to discuss the details further to determine if you have what it takes to continue to handle our security needs.

Regards,

Largest MSP Customer.”

A customer may not pass along this exact wording, but the implications are clear. The results can be embarrassing or, at worst, devastating. When a customer reaches out after failing penetration testing, it can put an MSP on its heels and create unnecessary angst. Should the MSP have been more involved in the testing? Did my tools cause the failure? Has the MSP soured its relationship with its client? Will the business be lost?

So, how should an MSP respond when a customer fails a pen test?

Some MSPs turn to self-doubt and start wondering if the layers of protection they’ve put in place are worth the costs. Others will immediately start pointing fingers at the tools that were identified in the pen test report. When a report comes through with a failure, it’s usually unexpected and can take time away from more important activities.

To save time and effort if this should happen to you, here are a few key elements of a good response to a pen test failure.

Immediately start asking questions.

  • What kind of penetration testing was involved?
  • Who performed the testing and what are their credentials?
  • How was the penetration testing organization positioned to start taking action?
  • Were the testers acting as “Red Team” or “Blue Team” actors?
  • When did the testing take place?
  • May I examine the data and reporting?

Review your tools’ configurations.

Rather than immediately assume bad tech, it’s best to step back and evaluate each tool identified in the pen test report and the associated configurations, policies and control points. Often, a security tool is designed to identify, evaluate and/or stop bad actors along the threat chain. If it failed, it could be that a setting was disabled or misconfigured. Review all tools’ “best practice” guides, documents and suggestions before making assumptions.

Ask for partnership with the customer during their next review.

If the customer did not provide a heads up or pre-testing communication, request that you be more involved during their next review. If pen testing is important enough for them to do once, it’s probable that they’ll do it bi-annually or annually, depending on the industry and regulatory concerns. It’s always better to be involved in advance than after the fact.

Blue Teams vs. Red Teams: Which type of test was conducted?

The difference between a Blue Team and Red Team is how much previous access they have to a target’s networks and devices. This can make a huge difference in how the results of a pen test are interpreted. When a Blue Team—with some previous knowledge of an organization and its IT systems—is able to breach a business, it may not be representative of real-world circumstances. It could be an internal IT admin who was able to find a vulnerability after poking around in a system she previously had access to.

When a Red Team compromises a client, on the other hand, it’s time to examine the reporting closely. Starting with zero knowledge of an organization’s systems, this type of breach could point to serious flaws in the defenses an MSP has set up for a client. Likely there are real holes here which need to be patched.

Evaluate the pen testing organizations

While there are many levels of testing capability, keep in mind that pen testers come from many IT walks of life. Former sysadmins, hackers and network administrators make up the most common testers. They come with their own experiences, specialties and biases.

One question to always ask is, what are the testing organization’s credentials? What is their background and how did they come to the business? How long have they been testing?

The goal is to gauge whether the individuals who’ve conducted the test are knowledgeable enough to make judgments about your organization’s defenses. Did they actually breach the defenses or are they simply reporting on a “potential” for a breach?

Not all testers are alike, and not all testing organizations are alike. Each has to successfully make the case for its own expertise in coming to the conclusion that it has.

As I say, trust but verify. And be prepared to ask LOTS of questions if a client ever fails a pen test.

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic. For MSPs, that makes up a good portion of their clientele.

Remote workers were abruptly pulled out from behind the corporate firewall, immediately becoming more susceptible to the targeted attacks of cybercriminals. Acceptable use policies could no longer be easily enforced, home devices became work devices, and employees distracted by life around them became more likely to click carelessly.

What’s worse, because the pandemic was affecting more or less all of us at the same time, cybercriminals had a virtually limitless pool of targets on which to test out new scams. Phishing scams imitating eBay skyrocketed during the first months of product shortages brought on by COVID-19. Scam emails claiming to be from Netflix rose by more than 600% in 2020.

We were fish in cybercriminals’ collective barrel. Now, even with vaccinations rising in the U.S., many companies are rethinking the way they work. It’s up to MSPs to have a strategy for securing remote workers, because they’ll likely need to serve more of them than ever before.

Find out how to ensure your clients’ remote workers are resilient against attacks across networks in this informative conversation between ChannelE2E and MSSP Alert editor Joe Panettieri and his guest Jonathan Barnett. In addition to being a network security expert and senior product manager for Webroot’s DNS solution, Barnett brings 20 years of experience as the head of his own MSP business to the podcast.

Here’s what he has to say about ensuring a cyber resilient remote workforce.

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous term; everyone wants it to be better, but what exactly does that mean? And how do you properly measure it? After all, if a security product is effective, then that means few or no cyberattacks should be getting through the lines of defense to the actual infrastructure. Yet, faced with modern cyber threats, that seems like a pretty impossible goal, particularly as many attacks are designed to operate under the radar, evading detection for weeks or months at a time.

As a result, many businesses and managed service providers may try to account for their efficacy needs in the tools that they choose, vetting the solutions with the highest reviews and the best third party testing scores. But the tools aren’t everything. What else can you do?

Here are our top 5 tips for getting the best possible efficacy out of your IT security stack.

  1. Partner with solution vendors who can guide you to the right setup.
    Most small to medium-sized businesses and many MSPs just don’t have the resources to keep dedicated security experts on staff. That’s not a problem, per se, but it does mean you might have to do some extra legwork when selecting your vendor partners. For example, it’s important to take a hard look at the true value of a solution; if it requires costly or time-consuming training to attain a skill level high enough to get maximum value from the product, then the cost-benefit ratio is much different than it initially appears. Be sure to choose vendors who provide the type of guidance, support, and enablement resources you need; who can and will advise you on how best to configure your cybersecurity and backup and disaster recovery systems; and who are invested in helping you ensure maximum return on the investment you and your customers are making in these solutions.

  2. Trust your tools, but make sure you’re using them wisely.
    According to George Anderson, director of product marketing for Carbonite + Webroot, OpenText companies, many of the tools IT admins already use are extremely effective, “as long as they’re being used properly,” he cautions. “For example, Webroot® Business Endpoint Protection includes powerful shielding capabilities, like the Foreign Code Shield and the Evasion Shield, but these are off by default, so they don’t accidentally block a legitimate custom script an admin has written. You have to turn these shields on and configure them for your environment to see the benefits; many people may not realize that. But that’d be one simple way admins could majorly improve efficacy; just check out all your tools and make sure you’re using them to their fullest capacity.”

  3. Consider whether EDR/MDR/ADR is right for you.
    If you’re not already using one of the solutions these acronyms stand for, you’ve likely heard of them. Endpoint detection and response has a lot of hype around it, but that’s no reason to discount it out of hand as just another industry buzzword. It’s just important to demystify it a little so you can decide what kind of solution is right for your needs. Read more about the key differences here. Keep in mind, there’s often a high level of involvement required to get the most out of the additional information EDR provides. “It’s really more of a stepping stone to MDR for most MSPs,” per George Anderson. “Webroot Business Endpoint Protection actually provides all the EDR telemetry data an MDR solution needs, so I don’t recommend EDR alone; it should be used with an MDR or SIM/SIEM solution.”

  4. Lock down common security gaps.
    Some of the easiest ways to infiltrate an organization’s network are also the easiest security gaps to close. Disable remote desktop protocol (RDP). If you really need these kinds of capabilities, change the necessary credentials regularly and/or use a broker for remote desktop or terminal services. Use hardened internal and external DNS servers by applying Domain Name System Security Extensions (DNSSEC), along with registry-locking domains; looking at certificate validation; and implementing email authentication like DMARC, SPF and DKIM. Be sure to disable macros and local admin privileges, as well as any applications that are not in use. And, of course, run regular patches and updates so malicious actors can’t just saunter into your network through an old plugin. These are all basic items that are often overlooked, but by taking these steps, you can drastically reduce your attack surfaces.

  5. Train your end users to avoid security risks.
    Phishing and business email compromise are still top security concerns, but they’re surprisingly preventable at the end user level. According to the 2021 Webroot BrightCloud® Threat Report, regular phishing simulations and security awareness training can reduce phishing click-through by as much as 72%. Such a significant reduction will absolutely improve the overall efficacy of your security program, and it doesn’t impose much in the way of administrative burden. The secret to successful cyber-awareness training for end users is consistency; using relevant, high-quality micro-learning courses (max of 10 minutes) and regular phishing simulations can help you improve your security posture, as well as measure and report the results of your efforts.
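Tip 4 names SPF and DMARC as gaps to close, and the most common failure is not a missing record but a weak one. The following added example (not Webroot code) checks SPF and DMARC record text the way an MSP reviewing a client's domain would: it flags an SPF `+all`/`?all` that lets any host pass, the deprecated `ptr` mechanism, and the RFC 7208 limit of ten DNS-querying terms that turns a record into a permanent error; for DMARC it flags `p=none`, partial `pct`, missing aggregate reporting and `sp=none`. The records are constructed samples; in practice you would fetch the TXT record at the domain (SPF) and at `_dmarc.<domain>` (DMARC) and feed the strings to these functions.

```python
"""Offline weakness checks for SPF and DMARC records (added example, not vendor code).

The sample records at the bottom are constructed; real records come from DNS TXT
lookups at <domain> (SPF) and _dmarc.<domain> (DMARC).
"""
import re

# RFC 7208 section 4.6.4: at most 10 of these per SPF evaluation.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def check_spf(record):
    """Return a list of findings for one SPF record; empty means nothing weak found."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    lookups = 0
    all_qualifier = None
    has_redirect = False
    for term in terms[1:]:
        # Optional qualifier prefix: + (pass, default), - (fail), ~ (softfail), ? (neutral)
        qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name = re.split(r"[:/=]", body, 1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("SPF: ptr mechanism is deprecated and slow; list hosts explicitly")
        if name == "redirect":
            has_redirect = True
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10 (permerror)")
    if all_qualifier is None:
        if not has_redirect:
            findings.append("SPF: no 'all' term, so unlisted senders get a neutral result")
    elif all_qualifier in "+?":
        findings.append(f"SPF: '{all_qualifier}all' lets any host pass; use ~all or -all")
    return findings


def parse_dmarc(record):
    """Split 'k=v; k=v' into a dict with lower-case tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue  # tolerate empty trailing segment or junk
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return a list of findings for one DMARC record; empty means nothing weak found."""
    first = record.strip().split(";")[0].replace(" ", "").lower()
    if first != "v=dmarc1":
        return ["DMARC: record must begin with v=DMARC1"]
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("DMARC: missing required p= tag")
    elif policy.lower() == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports will arrive")
    if tags.get("sp", "").lower() == "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    return findings


def check_domain_records(spf_record, dmarc_record):
    """Combined report for a domain's two records."""
    return {"spf": check_spf(spf_record), "dmarc": check_dmarc(dmarc_record)}


# Constructed sample records (example.com / example.net are reserved names).
WEAK_SPF = "v=spf1 include:_spf.example.net a mx ptr +all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
TOO_MANY_LOOKUPS_SPF = "v=spf1 " + " ".join(f"include:spf{i}.example.net" for i in range(11)) + " -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in [("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)]:
        print(label, check_domain_records(spf, dmarc))
```

The checks are deliberately syntactic: a record that passes them can still be wrong (for example an `include:` that points at a third party you no longer use), so treat an empty finding list as "nothing obviously weak", not as a clean bill of health.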

All in all, these tips are simple, but they can make all the difference, especially if you have big efficacy goals to meet on a lean budget.

For more industry tips and tricks and product-related news, follow @webroot and @carbonite on Twitter and LinkedIn.

How MSPs can use Webroot Cyber Resilience Solutions to Get their Time Back

Although they didn’t always call themselves a managed service provider, that’s exactly what T-Consulting has been since its inception. According to Vera Tucci, founder and CEO of the Italy-based MSP, it was her mission to give her clients more than a basic hardware/software bundle with a few hours of IT consultation. She knew her clients needed a greater level of service, especially those whose businesses had grown from small family operations into larger companies, and that’s what she built her own business to provide.  

When one of her oldest clients began having issues with the previous security program T-Consulting offered — issues that prevented the client from being able to access business critical systems and required hours upon hours of her team’s time to diagnose and resolve — Tucci immediately started working to identify a better solution. As far as she was concerned, the tools her team used should solve problems, not cause them. That’s when she came across the Webroot® portfolio of cyber resilience products for endpoint protection, DNS protection, and end user training.


“I actually remember the change in mood within my company. Within days of making the decision [to switch to Webroot], my employees were happy again. They weren’t waking up worried about what would go wrong. […] We saw immediate results in terms of the time our team suddenly had on its hands. We were not wasting time trying to solve problems we shouldn’t have had in the first place.” – Vera Tucci, Founder and CEO, T-Consulting

Hear how T-Consulting integrated Webroot® Business Endpoint Protection, DNS Protection, and Security Awareness into its RMM, enabling its team members to take back their time and refocus their efforts on business priorities and revenue-generating tasks in CEO Vera Tucci’s video testimonial.

Watch the video on YouTube.

Human-centered Design in the New Webroot Management Console

At Webroot, we could go on and on about user experience (UX) design. The study of the way we interact with the tools we use has spawned entire industries, university programs and professions. A Google Scholar search of the term returns over 300 thousand results. Feng Shui, Leonardo da Vinci and Walt Disney are all described as important precedents for modern UX.

Just to say: it’s something software companies spend a fair amount of time thinking about, even cybersecurity companies.

April 27 marks the release of the re-designed Webroot business console, and our team of UX designers had plenty to think about in terms of inspiration for our first major business management console re-design in more than 10 years. Ultimately, it was decided that the console’s facelift would be guided by the principle of “human-centered design,” or HCD.

The International Standards Organization describes HCD as “an approach to interactive systems development that aims to make systems usable and useful by focusing on the users, their needs and requirements, and by applying human factors/ergonomics, and usability knowledge and techniques.”

Ultimately, human-centered design entails giving people the tools they need to accomplish what they set out to. It can refer to designing products to help individuals overcome their disabilities or making sure a driver feels like he’s behind the wheel of an Indy Car every time the engine turns over. As CIO puts it, “human-centered design focuses on the human first.”

HCD and the new Webroot management console

The humans we put first are our users. More specifically, in terms of our business products, managed service providers (MSPs) and small to medium-sized businesses (SMBs). These groups have varying pain points they need addressed by our software. MSPs tend to need multi-site, multi-tenant capabilities for managing many clients, whereas SMBs typically require a simplified console that’s easy to use. So, in accordance with HCD, we’ll be releasing a separate console for each.

That’s not the only way we considered the user in refreshing our console though. Our UX and product management teams directly discussed desired improvements with more than 50 top users and incorporated feedback from hundreds of users through the Community, wire frames, usability tests and conversations. Enhancements were made based on this customer research.

All this led to a cleaner, more intuitively designed management console that we hope puts the needs of the user first. It’s our hope that HCD will make the lives of our business customers easier, removing some of the barriers they encounter with the software they use to make their clients and businesses more secure.

For more release details, specific improvements made and screenshots of the new console, download the full product bulletin here.

What is Pen Testing and Should You Have a Company that Performs them on Retainer?

Pen testing is the art of attempting to breach an organization’s network, computers and systems to identify possible means of bypassing their defenses. It’s an “art” because there is no one-size-fits-all method or process. Testers need a variety of skills, knowledge and tools to make the attempt.

Most testers are hackers trying to use their skills legitimately, technical administrators, network administrators or just computer enthusiasts who enjoy trying to undermine IT security stacks. Many testers are jacks-of-all-trades (and masters of them all). Their primary goal is to succeed in getting past defenses and report on their findings. An MSP’s intention is to NOT allow this to happen by putting up the right security posture through layered defenses.

So it’s easy to see how the relationship can quickly become adversarial. But there are ways pen testing organizations can help MSPs. Before we get to that, more details on types of pen tests.

Types of testing

An issue with pen testing is a lack of standard operating procedures. No one company performs the tests the same way. Testers are fallible actors with certain skills they apply to circumvent defenses. While testers and testing organizations are usually highly skilled, they are not all knowing. Trust, but verify.

So, what types of testing methods are there? While standardization is scarce and pen testing is pretty much a Wild West environment, there are some common methods and approaches. These can be broken down into two categories: Blue Teams and Red Teams.

(Tools are varied and not important until the tester discovers or knows what type, brand or systems are present. In other words, tools are specific to the environment.)

Blue Teams

With Blue Teams, the “tester” has some information about the network, computers and organization that they’re pitted against. They know how things are set up and are there as more of an audit/report type tester rather than a malicious hacker.

Blue Teams can be anyone inside or outside the organization. However, in the MSP community, the Blue Teams are usually the technicians responsible for establishing the layered security defenses and then verifying their effectiveness. They’re the internal folks that are standing up various tools to block bad actors from encroaching or breaching their network, computers and systems.

Here’s where it can get murky and why you should always insist on more information about any client’s pen test. Pen testing can be an outside organization performing a Blue Team activity, and their report can still be communicated as a Pen Test Failure. Trust, but verify.

Red Teams

Red Team testers have no idea about the organization they’re testing against and must figure out the technology, network, computers and systems before doing anything. These are true hackers starting from nothing. They may use social engineering to conduct reconnaissance, they may google employees, use LinkedIn or any other publicly available information to gain a foothold with the organization before they write one line of code.

This is real penetration testing, as they make the attempt to access the networks, computers and systems of the identified organization they’re testing against. When a Red Team reports its findings on why and how they were able to breach a client, it’s time to pay attention.

Should you put a Penetration Testing company on retainer?

So, now that we’ve established some high-level parameters, how should MSPs engage with pen testers?

First, it’s important to learn everything you can about your tools. The mantra of a strong security posture is ‘know your tools inside and out.’

But don’t stop there. Rather than stand up the layers of the latest cool tools and cross your fingers no pen tester hits a client with a failing report, be proactive. Learn about the penetration testing market, find a good pen testing company with strong credentials and engage with them. With security concerns exploding over the past few years, pen testing should be considered an essential tool for validating your effort and spend on the security stack. So get to know the good ones.

Again, many MSPs view third-party pen testing organizations as the enemy. Instead, engage with pen testing organizations to test your own defenses before issues affect your customers.

Here are a few tips for improving your business’s relationships with pen testers:

  • Pen test your own network, computers and systems. If you want to know how good your “Blue Team” is, put their feet to the fire and have a solid, reputable third-party pen testing organization attempt to breach your own defenses. Learn all you can about their methods and findings, then review and adjust.
  • Work with the pen test organization as a potential revenue opportunity. Work out an agreement that lets you as the MSP provide work and opportunity through your own customer network. You act as the lead generator and offer their services as an adjunct to your own.
  • When customers come along with a report you were not involved in, ask questions about how the test was conducted and then offer your own services to proactively verify their report.

Now that you know the basics of pen testing and how they can be used constructively, here’s a question: what happens when a customer fails a pen test? We’ll answer that question in an upcoming post.

What Real Security and Compliance Look like when Managing 5000+ Endpoints

In the United States, there are approximately 350,000 companies contracting for the Department of Defense. Each of these companies has to meet varying degrees of compliance and is now subject to the Cybersecurity Maturity Model Certification (CMMC). Effectively, CMMC means that before a DoD contractor can execute on their contract, they have to receive an independent, third-party verification certifying whether they meet the correct security and compliance criteria. The process is expensive and it’s pass/fail.

F1 Solutions, an MSP based in Huntsville, Alabama, has been working to align their security stack to the CMMC guidelines to help ensure that all of their customers, whether DoD contractors or otherwise, benefit from the comprehensive level of security the regulation requires. DNS protection, in particular, is a must-have under these rules. With over 5,000 endpoints under management, F1 has set itself quite a task. But with cyber resilience solutions from Webroot in their security stack, they’re up to the challenge.

“Of all our clients on our full stack (about 140), we’ve never had a client fall victim to cryptojacking or any significant virus, for that matter, unless the system was not using part or all of our stack or being managed by us. That’s pushing 5,000 endpoints, including all servers, terminal servers, Macs and PCs.” – James VanderWier, CEO, F1 Solutions

Hear how F1’s overall security and compliance offering changed for the better since they made the switch to Webroot endpoint security solutions in F1 CEO James VanderWier’s video testimonial.

Watch the video: https://vimeo.com/487018201

A Defense-in-Depth Approach Could Stop the Next Big Hack in its Tracks

Last year’s SolarWinds attack and its aftermath have provided numerous lessons concerning the dangers of IT supply chain attacks. Not all apply to every small and medium-sized business—most are unlikely to be targeted by highly trained state-backed hackers with virtually limitless funding—but some will be.

We learned, for instance, that even IT pros could use a refresher on basic password hygiene through security awareness training. A more substantive lesson is the importance of defense in depth, an approach that prioritizes mutually reinforcing layers of security.

In the case of SolarWinds, the Trojanized Orion update was able to elude endpoint security because it was issued by such a trusted source. As we’ve discussed, however, the damage from the compromise could have been limited significantly by using a defense in depth approach backed by leading threat intelligence.

A firewall with the right threat intelligence embedded could have blocked communications with the command-and-control server, preventing a Trojanized Orion install from connecting back to the attackers and stopping them from furthering the attack. An endpoint DNS solution could have stopped the Trojanized Orion version by refusing to resolve the domain names of the command-and-control servers, again disrupting the infection to the point that no real damage could be done.

This is what we mean when we stress the importance of a layered defense. Take a hypothetical scenario in which the opposite happens, for example. A zero-day threat with no known connection to malicious IPs, files or other data objects may not be known to the threat intelligence feed informing a network security solution. Once it has made its way to the endpoint, however, it begins to engage in behaviors known to be malicious: elevating privileges, moving laterally or trying to establish outbound communications, to name a few.

In this case, it is the endpoint security solution’s turn to save the day. If equipped with a rollback or remediation feature, endpoint solutions can not only stop the activity but also remediate the damage already done. These two layers work in concert to pick up the slack left by the other, helping organizations remain resilient against different types of attacks.
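The two scenarios above (a known command-and-control server stopped at the network or DNS layer, and a zero-day with no known indicators stopped by endpoint behavior) can be modeled as a chain of independent checks. The following Python example is added here for illustration and is not Webroot code or code from the original post. The indicators are constructed from documentation IP space and reserved .invalid/.test names, the behavior weights and threshold are hypothetical, and the ordering puts DNS before the firewall because a name is resolved before a connection is attempted.

```python
import ipaddress

# Constructed threat intelligence for the demo (documentation ranges and reserved
# names only); in practice these come from a threat intelligence feed.
C2_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
C2_DOMAINS = {"update-cdn.invalid", "beacon.test"}

# Hypothetical weights an endpoint agent might assign to behaviours it observes,
# independent of any IOC match.
BEHAVIOR_WEIGHTS = {
    "privilege_escalation": 2,
    "lateral_movement": 2,
    "outbound_from_unexpected_process": 1,
    "persistence_registry_write": 1,
}
ENDPOINT_BLOCK_THRESHOLD = 3


def _normalize_domain(name):
    # Lowercase and strip a trailing dot so "UPDATE-CDN.invalid." matches the list.
    return name.strip().rstrip(".").lower()


def dns_layer(event):
    """DNS layer: refuse to resolve a blocked domain or any subdomain of it."""
    name = event.get("domain")
    if not name:
        return None
    labels = _normalize_domain(name).split(".")
    # Check every suffix: api.update-cdn.invalid -> update-cdn.invalid -> invalid
    for i in range(len(labels)):
        if ".".join(labels[i:]) in C2_DOMAINS:
            return "dns"
    return None


def firewall_layer(event):
    """Network layer: block if the destination IP falls inside a known C2 network."""
    dst = event.get("dst_ip")
    if not dst:
        return None
    addr = ipaddress.ip_address(dst)
    return "firewall" if any(addr in net for net in C2_NETWORKS) else None


def endpoint_layer(event):
    """Endpoint layer: score observed behaviours; works with no IOC at all."""
    score = sum(BEHAVIOR_WEIGHTS.get(b, 0) for b in event.get("behaviors", []))
    return "endpoint" if score >= ENDPOINT_BLOCK_THRESHOLD else None


LAYERS = (dns_layer, firewall_layer, endpoint_layer)


def evaluate(event):
    """Pass the event through each layer; return the first layer that blocks, else None."""
    for layer in LAYERS:
        hit = layer(event)
        if hit:
            return hit
    return None


# Constructed scenarios mirroring the text: a Trojanized update beaconing to a
# known domain, a beacon straight to a known IP, a zero-day with no IOCs, and a
# benign update.
SCENARIOS = {
    "trojanized_update_known_domain": {
        "domain": "api.update-cdn.invalid",
        "dst_ip": "203.0.113.10",
        "behaviors": ["outbound_from_unexpected_process"],
    },
    "direct_ip_beacon": {"dst_ip": "203.0.113.55", "behaviors": []},
    "zero_day_no_ioc": {
        "domain": "files.example.com",
        "dst_ip": "198.51.100.20",
        "behaviors": ["privilege_escalation", "lateral_movement"],
    },
    "benign_update": {"domain": "updates.example.com", "dst_ip": "198.51.100.30", "behaviors": []},
}


def run_demo():
    """Return a mapping of scenario name -> layer that blocked it (None if allowed)."""
    return {name: evaluate(event) for name, event in SCENARIOS.items()}


if __name__ == "__main__":
    for name, layer in run_demo().items():
        print(f"{name:32s} -> {layer or 'allowed'}")
```

The point of the ordering is that each layer only needs to catch what the previous ones missed: the zero-day scenario passes both intelligence-driven checks untouched and is stopped only by behavior scoring at the endpoint.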

Remote work threatens defense in depth

Most larger organizations and a growing number of smaller ones have caught on to the need for layering endpoint and network protection. Firewalls embed threat intelligence and DNS security solutions are used to both block malware and control internet use. But recent events have worked to undermine this growing understanding.

Remote work exploded in 2020 with the advent of COVID-19, rapidly ushering in a new way of working before all of the security details could really be worked out. This presents a new set of stubborn challenges for IT security admins that’s not likely to fade soon. Outside of the corporate firewall, it is the Wild West. Every employee’s home network has a different set of security protocols and internet use is unregulated.

Webroot’s report on COVID-19 work habits found that three out of four people (76%) worldwide admit they use personal devices for work tasks, use work devices for personal tasks, or both. The 2020 Webroot Threat Report also found that personal devices were about twice as likely to encounter a malware infection as business devices. Together these numbers suggest a significant security threat for companies with remote workers.

DNS security solutions are one way of addressing this risk. Installed as an agent on each corporate endpoint, they route traffic through protected DNS servers that can identify, stop and disrupt communications threats. Of course, personal device use still represents a problem for companies not enforcing strict policies against their use. Nevertheless, DNS security remains a way to protect business-issued devices beyond the company network.   

The “next one” will look different

Focusing solely on how the SolarWinds attack unfolded is not the key to preventing future breaches. The next large supply chain attack will likely look very different than the SolarWinds attack. In fact, other than the infamous CCleaner hack of 2017, in which more than 2.3 million users of the computer cleanup software were duped into downloading malware onto their own machines, these types of attacks leveraging trusted but Trojanized updates are relatively rare.

But this fact makes defense in depth more critical, not less. Zero days will continue to be encountered. There is no telling which techniques the next one will employ, so it is important to make use of multiple tools to limit potential damage.

Cybercriminals will continue to undermine individual defenses. Smart organizations will hedge their cybersecurity bets so they are not all overcome at one time.

Why MSPs Need to Shift from Cybersecurity to Cyber Resilience

If your critical systems, website or customer data were suddenly inaccessible due to a cyberattack, how soon would you be able to get back up and running? That’s a question that should be on every business leader’s mind. We’ve written before about cyber resilience and why it’s so important, but in today’s increasingly disruptive threat landscape, it’s more important than ever for managed service providers (MSPs) and small to medium-sized businesses (SMBs) to embrace cyber resilience so they can mitigate disruption.

Threats such as hacking, phishing, ransomware and distributed denial-of-service (DDoS) attacks are only the tip of the iceberg and have the potential to interrupt critical business operations and cause reputational damage to organizations of all sizes. With attacks such as the SolarWinds security breach making headlines, as well as increasing threats targeting remote workers and taking advantage of COVID-19, MSPs and SMBs must concern themselves with threats that were once only a concern for much larger organizations. To stay resilient, it’s essential that leaders understand how to protect their businesses using a multi-layered approach.

Learn how your business can stay a step ahead of cybercriminals.
Download our Lockdown Lessons e-book today.

What’s driving the need for cyber resilience?

Cyberattacks are, unfortunately, a matter of “when,” not “if.” Being cyber resilient means that a company has both the ability to prevent attacks and the ability to mitigate damage and maintain business continuity when systems or data have been compromised. Where cybersecurity focuses more on protecting an organization before an attack has occurred, cyber resilience encompasses an end-to-end approach that keeps the business operating even in the midst and aftermath of an attack.

Without a holistic approach to security and recovery, catastrophic failures can occur. For example, many SMBs rely only on free cybersecurity solutions or eschew security altogether. Our data shows only 26% of SMBs deploy enough layers of security to cover their users, networks and devices.

Complicating matters further is the digital disruption that stems from the rapid shift to remote work. The challenge for both MSPs and SMBs is in securing a remote workforce and new, unsecured perimeters, especially across home networks and personal devices, which are already at increased risk for an attack.

SMBs will look to MSPs to achieve cyber resilience

Business leaders have a significant opportunity to bolster confidence in the business through cyber resilience, especially as employees look to management to protect them against increasingly sophisticated threats. According to data from a recent report, only 60% of office workers worldwide believe their company is resilient against cyberattacks. Nearly one in four (23%) admit to not knowing whether their company is resilient, while nearly one in five (18%) flat-out think it isn’t. What’s more, only 14% of office workers worldwide consider cyber resilience to be a responsibility all employees share, meaning that the burden of championing resilience starts with leadership. These statistics indicate a clear gap, and it’s safe to say that many SMBs are grappling with how to keep their businesses safe from cyberattacks.

As prominent attacks and the flow of threats continue, SMBs will look to MSPs to protect their businesses and help them achieve cyber resilience. This creates a unique opportunity for MSPs to guide customers through the maze of cybersecurity and data protection solutions and ensure they are receiving relevant education on protecting the business. MSPs can ensure that customers have defense in depth by offering ongoing security awareness training as well as endpoint protection. Those looking to transition to managed security can lean on Webroot’s training modules and phishing simulations to provide world-class training and monitoring.

It can take a village to prevent cyber threats

While getting support from MSPs is a great stride towards keeping businesses safe, a big piece of the cyber resilience puzzle is teamwork. There’s no single solution or approach that can protect a business, and it really does take a village to protect against today’s cyberattacks. Just as SMBs look to MSPs to become cyber resilient, MSPs can rely on security expertise to fill in the remaining gaps.

Cyber resilience solutions can be custom built for MSPs and their SMB customers, and further tailored to each individual business. By partnering with Webroot and Carbonite, you can offer a customizable set of solutions including endpoint protection, ongoing end user training, threat intelligence, and backup and recovery.

To learn more about cyber resilience and stay up to date on security tips and industry topics, follow our Hacker Files and Lockdown Lessons podcast series.

Does a SIEM make sense for my MSP?

Every device on an MSP’s managed network provides insight into what’s happening on that network. This includes everything from network routers, switches, printers and wireless devices to servers, endpoints, IoT devices and anything else connected to the network. Each creates a log in its own format, or syntax, that a technician can review for troubleshooting, configuration confirmation, the creation of specific alerts based on a device’s activity or a host of other reasons. These records of each device’s activities are known as syslogs.

Syslogs present information in a variety of ways, including custom formatting, industry-standard formatting and even raw data lacking a consistent format. The good news is that any activity requiring a security review is recorded somewhere in these syslogs. The bad news is that the data can be buried deep within them.

Whole mountain ranges of information are regularly processed by these systems. Millions upon millions of data points may be present, making the set overwhelmingly confusing. At best, sorting meaningful information from noise is a daunting task, even for well-staffed IT departments.

Fortunately for security professionals—and more specifically for MSPs and MSSPs focused on providing insight into their managed networks—there is a mature product category that can be incorporated into their technology stack to help. Security information event management (SIEM) solutions have existed for years, but they’ve recently been gaining traction among MSPs and MSSPs. For good reason: knowledge of a network’s activity is essential to protecting it.

Is setting up a SIEM worth the cost and effort for an MSP?

The short answer is: YES. If you want to synthesize information from various sources to determine whether a security event has taken place or is taking place on a customer network, then yes, a SIEM is the natural evolution of the MSP security stack.

The longer answer is, well, longer. Let’s break out a couple of options for those interested in establishing a more sophisticated security information and event management solution.

SIM, SEM or SIEM? That’s the question to begin with. While security information management (SIM) and security event management (SEM) solutions have been in place for some time, they’re now commonly combined into the offering referred to as a SIEM.

So, where does an MSP get started? There are three common choices for getting a SIEM stood up and configured:

  • On-premise – Stand up a server, add some software (a bunch, actually), point all the syslogs to the device and get started. Easy, right? In reality, on-premise solutions have a higher cost and can be daunting to get started. Software costs range based upon the solution provider’s model. But if control and compliance are important, on-premise solutions may be a great option.
  • Cloud-based – Any one of a number of existing solutions that cater to MSPs are simpler to get started. The challenge with cloud-based solutions entails pulling data from many sources and pushing it through firewalls and networks to a public cloud solution.
  • Hybrid – As its name implies, some options blend cloud-based solutions with a local collection server to gather information and push a single source, securely, to the cloud for analysis and processing.

Feeding your SIEM a healthy diet of data

Before deciding on a SIEM component, a log collection or data collection solution must be set up to feed it. Syslog collection refers to a number of different activities, but in a SIEM or security-specific sense it usually comes down to what makes the most sense for the application: purpose-built or generic.

  • A syslog aggregator or log collector – These are devices that take in all syslog information from all devices. They range from sophisticated solutions with alerting and performance reviews to feeds that simply “normalize” the data, distilling the most relevant input and then reworking the details into a consistent standard and reporting on the highlights.
  • Syslog bridges – These are more generic solutions that act mostly as log collectors. Simply point devices to this collector and it maps the data.
  • Syslog collector – These are generic log collectors much like bridges, but they usually provide a little more intelligence, cost more, and often serve multiple purposes like performance, device status and security event reporting.

Log gathering is the most misunderstood aspect of a SIEM and is often overlooked. The key is finding the most appropriate strategy for your needs.

For most MSPs, a basic bridge with a specific security purpose for feeding a SIEM may be the most efficient and cost-effective option. For additional needs like performance or status determinations, a more sophisticated syslog collector may be worthwhile. But most performance and status information is already provided by RMM solutions, so why reinvent the wheel?

What to expect from your SIEM

After deciding on a syslog collector and SIEM setup, it’s time to put the SIEM to work parsing data and making sense of the output. This is the intel that allows technicians to make sound decisions regarding security events.

Which SIEM to incorporate into a given MSP’s operations depends on the level of services offered. MSPs building out a SOC or offering managed detection and response (MDR) services may require more sophisticated output from their SIEM. MSPs simply looking to distill information for their respective technical teams to analyze and make security decisions can usually rely on tailored, cloud-based solutions.

Regardless of the provider, a SIEM should at least do the following:

  • Perform log gathering – If log gathering is not directly accounted for by a SIEM, another solution will be necessary for feeding data to it.
  • Correlate security events – To spot security threats that may be spread across a network, not only native to a single device’s syslog, a SIEM must be able to track data across multiple devices.
  • Connect to threat intelligence feeds – To keep up with a rapidly shifting threat landscape (and therefore useful to preventing attacks) it must be informed by strong threat intelligence feeds, preferably those using machine learning to recognize even zero-day threats.
  • Issue security alerts – A key SIEM benefit is the ability to provide timely alerts regarding security events based on large amounts of data to assist with decision making, making it possible to stop attacks before they develop.
  • Present reports – Many SIEMs can produce reports in a cadence that makes sense for an MSP or MSSP depending on their needs and the needs of their clients.
  • Enhance compliance – Because SIEMs aggregate information on a network, they can produce compliance reports for clients based on industry-specific needs.
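Two of the points above, normalizing syslog data that arrives in different formats (the “Feeding your SIEM a healthy diet of data” section) and correlating events across multiple devices rather than within a single device’s log, are easier to see in code. The following Python example is added here for illustration and is not Webroot code or code from the original post. The log lines are constructed samples in three shapes (BSD-style RFC 3164, RFC 5424, and a key=value line from a hypothetical firewall), the device clocks are assumed to be in UTC, the BSD lines are assumed to belong to 2024 because that format carries no year, and the RFC 5424 structured-data field is assumed to be the nil value “-”.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines; no real device or address is represented.
SAMPLE_LOGS = [
    "<38>Mar  1 10:00:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2",
    "<38>Mar  1 10:00:07 db01 sshd[1188]: Failed password for root from 203.0.113.9 port 51290 ssh2",
    "<134>1 2024-03-01T10:00:12.000Z fw01 fwd - - - denied tcp src=203.0.113.9 dst=10.0.0.5 dport=3389",
    "<38>Mar  1 10:00:20 app01 sshd[3301]: Failed password for invalid user backup from 203.0.113.9 port 51310 ssh2",
    "<38>Mar  1 10:45:00 web01 sshd[2410]: Failed password for invalid user test from 198.51.100.4 port 40000 ssh2",
    "Mar  1 10:46:00 printer07 status: toner low",  # no PRI field at all
]

ASSUMED_YEAR = 2024  # BSD syslog timestamps carry no year (assumption for the demo)

RFC5424_RE = re.compile(r"^<(\d+)>1 (\S+) (\S+) (\S+) (\S+) (\S+) (\S+)(?: (.*))?$")
BSD_RE = re.compile(
    r"^(?:<(\d+)>)?([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^:\[\s]+)(?:\[(\d+)\])?: ?(.*)$"
)
SRC_IP_RE = re.compile(r"(?:from|src=)\s*(\d{1,3}(?:\.\d{1,3}){3})")


def _pri(pri_text):
    """Split the <PRI> value into (facility, severity); None if absent."""
    if pri_text is None:
        return None, None
    pri = int(pri_text)
    return pri // 8, pri % 8


def _classify(msg):
    if "Failed password" in msg:
        return "auth_failure"
    if msg.startswith("denied"):
        return "fw_deny"
    return "other"


def parse_line(line):
    """Normalize one raw line into a common record, whatever its source format."""
    m = RFC5424_RE.match(line)
    if m:
        pri, ts, host, app, _procid, _msgid, _sd, msg = m.groups()
        ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        fmt = "rfc5424"
    else:
        m = BSD_RE.match(line)
        if not m:
            return {"format": "raw", "ts": None, "host": None, "app": None,
                    "facility": None, "severity": None, "msg": line,
                    "event": "other", "src_ip": None}
        pri, ts, host, app, _pid, msg = m.groups()
        ts = re.sub(r"\s+", " ", ts)
        ts = datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        fmt = "bsd"
    facility, severity = _pri(pri)
    ip = SRC_IP_RE.search(msg or "")
    msg = msg or ""
    return {"format": fmt, "ts": ts, "host": host, "app": app,
            "facility": facility, "severity": severity, "msg": msg,
            "event": _classify(msg), "src_ip": ip.group(1) if ip else None}


def parse_all(lines):
    return [parse_line(l) for l in lines]


def correlate(records, window=timedelta(minutes=10), min_hosts=2):
    """Alert when one source IP fails authentication on several hosts inside the window.

    A single device's log shows only its own failures; the pattern is visible only
    after records from every device are normalized and grouped by source IP.
    """
    by_src = defaultdict(list)
    for r in records:
        if r["event"] == "auth_failure" and r["src_ip"]:
            by_src[r["src_ip"]].append(r)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            hosts = sorted({e["host"] for e in in_window})
            if len(hosts) >= min_hosts:
                alerts.append({"src_ip": src, "hosts": hosts, "count": len(in_window),
                               "first_seen": in_window[0]["ts"], "last_seen": in_window[-1]["ts"]})
                break  # one alert per source is enough for the demo
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_all(SAMPLE_LOGS)):
        print(f"{a['src_ip']} hit {len(a['hosts'])} hosts {a['hosts']} in window ({a['count']} failures)")
```

Note what the normalization buys: the firewall’s RFC 5424 line and the servers’ BSD-style lines end up with the same fields, so the correlation rule only has to reason about `src_ip`, `host` and `ts`. The single failure from 198.51.100.4 never produces an alert because it touches only one host.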

A good SIEM solution can minimize technician workload and manual data interpretation. It also benefits clients by beefing up your own security capabilities. A SIEM is a natural step for any growing MSP looking to provide the best security solution for customers with workable margins.

With a little focus, it shouldn’t take months or an act of Congress to set up and use a SIEM. The above guidance should enable any MSP, regardless of size, to devise a viable plan for putting one in place.