Day 2, Empower MSP Scottsdale, General Session—Tim Brown, VP Security at SolarWinds MSP. Empower MSP Scottsdale took place at JW Marriott Camelback Inn Resort & Spa, on September 18th and 19th 2018.
Tim started his presentation with a look at 10 of the top cybersecurity statistics:
“What this clearly shows,” he said, “is that the threat landscape continues to evolve and our adversaries keep moving forward in terms of both methods and models. For example, while ransomware is settling a bit, cryptojacking has exploding by 8,500%1.”
One of the key stats he was keen to get across to the audience was that 58% of attacks are targeting SMBs. “The companies that think they aren’t under attack, really are,” said Tim. “Usually not as direct targets, but as targets of opportunity.”
To further highlight the speed at which adversaries are adapting and taking advantage of things, Tim went on to look at the exploit timeline from the Vault 7 leak in March of last year to the subsequent WannaCry and Petya breaches of May and June.
He then moved on to look at risk. “When you’re looking at a customer’s security, one of the most important things is to assess is risk,” he said. “This needs to be done not just from the company perspective but also from the individual perspective.”
He asked the question: When you look at a customer, who do you see as being at most risk? People often think it’s the CEO, because they assume the higher up you are the more interesting you are to a cyberattacker. The reality, Tim stressed, is that adversaries really want access to systems, so it’s the techs and system admins that are the guys who end up being more of a target.
“From a managed service provider’s [MSP’s] perspective you need to understand that the technologists have access to customer environments and systems,” he said. “They are much more of a target than the people at the top. Technologists have access to the stuff that can be sold. So you need to put special protections around those people, such as ensuring that they only have access to what they need and that you have multi-factor authentication in place. Basically you need to look at internal security through a different lens.”
Tim continued: “When you’re looking at risk at the company level, there are a lot of very complex models you can use, but I prefer to use a high-level model that just breaks risk down into three categories and looks at three profiles: high, medium, and low risk.”
What is low risk? “This is where the company doesn’t really have data or access that people want,” he explained. “It would not be a great target as it would be difficult to monetize or utilize the data if it was compromised. In a low risk company you still have threats because everyone is under threat of attack through target of circumstances or drive-by. What we need to do is put appropriate security in place for them… that is where a good cyberhygiene approach comes in.”
For medium risk, Tim defined these as companies that have access to a certain level of data that might be interesting to attackers. For example: a retailer with credit card data, a medical institution with access to health care data, or a school with student records. “All this data has multiple uses for criminals—from fraud to ID theft—making it very attractive and sellable on the black market,” he said. “I would also include regulated environments here because they have to meet regulations to run their business.”
With high risk, Tim explained that you’re looking at things like critical infrastructure—such as power, water, and electric, and financial institutions. “At this level, you’re very likely to come into contact with nation-state actors,” he added. “The problem here is that these are very targeted attacks, which are difficult to predict and protect against. It’s important to remember that size also affects risk; for example, if a company has a large number of sites and people they present more risk.”
Whatever risk profile your customers are, you need to apply appropriate security to each one—not too much or too little—enough to ensure they have an acceptable level of risk.
Tim then went on to look at the arrival of Threat Monitor™ in the SolarWinds MSP roster of products. “Threat Monitor brings something new to our portfolio,” he explained, “helping MSPs be more proactive in managing company risk, helping them monitor company networks and catch threats quickly and early in the cycle. The quicker you catch a threat as it enters environment, the less costly it is to remediate, the less possible it is for damage to happen, and the less costly it is for the customer in general. Managing and monitoring for threats is important, as you don’t want customer calling you saying, ‘Hey, we just noticed XYZ happened.’ You want to be the one telling them that something came through on one of their machines and that it has been quarantined.”
Is monitoring necessary for everyone? “For low risk companies, maybe not,” he said. “It depends on what they are doing and how critical their infrastructure is. For medium and high risk, I would say always, because that’s how you’re going to proactively find things.”
Tim closed out his presentation looking at why MSPs considering partnering to provide security skills.
“One of things we talk a lot about is partnering,” said Tim. “Is partnering giving up control or giving your customer better services? I believe that when it comes to security there is a separation of duties. This works really well for a number of reasons—separation of duties allows both parties to focus on what they do best. For example, security teams don’t want to be implementing all the changes; it’s a different skill set, and a skill set you want separated in many ways.”
If you’re an MSP, does a Managed Security Services Provider (MSSP)want your customers? “The MSSP wants to focus on security 100%,” said Tim. “So, no they don’t want your customers. They just want to do their job and their component of the job, and that doesn’t involve implementing changes. I would be shocked by an MSP losing a customer to an MSSP. I wouldn’t, however, be shocked by customer going to an MSP that has MSSP services—either through themselves or via a partner.”
Tim wrapped up his session by saying that, if you’re planning go the MSSP route, then you’re going to need to have a security team and a change team and you’re going to need to be able to block off the two. “If you’re at that size and that complexity then fantastic, but do this with caution. Don’t go into lightly,” he concluded. “If you have questions or reservations, then partner. It’s a very effective model.”