Recently I was asked by a magazine to comment on Supply Chain Threat and Buffalo Jumps. As is common, I was given 230 words to express my views. In this article, I can take a little more time to explore the issues.
According to this report from the insurance specialists Beazley, ransomware attacks arrived via vendors or MSPs in 24% of cases.
At Osirium, we work with some outstanding MSPs and MSSPs (Managed Service Providers and Managed Security Service Providers). From these contacts, I found it hard to believe the assertion that 24% of ransomware attacks arrive via vendors and MSPs.
So, off to Google to do the research, and what I found was quite shocking.
A new report from Perch Security is relevant and introduces the issue of “Buffalo Jumps”: if an MSP becomes a victim of malware, it can quickly propagate out to all of their clients.
Digging behind the reports, I found that US figures for 2019 show 1,543 reportable breaches, of which 19 were at MSPs. I wanted to work out whether MSPs were more or less likely to suffer a breach than organisations in general. US figures give around 20,000 MSPs against 10.75 million companies (7.6 million of which have employees and recorded turnover). MSPs are therefore about 0.26% of companies with employees (20,000 / 7.6 million), so if they were breached at the same rate as everyone else they should account for about 0.26% of incidents, roughly 1 in 380.
However, 19/1543 is 1.2%, about 4.7 times the expected 0.26%. On these figures an MSP is roughly four to five times more likely to suffer a reportable breach than a typical company with employees. Two caveats: 19 incidents is a small count, so the ratio is a rough estimate rather than a precise one, and using all 10.75 million companies as the denominator would push the ratio higher still (to about 6.6).
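To make the arithmetic above checkable, and to answer the question a sceptical reader will ask (is 19 out of 1,543 a real excess, or could a small count like that happen by chance?), here is an added example that is not part of the original article. It takes the figures quoted above as constants, computes the expected and observed MSP share for both population denominators, and adds an exact binomial tail probability: the chance of seeing at least 19 MSP breaches if MSPs were breached at the same rate as everyone else.

```python
from fractions import Fraction
from math import comb

# Figures as quoted in the post (constructed constants for the example,
# not a live dataset).
TOTAL_BREACHES_2019 = 1543           # US reportable breaches in 2019
MSP_BREACHES_2019 = 19               # of which at MSPs
US_MSPS = 20_000
US_COMPANIES_WITH_EMPLOYEES = 7_600_000
US_COMPANIES_ALL = 10_750_000


def expected_msp_share(msps: int, companies: int) -> float:
    """Share of incidents MSPs would account for if they were breached at the
    same rate as every other company: simply their share of the population."""
    return msps / companies


def observed_msp_share(msp_breaches: int, total_breaches: int) -> float:
    """Share of reported incidents that actually involved an MSP."""
    return msp_breaches / total_breaches


def breach_rate_ratio(msp_breaches: int, total_breaches: int,
                      msps: int, companies: int) -> float:
    """How many times more often MSPs appear in the breach list than their
    population share predicts (the post's '4.5 times' figure)."""
    return (observed_msp_share(msp_breaches, total_breaches)
            / expected_msp_share(msps, companies))


def upper_tail_probability(k: int, n: int, p: Fraction) -> float:
    """Exact P(X >= k) for X ~ Binomial(n, p).

    This is the chance of at least k MSP breaches among n incidents if MSPs
    were no more breach-prone than anyone else. It is computed as
    1 - P(X <= k-1) with exact Fractions, because the binomial coefficients
    for n = 1543 are far too large for float arithmetic in the upper tail."""
    lower = sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k))
    return float(1 - lower)


def summarise(companies: int = US_COMPANIES_WITH_EMPLOYEES) -> dict:
    """Expected share, observed share, rate ratio and tail probability for a
    given population denominator."""
    p = Fraction(US_MSPS, companies)
    return {
        "expected_share": float(p),
        "observed_share": observed_msp_share(MSP_BREACHES_2019, TOTAL_BREACHES_2019),
        "ratio": breach_rate_ratio(MSP_BREACHES_2019, TOTAL_BREACHES_2019,
                                   US_MSPS, companies),
        "p_value": upper_tail_probability(MSP_BREACHES_2019, TOTAL_BREACHES_2019, p),
    }


if __name__ == "__main__":
    for label, companies in (("companies with employees", US_COMPANIES_WITH_EMPLOYEES),
                             ("all companies", US_COMPANIES_ALL)):
        s = summarise(companies)
        print(f"{label}: expected {s['expected_share']:.2%}, observed "
              f"{s['observed_share']:.2%}, ratio {s['ratio']:.1f}x, "
              f"P(>=19 by chance) = {s['p_value']:.1e}")
```

The tail probability comes out well below one in a million for either denominator, so although 19 is a small count, the excess is not plausibly noise. The ratio itself is sensitive to which population you count MSPs against, which is why the example reports both.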
Why is this? Are MSPs inherently bad?
There are many factors that contribute to these statistics.
On an average day, I find myself discussing all sorts of prospect requirements and the various differences between us and competitors. Most often these differences amount to insignificant changes in risk or in the window of exposure. This morning's reading of the ICO and US breach reports has made it absolutely clear: it’s the simple things that count.
Looking through the breach reports, one pattern is remarkably common: administrator credentials are stolen, used to compromise systems, and then used to lock the MSP out. Of much more concern is the common practice of all customer systems sharing the SAME credentials, so break in once and the attacker has access to all of them.
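The check a practitioner wants after reading that paragraph is simple to state: does any administrator secret appear on systems belonging to more than one customer? Here is an added example, not code from the original article or from Osirium, that runs that check over a constructed credential inventory of the kind a vault export would give (hypothetical customers, hosts and secrets). It compares keyed fingerprints rather than the secrets themselves, so the report can be shared without leaking a password, and it ranks cross-customer reuse (the buffalo-jump case) above reuse within a single customer.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample inventory for the example. None of these customers,
# hosts or secrets are real.
SAMPLE_INVENTORY = [
    {"customer": "acme",    "host": "acme-dc01",    "account": "Administrator", "secret": "Summer2019!"},
    {"customer": "acme",    "host": "acme-fs01",    "account": "Administrator", "secret": "Summer2019!"},
    {"customer": "globex",  "host": "globex-dc01",  "account": "Administrator", "secret": "Summer2019!"},
    {"customer": "globex",  "host": "globex-sql01", "account": "sa",            "secret": "x9#Vq2-only-here"},
    {"customer": "initech", "host": "initech-dc01", "account": "Administrator", "secret": "N3w-P@ss-Each-Site"},
    {"customer": "initech", "host": "initech-fs01", "account": "Administrator", "secret": "N3w-P@ss-Each-Site"},
]


def fingerprint(secret: str, audit_key: bytes) -> str:
    """Keyed hash of a secret so that reuse can be detected and reported
    without the secret itself appearing in output or logs. The audit key is
    assumed to be generated per audit run and discarded afterwards."""
    return hmac.new(audit_key, secret.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def find_shared_credentials(inventory, audit_key: bytes):
    """Group accounts by secret fingerprint and return every secret used on
    more than one system, cross-customer reuse first (widest blast radius)."""
    groups = defaultdict(list)
    for rec in inventory:
        groups[fingerprint(rec["secret"], audit_key)].append(rec)

    findings = []
    for fp, recs in groups.items():
        if len(recs) < 2:
            continue                      # unique secret: nothing to report
        customers = sorted({r["customer"] for r in recs})
        findings.append({
            "fingerprint": fp,
            "scope": "cross-customer" if len(customers) > 1 else "within-customer",
            "customers": customers,
            "accounts": sorted(f'{r["customer"]}/{r["host"]}/{r["account"]}' for r in recs),
        })
    # Worst first: most customers exposed, then most accounts, then stable order.
    findings.sort(key=lambda f: (-len(f["customers"]), -len(f["accounts"]), f["fingerprint"]))
    return findings


if __name__ == "__main__":
    import os
    for f in find_shared_credentials(SAMPLE_INVENTORY, os.urandom(32)):
        print(f'{f["scope"]:16} {len(f["customers"])} customer(s): {", ".join(f["accounts"])}')
```

On the sample data the first finding is the one that matters: a single Administrator password shared by acme and globex, so a breach of either (or of the MSP that manages both) is a breach of all three systems. Within-customer reuse is reported separately because it still lets an attacker move laterally, but it does not let them jump between customers.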
I'm staggered that administrator credential theft is never reported as the root cause of an attack!
If you’re interested, here's my Google search: https://www.google.com/search?q=admin+credential+stolen&oq=admin+credential+stolen
Each report I read goes through all the convoluted routes the attackers took before they obtained the credentials, and it is these routes that get recorded as the root cause. Let’s get real here: the stolen administrator credential is the step that turned a foothold into a takeover.
It doesn't have to be this way.
We are well aware that the best MSPs use Privileged Access Management. This means that the MSP's administrators never see or hold the operational administrator credentials, so there is nothing for an attacker to steal from them, and every privileged action is tied to a named person, which makes internal malpractice far easier to trace. Simple password vaults are not enough in these environments: a vault that hands the password back to the administrator still leaves it exposed on their workstation.
Gartner have made it very clear in their assessment of critical capabilities for MSPs that planning and security posture are key.
We are also very aware that CISOs often assume MSPs know more about security than their own IT departments. The problem with that assumption is that you still need to understand cybersecurity well enough to question your MSP. You could start with the simple question: "Do you use playbooks, a vault or PAM?"
A Buffalo Jump is the concept that if an MSP is compromised, all of its customers are compromised at the same time. The attacker can then demand a ransom from the MSP and from all of its customers at once.
It's based on the Native American hunting technique of driving a herd of buffalo towards a cliff to kill many animals with minimal effort.
As far as I can see, this is just a concept at the moment. It is painfully apparent that crypto-currency has given attackers a clean method of monetising their work. However, I cannot imagine that cyber criminals will want to go through all the effort of negotiating with multiple organisations, each paying a part of a ransom. For the US, it's probably a matter for insurance, but it will also be an issue across Europe.
It's clear to everyone in Osirium that secure automation is the fastest and most secure way of getting recurring and repetitive IT processes done. Upfront you need good insight into the processes and some effort to define them, but after that they run quickly and consistently every time. See Osirium Automation for how this is possible.
If you'd like to discuss how MSPs can and should be protecting their systems with PAM and Automation, please get in touch.