30 Jul MSPs Under Attack – Is It Time to Ditch Your RMM Tool?
As a managed service provider (MSP) or managed security service provider (MSSP), keeping the companies you’re working with safe from cyber threats is your absolute bread and butter. It’s at the core of what you do.
It’s your responsibility to keep up to speed with the latest threats, to wade through the sea of stats, opinions, materials and demos for new tech that the vendors (and distributors like us!) send your way, and to make the important decisions on behalf of your clients.
You’ve no doubt been doing this for years, but recently there’s been a concerning plot twist.
Hackers have started to pivot and focus their attention on you as the MSP, and the software vendors you use, because it enables them to ‘pop’ dozens, perhaps hundreds of victims in one go…
A new precedent is set
Before the dust from the SolarWinds compromise had even settled, the industry was back in the mainstream news headlines with hit number two, when the Russia-linked REvil ransomware group exploited a zero-day vulnerability in Kaseya’s VSA tool to encrypt approximately 60 MSPs and around 1,500 downstream businesses.
These have been among the biggest incidents involving ransomware yet.
Kaseya eventually obtained a decryption key, which limited the misery for many of the small companies affected, but the important lesson for you and me is that these incidents have set a precedent.
The role of Remote Monitoring and Management
A prerequisite for almost any MSP to compete in this space is the ability to offer proactive management and monitoring remotely.
But it’s the very nature of these solutions that makes them targets.
They provide quick and easy connection from a single access point to every customer site, often with numerous integrations to apps like antivirus, document management, and more. Whoever compromises that single access point inherits the same reach, so these systems can spell a world of pain if they fall into the wrong hands.
Is switching RMM vendor the answer?
Despite the temptation, competitors in vendor land will not be quick to point the finger at either SolarWinds or Kaseya.
These attacks were not aimed at a couple of tinpot companies trying to make a quick buck using software with more holes than Swiss cheese. Both were well-established brands, with tried and tested products, arguably making best efforts to do the right thing for their customers.
Of course, they’re not perfect, no vendor is, although in the case of Kaseya VSA, vulnerabilities had been reported before this incident.
But the point is, we’re not going to reach a point any time soon where the systems we’re working with will become impenetrable.
Whether it’s a flaw in the code, an insider ‘threat actor’, social engineering, or any of the endless other possibilities, this could happen to any vendor.
The vast majority of MSPs think very carefully before adopting an RMM – canvassing opinions from peers and forums, reading reviews, and conducting thorough POCs.
In general, most reputable MSPs will go through a solid due diligence process.
When you’ve performed that due diligence and have a product that fits your needs, is there really much to gain by switching to an alternative vendor?
I’m not convinced it’s the answer.
Should you ditch your RMM completely?
The obvious question is (spoiler alert – only you can answer this one!): if your RMM tool could facilitate an attack that leads to your customers losing data, losing their trust in you, and most likely taking their business elsewhere, surely it needs kicking to the curb?
If you only have a handful of clients, perhaps you could manage? How much additional work would it entail, and at what cost, to do it without RMM? Could you do it all with Intune, VPN, group policy and the like?
In the vast majority of cases I’d argue that once you scale beyond a few clients, and certainly if you have growth aspirations, it’s a tough ask to go down the manual management route and do it properly without letting something slip through the cracks, or simply burning yourself out with the extra workload.
Why bother with RMM?
- The competition has it. If you’re not offering that level of proactive service, you can bet the company next in the door to pitch their services will be.
- As soon as you scale, looking after tens of customers on an individual basis without any centralised control is almost impossible. It’s certainly less efficient and therefore less profitable.
Another important point to consider, are these types of attacks really likely to be limited only to RMM?
What happens if it’s your documentation platform that’s compromised next? Isn’t that effectively handing over the keys to the front door?
Again, I don’t believe this is the answer for most MSPs.
How can you keep your existing RMM but mitigate your risk?
So you’re not ditching it altogether, and you’re probably going to stick with the vendor you know. What can you do to make sure you’re prepared?
If you’re from a technical background, your first thought when it comes to ‘fighting back’ might be the shiny new products you can bring in to bolster your security offering.
New tools may well be a part of your response plan, but this goes beyond the tech.
This is by no means an exhaustive list but here are a handful of suggestions for consideration.
- Plan for the worst to happen – Look at every tool in your stack and talk to your team about what you’d do if it suddenly wasn’t available. What if you couldn’t access backups, reach client systems, control endpoints, or take calls and emails? Put a DR plan together for every system and make sure everyone knows about it.
- Document weekly checks on 2FA – Multi-factor authentication remains a powerful control, and without it your security and your clients’ security is weakened. Put a standard operating procedure in place to check, every week, that it’s enabled everywhere it can be.
- Dedicate more resources to security – Now this may not be possible if you’re a ‘nimble’ MSP (there’s just you or one other in your business), but if you are in a position to, think about nominating a member of the team as a full-time security specialist to really give priority focus and ownership to what is a hugely important area.
- Host a free ticketing system – The last thing you need in the event of an issue is for your clients to be learning of breaches from their friends who ‘know about computers’ or worse, the mainstream media. Make sure they’re in contact with you in the event your main ticketing system is hit.
- Evaluate your PSA integrations – While it might be tempting to source everything under one roof, if your PSA, RMM, and in some cases your distributor (if you work with one that offers PSA integration) can interact with other applications and your tenants, that widens the blast radius of a compromise. What’s more, some vendors offer better protection in their full standalone products than in the version you’ll find through a PSA, so think about adding some separation in there.
- Additional firewalling – Consider an additional firewall between your RMM and the outside world to provide additional protection and control over what’s happening within your network.
- User education and phishing resilience – Humans are potentially a powerful tool to protect against threats, but they need education. Continually! Ensure you’ve got a solid toolset in place to be carrying out automated cyber awareness assessments and phishing simulations for example.
- Consider a second RMM platform – Could it be an option to use a second RMM to separate workstations and servers, or client production and backup/response?
- Eliminate local admin (even internally) – Rotate admin passwords often and segment networks using VLANs, for example separating network devices, backup servers and workstations from one another.
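The “eliminate local admin” item above is the one most MSPs struggle to keep true over time, because helpdesk staff and installers quietly add accounts back. As an added example (not code from the original post or from any RMM vendor), the PowerShell below audits the local Administrators group on a set of Windows endpoints over WinRM and reports any member that is not on an approved allow list. The host names and the allow-list entries are hypothetical placeholders; replace them with your own.

```powershell
# Added example (not from the original post): audit local Administrators group
# membership across Windows endpoints and flag members outside an allow list.
# Requires WinRM / PowerShell Remoting enabled on the targets and an account
# with local admin rights on them. Host names and allow list are hypothetical.
param(
    [string[]]$ComputerName = @('WS-FINANCE-01', 'WS-FINANCE-02', 'SRV-BACKUP-01'),
    # Approved members in DOMAIN\Name form. The built-in local Administrator
    # account is handled separately below because its Name carries the host name.
    [string[]]$ApprovedAdmins = @('CORP\Domain Admins', 'CORP\MSP-Tier1'),
    [switch]$Remediate
)

# Runs on each remote host and returns one object per Administrators member.
$audit = {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Member      = $_.Name             # e.g. CORP\jsmith or HOST\LocalUser
            ObjectClass = $_.ObjectClass      # User or Group
            Source      = $_.PrincipalSource  # Local, ActiveDirectory, AzureAD, ...
        }
    }
}

$members = Invoke-Command -ComputerName $ComputerName -ScriptBlock $audit -ErrorAction Continue

# A member is unexpected unless it is on the allow list or it is the host's own
# built-in Administrator account (which you are rotating, not removing).
$unexpected = $members | Where-Object {
    ($ApprovedAdmins -notcontains $_.Member) -and
    -not ($_.Source -eq 'Local' -and $_.Member -like '*\Administrator')
}

if ($unexpected) {
    Write-Warning ("Found {0} unexpected local admin entries" -f @($unexpected).Count)
    $unexpected | Sort-Object Computer, Member |
        Format-Table Computer, Member, ObjectClass, Source -AutoSize
} else {
    Write-Host 'All local Administrators group members are on the approved list.'
}

# Remediation is opt-in: run once without -Remediate, review the report, then
# run again with -Remediate to strip the unexpected members.
if ($Remediate -and $unexpected) {
    foreach ($entry in $unexpected) {
        Invoke-Command -ComputerName $entry.Computer -ScriptBlock {
            param($m) Remove-LocalGroupMember -Group 'Administrators' -Member $m
        } -ArgumentList $entry.Member
        Write-Host ("Removed {0} from Administrators on {1}" -f $entry.Member, $entry.Computer)
    }
}
```

Schedule this from a box that is not the RMM server, so the check still runs if the RMM itself is what gets compromised, and keep the report with your weekly 2FA check so drift is caught within days rather than found during an incident.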
Here are some links I found helpful when researching this topic…
- Video: Dave Sobel’s Business of Tech Episode – Is It Time To Dump Your RMM?
- Video: Surviving a Coordinated Ransomware Attack by Huntresslabs
- Whitepaper: How to harden your RMM by Galactic Scan (registration required)
- Whitepaper: Zero Trust Adoption Report by Microsoft
A special thanks as always to the Tech Tribe and their members for the many nuggets of wisdom on the topic!