MSSP Alert is at the Right of Boom conference in Dallas on Thursday and Friday and will be updating this live blog several times over the next two days. The event is hosted by Andrew Morgan, founder of The Cyber Nation, and host of The CyberCall and the podcast CyberCast.
This is the second year for Right of Boom, an event for managed security service providers, which last year attracted about 200 MSSPs. This year, 600 MSSPs are here.
The format of the event takes the audience through a mashup of a Boom event, from the assessment an MSSP does at client, to the Boom — the incident itself, to what happens Right of Boom — the recovery from the incident.
Friday Sessions:
The Cyber Defense Matrix: Sounil Yu, CISO of JupiterOne and former chief security scientist at Bank of America, provided perspectives on how to analyze risk with his Cyber Defense Matrix. This matrix is created by putting your assets (devices, apps, networks, data, users) along the Y axis and the operational functions along the X axis (identify, protect, detect, respond, recover).
But these are the basics. The goal is to avoid unnecessary business impact. For instance, if your client is a company that constantly receives external emails, attaching an “external email” warning to every email may not offer the protection that it would in a different kind of company.
The key questions are as follows:
- How secure am I?
- How secure should I be?
- How do I get there?
Essentially, he recommends a gap analysis in many areas and then communicating risks to the board and customers. But your gap analysis will depend on the maturity of the customer and business.
What does your defense tool stack look like? ConnectWise’s executive vice president and general manager of cybersecurity, Raffael Marty, and threat intelligence evangelist Bryson Bedlock, provided their perspectives on the “defenders advantage” — the tools and approach you should take to protect your environment.
- Know what you protect — deploy an asset management program.
- Establish a central place to collect logs/data (i.e. a SIEM, potentially coupled with SOAR. Not multiple dashboards and collection points. A single place.) (a) At the same time, make sure you have the right tools in place to collect ALL the relevant data; (b) Think about defense in-depth so that you ensure you are covering “single layer failures;” (c) collect contextual information (such as assets, users, etc.).
- Collect relevant and actionable intelligence — not just a threat intelligence feed.
- Drive detections into automated protection (i.e. zero trust architecture).
- Leverage your RMM to assist your security tools.
Key observation from an attendee: A common theme at this conference is that a failure to set things up correctly often leads to vulnerabilities and incidents. The attendee posed this as a question to a vendor about how vendors can support MSSPs with configurations and set ups. The answer is that there are software engineers at vendors who are there to help you. But also, there’s a certain amount of responsibility that is on you. You have to deploy the EDR. You have to keep monitoring that the data source continues to report in.
Thursday Sessions:
Left of Boom: Identifying client assets and determining risk: The meat of Thursday’s program began with a presentation from Aharon Chernin, founder and CEO of Rewst. Chernin began at the asset identification, noting that this is what threat actors do, and it’s what MSSPs need to do as well. He says that during the “identify” phase of the Cyber Defense Matrix, attackers are measuring the target’s infrastructure through reconnaissance and asset management. This includes not only IT assets, but also data inside the organization.
Defenders can even the odds by:
- Determining the CIA (confidentiality, integrity, and availability) of the assets
- Using CIA to help prioritize defenses
- Using risk management to have client discussions
- Use a risk register to document decisions
Leading toward cyber resilience: GMI president Brian Blakely and GMI vice president of client success Mark Kirstein shared their approach for talking to clients about risk. It starts with a few questions for every client:
- What is a material amount of money for you (the client)? (Find out what amount of money would be an insignificant amount versus what would be a business-ending amount if the client had to write a check for that amount.)
- What are your essential functions that generate revenue?
- What tools do your people use for this?
CISA Exec addresses MSSPs: MSSPs were treated to a surprise guest on Thursday afternoon at Right of Boom. Brandon Wales oversaw the Cybersecurity Infrastructure and Security Agency (CISA) response to major incidents that have involved MSPs, including the SolarWinds backdoor exploited by hackers in 2020 and then the Kaseya ransomware attack in 2021.
Wales appeared via a video link at Right of Boom, showing that the agency knows and understands managed service providers and managed security service providers as well as their importance to the economy and business.
In terms of incident response, Wales said that Kaseya set a great example with its transparency, communicating with both customers and the government.
But overall for MSPs, Wales had two recommendations:
- Making sure the product is securable by default.
- Making it easy to use. If customers don’t know how to configure the software properly, that can lead to vulnerabilities. That’s what happened in the case of the SolarWinds backdoor.
Looking ahead, CISA is encouraging all software developers to be secure by design. There are specific ways to accomplish this. One example Wales provided was the use of memory-safe coding languages.
