Onboarding Clients and Identifying Assets
When you first onboard a client, you perform network scanning to identify the client’s assets. Threat actors are scanning too, Chernin said, looking for your devices and your client’s devices so they can identify the vulnerabilities and get to the data.

“As an industry we did a good job of scanning networks when we bring on clients, and we’re getting really a lot better at vulnerability scanning,” he said. “But I’ll make an argument that we’re not measuring the data on the devices, the threat actors may actually be doing that better than we are because there’s a monetary gain for them to do all that work.”
What is CIA? Confidentiality, Integrity, Availability
MSSPs should use something called CIA to measure the data on a device. CIA is an acronym for confidentiality, integrity, and availability. Each of these three components is measured per asset. MSSPs should also rate each component by the business risk -- high, medium, or low -- if that data falls into the wrong hands.
How MSSPs Need to Use CIA Information
The most important part of the CIA effort is the conversation the MSSP has with the client about setting up the CIA. Show the client the list of assets from the scan and do a one-time walk-through of each asset together with the client. The defaults you’ve set on some of these will help speed up the conversation.
The Volume of Work Means Time to Prioritize
Why do this kind of risk assessment in the first place? MSSPs may have 10,000 endpoints they manage and thousands of software vulnerabilities they are working to remediate. You are assigning CIAs in order to prioritize those remediations.

Chernin uses the analogy of physical security. If you are looking to secure a building, you might install bars on the windows. But that won’t help if the threat actors are picking door locks. If that’s the case, you want to focus your effort on door and lock vulnerabilities instead. Eventually, maybe, you want to address all the building’s vulnerabilities. But you need to use data and facts to prioritize which areas to tackle first to reduce your risk.
What is CVSS? Common Vulnerability Scoring System
CVSS is a method used to supply a qualitative measure of the severity of a vulnerability, but it is not a measure of risk. The CVSS score published with a vulnerability is the base score, Chernin said. MSSPs adjust that score based on environmental factors to provide a more accurate picture of the severity of the vulnerability in a particular environment.

MSSPs should apply the asset’s CIA rating against the CVSS base score to produce a risk assessment of the vulnerability for their client’s business. Doing so gives the MSSP a better-prioritized list of vulnerabilities. (Here’s a calculator that lets you apply your environmental factors to the CVSS base score.)

“In the enterprise nearly all the large financial services companies have vulnerability scanning solutions that integrate with their asset management products to pull CIA from the assets. If you have an automation platform and it has access to your RMM and scanning solution you could probably do it automatically that way as well,” Chernin said.
Where is Your MSSP Business on the Maturity Scale?
Here’s how Chernin defines the maturity scale:
- Level 1 is where you perform vulnerability scans, but then you prioritize your remediation based on how freaked out people are on Reddit.
- Level 2 is where you prioritize your remediation based on the CVSS base score included in the release.
- Level 3 is when you do CIA on your assets and prioritize based on environmental metrics.
- Level 4 is just like level 3, but for things that require a client discussion you have a very professionalized risk management discussion.
- Level 5 is something that’s not doable today, according to Chernin. “But we need to have a goal. We should be managing the risk to the business and not just the severity of the vulnerability.”
Vulnerability vs. Risk
“We measure the vulnerability of that capable lock, but we don’t measure whether or not the door is open,” Chernin said. “No one is scoring how securely their devices are configured.”

That’s become increasingly important in the software-as-a-service era. CVSS isn’t as helpful in the SaaS world.

“Nearly 100% of the incidents that occurred in SaaS environments are configuration incidents, and we don’t measure configuration,” Chernin said.
What Can We Do About Risk?
MSSPs have a few options for how to deal with risk:
- Transfer it: cybersecurity insurance.
- Avoid it: i.e. uninstall vulnerable products, or change the configuration so a product is no longer vulnerable.
“I’ve heard some MSPs are doing waivers. What you want to do is document it. Start by having a risk conversation with the client. Get the client into the mode that you are going to have these conversations often. You can talk about tornadoes, fires or turning off all MFA. All of them can be framed in the same risk management framework type of discussion,” Chernin said.
Four Takeaways
At the conclusion of his talk, Chernin offered the following four action items for MSSPs:
- Determine the CIA of your assets.
- Use your CIA to prioritize your defense of those assets.
- Use risk management to have client discussions.
- Document the outcome of those discussions in a risk register.