It’s Breach O’Clock, Do You Know What Your M(S)SPs Are Doing?

Joe Sarkisian


During penetration tests, it’s common to find multiple issues such as weak protocols, poor message signing, IPv6 issues, missing patches, unsupported software, and more. Even when these issues are valid findings, it is always preferable that alerts and basic telemetry are in place, because alerts like these help to stop activity along the attack path.

Frequently, these alerts don’t happen. Data logs don’t exist or they’re buried, which is almost as bad as not existing.

Our job is always to help find the root cause of client issues, and this is one that is particularly hard to solve.

In many instances, we’ve found that our clients are not fully aware of the details of what their managed service provider (MSP) or managed security service provider (MSSP) is doing for them. Specific scope, coverage, parameters, and thresholds for alerting are often unclear or misunderstood. This is not to say that the providers are at fault – most of the time, they’re doing exactly what they’re contracted to do. However, based on testing results, our clients often realize that what they purchased may not be adequate given their security environment and requirements.

Some of the frequent issues and questions we encounter include:

  • Who is responsible for patching?
  • How are assets like third-party software updates and versions maintained?
  • Where are agents installed for telemetry on malicious activity on endpoints?
  • Is malicious activity being monitored both in and out of the network as well as laterally?
  • How are they classifying risk per incident type? For example, a recent client’s MSSP classified password spraying attempts as a medium-risk issue that did not warrant a phone call.

A lack of confidence in security posture keeps executives and CISOs up at night. Fortunately, there are things that can be done to help you and your senior leaders sleep better, such as:

  • Reviewing your contract/SLA for terminology outlining service responsibilities within your environment. Pay specific attention to the scope of what is covered, what is being managed, and what is your responsibility.
  • Assessing if the services provided are adequate for your current environment. Oftentimes, MSSPs are more than happy to work with you to update services based on your evolving needs. Consider questions like:
    • Do you have more assets now?
    • Have you changed policies/procedures internally since signing the contract?
    • Do you need a better endpoint protection solution?
    • Have you considered more agent coverage on endpoints for the managed Security Operations Center (SOC) that you’re paying for?
  • Having a meeting with your provider(s) to determine if they have the appropriate environment insight to perform their work. This could include things like the data needed to properly monitor the network for malicious activity, which is a commonly identified issue.
  • Ensuring that provider reporting is adequate.
    • Can you read their patch report?
    • Do you know exactly what was patched, what wasn’t, and why?
    • Is your MSSP providing these reports or are you expected to trust them?
  • Confirming you have a person on staff who has the knowledge to work with your provider(s) and can assess if they are adequately performing the contracted services.

Let’s face it: you cannot do everything in-house, meaning the MSSP is a vital piece of the IT/security puzzle. You need to ensure that both you and your providers are working in unison to maintain the security posture of your organization.

Joe serves as a Senior Manager in Wolf’s DenSecure Team. Joe is responsible for coordinating and conducting penetration testing services…
