The Channel Angle: Weighing The Risk Of Remote Monitoring and Management After The Kaseya Attack

‘Cybersecurity is table stakes for any company today, but MSPs, who provide IT and security services to many companies at once, serve as a critical leverage point for managing or amplifying risk,’ writes Ryan Heidorn, co-founder and managing director at IT services provider Steel Root.

[Editor’s note: The Channel Angle is a monthly CRN guest column written by an executive that focuses on the triumphs and challenges that solution providers face. If you are a solution provider executive interested in contributing, please contact managing editor David Harris.]

By Ryan Heidorn

If you work at an MSP and haven’t woken up in a cold sweat worrying about your clients getting breached, you may have missed the repeated warnings in recent years. An array of reports, including those from U.S. Government agencies like CISA, the FBI, and the Secret Service, as well as security vendors like CrowdStrike and Perch, have warned that MSPs are being targeted by attackers as a convenient single point of entry to breach multiple organizations at once.

On July 2, the threat came into sharp focus when the REvil ransomware gang exploited an unpatched vulnerability in Kaseya VSA, a popular platform used by MSPs to remotely manage their customers’ networks, to simultaneously infect those networks with Sodinokibi ransomware. The total number of affected companies is unknown, but already estimated to be in the thousands, including a Swedish grocery chain that was forced to shut down 800 locations after the attack took their payment systems offline.

Cybersecurity is table stakes for any company today, but MSPs, who provide IT and security services to many companies at once, serve as a critical leverage point for managing or amplifying risk. An effective MSP is a vital asset for companies that cannot staff and manage IT or cybersecurity capabilities in-house. But the Kaseya hack underscores the need for MSPs, as an industry, to take a serious look at their own internal cybersecurity maturity, as well as the tools and methods used to manage customer networks.

[Read A Previous Channel Angle Column: COVID-19 Is A Reminder That Disaster Recovery Tech Is Here To Stay]

Like a Hippocratic oath for IT service providers, MSPs should first ensure their own tooling does not put their clients at risk.

The Security-First MSP

Putting security first should be a business priority for MSPs — not only because putting clients at risk is unacceptable, but also because the market for managed security services is estimated to grow to nearly $19 billion by 2024, up from $12 billion in 2020. MSPs planning to get in on the action should take a cue from airplane safety protocols: please secure your own mask before attempting to help others.

Examining the risks inherent in using a centralized remote administration tool, such as the Remote Monitoring and Management (RMM) platforms which are ubiquitous among MSPs, may be a good place to start.

Cybersecurity company Huntress provided threat analysis and assistance to MSPs in the aftermath of the Kaseya hack, and has seen other RMM vulnerabilities exploited in the past. John Hammond, Senior Security Researcher at Huntress, says MSPs need to be vigilant now more than ever.

“MSPs and MSSPs are the mothership for hundreds if not thousands of small to medium businesses, making them a treasure trove for hackers,” Hammond said.

“With a compromised RMM solution, an unsuspecting MSP can push out ransomware or other malware to all those clients that trusted them for security. While we depend on software and technology to help get our job done, it is absolutely necessary to have security and defenses baked in by design.”

Outsourcing Potential Problems

Companies outsource IT and security to MSPs because, among other reasons, it is more cost-effective than developing maintaining skills and capabilities in-house. “By servicing a large number of customers,” a recently updated CISA alert notes, “MSPs can achieve significant economies of scale. However, a compromise in one part of an MSP’s network can spread globally, affecting other customers and introducing risk.”

A well-established ecosystem of vendors, platforms, and integrations exist to support MSP operations. Debate over which RMM tool to use is a common discussion among MSP practitioners, such as those in the Reddit community /r/msp, which boasts over 100,000 members. Reddit user Coriron, a moderator of the popular subreddit, said, “One of the first things new members ask in our community is which RMM or PSA [Professional Services Automation] tool is the best. It’s generally assumed that if you’re an MSP, you will need an RMM.”

However, security concerns may come baked into many of these commonly used platforms. We identified three major areas of concern in the conventional wisdom surrounding how MSPs adopt ecosystem tooling:

1. Ecosystem Security (Or Lack of It)

The major vendors in the MSP tooling space are not known for being security-first organizations with a mature security engineering focus. More likely, the private equity-owned companies have grown through acquisition, bolting on functionality to a legacy code base for RMM platforms and similar tools.

Security documentation for RMM platforms is notoriously inadequate. For MSPs seeking control over their own RMM server (as opposed to using a vendor-hosted solution), hardening the security of self-hosted implementations can be difficult or even impossible. In the case of one major vendor, self-hosting their RMM solution requires deploying a ‘black box’ virtual appliance with no access or visibility into the underlying operating system and an always-on remote connection to the vendor for making licensing changes.

The normal operation of RMM services commonly requires exempting the software from basic security functionality (e.g., antivirus, GPOs, SSL inspection). And, in some cases, the development of basic security features like multi-factor authentication and single sign-on into RMM platforms lagged for years beyond when it was reasonable to do so. It is no surprise, then, that contemporary security concepts like conditional access and other zero trust architecture principles, which could go far to prevent MSP platform breaches, have not made their way into RMM platforms.

2. Platform-Driven Decision Making

There is a running philosophical debate among MSPs (and IT practitioners in general) between ‘integrated’ vs. ‘best-in-class.’ That is, is it better to choose ‘all-in-one’ solutions that offer high interoperability between components, or choose the most effective solution available and risk poor interoperability the with other technologies in the environment?

The integrated approach, by prioritizing operational efficiency (ease of deployment, management, and billing), can help MSPs scale and achieve industry targets for gross margins of up to 75%. But letting integration drive decision making can come with industry-wide security implications – MSPs are incentivized to use and sell the solutions that best integrate or come white labeled with their PSA and RMM platform, as opposed to the most effective security solution.

There are many legitimate and useful arguments for the integrated approach – for one, it is considered foundational to delivering affordable services at scale. Certainly, a savvy and skilled MSP can adopt ecosystem tooling and deliver effective security to their clients. Nevertheless, acknowledging that ecosystem vendors have become de facto gatekeepers is key to analyzing risk within an MSP’s toolset.

3. The Risky Business of Unattended Remote Access

The basic functionality of an RMM platform is functionally indistinguishable from that of a Remote Access Trojan: an agent, running on a computer as “root” or “SYSTEM” and capable of arbitrary remote code execution, communicates back and forth with a command-and-control server. On the other end, a robust user interface allows an operator to remotely view and control the screen, transfer files, execute code, and probe the network.

Consolidating these administrative capabilities across customer environments allows MSPs to efficiently manage and support customer networks. It is also a single point of compromise for attackers to gain privileged access to all an MSP’s customers at once. In the wake of the Kaseya and SolarWinds hacks, as the world turns its attention to supply chain attacks, the question becomes whether maintaining a centralized repository of unattended access to all of an MSP’s customers is an acceptable risk.

Understanding and managing risk is the first step in an MSP adopting a ‘security-first’ approach. This requires ongoing evaluation of practices and assumptions in the context of the current threat landscape, and an openness to letting security take priority over operational efficiency or even short-term profitability. Given the risks inherent in today’s RMM implementations, security-minded MSPs will need to decide whether conventional tooling is up to the task of protecting their business and customers.

Ryan Heidorn is a co-founder and managing director at Salem, Mass.-based IT services provider Steel Root, where he leads the firm’s cybersecurity practice. Heidorn’s expertise includes helping companies in the U.S. Defense Industrial Base implement and operationalize cybersecurity requirements under DFARS and CMMC. He also serves on the board of the National Defense Industrial Association (NDIA) New England chapter.