How MSPs can better position themselves in the face of increasing cyber threat
This article sets out the value of acknowledging and supporting the division between MSP and cyber incident response roles, and how all parties benefit when that division is respected.
The following topics are addressed, with guidance on effective practice:
Segregation of duties
Performing risk assessments
Data asset awareness
Reviewing vendor risk
Log management and evidence preservation
With much crossover in the definition of Managed Service Providers (MSPs) and IT Service Providers (ITSPs), for the purpose of simplicity, we will use the term ‘MSP’ to cover both in this article.
With cybercrime hitting organisations across every sector, MSPs are under increasing pressure to give assurances that their clients are secure. Couple this with scrutiny over the risk MSPs themselves pose to the critical data and systems they manage for their customers, and the burden of cyber risk now falls heavily on their shoulders. These concerns are frequently heightened by high-profile incidents such as the Kaseya attack in July 2021, when dozens of MSPs were compromised by the REvil ransomware group through a remote management solution.
As unease over MSP risk gains traction in the press, the UK government has put forward legislative amendments bringing MSPs into the scope of the Network & Information Systems (NIS) Regulations. With this in mind, MSPs must be realistic about their capability to manage cyber risk in addition to their core responsibility of implementing, managing, and monitoring their clients' IT infrastructure.
The MSP's role when responding to an incident should be established in client conversations and service agreements. Clients must also be aware that segregation of duties is essential to the integrity of their business continuity plans, and they should expect their MSP to be clear about its role in the event of an incident.
While many MSPs are taking a proactive stance and growing their cybersecurity capabilities with safeguards such as firewalls and endpoint protection, that same enthusiasm needs to be turned inward. Managing vulnerabilities requires a more comprehensive approach, and realistically, unless an MSP has a dedicated cybersecurity department, that can only come from a specialist third-party provider.
The skill involved in cyber incident response and digital forensics is underestimated, yet many MSPs present themselves as fully capable in cybersecurity and incident management. Without these specialist skills, we often see makeshift fixes used to restore servers and recover data, which can exacerbate the severity of an incident and, at other times, destroy vital evidence. Current threat levels must be matched with effective procedures for third-party incident response and support for those efforts. There are also ethical considerations, set out below.
Segregation of Duties
Relying on a one-stop-shop strategy can be a dangerous game. Just like in the financial markets, there can be significant risk if a single organisation is relied upon to provide all security services.
This is because there can be a conflict where a single vendor is tasked to implement, monitor, and assess/investigate. In such a situation, a failure in the implementation may lead to opacity in monitoring or investigation, where a vendor’s actions may be affected by their concerns over potential liability. Similarly, failure to detect a security issue might lead to a cover-up and negatively affect any subsequent investigative activities.
As a result, MSPs should avoid these potential conflicts, and clients who are assigning security activities should be aware of the need for independent assessment and investigation capability. This will ensure cyber risks are managed optimally, ideally with implementation, monitoring, and assessment/investigation split between three different vendors.
Organisations like STORM Guidance specialise in identifying cyber risk and supporting businesses when incidents occur through our highly experienced Cyber Incident Response (CIR) team. Our services complement an MSP's offerings, yet we occasionally see a reluctance to accept that segregating the two services is in the client's best interest. Collaborating with cybersecurity vendors and incorporating them into a contingency plan brings a shared commitment to security that improves resilience for both the MSP and its client. We urge MSPs to evaluate their incident management processes so that attack scenarios are addressed efficiently and conflicts are avoided by working with expert CIR providers. Establishing this relationship shares the load, integrating response teams as allies in the face of cybercrime.
Performing risk assessments
Assessing risk is of undeniable value to both the MSP and its clients; for the latter, it is important that the assessment is performed by an impartial third party.
Establishing risk assessments across an MSP's client base adds a further layer to security controls and, if conducted by an external provider, can reduce liability in the event of an incident. An MSP assessing the cyber risk of its own clients could be perceived as 'marking its own homework', so segregation of duties is important here too. A good relationship with an independent cybersecurity firm can be of excellent value to an MSP, allowing a client's assessment findings to be communicated clearly. The collaboration can also generate revenue, as the MSP remediates the assessment findings.
Under the UK Government's proposed amendment to the NIS Regulations, MSPs will be required to perform risk assessments and put in place reasonable and proportionate security measures to protect their networks. The importance of performing at least annual cyber risk assessments cannot be overstressed, and the emphasis here is on risk-based assessments, not simply a compliance review. Many notable options on the market only assess technical controls and are not designed to estimate exposure to attack, so when choosing an assessor it is essential to appoint one that takes a risk-based approach.
Threat actors breach networks by exploiting weaknesses in people, processes, technology, data handling and vendor relationships alike. An assessment that looks at how you manage account credentials and privileges, your staff and your corporate governance procedures, together with the technical controls, will provide a complete overview of your risk.
An assessment from a trusted provider also reduces the likelihood of an incident and can serve as evidence of due diligence in managing cyber risk.
STORM's Cyber3 risk assessment gives an in-depth understanding of maturity in five key areas of risk management: People, Process, Technology, Vendor Management, and Data Asset Awareness. The assessment gives findings from both the internal and external perspectives, looking at internet-facing systems and internal controls, and providing specialist remediation advice. Cyber3 also optionally incorporates Cyber Essentials certification.
Results from an assessment should be used to create/update both asset and risk registers, with business data listed as intangible company assets. These registers are crucial tools for tracking cyber risk and informing your decision-makers. Ensure that Board executives, senior management, and operational specialists operate with adequate budgets, skilled personnel, and technology to mitigate cyber risk on a day-to-day basis.
Data asset awareness
A complete understanding of the data an organisation holds, and where it is held, is an integral component of protecting it, whether that data belongs to the company or to its clients.
Correct handling of data, especially data designated as Personally Identifiable Information (PII), acts as a barrier against leaks and breaches while demonstrating data protection compliance. Integrating a service such as CyberDiscover into a baseline data security toolset allows MSPs and their clients to take a proactive stance on data privacy and protection, safeguarding sensitive information and limiting the possibility of litigation.
CyberDiscover is a new dataset analysis tool designed to seek out sensitive information within large filesystems, mailboxes or other repositories using an integrated process of data analysis and AI. As a preventative measure, the tool rapidly identifies sensitive data before it falls into the wrong hands, shortening the extremely time-consuming process of data management and protection.
Under the UK GDPR, businesses must report a notifiable personal data breach to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, and must inform affected data subjects without undue delay where the breach is likely to result in a high risk to them. In the unfortunate event of a breach, CyberDiscover can be used for the rapid extraction of PII from stolen datasets and for customised notifications to data subjects for a fixed fee; if no PII is discovered, the service is free.
Reviewing vendor risk
Vendors provide a valuable resource for MSPs, extending their capabilities with platform software, IT infrastructure, and business processing.
However, vendor relationships must be built on trust, transparency, and a shared approach to, and ownership of, risk. MSPs need to identify the security gaps and risks each vendor relationship presents, taking into account the service provided and the exposure and losses that may result if the vendor were compromised. Remember to consider the type of data they process or store, the access they have to operational environments, and the extent to which they interact with clients. A good cyber risk review should assess such risks.
MSPs should carefully review applicable vendor contracts as part of cyber risk management protocols. Consider essential criteria such as the vendor's obligation to notify various parties in the event of a cyber incident or the right to audit. Without vendor transparency, it is hard to provide assurance of your client’s security. If you would like to review your vendor security, reach out to us for more information about the CyberProfiler Attackers Eye View™ scan.
Log management and evidence preservation
MSPs establishing their processes should carefully consider incident management, defining a strategy for the preservation of potential evidence.
Preparedness and effective collaboration with third-party response teams should be considered.
The following critical processes should be defined:
Log management - Logging on all hosts, whether or not it is centralised, should be sufficient in detail and retention to allow full investigation of a security incident. Retention is the part most often neglected: a log that rolls over after a few days is of no use for an incident discovered weeks later.
The preservation and backing up of evidence - Failure to preserve evidential artefacts for analysis can prevent the root cause of a breach and the threat actor's behaviour from being established. This can expose parties to stricter regulatory sanctions, increase the work required to manage the incident, and make it very difficult to secure against recurrence.
Log management and evidence preservation should form a critical component of your contingency plan. When operated effectively, this data supports incident response teams and prevents delays during an investigation. When faced with a cyber incident, a rapid response with access to useful logs and evidence can limit the scope of the damage. Given that UK organisations reportedly took an average of 181 days to identify that a breach had happened and a further 75 days to contain it, the cost of delayed investigations is clear.
In the event of a cyberattack, we assist MSPs as a neutral party and are on hand to help, not judge their work. When provided with clear logging and evidence, we can collaborate with MSPs acting as an aid to them and their clients. This synergy delivers fast and effective resolution with reduced potential losses and costs. When third-party incident response is brought in following an attack, their support enables a collaborative effort in restoration, and the client often appreciates such an additional service provided by their MSP.
Service Level Agreements (SLAs) typically stipulate that in the event of a breakdown in service, the MSP is responsible for ensuring systems are restored to acceptable levels in a timely fashion.
In the case study later in the article, we identify key findings that may be useful when considering contractual improvements to assist effective cyber incident management. In addition, the following are examples that, if implemented, will reduce an MSP's exposure and that of its clients.
Cyber incident response – Will you provide a cybersecurity vendor as part of your contingency plans? If yes, appoint an appropriate firm and define processes.
Will your client have the right to audit your processes to assure confidence in these?
Emergency response – Consider defining the hours of work during emergency scenarios, staff allocation, and associated costs so the client is aware of what is available to them in the event of an incident.
Knowledge of contracts – Identify who will have knowledge of contractual arrangements (both internally and with the client), and who is involved in the due diligence processes.
Data protection responsibilities – How will you ensure client data is secure (roles/responsibilities/segregation of duties, backups, MFA/2FA, risk assessments, vendor security, data breach notifications), define your responsibilities as a data controller or processor if applicable.
Consider professional indemnity insurance – To what extent do you require these provisions? Will you insist that customers buy first-party cyber liability insurance?
Ensure SLAs reflect vendor risk, and the data they have access to.
Will your contract give assurance of cybersecurity/data protection frameworks/policies – Consider ISO 9001, ISO 27001, and risk assessment certifications.
Risk management assurances – Consider mitigating vulnerabilities and potential issues with (at least) annual cyber risk assessments, and incident response planning through workshops and exercises.
Notification – Will you be required to notify your clients of an incident?
Case Study - an example case where insufficient logging hampered investigations
In a Business Email Compromise (BEC) incident that occurred in September 2022, we were called in to respond and investigate in November.
The delay prevented timely investigation, and a further obstacle was not reported to us immediately, which compounded the problem. We were eventually informed that there had been insufficient logging and preservation of evidence, both fundamental to the investigation process. With limited information, it was impossible to accurately assess the risk to the client. We could estimate a minimum period during which the attackers had been in the targeted mailboxes, but were missing crucial details such as when they first gained access and what operations they carried out while inside. Without this, we were unable to identify how much of the mailbox data had been compromised, which became a concern for the legal team assessing GDPR Article 34 notification obligations. As there was no way of knowing whether the entire mailbox had been exfiltrated or how much data had been taken, the client was obliged to notify all data subjects described within the mailbox data.
In this case, the MSP's client did not have audit logging enabled on their Microsoft 365 tenant, and the alternative log source that might have shed some light on the incident had only a 7-day retention period, which had long expired by the time the incident was discovered and reported. This is a notable example of where the MSP could have demonstrated due diligence in its security responsibilities by proactively informing the client of the risk this posed in such an incident scenario.
On other occasions, we have seen MSPs responsible for managing a client's Microsoft 365 tenant neglect to check the alerts generated by Microsoft. Suspicious login behaviour was flagged and the warnings were not acted upon. One such incident escalated to the point where the client discovered it only after the threat actor had sent a phishing message to several hundred external recipients.
To conclude, the MSPs' poor incident response processes in these instances caused their clients prolonged business interruption, heightened legal exposure, loss of reputation, and the associated financial consequences. In turn, the MSP will have lost its client's confidence, potentially the confidence of its wider client base, and borne the unnecessary cost of prolonged investigations. Moreover, if in these cases the insurer decided that the MSP had failed in its duty of care, it may have pursued subrogation against the MSP to recover the losses it paid out.
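The following is an added example and not code from the original article or from STORM Guidance. It shows the triage an incident responder performs over Microsoft 365 Unified Audit Log records when they exist, and the retention arithmetic behind the log-management guidance above: sign-ins from unknown addresses and mailbox-tampering operations are flagged, the earliest and latest flagged events give the minimum period the attacker was in the mailbox, and a retention check shows why a 7-day log source consulted two months later cannot answer the question. The records, user names, IP addresses, the 'known office IP' and the reporting date are constructed for the example; the field names (CreationDate, UserIds, Operations, AuditData) follow the schema of exported audit-log records, and the operation names are those the audit log uses.

```python
"""Triage of Microsoft 365 Unified Audit Log records for a suspected BEC.

Added example; not from the original article. Sample data is constructed.
"""
import json
from datetime import datetime, timedelta

# Operations an intruder typically performs once inside a mailbox. An
# unexplained inbox rule that forwards or deletes mail is the classic BEC sign.
SUSPICIOUS_OPS = {
    "New-InboxRule", "Set-InboxRule", "UpdateInboxRules",
    "Add-MailboxPermission", "Set-Mailbox", "MailItemsAccessed",
}
RULE_PARAMS_OF_INTEREST = ("ForwardTo", "RedirectTo", "DeleteMessage", "MoveToFolder")

# Constructed sample records resembling Search-UnifiedAuditLog output.
# As in a real export, AuditData is a JSON string. All values are invented.
SAMPLE_RECORDS = [
    {"CreationDate": "2022-09-03T07:12:44", "UserIds": "finance@example.com",
     "Operations": "UserLoggedIn",
     "AuditData": '{"ClientIP": "198.51.100.23", "ResultStatus": "Success"}'},
    {"CreationDate": "2022-09-03T07:15:02", "UserIds": "finance@example.com",
     "Operations": "New-InboxRule",
     "AuditData": '{"ClientIP": "198.51.100.23", "Parameters": '
                  '[{"Name": "ForwardTo", "Value": "attacker@example.net"}]}'},
    {"CreationDate": "2022-09-10T09:30:11", "UserIds": "finance@example.com",
     "Operations": "UserLoggedIn",
     "AuditData": '{"ClientIP": "203.0.113.7", "ResultStatus": "Success"}'},
    {"CreationDate": "2022-09-21T22:41:09", "UserIds": "finance@example.com",
     "Operations": "MailItemsAccessed",
     "AuditData": '{"ClientIP": "198.51.100.23"}'},
    {"CreationDate": "2022-09-22T08:00:00", "UserIds": "ops@example.com",
     "Operations": "UserLoggedIn",
     "AuditData": '{"ClientIP": "203.0.113.7", "ResultStatus": "Success"}'},
]
KNOWN_IPS = {"203.0.113.7"}                       # constructed: client's office egress IP
REPORTED_TO_RESPONDERS = datetime(2022, 11, 14)   # constructed: "called in ... in November"


def parse_records(records):
    """Normalise raw audit rows: parse the timestamp and the nested AuditData JSON."""
    events = []
    for r in records:
        data = r.get("AuditData", {})
        if isinstance(data, str):
            data = json.loads(data)
        events.append({
            "time": datetime.fromisoformat(r["CreationDate"]),
            "user": r["UserIds"],
            "op": r["Operations"],
            "ip": data.get("ClientIP"),
            "data": data,
        })
    return sorted(events, key=lambda e: e["time"])


def _rule_detail(data):
    """Summarise the parameters of an inbox-rule operation that matter to a responder."""
    params = {p.get("Name"): p.get("Value") for p in data.get("Parameters", [])}
    return ", ".join(f"{k}={params[k]}" for k in RULE_PARAMS_OF_INTEREST if k in params)


def flag_suspicious(events, known_ips):
    """Return (time, user, reason) for sign-ins from unknown IPs and mailbox tampering."""
    findings = []
    for e in events:
        if e["op"] == "UserLoggedIn" and e["ip"] not in known_ips:
            findings.append((e["time"], e["user"], f"sign-in from unknown IP {e['ip']}"))
        elif e["op"] in SUSPICIOUS_OPS:
            reason = f"{e['op']} from {e['ip']}"
            detail = _rule_detail(e["data"])
            if detail:
                reason += f" ({detail})"
            findings.append((e["time"], e["user"], reason))
    return findings


def attacker_window(findings, user):
    """Earliest and latest flagged activity for a user: a lower bound on dwell time."""
    times = [t for t, u, _ in findings if u == user]
    return (min(times), max(times)) if times else None


def retention_covers(first_activity, reported, retention_days):
    """True if a source retained for retention_days still holds the first activity
    on the day the incident is reported. The case study's 7-day source fails this."""
    oldest_retained = reported - timedelta(days=retention_days)
    return first_activity >= oldest_retained


if __name__ == "__main__":
    events = parse_records(SAMPLE_RECORDS)
    findings = flag_suspicious(events, KNOWN_IPS)
    for t, u, reason in findings:
        print(f"{t.isoformat()}  {u}  {reason}")
    first, last = attacker_window(findings, "finance@example.com")
    print(f"attacker in mailbox at least {first.date()} to {last.date()}")
    for days in (7, 90):
        ok = retention_covers(first, REPORTED_TO_RESPONDERS, days)
        print(f"{days}-day retention covers first activity: {ok}")
```

Run directly, the script prints the three findings for the sample, the minimum dwell window, and that a 7-day source no longer holds the first activity while a 90-day source would. The same functions apply to a real export once its rows carry the same four fields. The prerequisite is that auditing was on in the first place: in Exchange Online PowerShell, Get-AdminAuditLogConfig shows the UnifiedAuditLogIngestionEnabled setting and Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true turns it on, which is exactly what the tenant in the case study lacked.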
A United Front
STORM specialists perform comprehensive assessments, undertake tabletop cyber incident exercises, and assist victims of cybercrime. In the event of an incident, STORM coordinates technical operations, risk and forensic analysis, and extortion negotiation/settlement.
We work with our clients to secure the recovery of compromised systems giving them the best chance of a swift return to business-as-usual. STORM partners with leading law firms for a broad range of legal experience, extending our client support with advice on the collection, use, and exploitation of personal data, the management of cyber risks, regulatory and contractual obligations, and liabilities.
To summarise, the key benefits of collaborating with a CIR provider such as STORM are as follows:
A shared commitment to security, reducing the burden on the MSP.
Access to specialist skills and services such as cyber incident responders, ransom negotiation, in-depth digital forensics, certified cybersecurity professional support, legal support, crisis PR, and trauma counselling.
Fast and effective incident response, limiting the scope of damage (litigation/regulatory fines, reputational damage, business interruption, and all other losses).
Client satisfaction, confidence, and retention.
Preparation for cyber cover and reduced premiums.
Access to comprehensive risk assessments providing improved cyber resilience and evidence of due diligence for both the MSP and their client.
About STORM Guidance
STORM Guidance is a cyber security firm specialising in cyber risk management and incident response.
Founded in 2014, STORM's team of experts bring in-depth experience in cybercrime, with predominant credentials in dealing with any type of cyber incident including Malware, Ransomware, Business Email Compromise (BEC), cyber-enabled fraud, and extortion. As a trusted provider of specialist tools and advisory services, STORM works with clients to reduce their exposure and remediate vulnerabilities, ensuring the best defence against cyberthreats.