Industry Voice: What MSPs need to know about a multi-layered security strategy
Since the pandemic, the average organisation's attack surface has expanded beyond recognition. As organisations retired traditional on-premise IT systems in favour of cloud and other remote environments, the number of external and internet-facing assets has multiplied. And for many, these environments are unpatched and under-protected, meaning they are vulnerable to attack.
In fact, the most recent Sophos Active Adversary report highlighted that external remote services were the number one way that attackers breached networks, followed by compromised credentials and exploited vulnerabilities. External remote services such as Remote Desktop Protocol (RDP), which are more commonly used by IT teams to fix issues on employees' laptops, have consistently been the most frequent source of initial access for cybercriminals since 2020.
For defenders this is a clear message that attacker behaviour is evolving and that the way we think of cybersecurity needs a refresh.
Shifting left
We often think of cybersecurity as defensive, with tools such as firewalls and endpoint protection aimed at stopping threat actors from gaining access to your customers' organisations. In recent years we've also seen the rise of managed detection and response solutions, which actively monitor the IT ecosystem for cybercriminals already in the infrastructure.
These methods are all focused on stopping an attacker from exploiting weaknesses in your customers' defences. But, they are not foolproof. Last year, 59% of organisations were hit by at least one ransomware attack, costing businesses an average of $2.73m in downtime, people time, costs and lost opportunity.
That's why, as an industry, we need to "shift left" and look first at addressing weaknesses in an organisation's IT infrastructure, from unpatched vulnerabilities to compromised credentials.
To defend against increasingly sophisticated cybercriminals, partners and MSPs need to be prepared to deliver multi-layered cybersecurity that identifies and remediates risks before cybercriminals have time to exploit them. Looking at the Sophos Active Adversary report, there were three key tasks that organisations should prioritise to minimise the risk of a cyberattack: closing exposed RDP, enabling multi-factor authentication and patching vulnerable servers.
Building a multi-layered cybersecurity strategy
For partners and MSPs to effectively deliver vulnerability and attack surface management for their customers, they should think of their defensive approach like home security. Of course, you bolt the doors and lock the windows, but how effective can that be if you have a broken window around the back of the house? The first layer of defence should be identifying the risks in your organisation – you can't fix what you can't see!
Assessing an entire organisation is a huge undertaking, so you may start with one business function, location or service and make your way through the entire business over time. Naturally, however, this does leave your customers' businesses susceptible to unidentified risks. Managed risk services are a great way of helping you to manage this load. They can audit your customers' environments and provide you with a full analysis of points of weakness to remediate, so you can better safeguard their business.
But for many MSPs and partners, charged with the security of multiple customers, the task of remediating can feel insurmountable. When you consider just how many internet-facing assets or unpatched vulnerabilities are lurking unknown in an organisation, the challenge for many is knowing where to start. That's why implementing a risk-based prioritisation system or managed risk service that uses up-to-date threat intelligence is key. It gives you clear guidance on the riskiest entities in an environment, so you can focus your team's energy.
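As an added illustration (not code from the article or from Sophos), the following toy risk-based prioritisation ranks a constructed asset inventory using the three tasks the article names, exposed RDP, missing MFA and unpatched servers, and weights findings on internet-facing assets more heavily. The scoring weights, the `Asset` fields and the `CVE-XXXX-*` identifiers are all assumed placeholders, not real threat intelligence.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    internet_facing: bool        # external / internet-facing asset
    rdp_exposed: bool            # RDP reachable from outside the network
    mfa_enabled: bool            # MFA enforced for logins to this asset
    unpatched_cves: tuple = ()   # known vulnerabilities with a vendor patch available
    known_exploited: tuple = ()  # subset flagged by threat intel as exploited in the wild

def score_asset(a: Asset):
    """Return (risk score, remediation actions) for one asset. Weights are assumed."""
    score, actions = 0, []
    if a.internet_facing and a.rdp_exposed:
        score += 40
        actions.append("close exposed RDP")
    if not a.mfa_enabled:
        score += 15 if a.internet_facing else 5
        actions.append("enable multi-factor authentication")
    if a.unpatched_cves:
        score += 10 * len(a.unpatched_cves)       # every unpatched, patchable CVE
        score += 30 * len(a.known_exploited)      # threat intel: actively exploited
        actions.append("patch vulnerable server")
    if a.internet_facing:
        score = int(score * 1.5)                  # exposure multiplier
    return score, actions

def prioritise(assets):
    """Rank assets highest-risk first; each entry is (name, score, actions)."""
    ranked = []
    for a in assets:
        score, actions = score_asset(a)
        ranked.append((a.name, score, actions))
    return sorted(ranked, key=lambda r: r[1], reverse=True)

# Constructed sample inventory for demonstration only.
INVENTORY = [
    Asset("vpn-gw-01", True, True, False, ("CVE-XXXX-0001",), ("CVE-XXXX-0001",)),
    Asset("file-srv-02", False, True, True, ("CVE-XXXX-0002", "CVE-XXXX-0003")),
    Asset("web-03", True, False, True),
    Asset("hr-laptop", False, False, False),
]

if __name__ == "__main__":
    for name, score, actions in prioritise(INVENTORY):
        print(f"{score:4d}  {name:12s}  {', '.join(actions) or 'no action'}")
```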
Once you've shored up your customers' IT infrastructure, you can focus on the other layers of your defence. You might then want to look at implementing a robust firewall or endpoint protection solution, which act a little like a security alarm in your house. Unusual behaviour triggers an alert that your team can investigate.
Of course, cybercriminals are evolving and finding ways to navigate around your customers' environments undetected. The average dwell time for an attacker in 2023 was a little over 6 days - time spent moving laterally through the system, preparing to launch their attack. If we go back to the house analogy for a minute, you might want to have a guard dog to protect your family if a criminal got in. In much the same way, a managed detection and response service can help monitor your customers' environments – particularly when it's outside of your business hours. This kind of always-on threat detection and response service gives you and your customers peace of mind that even if attackers find a way into their environment, someone is there to neutralise the threat.
Today, the biggest threat to your customers is still known vulnerabilities, including those for which patches are already available. MSPs and partners should build a layered security strategy that starts with identifying and remediating risks to an organisation, before adding further security tools and services on top that sound the alarm if a cybercriminal does get into the organisation.
This article is sponsored by Sophos