[BreachExchange] MSPs: Protect Yourself and Customer Endpoints Through Layered Security
Destry Winant
destry at riskbasedsecurity.com
Wed May 31 23:41:23 EDT 2017
http://blog.kaseya.com/blog/2017/05/26/msps-protect-yourself-and-customer-endpoints-through-layered-security/
PC consumers tend to feel to safe so long as they have antivirus protection
in place. Some neophytes are comfortable even without having this modicum
of protection.
As experienced IT pros, MSPs know better. Antivirus and anti-malware
protection is important, but it is only one aspect of keeping MSP and
client endpoints safe. Keeping both the provider and customer sides safe is
essential. Customers need to be safe because that is what they pay you for
– and your reputation is on the line.
Keeping your own operation secure is perhaps more important. Since you have
control of client endpoints, a successful breach of your infrastructure
means the hacker could next go after your customers. And if you or your
clients fall under compliance rules, there are significant fines and
penalties that come with any sort of breach.
Starting this year, service providers and businesses have a more general
compliance rule for those in the European Union (UI) to worry about. While
HIPAA focuses on healthcare and PCI on credit cards, the General Data
Protection Regulation (GDPR) (Regulation (EU) 2016/679) says that any
company or individual that processes data is responsible for its safety.
This same rule applies across multiple countries.
Layers of security are critical. Once we cover that, we’ll talk about
processes and best practices that make these layers even more effective.
The layers consist of:
- Firewall, both personal and network
- Intrusion detection and prevention
- Anti-virus and antimalware protection
- Patch management and updates
- Auditing and inventory
*Making the Most of Your Layers*
*Full 360° visibility: *You can’t manage what you can’t see. You need a
solution that easily and continually discovers all devices on your network
and your customers’ networks, including servers, laptops, kiosks, mobile
devices, scanners, and peripherals. It also constantly needs to collect
real-time status on all operating details for these devices to keep systems
up to date and have consistent protection in place. Once all devices are
visible, you need to ensure that they are protected.
But installing is just the beginning ― you must also update systems to
ensure they are always running the latest versions. You need a solution
that makes this easy and automatic.
*Keeping patches current: *Patching isn’t optional. All devices need to be
up-to-date on Microsoft and other third-party patches. Patches and updates
can be tested centrally and then pushed out to all machines or select
groups once they are proven safe. Again, with the right type of automation,
you can be confident that all patch updates are successful ― and that
you’ll get an alert if they aren’t.
*Policy-based configurations: *Look for solutions that enable multiple sets
of policies to be applied automatically based on any set of groupings you
want ― by customer, device type, user role, or even location type ― and
that can check that each device is in compliance with its assigned
policies. This way, you can standardize and update all infrastructure under
your care with confidence. Of course, doing this successfully depends on
powerful and flexible automation to keep up with multiple policies and
update many devices by simply changing a policy once.
*Regular, routine backup and recovery: *Routine, reliable (and encrypted)
backup and recovery is a vital component of any comprehensive layered
security approach. In addition, complete and regular backups are also a
defense against CryptoLocker and other ransomware attacks.
*Complete identity and access management (IAM): *You already know you can’t
use vendor-supplied defaults for system passwords. IAM takes this further
by including multi-factor authentication (MFA), which is also a PCI DSS
requirement. IAM also includes centralized credential management,
policy-based rules, and single sign-on for end users (including partners ―
remember how Target was breached!) to keep internal systems and customer
systems protected.
*Policy-based access: *You need to be able to create as many policies about
access as for device configurations. With these policies in place, you can
quickly and completely delimit access to systems and data based on staff’s
functionality and job requirements. In addition, you can create policies to
require password changes after so many days or lockout rules after so many
failed login attempts. Location-based rules would control when and where
users can sign in. For example, limiting user access by location, such as
building, city, or country. This can protect against unverified users
accessing systems and POS devices.
*Deprovisioning users: *Statistically, admins enable more users than they
disable. While outside attacks lead the list of retail breaches, it’s only
prudent to make sure you have a way to quickly and completely deprovision a
user ― whether employee, sys admin, customer or partner ― from any and all
systems under your care.
*Alerts on usage patterns: *You need to be alerted of any potential
security breach beyond viruses and malware, including unusual patterns of
user behavior or access and suspicious spikes in bandwidth utilization.
*App blocking: *Disallowing certain app, like peer-to-peer apps or Flash,
can help keep systems clean and running strong. This also provides another
security dimensions since apps that are more vulnerable can be blacklisted
to prevent users from installing and inadvertently creating an enticing
entry point for hackers.
*Web filtering: *Blocking websites sites known to host spyware, viruses or
malware limits vectors of attack opened by unwitting users. Filtering is
usually accomplished through many tactics, including a database of
black-listed websites, policy-based content filtering, and scanning and
inspecting SSL-encrypted traffic.
*Real-time tracking alerts: *If a device, laptop or even server leaves a
customer’s building, you should know where it is as soon as it’s back
online.
*Securing/destroying data: *Once you know a device has gone out of
corporate control, you must be able to ensure that the data on the system
is not accessible to malicious players. You need the ability to disable the
device remotely, encrypt the data, or even destroy the OS on that device.
*Automation Brings Efficiency to Your Layers*
Most large enterprises and all those on the upper scale of the IT maturity
curve automate their IT security. That means the systems automatically
discover all of the devices that need protecting and continually update
that list. Based on the audit, key security tools are applied to endpoints
automatically. At the core of this is antivirus and anti-malware
protection. Here not only is the software pushed out based on IT–defined
policies, but new definitions and other security data is constantly updated
and applied.
At this level of maturity, patches and updates aren’t parceled out on a
piecemeal basis, and anti-malware software isn’t applied or updated when
there is an “oops.” All of this is handled continuously without bogging
down the IT admin staff.
Again, an audit shows your devices and in this case the OS and update
status. After that, patches are sent out when they need to be and
installed. When there is a problem with a patch, it can be uninstalled,
tested, and reapplied when the issues are resolved.
The best way to keep these devices updated and running, not to mention all
your servers, is IT automation. Consider automating as many IT functions as
possible, including:
- Discovery of your computing assets including non-approved apps
- Safe and disciplined software deployment
- User privileges and access
- Password management
- Auditing and reporting
- Malware and virus interdiction
- Detection and remediation of system problems
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170531/4cf991c8/attachment.html>
More information about the BreachExchange
mailing list