security, technology

Need a MSSP? 5 Actions of Engagement


The pressure and concern around security in today’s digital business world can be daunting. Some businesses are operating on tight budgets, don’t have the talent in-house to manage security projects, and some aren’t even aware of their vulnerabilities until it’s too late. Qualifying businesses are taking note and looking to outsource their security plights to vendors to ease the pain.

So what is an MSSP and what can they do for me? In short, an MSSP is a contracted vendor meant to help with security services related to the technology used in business. MSSP services include, but are not limited to, owning the security of the network down to individual endpoints. They are often used as consultants for meeting certain business compliance standards where technology is the critical resource for the transmission of data, finances, and business services.

If you find yourself in need of a Managed Security Service Provider for your business, follow these 5 action items for engagement:


1. Self-assess to discover weaknesses. The idea here is to understand and establish your business risk tolerance. Best practice would be to use already established frameworks like PCI, ISO, NIST etc. as a guide. This can prove to be more efficient, and just as effective, than trying to tackle every legal and/or regional regulation on your own. Once you’ve uncovered security gaps, it’s important to prioritize the impacts to the business. How will this security gap or ‘risk’ affect the business should it be compromised? Understanding your business risk makes it easier to rank each gap, and that ranking determines the ‘business risk tolerance’. Rank your discovered gaps and prioritize the tasks necessary to close each one. This very important first step provides the means to establish a roadmap and helps advance the next steps.

TIP: Some gaps can be assessed internally. In-house talent and resource constraints should be considered for all discovered gaps during this step.

2. Identify selection criteria for a Managed Security Service Provider. Once you have a better understanding of your business needs from performing the discovery step above, you’ll be primed to spell out the services you need. Knowing what you need going into the engagement with an MSSP will be extremely beneficial. Ask the MSSP how they will deliver said services. Putting the ‘what’ and the ‘how’ on the table will be paramount to establishing a good working relationship. It will be critical to establish SLAs and incident response timelines in a statement of work to better set expectations between the two business entities.

TIP: Develop a RACI matrix (responsible, accountable, consulted, informed) with the MSSP to put the division of duties on record; it will help with the following steps.

3. Project manage the onboarding process with your MSSP. Establish timelines and stick as close to them as you can. When you aggressively manage this process, it is possible to realize ROI on security dollars more quickly than on other business investments. Establish an NDA with the MSSP to cut through legal ambiguity and expedite the process. It is in both the business’s and the MSSP’s best interest to lay everything on the table so that business risks can be addressed openly and honestly. Allow realistic timeframes to establish monitoring practices and metrics that bring value. Efforts made up front can reap great rewards down the line.

TIP: Understanding the maturity level of the tools the MSSP uses to perform its services will help further refine the management of the project and keep it on track to meet deadlines.

4. Establish clear lines of communication and commit to continuous improvement. We mentioned getting an NDA in place above. Clear lines of communication go hand in hand with your NDA, and an open door policy between the teams, the MSSP and the internal business, will aid collaboration and resolution efforts. A seamless integration of tools, including workflows, process, testing, and incident response, will help both teams maintain the RACI matrix mentioned in the tip under step 2. Continuous improvement can be achieved by establishing a cadence of meetups with your MSSP so they stay aware of changes to the business that affect their services.

TIP: Questions asked during continuous improvement meetups should be along the lines of: Are we still meeting the requirements of the business? Are there any industry or regulatory changes that may affect the current services?

5. Plan B — Always have an out with your MSSP vendor. In this clause, address items like data retention and requirements, especially if the business must meet certain compliance measures. Also, should things go sour with the MSSP, ensure the business has a plan to recover its data if necessary.

TIP: Get a termination clause built into your contract.


Vulnerability Management Best Process & Practice for MSPs

Any security leader must be able to provide a standard for due care and help to build a comprehensive security program that is good for the entire business. This is no easy feat. With increased threats and security breaches on the rise, it comes as no surprise that security is today’s top buzzword. And with all the security buzz on the minds of business leaders, we see an increase in security initiatives. As leaders at small to medium-sized businesses look to their in-house staff to implement them, they are discovering a lack of skills and resources. This often leads to a conversation with their trusted Managed Service Provider to help close the gap.

Often, we hear that MSP clients assume security is included as part of the standard of services already provided. We have also uncovered through interviews that organizations and MSPs alike often have a hard time getting their users to adopt better security practices, even simple ones to implement, like multi-factor authentication and password policies. One thing they all have in common however is that they want to be better at security.

Let’s start by stating that achieving ‘better security’ is all about the layers of security that can be established to protect the organization, its users, and most of all, its data. We also conclude that there is no ‘security bliss’ where all levels have been laid and there is no longer any risk.

Security can best be established as a framework for users and the data they share. When we break security down into manageable layers we arrive at the following categories. Each category has its own standards and processes to be documented and carried out by a security leader or a team of security leaders.

  • Governance
  • Policy Management
  • Awareness & Education
  • Identity & Access Management
  • Vulnerability Management

Each topic can be quite involved, so our focus for this article will be vulnerability management as it becomes the foundational layer to the organization’s threat defense strategy. Most MSPs are already offering services for managing vulnerabilities through patching operating systems and third-party products. Vulnerability Management is just one part of the security process in identifying, assessing and resolving security weaknesses in the organization. Often there is a focus on the technical infrastructure, like updating endpoints and managing components of a network, like the configuration of firewalls.

Let’s take a closer look at the process and practice of vulnerability management in these 6 steps:

  1. Policy – Your first step should include defining the desired state for device configurations. This also includes understanding the users and their minimum access to data sources in the organization. This policy discovery process should consider any compliance measures like PCI, HIPAA, or GDPR that may apply. Document your policy and your users’ access.
  2. Standardize – Next, standardize devices and operating environments to properly identify any existing vulnerabilities and to meet the compliance needs noted during the policy discovery process. When you standardize your devices, you also streamline the remediation process. If users are all operating on the same type of hardware/software setup, steps 3-6 tend to be more effective and the process more efficient.
  3. Prioritize – During remediation of a threat, any activities conducted must be properly prioritized based on the threat itself, the organization’s internal security posture, and how important the data residing on the asset is. A full understanding of your assets and the roles they play in the organization is critical when prioritizing active threats. Document and classify your assets so you can easily prioritize when there is a threat.
  4. Quarantine – Have a plan in place to circumvent or shield the asset from being a bigger threat to the organization once compromised.
  5. Mitigate – Identify root cause and close the security vulnerability.
  6. Maintain – It is important to continually monitor the environment for anomalies or changes to policy, patch for known threats, and use antivirus and malware tools to help identify new vulnerabilities.

Vulnerability management is an essential operational function that requires coordination and cooperation with the business as a whole. Having the entire business buy into better security is paramount to the success of the program. The team must also have a set of supporting tools with underlying technologies that enable the security team’s success. Operational functions include vulnerability scanning, penetration testing, incident response and orchestration. Remedial action can take many different forms: application of an operating system patch, a network configuration change, a change to a custom-built application, a simple change in process, or awareness and education for users who consume and share organizational data. Tools can range from RMM to SIEM, to simple AV/malware and backup toolsets.

Better vulnerability management practices start with a superhero who promotes security consciousness and helps to innovate solutions and services that make the business thrive!


Don’t Ignore Security Activity That Could Help the Most

We tend to think of security as the tools in place, like email scanning, malware and anti-virus protection, but did you know that the process of asset management helps you minimize the threat landscape too?

The management of software and hardware has historically been treated as a cost-minimizing function, where tracking hardware and software could be the difference between driving value or reducing it from an organizational perspective. However, even the best security plan is only as strong as its weakest link, and if IT administrators are unaware of where assets reside, what software is running on them, and who has access, they are at risk.

Understanding the device as well as the data is what matters here. Having in-depth knowledge of the network of devices and their data is the first step in any attempt to protect it. Often organizations have the tools in place to support and maintain the device, but once it is on the network, it can be easy to set it and forget it until it needs repair or replacement, or comes up for the annual review. Conducting asset management on a recurring basis should be a foundational function of your security plan. It can strengthen the security tools already in place. Remember, it must be continuous to be truly effective.

When you are conducting continuous asset management you can always answer the following questions should an incident occur:

  • What’s currently facing the internet?
  • How many total systems do you have?
  • Where is your data?
  • How many vendors do you have?
  • Which vendors have what kind of your data?

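The following is an added example, not code from either of the posts above or from any MSP tool they mention. It builds a small asset inventory in PowerShell, answers the five incident-time questions from this post, and then uses the same inventory for the "Prioritize" step of the vulnerability management process in the previous post: findings are ranked by the asset’s criticality, internet exposure and data class, not by severity alone. Every asset, finding, weight and name below is constructed for illustration; the finding IDs are placeholders, not real CVE numbers.

```powershell
# Added example (not from the original posts). All data and weights below are
# constructed for illustration.

# Constructed inventory: one record per system. 'DataClass' answers "where is
# your data", 'Vendor' records which third party also holds it.
$Inventory = @(
    [pscustomobject]@{ Name='web-01';  InternetFacing=$true;  Criticality='High';   DataClass='Customer PII'; Vendor='HostingCo' }
    [pscustomobject]@{ Name='db-01';   InternetFacing=$false; Criticality='High';   DataClass='Customer PII'; Vendor=$null }
    [pscustomobject]@{ Name='hr-app';  InternetFacing=$false; Criticality='Medium'; DataClass='Employee PII'; Vendor='PayrollSaaS' }
    [pscustomobject]@{ Name='kiosk-7'; InternetFacing=$true;  Criticality='Low';    DataClass='None';         Vendor=$null }
)

# Assumed weights; tune them to the risk tolerance you settled on in your self-assessment.
$CriticalityWeight = @{ High = 3; Medium = 2; Low = 1 }

# Answers the five questions the post says you must be able to answer during an incident.
function Get-IncidentReadinessAnswers {
    param([Parameter(Mandatory)][object[]]$Assets)
    [pscustomobject]@{
        InternetFacing = @($Assets | Where-Object { $_.InternetFacing } | Select-Object -ExpandProperty Name)
        TotalSystems   = $Assets.Count
        DataLocations  = @($Assets | Where-Object { $_.DataClass -ne 'None' } | Group-Object DataClass |
                           ForEach-Object { '{0}: {1}' -f $_.Name, ($_.Group.Name -join ', ') })
        VendorCount    = @($Assets | Where-Object { $_.Vendor } | Select-Object -ExpandProperty Vendor | Sort-Object -Unique).Count
        VendorData     = @($Assets | Where-Object { $_.Vendor } | Group-Object Vendor |
                           ForEach-Object { '{0}: {1}' -f $_.Name, (@($_.Group.DataClass | Sort-Object -Unique) -join ', ') })
    }
}

# Ranks findings for remediation: base severity (CVSS) scaled by the asset's
# criticality, whether it faces the internet, and whether it holds sensitive data.
function Get-RemediationPriority {
    param(
        [Parameter(Mandatory)][object[]]$Assets,
        [Parameter(Mandatory)][object[]]$Findings   # objects with Asset, Id, Cvss
    )
    $byName = @{}
    foreach ($a in $Assets) { $byName[$a.Name] = $a }

    $ranked = foreach ($f in $Findings) {
        $asset = $byName[$f.Asset]
        if (-not $asset) {
            # The post's point in one line: a finding on a system nobody inventoried
            # cannot be prioritized at all, so surface it instead of silently skipping it.
            Write-Warning "Finding $($f.Id) is on '$($f.Asset)', which is not in the inventory"
            continue
        }
        $exposure   = if ($asset.InternetFacing) { 2 } else { 1 }
        $dataWeight = if ($asset.DataClass -ne 'None') { 1.5 } else { 1 }
        [pscustomobject]@{
            Asset   = $asset.Name
            Finding = $f.Id
            Cvss    = $f.Cvss
            Score   = [math]::Round($f.Cvss * $CriticalityWeight[$asset.Criticality] * $exposure * $dataWeight, 1)
        }
    }
    $ranked | Sort-Object Score -Descending
}

# Constructed findings; the Ids are placeholders, not real CVE numbers.
$Findings = @(
    [pscustomobject]@{ Asset='kiosk-7'; Id='FINDING-1'; Cvss=9.8 }
    [pscustomobject]@{ Asset='db-01';   Id='FINDING-2'; Cvss=7.5 }
    [pscustomobject]@{ Asset='web-01';  Id='FINDING-3'; Cvss=6.5 }
    [pscustomobject]@{ Asset='ghost-9'; Id='FINDING-4'; Cvss=9.0 }   # never inventoried
)

Get-IncidentReadinessAnswers -Assets $Inventory | Format-List
Get-RemediationPriority -Assets $Inventory -Findings $Findings | Format-Table -AutoSize
```

With these constructed inputs the CVSS 6.5 finding on web-01 (internet-facing, high criticality, customer data) lands at the top with a score of 58.5, ahead of the CVSS 9.8 finding on the data-free kiosk (19.6), and FINDING-4 produces only a warning because ghost-9 was never inventoried. That warning is the operational argument of the post: an asset you do not know about is one you cannot rank, patch or quarantine.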
Companies struggle with consistent and mature asset management because they often don’t have the time or dedicated resources to stay on top of it. However, an IT asset management program can add value by reducing costs, improving operational efficiency, determining full cost, and providing a forecast for future investments. Oversight and governance help to solidify policies and procedures already in place.

Find tools that complement and strengthen business processes by significantly improving the ability to discover, inventory, manage, and report. Additional tool sets like antivirus, anti-malware, email protection, and user training must be added to further protect users and their data, which will ultimately reduce business operational risk.


Top 5 Technologies Helping to Shape the Future of Mobile

Communication and mobility have changed drastically in the last ten years. We no longer use the cell phone simply to place a phone call; it has become our moving office. With access to email, calendar and time management, internet research, online entertainment, fitness and health management, connecting with friends, or ranting on Twitter, the mobile device has become an extension of ourselves. Ofcom research from 2017 supports that mobile has overtaken the desktop as the main way users across the globe access the internet. This is an important note for technology teams that support mobile or are tasked with creating the next big mobile application. Let’s take a look at how today’s technologies are shaping tomorrow’s mobile use.

  1. Mobile Security Solutions

Popularity for mobile or wireless security solutions will increase as the sheer number of targets available for compromise grows. Although mobile malware is a rare concern these days, it won’t be long before we hear about more targeted mobile attacks. The chance of brand damage through data leakage, Wi-Fi interference, and out-of-date devices is a growing concern as more mobile and IoT devices connect to the corporate network. Think about it. If the biggest threat is the user, and mobile devices are superseding the desktop for internet access, the target for cybercriminal activity will shift. CSO Online states, “Human attack surface to reach 6 billion people by 2022. As the world goes digital, humans have moved ahead of machines as the top target for cyber criminals. There were 3.8 billion internet users in 2017 (51 percent of the world’s population of 7 billion), up from 2 billion in 2015.” [Source]

The threat to our daily communication and data continues to evolve and mutate like a living organism trying to find its way in an unknown environment. More than ever, security is and should be top of mind for any technology professional.

  2. Application Development

There will also be an enterprise race for mobile applications that help transform our lives. As the tools to design and create mobile apps rapidly change, the more advanced, more complex apps introduce new technologies like virtual assistants or AI bots designed to provide the ultimate experience by exceeding customers’ expectations. This is another technology wave sweeping over us as mobile moves to deliver amazing, consistent experiences to consumers while building brand equity. Combine apps with new-age technology like AR or VR and the stickiness is boundless for businesses and possibilities for users, endless.

  3. Analytics

They are always watching, but in a good way. Along with a sweet mobile app, understanding the consumer behavior behind the app is the key to being able to deliver a delightful experience. Analytics applied to applications can offer insight into market, behavioral, and operational knowledge, which can lead to better business decisions for the products or services offered.

  • Market – How many users are using the app? Where are they located?
  • Behavioral – How is my user interacting with my application? How can I help direct them?
  • Operational – How is the performance of the application?

  4. Wearables & IoT

We’ll start to see an increased use of wearables and IoT making its way into the workplace. “Gartner expects wearables to have a 24% compound annual growth rate (CAGR) in revenue through 2020, reaching a total market value of $62 billion.” [Top 10 Technologies That Are Defining the Future of Mobility, Gartner, July 2018]

Wearables like smartwatches, head-mounted displays (HMDs), and smart clothing are offering up unique opportunities and functionality for hospitals, service management, warehouse logistics, and even service technicians doing repairs in the field. To sweeten the pot, integrate wearables and IoT with mobile for many productive roles within the business. When you connect the ‘things’ through one cohesive platform, like mobile, you can begin to perform greater functions like mass configuration, management, and monitoring to deliver business-based benefits. Think about sensor data delivering an alert to a technician’s mobile device because the data center’s climate control has reached its threshold. This also provides a less intrusive avenue for alerts and notifications from those wearables and IoT devices.

  5. AR & VR

More AR & VR programs will make their way into mobile applications. What does that mean exactly? Often confused with each other, augmented reality or AR refers to the digital content overlaid on the real world and virtual reality or VR is a simulated, digital environment that shuts out the real world. Both technologies build on immersing the user in either an augmented (real) or virtual (fake) world and can be implemented through a mobile application.

A great example of an augmented reality (AR) app is what L’Oreal has done in the beauty and makeup marketplace. You can take a picture of yourself with their app and then augment your hairstyle or try different shades of makeup to ensure the ‘right’ look. This ultimately leads the user to that perfect shade of eye shadow, enhancing the customer experience and reinforcing brand imprinting. AR applications present real-world opportunities for businesses to interact with their customers in a new, transformative way while also establishing brand delight.

Virtual reality (VR) is also making its way into marketing and branding efforts. A good example of this happening is in the automotive industry where manufacturers create a virtual experience of what it’s like to drive their car in an effort to increase sales. The introduction of this new technology is literally driving new experiences which have significant impact on brand and consumer awareness. Widespread adoption of VR will be much slower than AR because of the hardware requirements. However, the market impact of these technologies will be plentiful in a few years. “By 2020, the economic impact of virtual and augmented reality is predicted to reach $29.5 billion.” [Source]

Most often the future of technology is predicated upon forecasts, new development, and exploration. Technology will always move forward, and the future of mobile technology will continue to pioneer uncharted lands and unveil new ways in which we will work and live.


Meltdown & Spectre: A New Dawn

Meltdown and Spectre dominate the security news and the more I delve into it, the greater the understanding of the depth and breadth this now means for the future landscape of device security.

Turns out the three variants of side-channel attacks, one for Meltdown and two for Spectre, were discovered back in June of last year [2017] by researchers. They exploit speculative execution, where processors execute code ahead of time and then fetch and store the speculative results in cache. It’s a technique used to optimize and improve the performance of a device. What is important to note with Spectre is that it puts users at risk of information disclosure by exposing a weakness in the architecture of most processors on the market, and the breadth is vast: Intel, AMD, ARM, IBM (Power, Mainframe Z series) and Fujitsu/Oracle SPARC implementations across PCs, physical and virtual servers, smartphones, tablets, networking equipment and possibly IoT devices.

Currently there are no reported exploits in the wild.

Of the two, Meltdown is the easier one to mitigate with operating system updates. AMD processors are not affected by Meltdown. Please see below for the Microsoft KBs related to Meltdown. Spectre is more complex to resolve because it is a new class of attack. Both variants of Spectre can potentially do harm like stealing logins and other user data residing on the affected device. Intel, ARM, and AMD processors are affected by Spectre. Recently, Microsoft released another emergency update to disable Intel’s microcode fix. That original update was meant to patch variant 2 of Spectre. Unfortunately, it had adverse effects, with numerous reports of reboots and instability, so Microsoft issued an out-of-band update to disable it.

Things are still evolving around Spectre and while operating system updates and browser updates are helping to patch for Spectre, it is being reported by some sources that a true fix may be an update to the hardware (processor) itself.

The following is a chart* to clarify each vulnerability:

                           Meltdown           Spectre
Allows Kernel Read         Yes                No
Patched with KAISER/KPTI   Yes                No
Leaks User Memory          Yes                Yes
Executed Remotely          Sometimes          Definitely
Likely to Impact           Kernel Integrity   Browser Memory
Practical Attacks Against  Intel              Intel, AMD, ARM

*Chart is courtesy of SANS/Rendition Infosec. See full presentation here.

The following is a list of Microsoft Windows KBs for Meltdown:

Operating system version                                  Update KB       Superseded Patch
Windows Server, version 1709 (Server Core Installation)   4056892         4054517
Windows Server 2016                                       4056890         4053579
Windows Server 2012 R2                                    4056898         N/A
Windows Server 2012                                       Not available   N/A
Windows Server 2008 R2 / Windows 7 SP1                    4056897         4054518
Windows Server 2008                                       Not available   N/A
Windows 10 for 32/x64-bit Systems                         4056893         4053581
Windows 10 Version 1511                                   4056888         4053578
Windows 10 Version 1607                                   4056890         4053579
Windows 10 Version 1703                                   4056891         4053580
Windows 10 Version 1709                                   4056892         4054517
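The following is an added example, not code from the original post or from Microsoft. It turns the KB table above into a check you can run on a Windows host with the built-in Get-HotFix cmdlet. The KB numbers are copied from the table; the mapping from OS build number to table row is an assumption made here so the right row is picked automatically (build 10240 is treated as the "Windows 10 for 32/x64-bit Systems" row, and Windows 8.1, which shares build 9600 with Server 2012 R2, is not in the table and so is reported under that row). The constructed offline call at the end shows the case the "Superseded Patch" column exists for: the earlier update is installed, the Meltdown update is not.

```powershell
# Added example (not from the original post). KB numbers come from the post's
# table; the build-number keys are an assumption used to select the table row.
$MeltdownKbByBuild = @{
    16299 = @{ Name = 'Windows 10 Version 1709 / Windows Server, version 1709'; Required = 'KB4056892'; Superseded = 'KB4054517' }
    15063 = @{ Name = 'Windows 10 Version 1703';                                Required = 'KB4056891'; Superseded = 'KB4053580' }
    14393 = @{ Name = 'Windows 10 Version 1607 / Windows Server 2016';          Required = 'KB4056890'; Superseded = 'KB4053579' }
    10586 = @{ Name = 'Windows 10 Version 1511';                                Required = 'KB4056888'; Superseded = 'KB4053578' }
    10240 = @{ Name = 'Windows 10 for 32/x64-bit Systems';                      Required = 'KB4056893'; Superseded = 'KB4053581' }
    9600  = @{ Name = 'Windows Server 2012 R2';                                 Required = 'KB4056898'; Superseded = $null }
    9200  = @{ Name = 'Windows Server 2012';                                    Required = $null;       Superseded = $null }
    7601  = @{ Name = 'Windows Server 2008 R2 / Windows 7 SP1';                 Required = 'KB4056897'; Superseded = 'KB4054518' }
    6002  = @{ Name = 'Windows Server 2008';                                    Required = $null;       Superseded = $null }
}

function Test-MeltdownPatch {
    param(
        # Defaults read the local host; pass both values to evaluate another machine's data offline.
        [int]$BuildNumber = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber,
        [string[]]$InstalledKb = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    )
    $row = $MeltdownKbByBuild[$BuildNumber]
    if (-not $row) {
        return [pscustomobject]@{ Build = $BuildNumber; OS = 'Unknown'; Status = 'Build not in the table; check vendor guidance' }
    }
    $status = if (-not $row.Required) {
        'No Meltdown update listed for this OS in the table'
    } elseif ($InstalledKb -contains $row.Required) {
        "Patched: $($row.Required) installed"
    } elseif ($row.Superseded -and ($InstalledKb -contains $row.Superseded)) {
        # Having the superseded update is not the same as having the Meltdown fix.
        "Not patched: only superseded $($row.Superseded) present, install $($row.Required)"
    } else {
        "Not patched: install $($row.Required)"
    }
    [pscustomobject]@{ Build = $BuildNumber; OS = $row.Name; Status = $status }
}

# Offline demonstration with constructed input: a Windows Server 2016 host
# (build 14393) that only has the superseded update installed.
Test-MeltdownPatch -BuildNumber 14393 -InstalledKb @('KB4053579')

# Live check of the machine this runs on.
Test-MeltdownPatch

# Optional: Microsoft's SpeculationControl module (Install-Module SpeculationControl)
# reports whether the kernel mitigations are actually enabled, not merely installed.
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    Get-SpeculationControlSettings
}
```

The offline call reports "Not patched: only superseded KB4053579 present, install KB4056890". Two caveats for real use: Get-HotFix reads Win32_QuickFixEngineering, so run it elevated and confirm a result against Settings or WSUS if it looks wrong, and an installed KB only means the fix is present; the SpeculationControl check at the end is what tells you whether the mitigation is active on that hardware.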

Microsoft has also recently released a cool new dashboard that uses analytics to help discover vulnerable devices and assess whether those devices are susceptible to Meltdown and Spectre. You can get that here.

It will be important over the next few weeks to stay on top of any breaking news around Meltdown and Spectre. Mitigation efforts should be underway in your IT organization to prevent a future zero-day attack.