When an RMM maker speaks with partners about security these days, one word comes up a lot: SolarWinds.
That, of course, is due to recently revealed vulnerabilities implanted in SolarWinds’s Orion management system by sophisticated hackers believed to be working for the Russian government. Though neither of the two RMM products offered by SolarWinds subsidiary SolarWinds MSP was affected by that breach, managed service providers, who have increasingly found themselves targeted by cybercriminals and nation-state attackers in recent years, are on edge just the same about where and when the next incident might take place.
They’re right to be concerned, too, according to Lewis Huynh, chief security officer at NinjaRMM. “SolarWinds is not an exception,” he says. “They happened to be the target and the exploited company, but the reality is we’re all vulnerable, and knowing that puts you on a path to prepare.”
Huynh spoke with ChannelPro shortly after the conclusion of NinjaRMM’s second annual Security Summit, which took place online yesterday. Perhaps inevitably, a panel discussion during that conference featuring Huynh and other security experts commenced with thoughts about the SolarWinds breach. The fallout from that incident, speakers noted, is still ongoing.
“We’re over a month, I think, now at this point since it’s gone down, yet I would say the channel is still just as murky on what actually happened and what do I do next,” said Kyle Hanslovan, CEO of security vendor Huntress.
Even as details about the attack continue to emerge, NinjaRMM has doubled down on previously introduced measures aimed at safeguarding its software from compromise.
“We’ve done a couple different things in terms of locking down our supply chain [and] our build systems,” Huynh says. The company has also tightened up its intrusion detection and prevention monitoring and stepped up security training across the company. “A lot of hacks occur because of phishing attempts,” Huynh observes.
To keep its MSP partners safer, meanwhile, Ninja has accelerated several security-related enhancements on its product roadmap. “It pushed things that generally people are OK with waiting for into the forefront,” says Huynh of the SolarWinds story.
Encouragingly, MSPs appear to be better prepared for threats at present, according to Bill Siegel, CEO of ransomware incident response specialist Coveware and a participant in yesterday’s panel. A year ago, he said, MSPs were coming to his firm for help almost weekly.
“We were seeing RMM tools being exploited, unpatched RMM tools. We were seeing MSPs that didn’t have strong authentication systems getting exploited,” he noted. “I would say that’s probably down to like maybe one or two a month at this point.”
Indeed, while the threat landscape remains as treacherous as ever, if not more so, MSPs have actually faced fewer threats than before in recent months, Huynh says, thanks largely to the coronavirus pandemic.
“We had a lot of people working remotely, and home networks are notorious for being insecure,” he observes, adding that hackers have been going after those easy marks rather than trying to pry their way into RMM systems. Don’t be fooled, though, Huynh warns. The current respite is just the calm before a surely approaching storm.
“We’ve definitely noticed some of the activity dying down, but our vigilance has continued,” he says. “The shoe is going to drop at some point this year.”
MSPs should use the time between now and then to harden their defenses, he continues. “A good approach to take is to take a look at these frameworks that have been put together by experts,” Huynh advises. That, in fact, is exactly what Huynh himself did after stepping into his current job in 2018. “We leveraged NIST 800-53. We leveraged NIST 800-71,” he says, referring to guidelines from the federal government’s National Institute of Standards and Technology.
Speakers at yesterday’s conference further urged listeners to take seemingly small, obvious steps that can deliver outsized benefits, like implementing multifactor authentication, eliminating Remote Desktop Protocol connections, and keeping systems fully patched.
“You don’t get a linear reduction in risk when you do these simple configuration things. You get exponential reduction in risk, because you get so much more expensive as a target,” Siegel said.
Take full advantage of all the security features in your RMM and other business solutions as well, panelists counseled. “You have SSO sometimes on these products that nobody implements,” Hanslovan noted. Katie Nickels, director of intelligence at managed detection and response vendor Red Canary, agreed.
“There’s a lot of built-in Windows protection that can actually do a lot to stop ransomware,” she said.
Huynh, for his part, encouraged MSPs to stay in close touch with their peers and vendors. “Everybody is vulnerable, and only working together in terms of sharing information and collaborating on solutions will you stay ahead of the attackers.”
NinjaRMM followed its own advice in that regard when it signed on as an early member of an MSP information sharing and analysis center (ISAC) formed by Huntress and managed services software vendor Datto in 2019. “The idea is to kind of provide as much advanced notice [of threats] as possible,” Huynh says. “That awareness can then help other MSPs to take a step to prevent what could possibly be a proliferation of the same attack.”
That several ISAC members, including Datto, Kaseya, and ConnectWise, compete with one another hasn’t kept them from being active ISAC contributors, noted panelist Ryan Weeks, Datto’s CISO.
“I’ve said for a while we can compete on the capabilities of our tools and features and functionality, but I don’t really think we should be competing on the security of our tools, because if we are then MSPs are losing,” he stated.
Huynh offers one last realistic yet sobering piece of advice: get used to the fact that nothing you or your vendors do to strengthen security will provide total safety from a determined adversary.
“There’s no outright security way to lock everybody else out,” he says.