Kaseya Breach Shakes Faith in ITSM Platforms

Managed service providers (MSPs) both large and small are reassessing their approaches to managing IT in the wake of a cyberattack against the IT service management (ITSM) platform provided by Kaseya.

Kaseya is now reporting its software-as-a-service (SaaS) instance of its Virtual System Administrator (VSA) platform will be back online sometime between 4:00 and 7:00 EST today. It expects the on-premises editions of VSA to be patched within 24 hours after that.

The company has also committed to providing access to an independent security operations center on a 24/7 basis for every instance of VSA The SOC will provide the ability to quarantine and isolate not just files but also entire VSA servers. A complementary content delivery network (CDN) for every web application firewall is also being provided for every VSA instance on an opt-in basis.

Finally, a compromise detection tool is available for download and customers who whitelist IPs will be required to whitelist additional IPs.

The MSP Fallout

Thus far, Kaseya is reporting that fewer than 60 of its customers were impacted. All of those customers were using the on-premises edition of the VSA platform. However, many of those customers are MSPs so the blast radius for the attack launched by cybercriminals affiliated with the ReVIL, a ransomware-as-a-service platform, is roughly 1,500 downstream businesses. Cybercriminals are reportedly asking for $70 million to unencrypt the VSA servers that have thus far been impacted by the attack.

While most of the immediate focus is on cleaning up the current mess, the overall impact the attack itself will have on the way IT is managed by organizations that depend on MSPs is a matter of debate.

In many cases, rather than assuming the platforms that MSPs employ are secure, end customers will now require them to prove it via an audit of their software supply chains, says James Shank, Chief Architect of Community Services for Team Cymru, a provider of threat intelligence tools employed to conduct such audits.

Shank, who also served on the Ransomware Task Force Committee set up by The Institute for Security and Technology (IST), notes that MSPs should also assume attacks will only get worse before they get any better. “This is not the end or the middle,” he says. “It’s only the beginning.”

Others, however, don’t think there will be any widespread mandate to audit IT supply chains in the absence of any government requirement. Most organizations are simply not going to conduct or require extensive audits because of the time, effort, money and expertise required, says Mike Hamilton, chief information security officer (CISO) for Critical Insight, a provider of a managed detection and response platform.

“American companies are not going to do that unless someone holds their feet to the fire,” he says.

The challenge that creates for MSPs and their customers is it may force them to continue to place too much trust in IT platforms provided to them by a vendor, says Chris Grove, technology evangelist for Nozomi Networks, a provider of security tools for monitoring networks. “These platforms are over-trusted,” he says.

Will Custom Platforms Return?

The decision many MSPs are specifically wrestling with is the degree to which they should continue to rely on ITSM platforms from an IT vendor that might be compromised by malware versus building and securing their own custom platform. The latter approach is not immune to malware but might be less of a target as cybercriminals increasingly focus their efforts on platforms that enable them to wreck greater downstream havoc. Alternatively, MSPs could switch to ITSM platforms provided by vendors that don’t have enough market share to attract the attention of cybercriminals. There is, of course, no guarantee that cybercriminals won’t one day determine that that ITSM platform warrants their attention.

Building an ITSM platform from scratch naturally requires a level of investment many MSPs lack the funding or expertise to make, notes Eldon Sprickerhoff, chief innovation officer for eSentire, a provider of a managed detection and response platform. “It’s a difficult situation,” he says.

MSP Customers

Regardless of the challenges ahead, the only organizations less prepared to manage cybersecurity are small-to-medium businesses (SMBs) that today by and large rely on MSPs to protect them. As much as many of them may now be inclined to shop around for MSPs that can provide greater assurances of security, the fact remains that only a small percentage are likely to rely solely on an internal IT security team that most of them still can’t really afford to hire or retain.

There’s no doubt the security reputation of MSPs has taken a major hit in the wake of the Kaseya breach. However, this is not the first nor likely to be the last of these types of breaches. The challenge going forward is to determine how best to contain them once they inevitably occur.