SolarWinds MSP’s 7 habits of highly secure MSPs

Tim Brown, SolarWinds Security VP, gave a keynote to the SolarWinds Empower audience in which he focused on seven themes MSPs need to address to keep their customers, and their own businesses, safer.

Tim Brown onstage at Empower

ATLANTA – The increased centrality of security to the IT industry in general, and to the MSP industry in particular, is well understood. Yet many MSPs, particularly the smaller ones, tend to be laggards in actually adopting features, practices and processes which would improve their security. Tim Brown, SolarWinds VP Security, gave a keynote at the Empower event here on Thursday where he outlined the company’s views on the future of security, and seven areas where the company’s MSPs need to focus.

“A year ago, I would say that not enough MSPs were stepping up here,” Brown said. “Today, most of the ones who will be here tomorrow are doing that. Those who are larger and substantial absolutely are there today, and many of the smaller ones have realized that they have to make changes. If they don’t adopt security well, they will not be in business.”

Brown emphasized to partners that SolarWinds MSP realizes that they and their MSP partners sink or swim together.

“One of our crown jewels is you,” he told the audience. “If you get breached, it creates a huge issue for the rest of the company. We aren’t perfect but we understand the risk that you guys face and your customers face. If we lose trust from an MSP’s perspective, we will implode.”

That’s why the company has stepped up its investment, not just in security technology, but in partner support, Brown stressed.

“With the programs we have put in place in the last three years, somebody will always pick up the phone for you if there is a security issue,” he told partners.

Brown then laid out seven areas where he thinks MSPs need to focus and take action to ensure they are operating at a high level.

The first is to become a lifetime learner, something that Brown said is indispensable to keep up with the rapidly changing risk and threat environment.

“For example, ransomware declined a lot and we thought it had gone, but basically overnight it changed focus from targeting single machines to targeting the state of Texas,” he noted. “So you have a lot fewer attacks, which are a lot bigger. To be aware of these changes, you need to constantly pay attention to what’s going on. Partner if you have to, to get this knowledge.”

This requires that MSPs think about how they measure risk for their clients and explain to them how much risk they face.

“They should be able to assess a basic level of risk based on industry categories,” Brown said. “They need to be able to determine if a client has any data that people would want. If they have a client that is a car wash who stores no credit card data, they are at low risk. But most larger MSPs will have some clients who are at medium or higher risk, and if necessary, the MSP should outsource to get expert help to properly assess that risk.”

Better awareness also lets MSPs leverage a key competitive advantage over MSSPs.

“The MSSP focuses on keeping bad guys out,” Brown told his audience. “You also need to focus on letting good guys be good, and focus on that as a differentiator.”

This means understanding the businesses that the MSP protects, what access people there need to do their jobs, who needs remote access, who needs apps, who needs POS terminals, and who needs measurement tools.

“Knowing these IT functions is just as important as security,” Brown said. “With the knowledge of what good should look like, MSPs can focus on how to protect each specific customer.”

The second principle is to realize that data is your friend, and start doing basic analytics and automation now. That requires automating as many processes as possible.

“The big guys look for every way possible to take out manual events,” Brown said. “You need to think about how you automate everything associated with data in action. It’s the key to scale.”

Brown acknowledged this has been hard for many MSPs to do, and that automation rates are still quite low.

“The evolution of DevOps hasn’t bridged over to MSPs yet, but many MSPs who have been more successful have embraced it,” he stated. “It’s also a skillset question. Many MSPs have been service providers and not developers, and for them that kind of scripting can be uncomfortable. But there are plenty of great junior programmers coming out of school who can code things if the MSPs know what they want to automate.”

Brown counselled MSPs that going forward, they should look for technology with analytics built in.

“Analytics is the key to unlocking the future,” he said. “Today, analytics are not strong enough to show us all the meaningful deviations. Tomorrow, it will be.”

The third habit MSPs should adopt is to recognize the big shift in the endpoint market that has added many operational tech devices that are harder to protect, and to segment wherever possible to optimize protection.

“Avoid mixing environments which mix devices you can’t protect well with ones you can,” Brown stressed. “Segment whenever possible to limit attack aperture. Make sure cameras don’t share the same networks as other devices. Only allow devices to communicate with who they need to. Monitor for indications of compromise and act fast.”

Brown said this should be more intuitive for many MSPs, since it is rooted in networking rather than security.

“They just need to have the realization that they can’t protect all this stuff, that parts of the network have to be segmented,” he said. “Today, some are segmented in this way, but many are not.”

The fourth principle is to recognize how the network itself has changed, from a single-seed avocado to a multi-seeded pomegranate, with many more things to protect. Each seed needs to satisfy basic security requirements and come into Active Directory.

“This requires understanding what applications your customers have, as well as the customers’ access model, and how much identity control they have. It requires understanding the benefits that a Zero Trust policy can provide.”

Zero Trust, Brown said, means that you don’t have access to anything, and have to request access. Checks then happen and, when they are answered appropriately, access is granted.

“Zero Trust is a journey, not a singular point in time, but they have to take the first step,” Brown said. “Many MSPs already are dealing with networks like pomegranates, but they haven’t internalized it because they don’t like it. If they embrace that fact, they can make rules and policies for these cloud apps.”

Fifth is understanding that identities are key to everything.

“That’s why we acquired Passportal,” Brown said. “I work to a 20-80 model, where 20 per cent of users, if compromised, can do material harm to the company.” This includes jobs like systems admins, and people with access to financial data before it becomes public.

“If you only need to protect 600 people to the max in a 3000-person company, that’s much easier,” Brown said. “You might even push that 20 per cent back to VPN, to check everything they are doing, and make sure they are not compromised.”

The sixth principle is to understand the present swing towards privacy, its impact on regulations, and the opportunities these pose for MSPs.

“Understand that regulations are your friend and create real business opportunities,” Brown told the MSPs. “Regulations always create opportunity – to understand the regulation, and to give advice to clients. People are forced to spend money on them. Understand what regulations your customers face, and that any customer dealing with personal data may face additional regulations. Make regulations part of your normal inspection and monitoring.”

Finally, Brown emphasized that MSPs have to understand the foundation.

“Good cyberhygiene is critical for everything,” he said. “90 per cent of risks are not from sophisticated attacks. It’s from bots running around the Internet looking for things that aren’t patched. But protecting against the mundane is not easy. To do the basics is hard. There is no silver bullet that will solve all problems. Be proactive and not reactive when possible. Focus on architecture and not individual components. And link security to the business, and be practical.”