Datto CISO Ryan Weeks details a practical strategy MSPs can use to develop their cyber resilience capacity in a way that will not overwhelm them, while also introducing some new product features designed to strengthen this capacity.
On Thursday, Datto held their fourth annual MSP Technology Day, a half-day virtual event with the theme of explaining to MSPs how to move beyond providing cyber security, and provide cyber resilience for both their customers and themselves.
“A lot of the things Datto has done over the past several years is protect MSPs, and we think of that as cyber resilience,” said Ryan Weeks, Datto’s CISO. “That’s a fairly new concept for MSPs. They think of becoming cyber secure, which involves getting your defenses to the point where nothing bad will happen. Cyber security focuses on things to protect, and what to do if those controls fail. Cyber resilience goes beyond that, to cover the additional things MSPs need to be resilient and to deal with breaches, and provide disaster recovery and incident response. Cyber resilience is a combination of protection, response and recovery. It’s thinking about things you need to do to respond to incidents in the security world.”
Weeks cited the recent exploitation of zero-day vulnerabilities in Microsoft Exchange Server by state-sponsored hackers as an example of the specific need for cyber resilience.
“Many MSPs had many customers affected,” he stated. “The scale for many of them was staggering. It’s hard to keep up if you don’t have robust response and recovery capabilities. No amount of controls alone would help. You need response and recovery, which is the other part of the equation.”
Weeks’ keynote at the event laid out a practical strategy MSPs can take on their journey to becoming cyber resilient.
“My keynote laid out a path to becoming cyber resilient, which looks at several common frameworks that already exist, and how to leverage them in chunks to achieve objectives,” he said. “You can spend weeks inside of some of them to break it down into smaller chunks. For example, start with CIS controls until you reach a point where you fork off to NIST. CIS is more accessible, so it is a good place to start. When they get to a certain point, they have enough confidence that they can pivot to the NIST CSF. It’s all about breaking it down and making it accessible. That’s important, because many MSPs feel it’s all too complicated and don’t know where to start. This is a way to get started that’s very accessible for them.”
Weeks acknowledged that only a small percentage of MSPs have reached the minimum level of cyber resilience necessary to protect themselves and their customers, but he strongly emphasized that there is a willingness to get there.
“I would say that probably around 90% of MSPs are not there yet, but one thing gives me hope,” he said. “When I went to my first DattoCon in 2017, MSPs didn’t get security as a service at all. Every MSP now is doing that today. They understand that it’s to protect themselves as well as their customers. So you have to give credit for the progress that has been made, even though for most of them it has not yet been completed.
“If they don’t make these achievements on their own, they might be forced to do so by regulation,” Weeks added. “I hope as a community we can come together on a common framework instead.”
Weeks said that most RMM/PSA vendors talk about the need to get better organized around security, but that the results really haven’t been there.
“I believed very strongly that through sheer will in 2019 we could create a community of vendors that would collaborate and increase security as a whole, and we DID bring vendors together in a threat intelligence community,” he commented. “Everyone understands that if any one RMM gets breached, it makes us all look bad. But not enough vendors have come together to play well in the sandbox. Some are defining their own frameworks. That’s part of the reason why at MSP Technology Day we focus on frameworks that already exist. We need to get MSPs involved in the conversation. This kind of work needs to be done for MSPs by MSPs, although ultimately funded and sponsored by vendors. Vendors getting together and telling MSPs what to do isn’t necessarily a winning formula.”
Datto introduced a pair of product enhancements at the event designed to help MSPs become more cyber resilient. One is Datto RMM Ransomware Detection, which complements other security applications like antivirus to reduce the impact of cyberattacks. It monitors endpoints for unusual encryption activity and immediately attempts to terminate the ransomware process, isolate the infected device and prevent the ransomware from spreading through the network.
“The RMM Ransomware Detection feature will ultimately be a low-cost add-on for RMM,” Weeks said. “Right now, we are offering it for free, for a limited time.”
Weeks said that this solution is designed as a fail-safe in case attackers beat other defenses.
“This doesn’t mean you can get rid of your AV,” he noted. “We love our EDRs and next-gen AVs, but attackers know how to bypass them, so another layer of defense doesn’t hurt. This is for when all else fails. We do that in a way that the MSP can access this through the RMM to clean it up and discover. You don’t actually want the anti-ransomware in your core RMM. You want it separate so if ransomware gets into the RMM, you can kill it. We’ve also added automation capabilities, which is what cyber resilience is all about. Cyber resilience needs to be automated for MSPs to do it at scale. MSPs aren’t going to succeed in competing for cyber talent. They need to achieve the same results through processes, like network isolation and other automated response activities.”
The other enhancement is Datto Cloud Deletion Defense, which protects backups stored in the Datto Cloud from both accidental and malicious deletion.
“We are announcing this now, but have been running it in our cloud for months,” Weeks stated. “It’s the ultimate last line of defense. Attackers try to destroy backups, and we never want to have a backup destroyed through a malicious actor. Datto Cloud Deletion Defense is the backstop for that. When the attacker clicks a button to destroy the backup, we ensure there is a copy of that data in our cloud.”
Datto Cloud Deletion Defense is available both for the SaaS platform and for Datto BCDR.
“We are really focusing on the BCDR version of this though,” Weeks said.
Finally, last week, Datto announced that it had acquired BitDam, which makes a cyber threat detection platform that protects collaboration tools like Microsoft 365 and Google Workspace from ransomware, malware and phishing. Weeks said that MSPs want to know when this will be integrated within the Datto platform, but unfortunately, it’s too early to give any clear answer.
“They are excited, and want to know more about when it is coming,” Weeks noted. “BitDam has amazing talent and a really effective product, and it made too much sense not to make that acquisition. It is very synergistic with our SaaS backup as well. Our focus now though is on bringing the team into Datto. In terms of when the product is integrated, I can say that it will definitely be this year, although I know that’s very broad.”