Security Frameworks Are Key To MSPs Looking To Secure Clients: Pillr
‘I don’t care which [security framework] you pick, but pick one. Don’t try and build your own. Don’t say “We’re like a combo of NIST and ISO and we use a little bit of CIS.” That does not work. You have to pick one security framework, one standard, go with it, implement it,’ says Adam Gray, Pillr’s chief science officer.
Adopting a standard security framework could help managed service providers become a better advocate for their clients’ security while helping mitigate a shortage of cybersecurity talent.
That’s the word from Adam Gray, chief science officer at Wichita, Kan.-based cybersecurity technology developer Pillr, who told an audience of MSPs at this week’s XChange August 2023 conference that the key to doing well with cybersecurity is to pick a security framework, whether it is NIST, ISO or CIS, and focus on that framework.
“I don’t care which one you pick, but pick one,” he said. “Don’t try and build your own. Don’t say ‘We’re like a combo of NIST and ISO and we use a little bit of CIS.’ That does not work. You have to pick one security framework, one standard, go with it, implement it.”
The XChange August 2023 conference is hosted by CRN parent The Channel Company and is being held in Nashville, Tenn., this week.
Gray said he recommends that MSPs new to security frameworks choose CIS 18, which he said has good guidelines, is quite reasonable, and is not too complex. MSPs who later need a more rigorous security framework can upgrade, he said.
CIS 18 consists of 18 controls, including:
1) Inventory and control of enterprise assets
2) Inventory and control of software assets
3) Data protection
4) Secure configuration of enterprise assets and software
5) Account management
6) Access control management
7) Continuous vulnerability management
8) Audit log management
9) Email and web browser protections
10) Malware defenses
11) Data recovery
12) Network infrastructure management
13) Network monitoring and defense
14) Security awareness and skills training
15) Service provider management
16) Application software security
17) Incident response management
18) Penetration testing
It is important to note that CIS 18 is a top-down approach, meaning each control must be taken care of before tackling the next control on the list, Gray said.
“So if you’re spending more of your budget on nine and ten than you are on one and two, you failed,” he said. “You did something wrong in this space. You are supposed to do these in order. There is a reason that pen testing is last on this list and not first. There’s a reason that malware defenses are in the middle and not first.”
If someone tells you he or she is a former NSA (National Security Agency) employee, or says he or she can handle a customer’s security for $15 per month and throw in incident response at no charge, that will not work, Gray said.
“None of that’s going to happen,” he said. “That’s all in nine and ten, so far down the list. You kind of miss the point. Security programs are really about building controls. And if you don’t know where your assets are, or what your software is, you’re not moving forward in the right way. It’s just not really going to happen. On the list there’s continuous vulnerability management. That’s not scanning once a quarter, or even once a month. ‘Continuous’ is multiple times a day so you know what you’re vulnerable to.”
Even doing log management comes before malware defenses, Gray said.
“It’s more important to log the stuff than to actually defend yourself because real-time defenses do not work,” he said. “They will not work. If they did, I wouldn’t have started in the mid-90s doing security and still be doing it. I wouldn’t be standing on this stage today telling you, ‘Hey, we should probably follow these things.’”
Gray said that malware defenses have a sub-50-percent efficacy rate.
“So given that you spent 80 percent of your budget on malware defenses, but it has a sub-50-percent efficacy rate, we probably need a better or a different approach,” he said. “And so that’s why we have to look at the controls. That’s why we have to do these things.”
The best way to talk with clients about such a security framework is to discuss their regulatory and compliance objectives, Gray said.
“Look for highly regulated, compliance objectives where they are required to spend money,” he said. “That should be your primary conversation within your customer base. Highly regulated medical, financial, oil and gas guys have security programs. They’re dictated to do it. They will spend money on it.”
MSPs should also be taking security frameworks to customers who are seeking cyber insurance and are required to meet a minimum level of security.
“If you’re not, somebody else is,” he said. “If you’re not talking to them about SOC services, strong authentication, vulnerability management, some group out there is direct selling against you. You may have another SOC provider that’s selling directly against you. We only sell through the channel, but there are many that don’t.”
Other openings for presenting security frameworks come from conversations with customer groups about best practices and operations, about risk mitigation, and during cleanup after an incident response, he said.
An MSP’s choice of security framework starts with looking at what the MSP can actually achieve, Gray said, noting that the CIS framework has multiple levels of various degrees of difficulty.
“Start with one, achieve those goals, look at the controls, go through them, build out the necessary pieces that you’ve got, and really relate that to how do I build a technology stack,” he said. “The people, the operations, what do I need to insource? What do I need to outsource? Where do I go and get a partner for that?”
He suggested looking for a SOC-as-a-service that is co-managed and multi-tenant, and exploring options that do not require a rip-and-replace of existing security technology investments.
“Are services like threat hunting and investigation included?” he said. “Is IR [incident response] included? Are there procurement terms that I need to know about, either monthly or yearly or other spending components?”
It is also important to physically visit the site where the infrastructure is actually managed and ask to talk to the staff and see how many analysts they have, he said. Ask to read their compliance reports, as well as the full version of the SOC 2 Type 2 controls they have put in place and not just the abridged version, he said.
“When you get a SOC 2 Type 2, you get to decide, as the group going for it, what things you’re going to put under scope,” he said. “So if you only put one room in your whole facility under scope with three people, that’s the only thing that the SOC 2 Type 2 covers, and it’s the only thing they ask you about. So you get to define the rules. So you get to know that when somebody puts that special SOC 2 Type 2 logo on and they’re like, ‘We’re certified,’ it doesn’t mean much. You have to actually read the reports.”
MSPs should also ask for a sample RACI (responsible, accountable, consulted, and informed) report to understand what the roles and responsibilities between all the groups are, and then understand what’s included in detail, he said.
Finding the right partner to help implement a security framework will also help mitigate a cybersecurity talent shortage that currently means that only about 1 percent of U.S. enterprises can really afford an enterprise security program, Gray said.
An increasing shortage of cybersecurity talent is a key reason many companies do not have the kind of security they need, Gray said.
“There’s a shortage of qualified people running this stuff,” he said. “And operationally, it’s really hard to be good at security. And because of that, that’s pushed up the amount of budget that’s required to be good at it, and you have to have the people. So all of you in this room have the same problem. And there’s not a lot of great solutions.”
Pillr is an enterprise-grade SOC and on its own covers about half of the CIS 18 controls, Gray said. Working with other technology partners, it covers about two-thirds of the controls, he said.
“So you can knock off a big list of that without having to do a complete rip and replacement of your technology,” he said. “We support about 500 different technology groups today in integrating their technologies, both inbound and outbound. And we are partnered through distribution.”
Network Services, a Cheektowaga, N.Y.-based MSP, is already doing about 70 percent of the controls in the CIS 18 framework, so eventually adopting the full CIS 18 framework should be an easy lift, said Anthony Robbins, a partner at the MSP.
“So I think we will continue moving in that direction, mostly because it’s the right thing to do,” Robbins told CRN.
Network Services has already implemented controls one through eight, along with parts of controls nine and ten, Robbins said. He said his company still uses a manual process that relies on pulling data out of its RMM to manage assets, but is looking to automate that and to adopt SOC-as-a-service as well.
“I think it’s an advantage in our marketplace to say things like we are using a CIS 18 framework, and we will do the same to protect your data like we protect ours,” he said.