SolarWinds and Kaseya Attacks Shake Faith In SaaS Model (channelinsider.com) 58
"First SolarWinds, now Kaseya. SaaS software heavily used by managed service providers (MSPs) has now been the target of two successful cyberattacks," writes Slashdot reader storagedude.
He shares a ChannelInsider article reporting the Kaseya ransomware attack compromised roughly 1,500 "downstream" businesses — and that now managed service providers "are reassessing their approaches to managing IT" after their own upstream vendors were breached: In many cases, rather than assuming the platforms that MSPs employ are secure, end customers will now require them to prove it via an audit of their software supply chains, says James Shank, Chief Architect of Community Services for Team Cymru, a provider of threat intelligence tools employed to conduct such audits. Shank, who also served on the Ransomware Task Force Committee set up by The Institute for Security and Technology, notes that MSPs should also assume attacks will only get worse before they get any better. "This is not the end or the middle," he says. "It's only the beginning."
Others, however, don't think there will be any widespread mandate to audit IT supply chains in the absence of any government requirement. Most organizations are simply not going to conduct or require extensive audits because of the time, effort, money and expertise required, says Mike Hamilton, chief information security officer (CISO) for Critical Insight, a provider of a managed detection and response platform.
"American companies are not going to do that unless someone holds their feet to the fire," he says.
The challenge that creates for MSPs and their customers is it may force them to continue to place too much trust in IT platforms provided to them by a vendor, says Chris Grove, technology evangelist for Nozomi Networks, a provider of security tools for monitoring networks. "These platforms are over-trusted," he says.
The decision many MSPs are specifically wrestling with is the degree to which they should continue to rely on IT service management (ITSM) platforms from an IT vendor that might be compromised by malware versus building and securing their own custom platform. The latter approach is not immune to malware but might be less of a target as cybercriminals increasingly focus their efforts on platforms that enable them to wreck greater downstream havoc. Alternatively, MSPs could switch to IT service management platforms provided by vendors that don't have enough market share to attract the attention of cybercriminals... Building an IT service management platform from scratch naturally requires a level of investment many MSPs lack the funding or expertise to make, notes Eldon Sprickerhoff, chief innovation officer for eSentire, a provider of a managed detection and response platform. "It's a difficult situation," he says.BR> The article points out that few small- to medium-sized businesses can afford their own internal IT security team.
Slashdot reader storagedude then suggests "on-premises installed and managed software could get another look as a result of the attacks," while vendors who can prove high levels of security "could gain a market advantage."
He shares a ChannelInsider article reporting the Kaseya ransomware attack compromised roughly 1,500 "downstream" businesses — and that now managed service providers "are reassessing their approaches to managing IT" after their own upstream vendors were breached: In many cases, rather than assuming the platforms that MSPs employ are secure, end customers will now require them to prove it via an audit of their software supply chains, says James Shank, Chief Architect of Community Services for Team Cymru, a provider of threat intelligence tools employed to conduct such audits. Shank, who also served on the Ransomware Task Force Committee set up by The Institute for Security and Technology, notes that MSPs should also assume attacks will only get worse before they get any better. "This is not the end or the middle," he says. "It's only the beginning."
Others, however, don't think there will be any widespread mandate to audit IT supply chains in the absence of any government requirement. Most organizations are simply not going to conduct or require extensive audits because of the time, effort, money and expertise required, says Mike Hamilton, chief information security officer (CISO) for Critical Insight, a provider of a managed detection and response platform.
"American companies are not going to do that unless someone holds their feet to the fire," he says.
The challenge that creates for MSPs and their customers is it may force them to continue to place too much trust in IT platforms provided to them by a vendor, says Chris Grove, technology evangelist for Nozomi Networks, a provider of security tools for monitoring networks. "These platforms are over-trusted," he says.
The decision many MSPs are specifically wrestling with is the degree to which they should continue to rely on IT service management (ITSM) platforms from an IT vendor that might be compromised by malware versus building and securing their own custom platform. The latter approach is not immune to malware but might be less of a target as cybercriminals increasingly focus their efforts on platforms that enable them to wreck greater downstream havoc. Alternatively, MSPs could switch to IT service management platforms provided by vendors that don't have enough market share to attract the attention of cybercriminals... Building an IT service management platform from scratch naturally requires a level of investment many MSPs lack the funding or expertise to make, notes Eldon Sprickerhoff, chief innovation officer for eSentire, a provider of a managed detection and response platform. "It's a difficult situation," he says.BR> The article points out that few small- to medium-sized businesses can afford their own internal IT security team.
Slashdot reader storagedude then suggests "on-premises installed and managed software could get another look as a result of the attacks," while vendors who can prove high levels of security "could gain a market advantage."
In the words of Montgomery Scott (Score:5, Insightful)
"The more complicated they make the plumbing
the easier it is to stop up the drain."
Re: (Score:3)
Or as I was taught in CS: "complexity kills".
Unlikely (Score:5, Interesting)
I'd wager a thousand bucks at five to one odds that it does NOT result in large industry changes. There is no god more omnipotent than the status quo, and no worshiper more devout than an MBA who is faking it till they make it.
Today, right now, someone who doesn't deserve their position is making the choices that will ruin a fifty year old business. Maybe it'll make the news, maybe it won't. Maybe people will die. Maybe they won't. But it is happening.
Re: (Score:3)
There is no god more omnipotent than the allmighty dollar. And SaaS is just heaps chaper.
Besides, there is no exit strategy. They have no choice, there is no going back.
Re: (Score:1)
Noting that prestige, position, and approval are all things people will gladly risk money FOR. Especially if the money is someone else's.
Re: (Score:2)
Re:Unlikely (Score:5, Interesting)
But that only happens to others. Not to me. Or at least hopefully, at least before next year when my tenure is over and I'm out of here with a golden parachute, making it the problem of the next poor idiot you hire as CEO.
Re:Unlikely (Score:5, Interesting)
I am IT Director for a medium sized business. I inherited a position that was deeply embedded with MSP's and some cloud services. I have brought a large portion of those back in house and saved $250k in the first year alone running those services in house on open source software. Free licenses. Tell me again how cloud saves money? I can pay for the manpower to manage those services MANY times over for cost I save on licenses and recurring fees. SaaS was created EXACTLY so they could charge you more. With market penetration maxed out, they could no longer grow by getting more people to buy it and they got pissed off that people had control over when they wanted to upgrade or move on. Enter SaaS, created specifically so they could charge you "forever and ever Amen" for something you used to be able buy once and be done with it. Yea.. that's a huge fucking no for me and I have saved my company so much it is incredible. But also on to another huge reason SaaS was created... Snowden documents prove almost ALL the major tech companies have secretly embedded CIA personnel steering/guiding/influencing the companies and their users toward those SaaS services for the express purpose of gaining access to all of this information via non-government entities to get around data collection laws against the government doing it directly. Anyone using smart speakers or cloud services in general is basically a clueless idiot. Snowden documents blow the whistle on it and it isn't even denied. This is conspiracy in the open yet most idiots still use this shit. And it isn't just Google. Why the FUCK do I have to log in to a server at a remote site to ask permission to control things in my own home like thermostats or Chamberlain garage door openers or any number of other things. I WANT connectivity, but refuse to do it in a way that puts my shit in someone elses control whether nefarious or not.
Re:Unlikely (Score:4, Informative)
If you're big enough to be able to have the resources in house, then I 100% agree, not way can paying for a service be cheaper.
For smaller companies that can't afford to have people with the skill sets required for their technologies, then it can be worth while. You'd not only be paying for the service, but also paying for the (hopefully) technical expertise needed to support that service.
I remember long ago when I worked for a large vendor, some small companies would use the support services for training and help to do basic activities that they should have been able to do themselves. They lacked the trained staff to do so.
Re: (Score:2)
I would take that bet. Either client risk managers or insurance companies will force the end customers of the MSP/SAAS chain to have the data.
We have one application that will be areal challenge to address, due to the vendor’s (AutoDesk) lock-in strategy. I am pretty sure our clients will be pushing for change and getting it at some level.
Re: (Score:2)
I'd wager a thousand bucks at five to one odds that it does NOT result in large industry changes.
No, but plenty of companies are still on the edge about cloud services, and this will give those against it another argument, and at the very least delay the move into the cloud for those who've not yet done it.
I'm the security expert in a multi-million tender offer right now, with one of the requirements being that all data and systems run on-prem. It's by far not the only company I know that is reluctant to embrace the cloud. This is still an active discussion in many companies, and each such event will a
MSPs will need to prove their value-add (Score:5, Interesting)
For MSPs to survive, they will have to prove their value. Insurance companies will require indemnification upstream, and that will push a number of changes. I know after we had a crime policy claim we had plenty of scrutiny into our procedures, and it will only get worse.
What about a different approach (Score:2)
As TFA pointed out, few companies have the resources to roll and manage their own. I've worked on. a few projects that tried that and there never was enough money to do it right and the projects went on forever until someone killed them.
I would suggest a multi pronged approach:
The service provider should actively attack their systems to find flaws and fix them
Develop a backup system that regularly makes backups of all your data and airgap copies of the backup so if you are compromised you at least you can
Re: (Score:2)
The immediate problem I see with all of your suggestions (but especially with #1 and #2) is - they all cost money, which means they'll impact the service provider's and/or the customer's profitability.
It's much cheaper to just throw generic phrases like "we regularly monitor our network for suspicious activity" - it sounds impressive, and it's not like most of them know any better.
I'm really doubtful these attacks are going to lead to any substantive change. I'm in education, not business; but even our PhD-
Re: (Score:2)
The immediate problem I see with all of your suggestions (but especially with #1 and #2) is - they all cost money, which means they'll impact the service provider's and/or the customer's profitability.
It's much cheaper to just throw generic phrases like "we regularly monitor our network for suspicious activity" - it sounds impressive, and it's not like most of them know any better.
I'm really doubtful these attacks are going to lead to any substantive change. I'm in education, not business; but even our PhD-toting faculty routinely say things like "yes, I understand the issue you raise regarding us not having adequate backups" while blithely refusing to spend money to fix the issue. Unless you've been directly impacted by a problem, it's very easy to ignore. Heck, I've seen researchers lose terabytes of data and *still* not learn the "you need backups" lesson.
yea, I agree. I setup an automatic backup for a friend so that no data would be lost if the machine crash, etc. I get a call "I lost my project I've been working on for hours..." No problem, just revert to the last backup, right? Turns out the backup was never plugged in. You can't fix stupid so I gave up trying.
Re: (Score:3)
Re: (Score:2)
And if the company hired smart security people
There are not enough smart security people for every company that needs one. There are far more companies that need security than there are people to fill the positions.
I'm not complaining. But imagine you are in a position where you can't hire a security person, but you still want better security. What are you going to do?
Re:What about a different approach (Score:5, Insightful)
Send your people out to be trained, like they used to do; when companies gave a shit about their employees and invested time and money in professional development, to get their employees the training, personal security, and work/life balance they needed. Back when a company would show loyalty and get it back in return. When an employee is trained, feels valued and loyal, they will work much harder to keep your business secure. Now as you highlight here, companies throw their hands up and say we can't train people they will just move on, instead of addressing why they move on so that it is win win. And then they hire consultants and/or outsource the responsibility to folks whose focus is 1) their company first and 2) to use your company to achieve number one (yeah they'll try and do a good job, but when they are doing that for 100 or 10,000 or 100,000 clients are you going to be at the top of the list, no?). And then the execs wonder why it goes to shit when stuff like this happens.
And people wonder why IT folks only stick around a few years on average when people used to work their whole life at a company. I've consulted the last number of years, and I've seen both types of companies. The ones with loyalty and that train their people have surprisingly good security practices, they might use older technology but you can also call it technology that is stable by maturity and does the job. And they have far less employee churn than companies that don't send people out for training and don't treat their employees with more respect and loyalty. And that has the beneficial knock on effect of people actually knowing their systems very well which helps to keep them healthier than using folks who constantly come and go.
Re: (Score:2)
Good point.
Re: (Score:2)
Training someone to be proficient in security is a 3-10 year endeavor. Until at least year 2 they are likely to be a bigger hazard than help doing anything. I agree that the industry needs to cultivate these people (and should have been for five years), but it is not just a matter of spending money.
Re: (Score:2)
Re: (Score:2)
This.
I spent the last year training the CISO of a bank. He's now moving somewhere else. Good for me, I will be training his successor this year. But instead of improving the security we built so far, we'll be starting again with half of it, and until we can get back to making things better it'll be at least six months.
The loss for the bank is much higher than whatever would've been needed to keep this guy on board would be.
I see the same attitude whenever I talk with a headhunter. People want to hire expert
Re: (Score:2)
Yeah, sure. The world only began when SaaS started. Get a grip
.Who said anything about SaaS? What I said applies in the old pre SaaS days as well.
And companies don't and didn't roll their own. They purchased and customized and got what worked best for their system.
Right, and paid serious money for customized systems that still had any underlying flaws because it still was Oracle or SAS or peopleSoft or some Windows product. Of course, when the next version came out they paid again to get their customized version to run on the new version.
And if the company hired smart security people, they didn't get compromised even if a software package had a flaw (because they had layered security) or if some twat gave up their password in a phishing attack (not every company gets owned when someone in a completely different organization gave it up).
The key is hire smart people and pay them what they're worth.
On top of that, companies were forced to own their software. That means more than financially. They had to own what it did, how they implemented it, how they secured it, and how they understood it. They owned the responsibility of owning it and didn't give that up to other companies whose interests are to make the most money for themselves and ensure YOU keep paying; even if THEIR software might not be the best for YOU.
You just described the entire ERP /Software Implementation consulting world in a nutsh
Nothing to do with SaaS (Score:5, Insightful)
This has nothing to do with SaaS and everything to do with companies giving the equivalent of root access to management software whose quality and provenance is unknown. Part of the problem is that Windows is a royal pain to manage without third-party add-ons, so a bunch of companies with dodgy security records have filled in the gaps.
I mean, if you wanted to attack a whole bunch of targets, would you do each one individually? Or go for the common weak link that they share? All of these remote management software companies have targets on their back...
Re: (Score:2)
management software whose quality and provenance is unknown
Isn't this the very definition of SaaS? Seriously, is there any SaaS out there that we know isn't completely garbage?
Re: (Score:2)
Seriously, is there any SaaS out there that we know isn't completely garbage?
I would say open-source except the idea of software rental is abhorrent to them. So no their isn't.
Re: (Score:2)
I would say AWS is not "completely garbage". Sure, it has its weird warts, but it works fairly well. As another example, I outsource my company's payroll to a company called Ceridian that runs payroll as a Web-based service, and it's excellent.
SaaS and software quality are orthogonal. You can have good and bad SaaS, just as you can have good and bad normal software that you run yourself.
Re: (Score:2)
You can have good and bad SaaS
This was actually part of my point. Even if it has a shiny interface and works, it's not really possible to determine if it's secure. You can dig into the software interface and test if it's secure (which nobody does) but the servers could be so full of holes it's Swiss cheese. Even your payroll SaaS may provide an excellent service and it's security could be a total shit show, you just don't know.
You are right though that AWS is actually well secured, though it had growing pains and you can still shoot
Re: (Score:2)
Well, TFA suggests: "end customers will now require them to prove it via an audit of their software supply chains."
That is, until the audited SaaS provider gets compromised and you ave to question te competency of the auditors.
Then we'll have auditor-auditors. Turtles all the way down.
I'm skeptical of any actual improvement because I see a lot of the "hire someone to do it so that if it goes wrong they take the blame" mentality kicking around. Until there are consequences for choosing the wrong provider I
Re: (Score:2)
Then we'll have auditor-auditors. Turtles all the way down.
Nah, you just use audits from multiple companies every time. It's easy to give a thumbs up until someone else points out that's BS and then your rep is ruined.
Re: Nothing to do with SaaS (Score:2)
Part of the problem is that Windows is a royal pain to manage without third-party add-ons
What are Puppet, Bolt, Ansible, Chef, Salt, Splunk, Satellite/Spacewalk, IPAM software like SolarWinds for then?
Linux OOTB has ssh, syslog, sendmail going for it. Windows has rdesktop, powershell remoting, kerberized remote management interfaces. You're going to use management software in either case once you're past "forward root cron spam" scale. Any Linux environment worth breaking into will be that big.
Re: (Score:2)
Puppet and Ansible are open-source, so their provenance is fairly well-known. Splunk is a log-analysis tool; I don't think it's something that has root on your systems to apply patches. Haven't heard of many of the others, so don't know if they are open-source or not.
Linux systems generally have built-in package management systems like apt or dnf that make it fairly easy to keep up-to-date with Linux vendor security patches. I don't believe there are any patch-management tools in the Linux world exactl
Re: (Score:2)
We are one compromise from disaster (Score:5, Interesting)
Re: (Score:2)
I am a Linux user. What is "flatpack" or "snap"? Never heard of that and obviously never used it...
Re: (Score:1)
Snap is yet another attempt to provide a distribution-agnostic packaging tool. Because Linux needed another packaging system, clearly. And everyone should download a new copy of every dependency for every piece of crap they run.
Re: (Score:2)
Sound like some morons coming from Windows....
Re: (Score:2)
The people using flatpack and snap are the same folks who bitterly complain that what's holding Linux back is its lack of uniformity relative to Windows or MacOS. Oh, and they also don't like spending money on security and skilled employees.
Re: (Score:2)
The people using flatpack and snap are the same folks who bitterly complain that what's holding Linux back is its lack of uniformity relative to Windows or MacOS. Oh, and they also don't like spending money on security and skilled employees.
Makes sense. Of course, in actual reality, Linux has a lot of uniformity, but it thinks, for example, that the desktop is the decision of the user and not the OS.
Never had it to begin with (Score:4, Insightful)
Anyone who had faith in SaaS in the first place is an idiot. The only true valid use for off premise hosted cloud services is in TRULY collaborative instances like multi-university research or something like that. Important data should be in house. That is the corporate side and is just good security. But on the consumer side it is much more insidious. Anyone who didn't see right from the beginning that cloud connected devices were a grab at your data, was an idiot. Think about it. What incentive does a company have to run a server forever for free once they have sold you a device like a garage door opener or thermostat other than to farm you like a fucking pig. It is infuriating absolutely unacceptable that someone has to ask permission from a server someone else controls to change settings or access a device in your own home. Anyone that bought into that shit is also an idiot. Snowden documents also show that so many of the companies that do this shit have been influenced/steered/guided by secret embedded CIA personnel toward moving companies and its user base toward these services for express purpose of gaining access to a treasure trove of data that they can get via private companies that they CANT get as government entities because of search and seizure laws. It isn't really even a conspiracy.. it is known and idiots are still buying into this shit. it is a conspiracy in the open. Stop using cloud services. Stop using devices that force you to use cloud services. Grow a functioning brain.
Re: (Score:1)
Consider also, that one reason for the popularity of outsourcing is, that it gives management something to point to when things go wrong... its basic CYA thinking for career bureaucrats.
Re: (Score:2)
Indeed. SaaS does not make keeping it secure and working somebody else's problem. It just hides the responsibility behind some shiny surface, but if things fail it will _still_ be you that gets hit. Only that you can do less about it.
Re: (Score:1)
I got all my data stored in my own Synology NAS (SHR, with single disk fail over), with important data backed up on external USB drives as well. USB drives are only connected when I need to do data transfer, not permenantly connected.
I have not, and will not consider any cloud organisations for my data backup, unless some things change, especially in terms of security and privacy.
Then you shouldn't be in business (Score:1)
> The article points out that few small- to medium-sized businesses can afford their own internal IT security team.
Any Medium sized businesses can absolutely afford a internal security team, if not they shouldn't be in business because they've done it wrong. Small businesses can get some slack, but a small business becomes a medium business at 50+ employees.
Re: (Score:1)
Christ, we have 180 employees and I'm the only guy who knows how anything works. The thought that we'd hire someone just for security, let alone a team, is laughable. I'm close to ordering a satellite phone just so I can occasionally leave cell phone range without feeling guilty.
There is one simple solution (Score:1)
Go back to pen and paper. The only security you'll need are good locks and sprinkler systems.
Re: (Score:2)
Well, given that pen and paper have been optimized for a few 1000 years, it is no surprise that they are much more reliable and dependable. A while ago I recommended to a rather large bank that they should store their CA's master key as a printout on high-quality paper. They wanted to put a flash-drive into a safe as the only copy....
The short version: (Score:1)
They should have hired me instead. *yawn*
SaaS (Score:2)
Run a app over a wan link call it cloud and it is magically more secure and cheaper.
Are people getting stupider as I get older in this industry or is it just me?
Re: (Score:2)
Are people getting stupider as I get older in this industry or is it just me?
I think people were this extremely stupid before, but it was a lot less visible. Now that the stupid oozes into everything "Internet" and "computer", it becomes much more visible.
Only idiots ever had faith in it (Score:2)
SaaS just means you get even more dependent on things you do not control and you do not understand or at least have only very partial information about. That kills any real risk management and is about the most stupid thing you can do to your business.
Re: (Score:2)
https://www.gnu.org/philosophy... [gnu.org]
SaaS wasnâ(TM)t hit with ransoms in Kaseya at (Score:1)
Correction (Score:2)
On premise is dead (Score:2)
SolarWinds isn't cloud (Score:1)