The recently enacted Strengthening American Cybersecurity Act of 2022 has specific implications for MSPs. This is by my recollection the first time that a Managed Service Provider’s internal security has been specifically addressed in law.
Title II defines an MSP as “an entity that delivers services, such as network, application, infrastructure, or security services, via ongoing and regular support and active administration on the premises of a customer, in the data center of the entity (such as hosting), or in a third party data center.”
Since this law will affect how MSPs approach cybersecurity, MSPs should pay particular attention to what the law requires and understand how to interpret it.
Here are some key takeaways for MSPs.
Most cybersecurity experts vehemently advise against paying the ransom, as it contributes to an already-profitable ransomware industry and doesn’t guarantee that an organization will get its data returned.
The Department of Justice has also issued past warnings regarding ransomware payments. Many ransomware campaigns operate on behalf of entities on the U.S. Department of State’s State Sponsors of Terror list, or entities sanctioned by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC). Even if you are not aware of potential problematic affiliations that a ransomware group may have, you are still responsible if a payment ends up being made to a sanctioned group.
These previous advisories warned that the OFAC could impose civil penalties for sanctions violations, but the Strengthening American Cybersecurity Act of 2022 makes a promise: if MSPs get breached, the federal government will investigate. The takeaway here? Avoid that type of attention with strong ransomware prevention that incorporates several security layers, including segmentation, multi-factor authentication (MFA), firewall, endpoint detection and response (EDR), and a centralized location for logging such as a security information and event management (SIEM) to detect suspicious behavior early enough to prevent an attack.
This law has a lot of other items relating to the establishment of Federal task groups to address the growing ransomware threats. As Federal task groups get established and start to write their mandated rules and regulations, they may develop additional security measures and reporting requirements within the scope of this new law.
The law requires that MSPs report any breach of their operations or systems within 72 hours, or within 24 hours if a ransomware payment was made. It also codifies a federal vulnerability disclosure program in which vulnerability reporters will coordinate with federal agencies to “share information in a consistent, automated, and machine readable manner.”
The need for better vulnerability reporting has never been higher; 2021 broke records for the highest number of reported vulnerabilities at 28,695.
Blumira and the greater MSP vendor community have promised to lead this charge by supporting bug bounty initiatives and handling incidents with transparency. Despite the severity of REvil’s July 2021 ransomware attack via Kaseya VSA, vendors and MSPs came together in its aftermath to quickly communicate remediation steps for customers.
We believe it’s our duty as cybersecurity vendors to provide clarity, not FUD, to help MSPs and their customers with next steps. Fortunately, this law indicates that the government supports that stance, too.
In addition to the reporting requirements in this law, there are requirements for “covered entities” which include MSPs, to retain all data related to a reportable incident.
This basically means that all MSPs need to ensure that their IT systems are not only secured properly, but steps are taken to retain all available logging for post-incident analysis.
This is especially important for any logs generated by any MSPs tools, such as remote monitoring and management (RMM) and remote support applications. These applications are specifically targeted by attackers, as a successful compromise of these tools gives the attacker easy access to potentially thousands of endpoints across many businesses — like REvil’s attack on Kaseya.
In addition to retaining logs for post-incident analysis, log retention can enable the ability to perform advanced analysis to detect an attacker long before they execute malicious code at the MSP or customer level.
Blumira supports MSPs and their customers in their overall security maturity journey, and specifically helps MSPs meet log retention requirements.
Our free not-for-resale (NFR) licensing for MSPs is a great way to get started using a SIEM in your environment. Deploying Blumira takes a matter of hours, and using our platform is easy for teams of all sizes and experience levels. Plus, our competitive pricing is affordable for your SMB customers.
Sign up for your NFR account to try Blumira’s full product for free — no strings attached.