Basic cybersecurity architecture elements for MSPs
This blog is part four of the multi-part series summarizing “The Ultimate Operations Guide For MSP Cybersecurity.” In this fourth installment, we’ll detail basic cybersecurity architecture elements and establish a common starting point for MSPs hoping to build out their cybersecurity offerings. If you’re interested in reading the previous installments of this series, you can access them below:
- Part one: A Summary of the Ultimate Operations Guide for MSP Cybersecurity
- Part two: Core concepts for MSPs setting up a cybersecurity practice
- Part three: Key components of an MSP cybersecurity governance program
The importance of cybersecurity architecture
Cybersecurity architecture is essential for managed service providers (MSPs) because it provides a structured approach to securely designing, implementing, and managing cybersecurity solutions. When created, implemented effectively, and regularly tested, the architecture enables MSPs to identify and address potential cybersecurity risks and vulnerabilities. Cybersecurity architecture enables:
- Enhanced security posture: It helps MSPs improve their cybersecurity posture by identifying and mitigating risks before they become actual threats
- Straightforward compliance: It provides MSPs with a framework for compliance with regulatory requirements such as HIPAA, GDPR, or PCI DSS
- Better alignment with business goals: It helps MSPs align their cybersecurity solutions with their client’s business goals
- Improved communication: It provides a common language and framework for communication among MSPs, clients, and other stakeholders
- Increased scalability: It helps MSPs design scalable cybersecurity solutions that adapt with changing business needs
Given the importance of cybersecurity architecture, network segmentation becomes a crucial component of a comprehensive security strategy. By dividing the network into smaller segments with their own cybersecurity policies and controls, MSPs become better able to manage both cybersecurity and compliance for themselves and their clients. Network segmentation helps:
- Reduce the attack surface: By dividing the network into smaller segments, an attacker’s ability to move laterally within the network is significantly limited
- Limit the impact of a breach: If a breach does occur, network segmentation helps to limit the damage
- Simplify compliance: Network segmentation is often required to comply with various regulations such as HIPAA, PCI DSS, and GDPR
- Enable better monitoring and control: Network segmentation allows for granular control of access to resources, enabling organizations to monitor and manage network traffic more effectively
For cybersecurity, compliance, and confidentiality reasons, it’s recommended that MSPs maintain their network segment independent from all client networks.
Remote work considerations
The shift to remote work has significant implications for providing cybersecurity services, as it introduces new challenges and risks. Some of these risks include:
- Increased reliance on technology: With remote work, cybersecurity services must rely on technology to monitor and secure networks and endpoints
- Expanded attack surface: Remote work often involves employees using personal devices or working from unprotected networks, which can increase the organization’s attack surface
- Added compliance requirements: Remote work introduces new compliance requirements, such as ensuring remote workers follow the appropriate cybersecurity policies and procedures, or monitoring remote access to sensitive data and systems
- Increased need for training and awareness: Remote workers should be trained on cybersecurity best practices, such as avoiding phishing scams and using strong passwords, and should be provided with ongoing awareness and education about new threats and risks
- Increased need for collaboration and communication: Cybersecurity services must collaborate more closely with IT teams and other stakeholders to manage cybersecurity risks associated with remote work
The shift to remote work has significant implications for providing cybersecurity services. Cybersecurity services must rely on newer technology solutions like zero trust to protect remote workers and their devices, monitor and secure networks and endpoints, and ensure compliance with new requirements. Effective collaboration and communication between cybersecurity services and other stakeholders are also essential to manage the risks associated with remote work.
Core cybersecurity components
There are many elements that go into creating a cybersecurity program. Some of the most important components include:
- Identity provider
An identity provider (IdP), sometimes called a directory service, is the central repository of account information. It provides identification and authorization services. Trusted IdPs assert the validity of identities to other services. A service is just a formal term for something that uses identity information, like a computer logon or web application.
Some identity services provide “conditional” policies for authentication. This means that you must meet additional criteria in addition to valid credentials before the service renders a final valid or invalid response. These conditions include physical location, device ownership (corporate versus personal), enforcement of additional authentication (MFA), and more.
- Endpoint protection
Traditional antivirus software looks at executables for known malware, matching to known signatures. However, this has become insufficient as automated tools generate malware, experience new techniques such as polymorphic malware, and “living off the land” attacks become more common. Endpoint protection vendors have begun adding capabilities that monitor overall system activity to look for signs of compromise beyond the simple analysis of executables.
Helpful capabilities have emerged that further combine these analysis capabilities with threat intelligence feeds to classify specific actions as benign or malicious more efficiently. This analysis and review is called threat hunting. While the original antivirus function remained, this new set of capabilities became known as endpoint detection and response (EDR).
Some cybersecurity organizations started offering security operations center (SOC) analysis services to respond to EDR alerts. Managed detection and response (MDR) offerings combine information from an EDR with response capabilities. The primary differentiator between EDR and MDR is the presence of a human-managed response and analysis component.
When it comes to endpoints and the IT environment as a whole, there are many potentially useful sources of information. MDR offerings have started to combine these additional information sources with the endpoint-level data from existing EDR solutions and the analysis element of MDR to form a new offering: Extended detection and response (XDR).
- Security information and event management (SIEM)
Information comes from multiple sources. When investigating a threat, analysts must correlate activity on an endpoint with activity in the organization’s email system, activity in the organization’s identity provider, and activity in critical protected systems such as cloud applications.
Correlating all of that data may indicate a threat early enough to limit the threat actor’s impact. Rather than reviewing each of these data sources separately and painstakingly correlating events while hoping that the time is set correctly on everything, organizations use security information and event management (SIEM) solutions to centralize these data sources.
SIEMs are generally not corrective controls. They don’t take action on detections or actively prevent malicious activity. They provide a repository of information to support investigations and detect threats by correlating activity across systems. Like EDR solutions, SIEMs require active internal or third-party management to provide real-time response capabilities. Without real-time augmentation by a SOC, SIEMs only provide value post-incident during investigations.
- Security operations center (SOC)
A SOC watches all the cybersecurity tools you have in place and handles the alerts, and is either an in-house team or a contracted service. To be an effective SOC, there are a few requirements:
- Offering 24/7 coverage, including both analysis and response capabilities
- Having expertise and experience in making cybersecurity judgment calls when filtering alerts
- Having the ability to conduct further analysis based on the content and context of an alert
- Having the ability to conduct proactive threat-hunting activities without alerts
- Offering response capabilities, including both immediate containment and initial investigation
In most cases, SOCs will assist in initial containment—stopping the threat from spreading—and then provide input to incident response teams for more formal restoration activities or forensic investigations. Depending on the organization’s size and availability of talent, building a SOC internally can be cost-prohibitive.
- DNS filtering
DNS filtering means a third-party service overrides DNS lookup requests and applies filtering to them. This serves as an additional defense layer when other controls fail and as a form of endpoint self-protection. Using a trusted DNS provider removes the risk of querying an intentionally malicious nameserver.
When choosing a provider for DNS filtering, ensure that the vendor supports IPv6. Several attack techniques take advantage of Windows’ default preference for IPv6 to poison DNS requests, even in the presence of filtering tools, when only IPv4 is protected.
- Awareness training
The primary goal of cybersecurity awareness training is to instill a cybersecurity mindset in your staff. Through other mediums, such as training videos, it’s also a mechanism to guide your employees toward making more risk-informed technology decisions. It’s also important to note that almost all compliance frameworks require awareness training.
- Email security
Email security is an overarching term for multiple types of protection, including:
- SPAM filtering: The most traditional protection is to filter SPAM messages, which aren’t necessarily malicious but are still unsolicited emails.
- Phishing protection: NIST describes phishing as “an attempt by criminals to trick you into sharing information or taking an action that gives them access to your accounts, your computer, or even your network.” Phishing protection solutions attempt to detect these by recognizing deceptive links, names that are similar to legitimate names, patterns in email flow, etc.
- Malicious content filtering: Some emails contain malicious attachments, links, or images. Cybersecurity tools scan for and identify these using mechanisms like attachment scanning, URL rewriting, or sandboxing.
While there are many essential components to a cybersecurity program, there are also optional enhancements that can help fortify your security posture. Some such optional components include:
- Cloud access security broker (CASB)
The use of hosted applications has increased significantly over the past few years, both sanctioned and unsanctioned. CASBs sit in line between employees and cloud applications to enforce cybersecurity policies. Some solutions also work at the endpoint level and can monitor traffic not going through the organization’s identity provider.
- Secure access service edge (SASE)
Organizations have become widely distributed, and employees work from home, in coffee shops, or from business partners. Additionally, more and more data is stored in the cloud in SaaS applications or public cloud providers. As a result, the perceived cybersecurity of the corporate LAN no longer exists.
SASE routes all traffic through a solution provider’s network. These products apply traffic policies, firewalling, data loss prevention, and CASB services through the connection. The SD-WAN portion of the solution allows connectivity to protected corporate resources without creating an individual VPN connection.
- Privileged access management (PAM)
For MSPs, privileged access management refers to controlling access to sensitive accounts and their use. PAM is often grouped with privileged identity management (PIM) solutions, and it usually refers to types of just-in-time admin solutions that allow an employee to run a specific command or executable, with optional additional justification, authentication, and approval required.
- Application safelisting
Today, most employees don’t have administrative rights to their own computers. And as a result, most software now installs into a user’s local profile unless it needs to make system-level changes. File-sharing applications, chat applications, or utilities can all cause significant damage without administrative rights.
Application safelisting describes a strategy that complements antivirus software. Instead of blocking known bad programs, safelist only permits known-good programs to run. This means that all applications must be pre-approved by the cybersecurity team.
- Penetration testing
When an organization has public-facing applications or services, penetration testing evaluates the cybersecurity of those access points. Penetration tests are often required by regulatory frameworks or for insurance coverage. Penetration tests are distinctly different from vulnerability scans in that these tests attempt to exploit vulnerabilities and gain access to systems. They may also employ social engineering and other manual tactics to gain access to systems. Penetration tests start with significant negotiation, including which systems to evaluate and limits.
MSPs should consider using an outside firm for compliance-based penetration testing, even if they have the in-house skills to perform one. Having a third-party conduct the assessment lends additional credibility to the results.
- Incident management
Having a solid incident management plan in place is crucial for MSPs to ensure business continuity and in maintaining the trust of their clients. Here are some steps to help you plan for incident management:
- Define what constitutes an incident: The first step in incident management is to define what types of events qualify as an incident. These could be anything from a cybersecurity breach to a system outage.
- Create an incident response team: MSPs should assemble a team that can respond quickly and effectively to any incidents. We recommend creating a team that includes individuals from various departments, such as IT, cybersecurity, and communications.
- Develop an incident response plan: The plan should outline the steps to respond to an incident and include procedures for identifying and containing the incident, notifying stakeholders, communicating with clients, and conducting a post-incident review.
- Test and refine the plan: It’s essential to test the incident response plan regularly to ensure it’s effective. Conduct mock drills periodically, and adjust the plan as needed.
- Train the staff: All staff members should be trained on the incident management plan and know their roles and responsibilities in responding to an incident. This training should be ongoing to ensure that staff members are prepared to respond to any incident that may arise.
- Establish communication channels: Effective communication is critical during an incident. Establish clear communication channels for notifying stakeholders, updating clients, and coordinating with the incident response team.
- Monitor and analyze incidents continuously: When responding to incidents, collect data, and analyze the incident management process. Use this information to improve the incident response plan and adjust as needed.
Employee onboarding and offboarding
A secure onboarding and offboarding process ensures that only authorized personnel can access an organization’s sensitive data and systems. To achieve this, there are several steps you can take:
- Preparing the necessary equipment: Before a new employee starts working, prepare the necessary equipment such as laptops, mobile phones, and cybersecurity tokens.
- Managing user access: Establish a process to provide user access to various systems based on the employee’s role and responsibilities.
- Training on cybersecurity: All new employees should undergo mandatory cybersecurity training, including password best practices, phishing awareness, and other cyberthreats to the organization.
- Setting up multi-factor authentication: Implement multi-factor authentication (MFA) to provide an additional layer of security.
- De-provisioning user access: When employees leave the organization, promptly revoke their access to various systems.
- Retrieving equipment: Collect all the equipment provided to the employee, including laptops, mobile phones, and cybersecurity tokens.
- Reviewing account activity: Review the activity logs of the user’s account and ensure that there are no unauthorized activities.
- Terminating all remote access: Terminate any remote access the user might have had to the organization’s systems, such as virtual private network (VPN) access and access to client networks, including client information and passwords.
- Conducting exit interviews: Conduct exit interviews to get feedback from the employee and ask for feedback on the onboarding and offboarding process.
Vulnerability management involves identifying potential environmental technical weaknesses and tracking their remediation. Automated scanning tools look for vulnerabilities and alert to any problems.
While identifying outdated software with known issues is a component of vulnerability management, testing and identifying insecure configurations is an equally important part. Vulnerability management solutions also provide mechanisms to mark individual vulnerabilities as accepted risks.
Configuration management refers to two distinct concepts: Applying organizational default configurations to devices and tracking configuration history.
- Default Configurations
An organization might standardize on a default configuration for computers, network devices, or email accounts. Configuration management ensures that these configurations remain consistent with corporate defaults and that any deviations are approved and documented. Automated tools monitor assets, apply current configurations, and watch for changes, while manual reviews serve as a compensating control when technical limitations don’t allow for that automation.
- Tracking configuration history
Configuration management also involves the tracking of configuration files for devices like routers, firewalls, or other devices with exportable configuration files.
Disaster recovery (DR) planning is critical for MSPs or TSPs that want to ensure business continuity in an unexpected disruption or outage. When creating a disaster recovery plan:
- Identify potential risks: Identify the possible risks that could disrupt the services provided. This could include natural disasters, cyberattacks, hardware failures, and other incidents.
- Create a response team: Establish a team responsible for implementing the disaster recovery plan, including communication with customers and executing the necessary steps for recovery.
- Define recovery objectives: Determine the acceptable service level during and after a disaster and the timeframe for returning to normal operations.
- Document the plan: Develop a policy that necessitates annually updated DR, then create the DR document and share it with the key stakeholders for their input.
- Develop a contingency plan: Develop a contingency plan that outlines alternative processes for critical business functions, such as data backup, software systems, and network infrastructure.
- Test the plan: Regularly test the disaster recovery plan to ensure it works as expected and update it as needed based on any issues identified during testing.
- Monitor and maintain the plan: Ensure that the disaster recovery plan is updated to reflect any changes in the business environment, such as changes to software systems, network infrastructure, or business processes. Most compliance requirements mandate annual updates to the DR plan.
- Communicate with customers: Communicate with customers about the disaster recovery plan and the steps that are being taken to ensure the continuity of their services.
Exercises and verification
It’s important to conduct regular testing of all facets of the operational plans to ensure that the plans work. When verifying your plan, there are some critical things to remember, including:
- Plans aren’t static: Update your plans as the technology environment changes with new applications, infrastructure, or business units.
- Plans should expand beyond disaster recovery: Include incident response and plans specific to the organization in testing.
- Be wary of handwaving during exercises: Perform as many of the actual steps as possible to identify gaps in procedures or documentation.
- Incident response covers more than the technical mechanics: Make sure everyone has access if there are steps in a plan to use an alternative communications channel during an incident.
- Ensure all materials will be accessible during a disaster: Organizations sometimes create complex procedures around break-glass accounts or emergency approval, only to discover that something is missing or inaccessible when needed.
In discussion-based sessions, a trained facilitator guides participants through discussion-based scenarios in an informal setting to discuss their roles, responsibilities, and responses during emergencies. These can be helpful in building out the disaster recovery plan.
NIST defines this as the “systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions.” Every MSP should have a documented patch management policy.
Cloud cybersecurity presents complex and ongoing challenges for MSPs that require a combination of technical, procedural, and organizational measures to ensure that services are always secure and available to clients. Some important facets of cloud cybersecurity include:
- Cybersecurity and technical training
MSPs should ensure that their employees receive regular technical and cybersecurity training to help them recognize threats specific to cloud technologies. They should also make sure they are trained to deal with the technical and cybersecurity challenges they will face.
- Access control
MSPs should have strict access controls to ensure that only authorized users can access the cloud infrastructure and services.
Data should be encrypted in transit and at rest to protect against unauthorized access. Encryption protocols should be carefully chosen to ensure the best possible protection.
- Secure network architecture
MSPs should design cloud infrastructure with cybersecurity in mind, and a secure network architecture that limits access to critical systems and data.
- Monitor and log
MSPs should have monitoring and logging systems to detect and respond to cybersecurity incidents.
- Disaster recovery and business continuity
MSPs should have business continuity and disaster recovery plans in place to ensure that they can restore services quickly in the event of a cybersecurity breach or other disruptive event.
MSPs should comply with relevant regulations and standards, such as the GDPR, HIPAA, and PCI DSS. This can involve implementing specific cybersecurity measures, such as data retention policies and data access controls.
Physical security refers to the measures taken to protect an MSP’s physical assets, including its buildings, equipment, and personnel. Some physical security measures include:
- Access control
MSPs should have a system to control access to their facilities, data centers, and equipment. This can include measures such as security gates, keycard readers, and security cameras to monitor and record who enters and exits the premises.
- Perimeter security
MSPs should have measures in place to secure the perimeter of its facilities. This can include fences, walls, and other physical barriers to prevent unauthorized access.
- Environmental controls
MSPs rely on specialized equipment and infrastructure to provide their services, and this equipment is often sensitive to temperature, humidity, and other environmental factors. Physical security measures should include maintaining proper environmental conditions, such as HVAC systems, backup power supplies, and fire suppression systems.
- Monitoring and surveillance
MSPs should have 24/7 monitoring and surveillance in place to detect any security breaches, including intrusion detection systems, security cameras, and security personnel. Whenever possible, these solutions should be configured to their SIEM log.
- Incident response
MSPs should have an incident response plan to quickly and effectively respond to security breaches. This can include procedures for reporting incidents, isolating affected systems, and restoring service as soon as possible.
This blog is meant to serve as a high-level overview of basic cybersecurity architecture for MSPs. For a more detailed understanding of each of these architecture elements, download “The Ultimate Operations Guide for MSP Cybersecurity” eBook in its entirety.