Ransomware Protection: Who’s Responsible for What?

Ransomware risk changed dramatically for Managed Security Service Providers (MSSPs) and their clients in 2021. The Kaseya hack used a vulnerability in the popular Virtual System Administrator (VSA) remote management software to spread ransomware through MSSPs to an estimated 1,500 small-to-medium-sized businesses (SMBs) worldwide. The Cybersecurity and Infrastructure Security Agency (CISA) warns that more of the same is coming in 2022.

This article provides insights about mutual ransomware responsibilities to set expectations, ensure threat lifecycle coverage, and enhance client satisfaction.

MSSP Mitigation Responsibilities Against Ransomware

Clients know about the escalating ransomware threats and are understandably concerned. As an MSSP, are you making it clear where your responsibilities begin and end for both you and your clients? Miscommunication regarding ransomware and cybersecurity roles and responsibilities can lead to finger pointing, a lack of action in the middle of a security incident, and even dissatisfaction with the business relationship.

Justifiably, MSSP clients should expect their service providers to do everything they can to protect them against ransomware and widespread vulnerabilities like Log4j. Service providers should take both strategic and tactical approaches to multi-layered security.

MSSPs should also be ready to demonstrate that they meet cyber hygiene fundamentals on their own systems, including encryption of network traffic and effective patch management. In particular, you must make sure that you are proactive in patching and keeping current on remote monitoring and management tools used to access client systems. Cyber criminals are actively targeting MSSPs as a steppingstone to targeted client accounts and other supply-chain partners.

Other mitigations and hardening within MSSP control that clients expect, include:

• Implementing robust network monitoring
• Closing all remote access ports no longer needed for providing services
• Applying the principle of least privilege to client environments to limit access to client systems
• Preserving, aggregating, and correlating log data
• Preventing lateral movement within the MSSP and client environments
• Managing client data backups as part of your services, and keeping backups offsite
• Ensuring that cloud services and cloud storage are properly configured

The Precedent for Shared Cybersecurity Responsibility

At the same time, MSSPs can expect their clients to assume responsibility for the elements of cybersecurity under their control — with joint responsibilities clearly defined in writing if possible.   

There is established precedent for shared security responsibility by cloud providers. For example, this matrix from Microsoft makes it clear that responsibility for information and data, end user devices, and accounts and identities is always retained by the client. Microsoft is always responsible for physical hosts, the physical network, and the physical data center. However, responsibility for the layers in the middle – operating system, network controls, applications, and identity and directory infrastructure – varies depending on the type of cloud service and may be shared by the client and Microsoft.

Clients Can Retain or Delegate their Responsibilities

MSSP clients can be expected to perform basic security practices such as their own patching of operating systems and applications if they are not part of a managed security service offering. Unless otherwise stated, client security responsibilities can include endpoint protection, vulnerability management, account privilege policy management, security awareness training for employees, virtual private networks (VPNs) for internet access and remote work, and Multi-factor Authentication (MFA) for network and application access.   

Alternatively, clients can engage their MSSP to provide any or all of these security capabilities. As a trusted advisor, you can help elevate cybersecurity and ransomware protection as a strategic priority and shared responsibility. Given the high visibility of third-party vulnerabilities and the continued threat of ransomware, now is a good time to talk to clients about their level of protection and how you can help.  

Key Takeaways

What is important for MSSPs and their clients is clarity about who is responsible for what aspects of cybersecurity management. MSSPs, especially those serving SMBs that have limited in-house IT or security expertise, should use plain language in outlining ransomware and cybersecurity roles and responsibilities so there can be no misunderstandings.

A Solution That Makes It Easier for MSSPs and Their Clients

Use these four steps to predict, prevent, detect, and respond to escalating ransomware:

• Predict attacks by scanning your endpoints for vulnerabilities that may be exploited by ransomware. Continually prioritize, patch, and remediate these before they become an attack vector or path of lateral movement.
• Prevent as many ransomware attacks as possible by blocking known ransomware strains like WastedLocker, Maze, Ragnar, Snake, Ryuk, and REvil based on known signatures.
• Detect ransomware immediately before it does real harm. If ransomware successfully eludes prevention measures, it will generate encryption keys, communicate with Command and Control (C2) servers, and begin encrypting files.
• Respond to ransomware immediately and effectively once all malware, lateral movement, and variants have been detected.

Netsurion’s approach to managed threat protection ensures transparency and allows you to set client expectations regarding cybersecurity responsibilities and deliverables.

Paula Rhea

Paula Rhea, CISSP is a product marketing manager at Netsurion. She is responsible for developing go-to-market strategies for customers and partners regarding managed threat protection and secure edge networking. Paula has extensive cybersecurity experience in managed services, compliance, and endpoint protection.