Penetration Testing and MSPs
Managed Service Providers

MSPs provide invaluable services to companies with minimal or no IT staff. When prospects sign on as customers, they’re expecting the experts to be ready at a moment’s notice to fix any issues covered by their contract. One request that arises is the infrequent, perhaps semi-annual, request for pentesting. Perhaps the client is looking to assure their customers of an advantage in the marketplace. Maybe the client is going to acquire another business and needs to verify that business’s security. Or they have a pending sale that will more than offset the cost of a pentest. Possibly, they’re looking at getting SOC 2 or some other certification, or even entering the regulatory landscape for something like HIPAA or PCI DSS.

Another inherent demand comes from the foundational premise that an MSP, implicitly if not explicitly in the contract, is itself responsible for securing the client’s networks and computers. Clients may focus on adding technology while reducing administration, but they may not understand that each technology opens up more attack vectors. With the increased demand for ensuring a client’s security, above and beyond providing managed services, what can an MSP offer that would create a competitive advantage over other MSPs?

Improving Client Security

For MSPs, the focus is on IT services, and adding internal security staff will be expensive, perhaps more than any benefit is worth. Moving from being an MSP to being an MSSP may prove too much of a resource burden.

One popular and necessary information security service is a vulnerability assessment. Vulnerability tests and assessments are essential for an org’s security posture and could be provided by an MSP, but an assessment is not necessarily a reflection of a company’s true security stance because it lacks manual intervention and probing of systems. Additionally, a client can potentially perform vulnerability testing at will, using tools less expensive than what an MSP can provide. Internal pentesting by a company is beneficial, but it’s not considered vendor neutral. Internal penetration testing is good for bolstering confidence in your security, but only if it’s an addition to third-party testing.

Turning One-Off Purchasers into Customers

MSPs may have many break/fix clients who only interact with them when IT problems strike. What if more of those break/fix clients could not only see the benefit of managed services, but also be shown the advantage of better securing their infrastructure? What if the MSP could prove to customers that they have improved security because of the managed services?

Third-party penetration testing could turn break/fix clients into customers. Break/fix vendors send a professional IT technician to a customer’s location to analyze and diagnose system issues, then provide on-prem remedies. Businesses are charged for the services rendered, and those services don’t carry contracts or subscriptions with ongoing fees built in. If those one-off clients could be provided a fuller service by an MSP, it can prove to be a competitive advantage for both the MSP and the irregular customer.

The third-party penetration testing model helps keep tests consistent, because a client’s internal pentesters might tailor the methodology around what they think should be tested based on their knowledge of recent updates or changes (not counting the possibility of a conflict of interest). Third-party testers will have a more objective view of testing, not making assumptions as to what should be tested. Third-party testing also avoids conflicts of interest: the testers are paid to be disinterested and impartial, so working with a provider who is not on your payroll leads to increased trust.

As an MSP, adding third-party pentesting to your repertoire can help customers create a better total security program. While you may implore your customers to implement X, they may decide against it (whether due to cost, lack of time, no interest, etc.). An independent penetration test might well bring up not only verified reasons for implementing X but could also uncover other vulnerabilities that can be solved by you as the MSP. This data will be beneficial both to the customer in their security program and to you, the MSP, as a provider of new and necessary services.

Offering pentesting services can assist an MSP if a current client needs to move from on-prem to a hosted platform. After such a major move, clients will want to ensure that their security posture has remained as effective as before, if not improved. They may also want a third-party baseline scan before moving to the cloud.

Third-party pentesting provides added insight into a customer’s network security because it performs exploitation and post-exploitation to demonstrate the impact of attacks, including repeated attempts at privilege escalation and lateral movement. Even if a pentest does not uncover blatant vulnerabilities (e.g., XSS, SQLi), this objectivity opens up other areas where the customer may be vulnerable. As an example: what if a pentester uncovers a wiki or support site whose login or account creation isn’t validated, allowing an account to be created that can pull organizational data, however minimal (e.g., ticket numbers and details, names, and email addresses)? A third-party penetration testing firm can provide a wealth of actionable knowledge for both the client and the MSP.

Leveraging Teamwork

Hiring third-party testers relieves the resource burden on an MSP. Professional pentesters as on-prem staff can be expensive: not only is initial certification pricey, but ongoing training is expensive too. Outsourcing this makes sense for the same reason that your customers rely on you, namely reduction of expenses. While you may be able to afford some staff with certain certifications, your clients, for reasons such as regulations or internal policies, may require certifications that you don’t have. Your personnel may have OSCP or CEH, but what if DoD clients require PenTest+, or other clients require GPEN? Hiring third-party pentesters can greatly increase your offerings by selecting testers who are both expert and certified according to the needs of your clientele.

It may be too expensive to move to being an MSSP, so adding penetration testing services might be the right move.

Cybersecurity Crusaders’ penetration testers have years of professional experience in uncovering areas of weakness, with the goal of simulating real-world style attacks. The findings are compiled into a management-focused report that presents recommendations aligned with your business goals.

The D.A.E.R. penetration testing methodology provides a common, understandable, and repeatable framework for both the customer and the pentester assigned to their project, assuring that findings and reports are delivered in a consistent and coherent manner to all parties involved.

Contact us for a free consultation.