Ask Intronis: How can I minimize downtime from breach to detection?

Posted by Lauren Beliveau on Apr 17, 2017 8:28:00 AM


Q: For my MSP, preventing and minimizing downtime for our customers is crucial—especially when we’re protecting data for businesses in highly regulated industries. What are a few improvements we can make that can really help us minimize the downtime from the time a breach occurs to when it is detected?

If your SMB customers have a high dependency on their data, it’s essential to get them back up and running as quickly as possible. So as an MSP, it’s crucial to make sure you have the right tools and best practices in place to help prevent a breach from happening and an efficient way to mitigate the risks and restore their data if it does.

To ensure that you have the right tools and best practices in place we spoke to Mark Ballegeer and Kyle Marsan, two members of the System Engineering team at Intronis MSP Solutions by Barracuda. Mark shared his tips on how to implement the right security solutions to prevent a breach, and Kyle gave advice on how MSPs can meet or exceed the tight RTOs that highly regulated industries are looking for.

Preventing data breaches

Making sure all users are properly trained is the most important part of preventing breaches, says Mark. Hardware does a great job of protecting against all the threats that are out there, but it can only do so much. If a user plugs in a USB drive with a malicious file or clicks on a suspicious link—it’s too late. You aren’t going to be able to prevent everything, but educating your user base on the different types of attacks is a critical first step in reducing the chances of a breach occurring.

There is wide variety of equipment out there that can help minimize breaches and downtime, such as next-generation firewalls, web application firewalls, web security gateways, email security solutions, and more. While a next-generation firewall is a good start, you can’t consider a customer to be totally protected because there are so many ways malicious files can infiltrate a network. With so many avenues for threats to come in, you want to find a holistic suite of services to protect numerous vectors, rather than relying on just one piece of technology. All those pieces come together to help you mitigate threats faster, identify how the threat that caused the breach came in, and protect the customer’s network as a whole.

If a breach does occur, you want to be able to quickly identify and mitigate it, Mark explains. To be able to do that, make sure you have all the security features for your solutions turned on, such as Advanced Threat Protection and intrusion prevention systems. You also want to make sure each customer’s anti-virus is up to date.


I know your clients will probably be reluctant to put firewalls between different departments, but that can be a good way to isolate threats—especially if the threat is trying to move laterally through the network. If you have a firewall between departments, it can help detect those types of threats faster. Once a breach occurs, the malware is going to try to “phone home” and connect out to the internet. Once it tries to do that, your firewall will detect it and notify you so you can start the mitigation process. The more traffic that passes through the firewall, the faster you’ll be able to remediate any threats.

You also want to be diligent about checking the traffic going in and out of customers’ networks. An example of this is a USB drive with malicious software on it. Once the USB drive is plugged in and connected to the network, it’s considered a breach, but until that malware tries to phone home, it won’t traverse the firewall. A threat can’t be detected until it traverses the firewall—after it does you can see what address it came from, who is affected, and then perform a remediation.
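The "phone home" detection Mark describes can be checked against firewall egress logs. The script below is an added example, not Intronis or Barracuda code; it assumes a constructed log format (`time src -> dst:port action`), a 10.0.0.0/8 customer LAN, and a small allowlist of known-good external destinations, and flags internal hosts that connect to an unlisted external address on a steady cadence, reporting which host is affected and where it is calling out to.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample egress log (not from the article): "time src -> dst:port action".
SAMPLE_LOG = """\
2017-04-17T08:00:05 10.1.2.20 -> 198.51.100.23:443 ALLOW
2017-04-17T08:00:09 10.1.2.21 -> 10.1.5.40:445 ALLOW
2017-04-17T08:05:05 10.1.2.20 -> 198.51.100.23:443 ALLOW
2017-04-17T08:10:04 10.1.2.20 -> 198.51.100.23:443 ALLOW
2017-04-17T08:11:00 10.1.3.7 -> 203.0.113.9:443 ALLOW
2017-04-17T08:15:06 10.1.2.20 -> 198.51.100.23:443 ALLOW
2017-04-17T08:40:00 10.1.3.7 -> 203.0.113.9:443 ALLOW
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed customer LAN range
ALLOWED_EXTERNAL = {"203.0.113.9"}                     # assumed known-good destinations


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, action)."""
    when, src, _, dst_port, action = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(when), src, dst, int(port), action


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_phone_home(log_text, min_hits=3, jitter_s=10):
    """Return internal->external flows to unlisted destinations that repeat at a regular interval."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        when, src, dst, port, _action = parse_line(line)
        if is_internal(src) and not is_internal(dst) and dst not in ALLOWED_EXTERNAL:
            flows[(src, dst, port)].append(when)
    findings = []
    for (src, dst, port), times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter_s:  # steady cadence is beacon-like behaviour
            findings.append({"src": src, "dst": dst, "port": port,
                             "hits": len(times), "interval_s": round(sum(gaps) / len(gaps))})
    return findings


if __name__ == "__main__":
    for f in find_phone_home(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}:{f['port']} every ~{f['interval_s']}s ({f['hits']} hits)")
```

Internal-to-internal flows (the SMB connection in the sample) are skipped here; a firewall between departments is where those would be inspected for lateral movement.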

Taking data protection one step further

A big piece of minimizing downtime after a breach is implementing backup because you want to be able to restore customers’ files as soon as possible. To make sure you can meet short RTO requirements, check that you have working scheduled backups, says Kyle. Whether it’s nightly, hourly, or every 15 minutes, find out upfront what a customer’s needs are in terms of backup frequency. How long can they go without their data?

Usually, I see MSP partners implement a hybrid approach with their SMB customers—especially if they’re in a regulated industry. For example, that could mean they need databases backed up every hour and machine snapshots every night. This way, you can easily get the data from a time that makes sense for the customer. Run tests regularly and have a plan for how you’d handle recovery if and when it’s needed.

When it comes down to it, data recovery is all about the planning—and short RTO times can be difficult if you don’t have a thorough plan in place. To set your MSP up for success, have a good ticketing system in place to ensure your backups are successful and that you’re restoring all the critical data the customer needs.

Putting these tools and tips in place will help you minimize your customers’ downtime and hopefully prevent a breach from happening in the first place. From a security perspective, educate users and make sure all your security features are turned on. After all, how can you detect a breach if your SSL interception is turned off? The more security features and tools you can implement, the more vectors you can protect against, the less likely it is customers will experience a breach—and if they do, having a good backup solution in place can really save your SMBs. Security and backups go hand-in-hand to help prevent, detect, and remediate attacks. While you can’t ever fully prevent a data breach from happening, the right tools can decrease the severity of an attack.

Ask Intronis is a weekly advice column answering common questions from MSPs and IT service providers. It covers topics ranging from pricing and selling to marketing and communications—and everything in between. Submit your questions by emailing AskIntronis@intronis.com.
