Brigantia Roadshow: Tools For MSPs To Mitigate Insider Threats
Insider threats are something every business needs to be concerned about and take very seriously.
Cybersecurity distributors Brigantia held a series of roadshows across the UK, bringing together product experts and managed service providers (MSPs).
The aim, to explain the dangers of insider threats, and what tools can be utilised to mitigate them.
The events took place in February over consecutive days in London, Birmingham and York.
Stephen McCormick went along to the Birmingham event, which took place on Thursday 22nd February 2024.
Introduction: Why Brigantia?
Brigantia Partners are cybersecurity distributors who work on the belief that traditional distribution is broken.
Senior product specialist Ed Knox explained that Brigantia is built on three founding principles:
- Quality Products – Vendors are chosen for their rigorously tested quality products, not just their reputation in the marketplace.
- Trusted Advisers – Peerless knowledge with dedicated product support.
- Strong Partnerships – Adding value and providing tailored support to build a strong relationship with customers.
They work with a collection of hand-picked vendor partners that provide solutions that work for MSPs and their clients, some of whom were in the room to give their expertise.
Channel Statistics
Ed provided some statistics and predictions for the channel for 2024:
- Compliance consulting services will grow by 60% for MSPs throughout 2024
- At least 65% of end users will be using generative AI tools to grow productivity
- Total managed services revenue will grow by approximately 12%
- Human firewall and staff cyber hygiene training will continue to be a growth market
What is an Insider Threat?
The definition of an insider threat is a risk posed by those who have access to an organisation’s physical or digital assets.
Threats can come from:
- Current employees
- Former employees (where access has not been revoked during offboarding)
- Malicious actors (cybercriminals)
- Unintentional insiders (coming from employee negligence or not adhering to company policies)
These threats can lead to data breaches, phishing and social engineering, fraud, negligence, compliance violations and unauthorised access to your systems.
The channel is underprepared, and therefore it’s a big opportunity for MSPs to increase their revenue in 2024.
How to Protect Against Insider Risk for Microsoft 365
Hornet Security’s Matthew Frye explained how Microsoft 365 has transformed productivity and expanded collaboration.
However, allowing users to work from anywhere across a broad spectrum of connected devices has its downsides too. Insider risks for M365 include:
Data is easily shared across numerous applications (Sharepoint, Teams, OneDrive, etc.)
Human aspect (overriding data, malicious data loss, stolen devices, etc.)
Unauthorised access via phishing and ransomware
Purview Insider Risk Management is not practical for small and medium-sized businesses (SMBs)
Permission Management Risks
In Microsoft 365, a new user is usually given group access, but will have full access to any subfolders or confidential files.
Shared files do not have granular controls, and by default, anonymous copy-link sharing is universal.
Also, if a team member has a change in role, they’re much more likely to request access to files and folders they need from now on. But it’s human nature to forget to request for access to be revoked for the things they no longer need.
Furthermore, when it comes to access audits, these are rarely carried out by the people who know who should have access. So, they don’t know where access should be granted and where it should be revoked.
Hornet Security’s Microsoft 365 Permissions Manager
One of the great features of this tool is the audit feature.
You can use it to identify audit policy violations after they’ve been set via a central dashboard. You can fix or approve any violations across all the sites you manage.
Quick actions include:
- Copy user permissions
- Remote access for a user or group
- Set site permissions
- Clean up orphaned users
- Remove ‘everyone’ user permissions
This kind of audit feature can fuel your governance, risk and compliance strategy.
Unrestricted access leaves your business exposed to insider risks. It’s harder to spot lateral movement when access is not controlled. And this can lead to data breaches, exfiltration and ransom.
Real-Time Email Analysis
AI-recipient validation is an AI-based learning tool that recognises patterns in user behaviour and provides feedback to advise the user before they send an email.
This provides advisor warnings when you’re about to send an email containing sensitive information, such as credit card details, across email.
Be Ready for What’s Next – Next DLP’s Reveal Platform
Stefan Jarlegren from Next DLP began with a bit of background.
Data loss has always been a risk to businesses, but the way we send, receive and store data has changed. Digital transformation has seen businesses move away from on-prem servers and put their data in the cloud.
The Reveal platform provides the optimal balance of risk insights and data loss prevention (DLP).
It uses instant on-endpoint and cloud sensors which provides cloud, system, user, data and network telemetry. It provides cross platform protection covering ingress and egress on both managed and unmanaged devices.
With all this coverage, you can accelerate investigations using contextual reporting across all touchpoints in your network.
Three Use Cases for Managed Security Service Providers (MSSPs)
Phishing – Threat actors exploit human vulnerabilities to steal access details and exploit sensitive data. Reveal notices suspicious links and prompts the user to think before entering their details.
AI Chatbots – Reveal can monitor and secure data headed for ChatGPT or other Large Language Models (LLMs). It will look for sensitive data, such as API codes or confidential information and flag it up as a risk before the data is shared.
Cross-Platform DLP Controls – When sharing files across platforms, such as via a USB stick, the platform will prompt the user to choose an alternative sharing method. This is because it recognises that files shared using USB drives are not secure.
The Future for Reveal
The Reveal platform is scalable, simple and secure. It’s an industry first MSP insider risk and DLP tool.
The roadmap for future development of the platform includes:
- SaaS Visibility
- Secure Data Flow
- XTND AI Service
- Unmanaged Devices
How Hackers Bypass MFA With Session Hacking
Joe Burns of Reformed IT, an MSP based in the East Midlands, gave a couple of demonstrations on how easy it is to hijack session cookies using phishing techniques. And how a ‘rubber ducky’ can be used to steal stored browser passwords from an unlocked device.
Session Cookie Theft
A session cookie is a token that gives you the right of access once you authenticate at the gateway of a system.
When a user has been phished by a threat actor, they may be sent to a login page, which is actually a spoofed proxy. The login will prompt their username and password, and then ask for multifactor authentication.
These will log the person into the system, but it will also provide the scammer with all of that information, plus the session ID.
The threat actor will then be able to copy and paste this into a new browser window, and gain access to their Microsoft 365 mailbox, for example.
Mitigation and Remediation
If you have behaviour detection and conditional access policies implemented, you can mitigate this threat.
Trusted devices and approved geolocation are good parameters to establish to protect your network.
Though passkeys will be an even better practice, once they’re available.
If you are hit by this type of attack, it’s advised that you terminate the session immediately and change the password. You can also reduce permissions and isolate the account if you want to be extra cautious.
Rubber Ducky – Browser Password Theft
A rubber ducky is a device that plugs into a USB slot and runs a short PowerShell script to copy any saved passwords in the Chrome or Edge browser cache for that device. Though browser passwords are typically encrypted, it also steals the key as well.
It avoids detection by not showing up as a USB drive, and instead disguises itself as unassuming device like a keyboard or mouse.
It’s not a good idea to keep passwords stored in your browsers. Instead a password vault is recommended to mitigate this type of attack.
Protecting Against Insider Risk with Conceal Browse
Conceal‘s Mark Ross explained why insider risk is such an important consideration for cyber defence, especially in the public sector.
- Between 2018 and 2022 there were 1,819 publicly disclosed cyber attacks on schools in the UK.
- And over 100 million patient records were leaked in 2023 according to NHS data.
- Phishing remains the dominant threat in the cyber landscape
- 80% of reported security incidents began with a phishing attack
- 74% of data breaches result from human error
So, the earlier an attack can be prevented, the less likely a phishing attack will succeed. That’s why protection at the browser level can intercept this kind of attack and minimise insider risk.
Chief Information Security Officer (CISO) budgets are constrained year on year. So, a lightweight solution like Conceal Browse, which doesn’t impact on services, is ideal.
How Conceal Browse Protects Against Insider Threats
Conceal Browse is an AI-powered zero trust browser extension. While running, as you browse, it performs multiple checks in the background to find malicious links or bad DNS records on webpages you visit.
It covers Microsoft Teams, Whatsapp, Google Workspace, Slack and more.
And with Conceal Browse, malware will not reach the endpoint, and credentials will never be harvested!
The solution is deployable via an Remote Monitoring and Management (RMM) solution, so can be rolled out across any site you monitor.
Conceal Browse will see coverage for Apple devices and Android by the end of 2024.
Lead the Email Security Charge and Strengthen Client Trust with DMARC
Lee from Sendmarc explained that 91% of cybercrimes today are initiated using email. And worryingly, 95% of breaches are caused by human error.
This can be by impersonation, where threat actors submit fraudulent requests, or by interception, where details are changed or diverted.
For example, when you receive an email asking you to pay an invoice via a link. it may look legitimate. But you could be sending your payment information anywhere if you can’t authenticate the email.
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting and Conformance.
DMARC is a policy standard that helps to establish the legitimacy of an email. When an email is received it uses a combination of SPF record and DKIM keys to authenticate the sender is from the domain they say their from. And if they’re not, the email is rejected.
Therefore, it’s an effective way to solve the impersonation problem.
How Sendmarc helps MSPs to Protect Against Insider Threats
Sendmarc is an MSP-centric DMARC solution that helps their clients see how vulnerable their domains are.
It helps businesses protect their domains so that cyber criminals can’t spoof them, and ensures compliance in DNS security by managing their SPF and DKIM authentications.
By securing your clients, you are are not only protecting their businesses, but also anyone in their supply chain, which is peace of mind when protecting their reputation.
MSP Compliance Opportunities and How to Sell Managed DMARC Services
Regulators and institutions are pushing for DMARC compliance regulation and accreditation.
Out of 5,000 UK companies surveyed, 75% are not yet protected, so the opportunities are massive.
So, Sendmarc helps certify MSPs to deliver a multi-tenanted managed white labelled DMARC solution.
And they can also help in marketing managed DMARC to generate leads, target new prospects, and co-sell with full implementation and support.
Insider Threats and the Markets They Provide MSPs
Brigantia understand the impact insider threats have on UK businesses. So the potential this has for MSPs, both in terms of the dangers and sales opportunities, is immense.
Knowing the breadth of tools out there, especially tools that have Brigantia’s seal of approval, is always a good thing. And as providers of managed services, you get a broader perspective on compliance as a whole, and what you can offer your clients as part of your ever-expanding tech stack.
And although the roadshow was a half-day event, there were lots of quality speakers and a wealth of information to take away.
Though sales pitches were part of it, they were informative too, and there was no pressure to have follow-up sales calls.
However, it did start up conversations, around risk, compliance and protection, which was a good thing.
So, did you make it to any of the roadshows? What did you think? And how do you think the compliance market will expand for MSPs over the next three to five years? We’d love to hear your thoughts in the comments!
Comments