In recent years, resorting to MSPs has become very popular for companies wanting to accelerate the digitization of their businesses. With this surge in popularity, MSPs are broadening their range of responsibilities and now face the question: how to ensure we can meet our cybersecurity responsibilities?
In this article, we will see why monitoring in real-time code-sharing platforms such as GitHub should be a top priority for any MSP.
What Is a MSP?
Managed service providers or MSPs provide outsourced IT services to many companies around the globe. They often employ hundreds or even thousands of developers.
Why Should MSPs Care About Security?
MSPs are responsible for ensuring that IT security is correctly implemented, as far as the services they provide are concerned: this means that, in theory, they should be better equipped than most IT companies to prevent and respond to cyber threats.
But the reality is quite different: a recent survey by LogicMonitor, The next-gen managed service provider, revealed that 80% of MSPs’ customers had been affected by cyber-attacks and that MSPs admitted they were “not very confident” in their ability to successfully address one.
They can hardly be blamed, though: the development lifecycle in the software world has evolved into a very complex supply chain involving a lot of different third parties. Security needs to be enforced on a much larger attack surface than it used to be. In fact, software supply chains may be the top security priority right now for software companies (basically, every company).
One big difference in the development world of today, and therefore one big part of this attack surface, is the code-sharing platform GitHub. This leads us to the reasons why MSPs should absolutely be monitoring GitHub:
1. Catch Leaked Customer Secrets Before Hackers Do
As you must already know, if you are a regular reader of this blog, secrets are digital authentication credentials (API keys, certificates, tokens, etc.) that are used in applications, services, or infrastructures. Developers working with code will often keep keys and passwords for various resources in an insecure location to make it easier to change the code, but doing so often results in the information mistakenly being published.
In our 2021 edition of the State of Secrets Sprawl, we actually found more than 6 million secrets exposed during 2021 alone, doubling the number from the previous year. Many of these credentials are, unfortunately, valuable corporate secrets that represent a serious cyber threat.
Here is the point: even if an MSP doesn’t contribute to any open source repository, chances are its developers do. An organization does not need to have an official presence on GitHub to be vulnerable!
Therefore a service provider puts its clients at significant risk if it ignores the attack surface of publicly accessible source code. From a reputational point of view, a leaked credential on GitHub giving access to customer data, services, or any kind of infrastructure could be one of the worst scenarios. Failing to assess the threats existing out on the open Internet and manage their exposure could represent an existential risk to MSPs.
2. Future-Proof Their Compliance
In the coming years, MSPs will have to satisfy increasingly concerned customers about their IT cyber resilience. Being able to prove a certain level of maturity will inevitably become strategic for the deployment of secure services in the future.
In addition, cybersecurity compliance frameworks such as NIST SSDF or Google’s SLSA are being consolidated and will be requiring security to be baked in from the start in IT products in the coming years. NIST, under Executive Order (EO) 14028, has launched an initiative to define minimum testing standards for software vendors or developers, which include performing static analysis to find hardcoded secrets.
3. Make-Up for the Lack of Centralized Security Controls
MSPs’ security monitoring is especially challenging because, unlike other companies, they can lack a centralized IT structure to monitor all their activity across their client portfolio.
For instance, they cannot supervise all the source code that their developers produce since it is hosted in a myriad of private repositories belonging to their customers. Therefore, it is nearly impossible for them to have the same level of observability and automation as provided by “internal” SOCs.
On the other hand, monitoring a public platform such as GitHub can help SOC analysts build threat intelligence processes to detect suspicious activity. A textbook case would be a former employee pushing code with a professional email, indicating that his account wasn’t properly deactivated.
4. Detect Source Code Leaks
In recent years, we’ve seen a surge in corporate repositories being leaked online. While many incidents are criminally-motivated — a hacker’s motive is to put pressure on corporations by showing he has hacked them and had access to data — let’s not forget that mistakes do happen more often than we please to think and without making a noise: a developer inadvertently pushing to a public repository while thinking (s)he’s working on a private environment is enough.
For an MSP, such an error on the part of an employee could have big repercussions not only for its reputation but also financially and juridically. Source code can hold a lot of sensitive data, including trade secrets, copyrights, patents, or personally identifiable information (PII).
Failing to prevent or take action to remove problematic source code from GitHub (in the case of copyright material, the procedure is called a DMCA takedown notice) could be used against the MSP in case a leak occurs.
MSPs will have a big role in securing IT operations in the coming years. This is why they should be aware that the more developers they manage, the bigger their footprint on GitHub is.
Source code is a liability they are responsible for protecting. It is both one of the most valuable assets held by a company and a potential weapon (hence a high-value target) for attackers.
For instance, secrets exposed in code-sharing platforms are being actively leveraged by attackers, as demonstrated by various breaches play-by-plays in the past. Leaked secrets can lead to the cascading compromise of an MSP’s entire customer base. As we have seen, these are not well-equipped to face the expanding attack surface of the modern DevSecOps world.
Monitoring GitHub, in this context, is an efficient manner to pro-actively gather intelligence to circumvent inherent limitations and hedge against the worst scenarios. The stakes are high, and it’s time to take action. Failure to do so may result in damages being brought against them.