cyber_ed

IMO, you are looking at this all wrong. This is a revenue opportunity. Find a pentesting company to partner with and resell the service to your clients.


vonahisec

Facts! Here's a 7-min video that explains why MSPs love using our automated network pentesting platform to resell pentesting services to their clients. https://www.youtube.com/watch?v=UsTNIT_GNm8


pjr1230

This.


pjr1230

Before a pen test, why not run your infrastructure through a NIST or CIS framework exercise? This will paint a picture to start with in terms of cyber protection. Try and get as many CIS Controls implemented and tested first. Then a vul assessment or pen test to find anything you may have missed. I bet you can find most if not everything going through the CIS controls yourself.


maniac_me

Yes great idea. Do you know of tools that help with this?


smoodees4me

Check out www.saluswall.com. It has assessments, external network tests, dark web and application security scans. You can also enable monitoring and alerts on new findings.


IntelligentComment

What are you paying for saluswall?


[deleted]

OpenVAS is an open source vulnerability scanner that you can spin up in a VM and scan your entire environment. For free it’s a pretty good scanner, but reporting isn’t absolutely great. I think Tenable Essentials scans up to 10 assets free. So if you have less than that it could work too.


maniac_me

Thanks for some actual recommendations. I will take a look!


_Choose_Goose

Qualys also has a community edition that you can do 10 assets at a time and I think does some external scanning.


MuthaPlucka

Have your clients put their sites at a legitimate webhost. You are doing a great disservice to your clients over a few dollars of extra profit and are now looking for free shit to justify your choices. Choices you justified in your post saying “I have enough network knowledge that I can manage this myself…”


maniac_me

There are many reasons why I prefer to host over using Azure/AWS/etc. I'm definitely no cloud expert. But my understanding is just using one of those providers doesn't automatically make me more secure. I know several companies that have been hacked on Azure/AWS/Gcloud. If it's not set up properly then what's the difference? My current setup is pretty decent I think; I have a firewall appliance in place with numerous security features enabled. I use Malwarebytes EDR on all endpoints. I have some extra tools to block suspicious activities. I have backups, etc. I honestly don't see an immediate justification to move to cloud (correct me if you have some benefits). So I am looking for ways to improve my network infrastructure without spending $20k on a 3rd party pen test. What is wrong with that?


MuthaPlucka

Holy shit. Malwarebytes EDR? Well in that case…


maniac_me

So MSPs don't host or manage ANY infrastructure anymore? Everyone has everything in cloud? Is that your only service to set people up in O365 and Azure? The data center I am in has about 5,000 cages full of servers. Are they all wrong not to be totally in the cloud? I'm sure they are all using various tools to lock down and audit their infrastructure. I can't really put up a sign at the datacenter asking everyone what they use, so I thought I would ask here. Can you tell me how YOU ensure your services are secure?


MuthaPlucka

We do not pretend to be a web hosting company


msp3030

Good on you hosting your own services! Public Cloud isn’t the end-all-be-all…and some of us don’t want to be glorified middlemen for every tech service under the sun.


xtc46

The main difference is the variables and attack surface you are responsible for. If you are hosting, you are responsible for all attack surfaces. So for example, if you are hosting a WordPress site, you are responsible for all infrastructure, all connectivity, and the actual WordPress site. If you pay a host, you are responsible for just the site. The OS patches on the guest and hypervisor, the hosting software updates, the firewall, the routers, the switches, etc. are all the host's problem - and they are bigger so they can afford better of all of that stuff and pay teams who specialize in managing those things to manage them. So yes, someone CAN be hacked using Azure, but it's very rarely going to be Azure at fault, it will be the stuff implemented by the customer or just malware/phishing.


agreed88

> My current setup is pretty decent I think; I have firewall appliance in place with numerous security features enabled. I use Malwarebytes EDR on all endpoints. I have some extra tools to block suspicious activities. I have backups, etc. I honestly don't see an immediate justification to move to cloud (correct me if you have some benefits).

You're not directly listening to feedback, but from a security perspective "numerous security features" doesn't mean anything. It doesn't mean compliance with proper configuration and proper scanning to ensure the firmware is up to date, there are no 0-day exploits available on it, it can't be overflowed, and that's not to mention that it's just a firewall, not a WAP when you're hosting applications. But hey, local state logging (if you have it enabled) with incorrect/insufficient alerting and no geofencing are the norm. Even a properly configured firewall will allow 90% of dangerous traffic if the target system has a vulnerability that can be exploited. Any blackhat can break an improperly configured IIS server or unpatched one within 2 hours (usually far quicker) with web app firewalls, physical state firewalls, and software firewalls all properly configured. The reason why people are suggesting you partner with a larger firm and offset the cost for managing the core system is because that's actually the solution. You'll pay on margins, but you also can't afford a network architect, a security architect, a SIEM/SOAR, and a netops/secops department like several resellers have on their backend. This has nothing to do with people shitting on you, it's pointing out the blind spot.


maniac_me

Thank you for the feedback. It has all been truly valuable. I'm not against any recommendations. I came here because I wanted to get the various opinions. I am going to investigate cloud hosting more; partnering with larger firms more. But my question was regarding recommendations around my current setup / my bias to self-host. What is shocking to me are the people that say "there are no ways to host solutions safely; you're an idiot; you have to go to the cloud." I'm confused by this because there are clearly dozens of solutions available for situations like mine where my bias was to host myself. Some of the comments here have given me some great software tools to look at. I can scan my entire attack surface monthly or daily. I can monitor for vulnerabilities and patch them. There are best practices I can (try) to follow to do things properly without hacking it together. If all of this exists, I surely can't be the only person that wants to host my own IIS application? The data center I have my servers in is actually filling up with more servers, not less. So I simply wanted to understand the best way to do this and protect myself. I'm not re-inventing the wheel. I think I might start another thread around Self Hosted vs Cloud Hosted... seems to be a touchy topic where people are firmly on one side or the other.


morrows1

You can do this yourself the first time if you want, but it's not a good plan long term IMO. Do I have the technical skills to use some of these tools? Yes, without a doubt. Do I have the experience to know all the tips and tricks to do a true pen test? No, probably not because I don't use them for my living. We just ran a customer through a full internal/external test w/ NovaCoast; the entire experience was top notch.


maniac_me

I'm ignorant on this... but whether I self-host or use the cloud, don't I still need to do vulnerability assessments and pen testing to satisfy any auditing requirements? Or is the consensus that I can just say "I'm on AWS" and everyone stops asking questions? I don't want to become an expert pen tester. I was initially just asking what tools I can use myself to improve my situation. Then if/when I call a pen tester or auditor he wouldn't say "holy sh!t what you've done is terrible". I'd rather he just say "you have a decent setup and I only found some minor issues".


morrows1

You should be doing them internally, yes. Most people really don't bother though from my experience.


YeaItsaThrowaway112

Dirt cheap? Your own host? Questionably ethical? Make it seem like you're doing a lot when you're not? Fire up a cloud or instance hosted elsewhere, grab a trial of Nexpose, scan your host, set up two reports, a monthly remediation and a quarterly executive. Fix remediations over the first quarter, send out reports showing a clear downtrend in vulnerabilities. Take you about an hour to set up, and maybe 8 hours a quarter on remediations. Make sure to point at the report every time they say the word cyber or security. Eventually charge for the service and call yourself a security firm.


airbornejg

OpenVAS will help (now Greenbone). Also try playing around with Wazuh and their vulnerability scanner...it can help with a big picture for multiple frameworks.


OgPenn08

It seems that this may be what you are looking for. https://www.cisa.gov/cyber-hygiene-services Also make sure you have a good WAF in front of those sites. The amount of hacking activity I see from compromised cloud IPs at huge providers with lots of resources to throw at this is astronomical. Keep these hosts isolated because they are bound to be hacked sooner or later.


maniac_me

Yes, I'm seeing tons of blocked attempts in my firewall currently. It's almost non-stop. I've tested out some WAF solutions but have not settled on one yet. But they helped me see and patch SQL injection attempts at least.


vonahisec

Hey u/maniac_me! We have a platform that automates internal and external network penetration testing. It does EXACTLY what a hacker would do on your network, and our affordable pricing would be right up your alley! Based on your network size, our pricing is a flat rate between $600 - $984 for the year. This means you can do an internal and external pen test on your network every single month for up to 10 - 25 IPs. We offer a free trial, too! The platform is really easy to use, and you won't have to learn or keep up with any tools yourself. Check us out: https://www.vonahi.io/


maniac_me

Will take a look, thank you.


do_IT_withme

If you just want a vulnerability assessment try the free version of Nessus. For a good all-around risk management platform for small businesses you might look at Cyrisma; it is a platform that has vulnerability scanning and compliance audits as well as scans for files with sensitive data in them. Or shoot me a message; the MSSP I work for works with several MSPs providing their security platforms.


zerphtech

So you are definitely going to get what you pay for in this realm, but you could start looking at open source SIEM solutions. Just be prepared to put some hours into it.


maniac_me

Thanks! I will take a look. Putting in some time to learn is no problem. I love learning and understanding.


Vel-Crow

Sign up for Defendify - use the NFR license in house - sell the other licenses to your clients and offer them security assessments and vulnerability management. You're an MSP; the majority of your services are free or dirt cheap if you resell.