Why MSPs Need to Think Like Dentists

The majority of MSPs (Managed Service Providers) are not serving Fortune 500 clients because those companies probably have an internal team handling their technology needs. Where most MSPs become most valuable is with small to medium businesses with limited budgets and limited resources. This can become tricky when trying to offer services to your clients, knowing their budget is already fixed.

The trick is to think like a dentist. When you go to the dentist for the first time in a while, the first thing they do is bring you to the X-ray room. They do X-rays to see what they’re dealing with, and then discuss treatment options, maintenance needs, etc. 

MSPs need to do the same thing with cybersecurity. Vulnerability scanning (and even penetration testing) should be an automatic requirement for your clients. 

The importance of patching CVEs

“70% of cyber attacks come from known vulnerabilities”, Jason Manar, former FBI Special Agent.

The scary unknown exploit or zero day that was discovered five seconds ago is not what MSPs should be focused on. When something like Log4Shell comes up, of course we need to react quickly (all the more reason to be working alongside a vulnerability management company), but focusing on those all the time is a waste of effort because you can’t prevent every future exploit.

The vast majority of breaches come from known vulnerabilities, which means if you can keep these patched up for your clients, you’re improving their security posture tremendously. 

However, the struggle is not convincing MSPs of the value of cybersecurity; it's convincing their clients. But how can you secure a hole that you don’t know exists? This is why vulnerability scanning and penetration testing (ideally continuously, but at least quarterly or annually) are crucial for you to be successful.

What do I patch first?

Any vulnerability management tool you have in place will generally rank CVEs based on severity. This severity ranking will allow you to prioritize your clients’ security, especially when time and resources are limited. These CVEs and their severities will be based on industry resources and also on the individual knowledge and experience of the engineers building that exploit engine (so make sure the company has a good dev team backing it up).

Where does Red Sentry get its vulnerabilities?

Red Sentry uses a combination of techniques and resources to build exploits for our platform and score them (and give your client an overall score based on the vulnerabilities found). Here are some of our most reliable resources, based on the type of scanning being done. 

For cloud misconfigurations, the ever-changing CIS framework is our main go-to. 

For web applications, OWASP Top 10 is one of the best resources. Here is an example of how OWASP Top 10 changes over the years, and why it’s so important to continuously evaluate your clients’ security posture. 

For external environments, we build exploits from a wide variety of resources. Besides covering public CVEs, we use a variety of techniques, including misconfiguration tests, sensitive data exposure tests and more complex tests to take a comprehensive look into your clients’ external perimeters. We also constantly monitor hacking forums, so we find new exploits as soon as a malicious hacker does. This is important to us because our founder, Alex Thomas, is a white-hat hacker, and he built Red Sentry around getting into the mind and strategy of malicious hackers. Our platform focuses on real-world exploits and techniques hackers are actually using.

Solutions

There are more and more vulnerability management solutions flooding the market, so it can be difficult to know which ones actually work, which ones are full of fluff, etc. It can also be difficult seeing the price tag and convincing your clients they need this in their stack. And don’t get me started on the inflated price of traditional penetration tests for small businesses.

Red Sentry is one option for an automated penetration testing platform (that also scans for vulnerabilities). Because we specifically target MSPs who serve SMBs, our solution is affordable and has very flexible licensing models, so you can do what makes sense for you and your clients. We also have white-labeling, multi-tenant capabilities, and other solutions specifically tailored to MSPs. 

Conclusion

Cyberattacks are far too prevalent now to rely on the same security practices used 10 years ago. 

Remember to think like a dentist! You can’t fully do your job in protecting your clients if you don’t understand where they are vulnerable. So whether it’s part of onboarding, quarterly review, or continuous monitoring, vulnerability management should become a part of your standard offerings. 

Your clients may not understand the importance of cybersecurity, which is why it’s the job of managed service providers to insist on taking proactive measures. 


Valentina Flores
CEO
Valentina began her career as a police detective, assigned to a federal task force and eventually landing in cybercrimes. Red Sentry has created a hybrid approach that allows businesses to get a thorough manual pentest quickly, while also utilizing the Red Sentry software, to ensure year-round security.
