13 Nov
V-MaaS is Your Ticket to a Better Bottom Line
Delivering Vulnerability Management-as-a-Service (V-MaaS) is a straightforward exercise. Set up your internal and external vulnerability scanners to run at a desired frequency; review the alert reports as they come in and determine which issues need to be addressed immediately, which should be investigated, and which should be ignored; then update your scanner settings as needed to further refine and optimize your false positive reporting.
So, the only real variables in the “level” of service you offer clients should be the frequency of the scans, the CVSS level threshold you set for immediate remediation, and your SLA for regular maintenance and updates of the network security posture. The fee you charge for your V-MaaS should reflect these variables, and the vulnerability management platform you select should be licensed to allow you to charge less for smaller clients without eating into your profit margins.
Consider offering four different levels of service for the four types of clients MSPs typically have: smaller “micro” businesses; traditional SMB clients; mature organizations; and larger “elite” clients. In this example, we’ve set up four levels of V-MaaS with placeholder names for each: Bronze, Silver, Gold and Platinum.
The Bronze level is for smaller clients, those you occasionally do projects with, or your managed service accounts that simply won’t sign up for any other tier out of the gate. These are typically clients that have fewer than 50 assets, no mission-critical apps, and no stored personal or highly sensitive information.
Run an initial internal and external vulnerability assessment to get a baseline understanding of their vulnerability profile and take care of any severe or moderate vulnerabilities that show up. If the client balks, insist that with the rise in cybercrime, this is a necessary procedure you need to perform to lower their risk profile and protect your reputation as an MSP. You can charge separately for any significant network changes that are necessary.
For many MSPs, the Silver level is going to be the biggest bucket of clients. They have 250 assets or fewer to scan, but they rely heavily on their computers and may be storing some amount of sensitive information that could have financial consequences in the event of a breach.
Whether you are following the NIST Cybersecurity Framework, the Center for Internet Security (CIS) guidelines, or any other standard, the MINIMUM recommended frequency of vulnerability review is quarterly, regardless of the size or nature of the client. Quarterly vulnerability reviews tend to catch any major security holes that need to be assessed in most stable network environments that are being properly managed.
EVERY client should agree to your Silver Plan for a quarterly network vulnerability review and remediation service at the very minimum. Even though your clients are signing up for a quarterly vulnerability review, you’ll explain you are going to monitor the network monthly, just to make sure that no high-risk vulnerabilities pop up between reviews.
At the Gold level, you might have more than one appliance sharing the scanning load, and you’ll set them up to scan weekly. You might adjust the scan types to run less invasive routine scans between more aggressive monthly scans, and perhaps amp it up to a high-level scan with brute force log-in attempts every quarter.
Having a weekly alert come in for a quick review pretty much assures you and your client that any newly discovered high-risk vulnerabilities will be quickly attended to. It’s not hard to explain to your clients that a more frequent review of their network vulnerability will keep their systems and networks safer.
There are plenty of clients out there who really need continuous vulnerability monitoring of their networks, and they are more than willing to pay for it. They may not be your clients today, but with this type of service in your portfolio, it could be your entrée into a higher class of client. Among those needing continuous vulnerability scanning are: regulated clients, clients with a lot of sensitive data, clients with mission-critical applications that their businesses depend on, and large corporate accounts with distributed networks.
For these types of clients, increase the scan frequency from weekly to daily. Have alerts generated immediately after each scan and sent to a tech to review each day. Look for any high or medium level vulnerabilities that need to be addressed and keep system noise down through ongoing false-positive management.
We’ve outlined a very basic V-MaaS program that meets the needs of most MSP clients. If these service levels don’t match your needs, you can easily tailor the offerings to match your requirements and those of your clients. But you still need a tool that offers the necessary features and allows you to scale your services to meet whatever service levels you decide to offer.
VulScan is the purpose-built platform for both MSPs and IT Pros that handle their own IT security. It has all the features you need for both internal and external vulnerability management and is ideal for implementing and managing V-MaaS.