Meraki

johnnyngena · ‎Mar 25 2021

This inquiry is regarding Meraki security, especially regarding IDS, malware (and potentially URL security block) events when an MSP, such as ourselves, is managing a Meraki network on behalf of the customer. Detection in any of these modules can happen in situations when somebody is “attacking” the customer, but can also mean that customer client device is already infected and doing malicious traffic to outside (e.g. to command and control server) or customer is doing suspicious connections to malicious sites (e.g. malicious web browser plugin, infected USB, suspicious advertisements on sites, etc.).

We had one event with one of our customers (as AWS Cloudfront is CDN, that means that request was initially from the customer, and CDN responded with a suspicious response. Could be e.g. suspicious advertisement on the website during surfing, or malware on customer device trying to download additional payload):

Is there a best practice or benchmark that would answer the following questions:

What are the MSP's obligations towards the Meraki customer in these cases? If the MSP detects such an event, should it be reported to the customer? If yes, should the MSP provide additional details about client device (such as MAC address, URL if available etc.) – due to potential privacy concerns? Who in the parter organization should be responsible in this case, OPS, SecOps?

Appreciate the support on this.

DarrenOC · ‎Mar 25 2021

Hi @johnnyngena

This would really depend on what’s in your agreed contract as the MSP to your client.

If you’re managing the firewall and proactively reviewing security events then surely you’re duty bound to report the issue with as much details as possible

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.

View solution in original post

DarrenOC · ‎Mar 25 2021