This inquiry is regarding Meraki security, especially regarding IDS, malware (and potentially URL security block) events when an MSP, such as ourselves, is managing a Meraki network on behalf of the customer. A detection in any of these modules can happen when somebody is “attacking” the customer, but it can also mean that a customer client device is already infected and sending malicious traffic outside (e.g. to a command and control server), or that the customer is making suspicious connections to malicious sites (e.g. a malicious web browser plugin, an infected USB device, suspicious advertisements on sites, etc.).
We had one event with one of our customers (as AWS CloudFront is a CDN, this means that the request initially came from the customer, and the CDN responded with a suspicious response. It could be e.g. a suspicious advertisement on a website during surfing, or malware on the customer device trying to download an additional payload):
Is there a best practice or benchmark that would answer the following questions:
What are the MSP's obligations towards the Meraki customer in these cases? If the MSP detects such an event, should it be reported to the customer? If yes, should the MSP provide additional details about the client device (such as MAC address, URL if available, etc.), given the potential privacy concerns? Who in the partner organization should be responsible in this case, OPS or SecOps?