How to Audit a Cybersecurity Stack


One of the most essential roles an MSP takes on is overseeing customer cybersecurity stacks. It’s the MSP’s responsibility to ensure they’re functioning well, are compliant, and are up-to-date with all the latest software updates and technology patches.

Typically, this responsibility includes doing regular cybersecurity audits of the stack. This is a great way to evaluate the customer’s current security posture. The cybersecurity auditing procedure also offers MSPs a look at whether the organization is in adherence to compliance controls and how their security is implemented and tested — all valuable information that can inform strategy moving forward.

While this auditing process is integral to cybersecurity risk assessments, not every MSP handles it in the same way, meaning gaps can develop because no one’s going through the exact same list of steps. This can be curbed, however, by doing the most important step in a cybersecurity audit: running a risk assessment at the start of your audit. This identifies whether there are currently gaps in network security that need to be filled, which then informs the rest of your audit. 

Today, we’ll explain how MSPs can improve their cybersecurity auditing process to better serve customers and make it easier for staff to identify and manage critical IT gaps.  

How Traditional Cybersecurity Stack Audits Work

Typical security stack audits are forward-thinking. They are looking for potential vulnerabilities and gaps in coverage that a threat actor could exploit to gain access to the network. That could be anything from weak password policies to poor coverage in the disaster recovery mechanisms, risky protection settings, inadequate intelligence, and more.

Essentially, these stack audits measure how people, processes, and technologies come together to determine how easily a threat actor could gain access to the customer’s environment and the organization’s assets.

The problem with current cybersecurity audits is that they are too often focused on future vulnerabilities. Who could get into the network? Where could someone exploit the network’s weak spots if they don’t fix them? The audit scores are based on what companies should be doing, and how much risk mitigation the MSP or IT teams have employed.

However, none of these current tools show what is happening in the network right now. That’s an oversight that could cause your client to get breached today.

What to Look for in an Audit of a Stack

Some questions that inform a traditional cybersecurity stack audit include:

  • How often is the organization doing cybersecurity staff training?
  • Are staff giving out access they shouldn’t be?
  • What are the company password policies?
  • What are the processes used to keep software and firmware updated and secure?
  • Are actually implemented technologies leveraged correctly?
  • Are there any gaping holes based on the scoring or compliance frameworks?  

While audits need to be forward-thinking to help identify potential issues, many MSPs are often solely focused on potential future issues, which could leave their clients vulnerable.

Looking at these potential threats also leaves out any evidence of known threat actors that have already been allowed access to the network the firewall missed.

How to Make a Cybersecurity Stack Audit Better

While performing a traditional audit of your client’s network security stack is valuable, there are ways to conduct better cybersecurity audits, as mentioned above.

Currently, security stack audits only give information about future potential vulnerabilities and gaps in security coverage. However, if you hope to find ways to plug vulnerabilities that ever-increasingly creative bad actors could exploit, you need to start with a risk assessment that gives a clear picture of the current threats in your network.

When you add Threater’s Threat Risk Assessment into your audit process, you will find pivotal information about your security posture previously unavailable in cybersecurity stack audits, including what malicious traffic is currently on the client’s network right now.

This is the only tool available to show which threat actors are in a network today and how they are trying to communicate outbound to other bad actors. Take note here about that outbound aspect. This outbound portion is significant because when threat actors do get in, they need to then ‘phone home’ so the data they’re hoping to steal has a place to go once it’s been accessed. Blocking these calls ‘home’ can prevent a threat actor from perpetrating their attack.

If you can show your clients what threat actors have already been admitted through their firewalls, it’s easier to stop these actions in their tracks and then re-evaluate from the ground up during an audit how something like that happened in the first place and get ahead of it next time. Even better: this risk assessment requires nothing more than 24 hours of firewall logs, making this stage of the audit process not only informative but a low lift for the MSP.

From there, you can move on to a more holistic cybersecurity evaluation, including elements like:

  • Backups and disaster recovery plans
  • Identity and access manager
  • Firewalls
  • SIEMs and SOARs
  • TIPs
  • EDR, MDR, XDR, etc.
  • …and more 

How to Optimize Your Cybersecurity Stack from Audit Findings

Once the risk assessment is complete and you’ve run your audit against the gaps you found, the next step is implementing new and improved protections for those gaps. This is especially critical if you run the risk assessment and see all the threat actors the firewall allowed to pass through.

In that situation, we recommend implementing Threater immediately, so your (and your clients’) cybersecurity technology stacks are protected immediately. From there, depending on what the cybersecurity audit revealed, you can then take steps to shore up security based on findings from other pieces of your audit processes. 

For example, if your client’s organization has a weak password policy, you should advise a new one. If it turns out their disaster recovery technologies are inadequate or not fully comprehensive, you should recommend an improved approach.

Ensure Improved Cybersecurity Stack Auditing with a Threater Risk Assessment

Encouraging your customers to pursue a more active cybersecurity posture starts with giving them information about what’s happening in their network security system right now. This information can then be used immediately to identify active threats, while a traditional audit uncovers deeper potential issues.  

Want to see how it works for you? Try out Threater’s Risk Assessment tool today to see how an immediate assessment of your client’s firewall health could give you the information you need to make more intelligent cybersecurity recommendations.